WannaCry a.k.a. WannaCrypt a.k.a. WanaCrypt0r a.k.a. WCry is wreaking havoc in the digital world, particularly in Europe. At last count, this malicious bit of code has affected over 200,000 computers worldwide.
WanaCrypt0r is the name the malware's own developers use for it inside the code and on the ransom screen. For the sake of convenience, we'll refer to it as WCry from here on.
WCry is a kind of malware known as ransomware. Ransomware works by encrypting the files on your computer and then demanding a ransom, usually in bitcoin or prepaid gift cards, for the key that decrypts them.
Think of it this way: the malware enters your PC, locks up all your data in a vault and then asks you for money for the key to that vault.
Given the strength of modern encryption, it's improbable that you'll ever recover your data without the right key, which means that, unless you have a backup, paying is your only route back to the data. Even paying is no guarantee, since the criminals still have to actually hand over the key.
WCry takes advantage of a vulnerability in Windows' SMBv1 file-sharing protocol, together with exploit tools leaked from the NSA, to spread rapidly through networks with little to no user intervention.
WCry demands a ransom of $300 in bitcoin (around Rs 19,000), and the price doubles if you don't pay within 3 days. After 7 days, WCry claims that your data won't be recoverable.
Numerous cybersecurity experts have said that the NSA (the US National Security Agency) discovered the underlying vulnerability first and, rather than disclosing it to Microsoft, kept it for its own exploit tools.
A hacker group calling itself The Shadow Brokers surfaced last year with what it claimed was a treasure trove of the NSA's catalogued, undisclosed vulnerabilities and exploit tools. The Shadow Brokers initially tried to auction the stolen exploits, but the lack of interest in the supposedly "outdated" material disillusioned them, and in April this year they simply dumped the Windows exploits on the internet.
Two of those tools, code-named EternalBlue (an exploit for the SMBv1 flaw) and DoublePulsar (a backdoor that EternalBlue plants on a compromised machine), are being used to drive the spread of WCry.
The SMBv1 flaw that EternalBlue exploits existed in every version of Windows since 2001's Windows XP, and Microsoft patched it in March this year (security bulletin MS17-010) on every supported version, Windows 10 included. The leaked EternalBlue exploit itself, however, does not target Windows 10.
If the NSA had disclosed the vulnerability earlier, the patch would likely have come sooner. DoublePulsar is not a vulnerability in its own right but a backdoor that gets installed once EternalBlue succeeds, so closing the SMBv1 hole also keeps it out; when the tools were leaked in April, Microsoft said that updates it had already released addressed the exploits.
WCry itself first made an appearance in March, but wasn't much of a threat at the time. Ransomware is, after all, not uncommon. WCry is such a big deal now because it was recently updated to use EternalBlue and DoublePulsar, making it incredibly virulent.
How does it spread?
Exactly how WCry first got into the networks it hit, and where it originated, is unknown. It's suspected that the malware initially spread via infected attachments sent over email.
Once a PC is infected, WCry first tries to connect to an obscure website, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com in this case. This domain acts as a kill switch: if the connection succeeds, the malware simply exits. If it fails, the malware unpacks a password-protected archive embedded inside itself and proceeds to encrypt the files on your computer.
Sample I found scans SMB after dropping WannaCrypt. Can anyone confirm it's the same thing? P2P spreading ransomware would be significant. pic.twitter.com/zs5Td4ovvL
— MalwareTech (@MalwareTechBlog) May 12, 2017
The domain was unregistered when the attack started. Since the address is hard-coded in the malware, anyone analysing a sample can find it, and whoever registers it stops every copy of that version that can reach it. As it turns out, a 22-year old blogger accidentally killed the first wave of WCry by finding and registering that domain. More on that later.
In parallel, the malware scans for other machines exposing SMB (TCP port 445) on the local network and on random internet addresses, uses EternalBlue to infect any that are unpatched, and the process repeats on each new victim. All of this happens with no user intervention.
Every encrypted file gets a .WNCRY extension. So if you have a Word document titled notes.docx, it will become notes.docx.WNCRY, and you'll know you've been infected.
Each folder containing encrypted files also receives a ransom note with instructions for paying the attackers $300 in bitcoin. A decryption tool is dropped on the machine too, but it needs the private key, which only the attackers hold.
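To make concrete why the bundled decryptor is useless without the attackers' key, here is an added example in Go (not code from this article, and not WannaCry's own code) of the hybrid scheme this kind of ransomware uses: a fresh random symmetric key for every file, wrapped with an RSA public key embedded in the malware, so that only the holder of the matching private key can ever unwrap it. WannaCry actually puts a per-victim RSA key pair between the file keys and the attackers' key; the example collapses that to a single key pair, and its choice of AES-GCM with RSA-OAEP and its record layout are assumptions for illustration rather than the malware's own primitives and file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the per-file record this example produces. The layout
// (wrapped key, nonce, ciphertext) is an assumption for illustration, not
// WannaCry's actual on-disk container format.
type EncryptedFile struct {
	WrappedKey []byte // the file's AES-128 key, RSA-OAEP encrypted to the attackers' public key
	Nonce      []byte // AES-GCM nonce, fresh per file
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// GenerateKeyPair makes an RSA-2048 key pair. In real ransomware only the
// public half is embedded in the malware; the private half never leaves the attackers.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile draws a random AES-128 key for this one file, encrypts the file
// contents with it, then wraps that key with the RSA public key. The plaintext
// key is wiped afterwards, so nothing left on the victim's disk can unwrap it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 16)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // best-effort wipe of the plaintext file key
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile is all a "decryptor" does: unwrap the file key with the RSA
// private key, then decrypt. With the wrong private key the unwrap fails and
// nothing about the contents is learned, which is why the tool shipped to
// victims is worthless until the attackers hand over that key.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attackers, _ := GenerateKeyPair() // private half stays with the attackers
	bystander, _ := GenerateKeyPair() // anyone else's key is useless for decryption
	doc := []byte("constructed sample document: notes.docx contents")

	ef, err := EncryptFile(&attackers.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes, %d-byte wrapped key\n", len(ef.Ciphertext), len(ef.WrappedKey))

	if _, err := DecryptFile(bystander, ef); err != nil {
		fmt.Println("wrong private key:", err)
	}
	plain, err := DecryptFile(attackers, ef)
	fmt.Println("right private key, contents restored:", err == nil && bytes.Equal(plain, doc))
}
```

Recovering the files without the private key would mean either breaking RSA-2048 or guessing an independent random 128-bit key for every single file, neither of which is feasible with any amount of hardware; that is the whole reason an offline backup is the only reliable recovery path.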
Microsoft already patched the hole in March (MS17-010), but judging by the number of infections and the rate at which it spread, a great many users and organisations hadn't installed that update.
In its security blog, Microsoft explains that the exploit code used by WCry was designed to work only against unpatched Windows 7, Windows Server 2008 and earlier versions of Windows. Windows 10 was safe from this attack not because it never had the hole (it was patched there in March as well) but because the leaked exploit doesn't target it.
Users of Windows XP are the most vulnerable, however, because this OS no longer receives security updates from Microsoft. Considering the virulence of WCry, Microsoft relented and released patches for Windows XP and two other out-of-support versions, Windows 8 and Windows Server 2003.
On a side note, these versions are still supported by Microsoft under paid custom support agreements, so normally only the select clients who pay for that service receive updates for them.
How much damage can it cause?
Ransomware like this is almost impossible to deal with after the fact. As mentioned earlier, modern encryption standards mean that no practical amount of computing power will recover the encrypted data without the key.
If infected, your only hope is a safely stored backup of all your data. Those using an online storage service like OneDrive or iCloud aren't necessarily safe either: the sync client uploads the encrypted files just like any other change, overwriting the clean copies online, unless the service keeps earlier versions you can roll back to.
If you don't have one, you either pay the hacker or find a way to live with the fact that the data is gone.
Offline copies of your most important data are the best backup option: an external drive that is unplugged once the backup is done, or write-once media such as CDs and DVDs.
The ransomware has brought the National Health Service (NHS) in the UK to its knees, interfered with the operation of factories, destroyed hospital records, interfered with Spain’s essential utilities and at last count, infected over 200,000 computers.
We've also heard reports that over 600 companies in Japan were infected and that schools and government institutions in China were shut down by the attack.
While damage to personal property is a real possibility, the real damage is being done to businesses and essential services.
It doesn’t help that government institutions have a reputation for running on outdated hardware and software. In India, for example, most ATMs (Automated Teller Machines) run on the unsupported, 15-year old Windows XP operating system.
What can I do about it?
If you're already infected, disconnect the machine from the network so it stops spreading, then either restore from backup, pay up (with no guarantee you'll get a key), or suck it up. If you're not infected, update your system right NOW. Not over the weekend, not tomorrow, not even tonight. Start the update process right now. If you're not on Windows, this exploit doesn't affect you; if you're on Windows 10, the leaked exploit doesn't target you, but the March update closes the same hole there too, so install it anyway.
Take backups of your most important data and keep them off your network. The best option is physical, write-once media like a CD or DVD, or an external drive that stays unplugged between backups.
Microsoft has issued additional patches for every affected OS, including Windows XP, has updated Windows Defender, Windows' built-in security solution, to detect and remove WCry, and recommends disabling the old SMBv1 protocol wherever it isn't needed.
Anti-virus software makers like Kaspersky and Trend-Micro have also done their part in improving protection against this malware.
The accidental hero
Popularly dubbed the accidental hero, a 22-year old researcher and blogger who works for a threat intelligence company and identifies himself only as 'MalwareTech' accidentally stopped the spread of WCry.
MalwareTech noticed the garbled domain name while analysing a sample, found that it was unregistered, and simply registered it for less than $11 (around Rs 700), a routine step researchers take to sinkhole malware traffic for study.
Unwittingly, he’d just killed the most virulent malware since Conficker.
The complete story can be found on the MalwareTech blog; suffice it to say that the spread of the ransomware came to a screeching halt soon after.
Sadly, a kill switch like this is trivial to change: variants querying different domains have already appeared (and been registered in turn), and a version with the check removed altogether is a simple edit away, so infections have not stopped entirely. The kill switch also does nothing for machines that can't reach the domain in the first place, such as PCs on networks that only allow internet access through a proxy.
Regardless, malwaretech’s efforts may have at least provided enough of a breather for firms and businesses to marshal their resources and further bolster their defences on a global scale.
The lesson here is simple: keep your operating system updated and make sure you have backups of all important data. WCry is only one among countless varieties of malware out there, and you never know when one of them might strike you.
Published Date: May 16, 2017 08:20 am | Updated Date: May 16, 2017 08:20 am