Perspectives on the WannaCry Ransomware Attack

Starting on Friday May 12^th reports have started to spread of a global malware that appears to have impacted tens of thousands of hosts in almost a hundred countries within a span of hours. Included amongst the high-profile victims of the campaign is the UK’s NHS who have reportedly experienced widespread outages across more than forty organisations as well as numerous GPs. Ambulance services have also been effected. The ransomware is demanding a payment worth £230 per infected host. The ransomware has now spread globally with major disruption in Germany, Taiwan and China.

Before talking about the attack I want to debunk a myth around the attack. First of all this is not a cyberattack as reported by a lot of media outlets. A cyberattack implies that somebody is targeting a specific organisation. This is indiscriminate malware exploiting a well-known and documented vulnerability within Windows. With the vulnerability exploited and the malware installed, data on the device is encrypted, ransom is demanded and the malware spreads to hosts on the Internet and on the local network exploiting the same vulnerability. This is an interesting combination of malware, ransomware and a worm. So a worm is used to spread the malware which encrypts the device and ask for ransom.

The origin of the particular vulnerability that is exploited is interesting. On April 14 a threat actor called Shadow Brokers leaked a number of exploits believed to be created by a group within the US National Security Agency called the Equation group. One remote code execution exploit in particular was particularly damaging.  A remote code execution vulnerability allows an attacker to execute code on device without any credentials. The name of the exploit was EternalBlue and affect all current and most past versions of Windows including Windows XP. Microsoft released a patch for this vulnerability on the 14^th of April.  Orange Cyberdefense has been saying for the past two years that the militarisation of cybersecurity will spill over and have major effects in the civilian domain. Here is prime example of an offensive tool create by the US military being used by criminals having a devastating effect in civilian life.

How do we defend ourselves against WannaCrypt?
Despite the intimidating association of this campaign with NSA toolsets the malware spreads and operates using a standard and well-understood killchain. Breaking this killchain at any of its links will prevent infection or minimise damage. The simplest and most effective controls at this point appear to be:

1. Ensure that any and all valuable systems that are not yet infected are thoroughly backed up and that the backup system is not itself connected to the network.

2. Block or throttle Microsoft File Sharing traffic (SMB traffic on port 139 and 445). This should absolutely be done from the Internet and as far as possible between zones of your internal network with different levels of trust;

3. Remove Windows EOL technologies from the network or patch them urgently using the special patch released by Microsoft at:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-WannaCrypt-attacks/

The patch is provided for the following operating systems:

• Windows XP

• Windows Vista

• Windows Server 2003

1. On all other systems urgently install MS patch MS17-010: 

   • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx (MS17-010 patch)

   • http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 (MS EoL patch)

2. Ensure the killswitch within the software can operate as intended

The malware contains a very interesting feature, a killswitch. Effectively a killswitch is a feature in the software that allows it to deactivate if certain conditions are met. This is equivalent to the red self-destruct button in action movies ! Our analysis indicates a mechanism built into the code with a check to see if the malware can connect to a host name www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.

MalwareTech have registered this domain effectively activating the killswitch and reports are that the spread is being slowed already. Connections to this domain should therefore be allowed in order for the killswitch to work.  Unfortunately this check isn’t proxy aware in other words it does not use the local device’s web proxy settings. The  malware tries to connect to the website directly. If you are running an explicit web proxy you will need to make sure that the DNS address does resolve locally  to an IP address and that there is one way port 80 access to this IP address on your external firewall.

Anatomy of WannaCrypt malware
The diagram below breaks down the WannaCrypt malware and shows the infection path, worm and ransomware component of the attack.

Cashing out the proceeds from the WannaCry ransomware
The indiscriminate nature of the WannaCry ransomware and the rapid spread the malware means that the proceeds from the attacks could potentially be huge. There is a major problem however for the criminals behind the WannaCry ransomware. The ransom is demanded in bitcoin with only three bitcoin wallets. Bitcoin is an older crypto currency with an open blockchain. In normal language this means that any person can have a look at the wallets in question as this is part of the blockchain. It also means that while money can be transferred into the bitcoin wallets there is a high risk for the criminals that cashing out the money can be tracked and attributed. With the extremely high profile of this attack there will be extreme scrutiny of the bitcoin wallets from law enforcement agencies.

The bitcoin addresses are as follows:

• https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

• https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

• https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The total amount of ransom paid so far is relatively modest at 15 Bitcoin equating to around £20,000.

How can Orange Cyberdefense help with WannaCry and other ransomware?

SecureData can assist in a number of very specific ways with WannaCry and other ransomware.

1. If you are a Managed Firewall Services customer then we have already started configuring the appropriate firewall and IPS technologies to block SMB traffic as required. If you are not aware that this has happened, wish to confirm or wish us to take further steps then please contact our Service Centre;

2. If you are a Managed Vulnerability Scanning Services (MVS) Customer then we have already been scanning the relevant vulnerabilities for some time now, and you would already have received reports regarding this issue where it occurs on any systems we scan. If you are not a MVS customer, or are concerned about systems we may not already be scanning, then please contact any Orange Cyberdefense representative so that we may try to assist you further;

3. If you are a Managed Threat Detection customer then we already have some detections in place to detect this kind of attack in its general form and are working to add additional detections to monitor for the specific attributes of the attack. Please contact us if you have any concerns or requests for specific monitoring to be put in place.

4. We have a number of leading technology partners that can be used to disrupt all the elements in the ransomware killchain including phishing as a service, spam filtering, next generation anti malware and web filtering.

5. SecureData’s elite consultancy division SensePost regularly assists businesses with cyberattacks including ransomware infestations. We have a 20 year track record in cybersecurity, malware and the killchain and help to minimise the damage caused by an attack or infestation.

Why this problem isn’t going away soon
We often get asked why the problem does not go away? As the diagram below shows the simple answer is that this is a business transaction with a willing buyer and a willing seller. In a sense while WannaCry was widespread it wasn’t particularly sophisticated as it used a known exploit, used only 3 bitcoin wallets and due to its indiscriminate nature raised the heat for the criminals. Other variants of ransomware will continue to operate and is based on this simple premise that the criminal has something the buyer wants and used to have  i.e. their own data.