Author: Etienne Greeff, CTO & Founder of SecureData
The aptly named ‘WannaCry’ ransomware attack, which brought organisations around the globe to their knees when it first appeared on Friday 12th May, is the latest in an ongoing tidal wave of ransomware cyber attacks. At the time of writing, WannaCry has hit 150 countries and over 200,000 computers leaving a wake of destruction.
For the organisations who have felt the full wrath of the attack, and any others still storing data on vulnerable software, this should be treated as a serious wake-up call. After all, WannaCry exploits a flaw in vulnerable, end-of-life versions of Microsoft Windows (most notably Windows XP and Windows 7). To unlock the hijacked data, the WannaCry hackers are demanding a payment worth £230 per infected user.
Ransomware was the number one type of malware in 2016. It works by encrypting, or hijacking, files until a ransom is paid. In the meantime, the user sees a displayed message stating that payment is required before they can access their files. To avoid payments being traced or blocked, cyber criminals typically use cryptocurrency platforms such as Altcoin and Bitcoin.
Assessing the extent of the damage
As the saga continues to rumble along, many large organisations have already faced the consequences of exploited vulnerabilities. Alongside the NHS in the UK, infected organisations include Germany’s main rail company Deutsche Bahn, Spain’s Telefonica, French carmaker Renault, US logistics company FedEx, and thousands of victims in countries such as Russia, India, China, Ukraine and Taiwan. It’s fair to say the extent and scale of the damage caused are significant.
In China alone, nearly 30,000 organisations had been attacked by the end of Saturday 14th May. While the attack attracted significant media coverage in the UK, we didn’t even feature in the top 20 countries by hosts infected. The most infected country was the Russian Federation, followed by Ukraine, India and Taiwan. What made the UK so newsworthy was the real-life impact caused by attacks on hospitals. The hijack of the NHS meant patients had to be moved, treatments delayed and some even cancelled. Meanwhile, 1,000 computers at the Russian Interior Ministry have been infected.
Clearly, the attack is highly aggressive and has been extremely effective. Even though cyber security experts recommend victims not to pay the attackers, many have indeed paid the ransom to obtain the decryption key in a bid to restore normal operations.
Scaled beyond belief
We know that the malware spread exponentially because it is worm-borne ransomware, but it lacks scale in decryption and sophistication in ransom payment collection. Simply put, the attackers’ clever use of code has generated vast scale for infections, but they have shown poor business acumen in turning ransoms into profit. So, despite its apparent success, has this attack actually bitten off more than it can chew?
The WannaCry hackers have left much to be desired when it comes to the transactional components for securing the cash. WannaCry’s decryption process is manual, which means someone physically has to provide the decryption key for literally hundreds of thousands of ransoms (assuming anyone pays up of course).
Firstly, this process is fundamentally at odds with the scale of the attack. They simply don’t have the manpower to ‘cash in’. And secondly, Bitcoin, which is used to take the ransom payments, is the most visible and the most traceable of all the cryptocurrency platforms (this is why we are beginning to see ransomware attacks using altcoins such as Monero and Zcash as their currency of choice). Therefore, the motivation behind the attack remains unclear.
Data-hijacking ‘collateral damage’
Our own analysis has led us to believe the attack was actually meant for home users. For example, the malware is targeted at older versions of Windows operating systems, more commonly in use on home computers. The inclusion of a kill switch is interesting too. Typically, Domain Name System (DNS) based kill switches are used by virus writers to avoid detection by sandboxes (a security mechanism for running typically untested or untrusted programs in isolation). A sandbox would answer all DNS queries and potential requests to outside sites. Virus writers know this, so they terminate the malware when they see such requests answered. This could point to the malware being targeted at organisations which do not run sandboxes, which would typically be home users.
Combined with the failure to effectively monetise the operation, this suggests the intended targets were not corporate organisations such as the NHS and Telefonica. It would seem these organisations got caught up as collateral damage; however, they could easily have prevented any ransomware infection through basic security hygiene and up-to-date frontline security.
The proactive defence of data
Organisations should be taking a front-foot approach to avoid being next in line to be held hostage. They need to act now. The ransomware element of the malware could easily be swapped for a more destructive command that would wipe the hard drive of infected machines completely. New and more innovative ‘strains’ of the malware are expected, so there is a pressing need to get ready to weather the storm.
The impact of WannaCry could have been significantly suppressed by implementing basic best-practice security hygiene. For example, the NHS left itself vulnerable as its computer systems were dangerously outdated. Alarmingly, many NHS Trusts still use Windows XP as their main operating system.
In order to operate a strong security defence, organisations need consistent ingress and egress filtering, regular patching, and backups of all data. Following these basic steps, security should then focus on vulnerability testing and management, improved user-education to stop the opening of dangerous links and attachments, anti-virus endpoint detection, and content filtering.
These are all well-understood practices but need to be implemented consistently in order to break the ransomware kill chain and choke this persistent threat out.
The future threat
From the attackers’ perspective, WannaCry is a technical success; they have proved their concept for the worm delivery channel. With the enormity and global scale achieved, however, they will rue the day they failed to convert this opportunity into cold, hard, real-world currency. Next time, organisations might not be so lucky.
Moving forward, this will not be the last we see of large-scale ransomware attacks, or even of WannaCry itself. Cyber criminals are innovative and tech-savvy. They are constantly looking for new ways to infiltrate computer systems and deliver new payloads. Easy wins, such as targeting legacy operating systems, are just the tip of the iceberg.
The techniques for a similar attack will evolve and grow more complex, and more damaging. In the future, we expect to see game-changers such as new payment platforms used for ransom, a greater array of target types, infect-a-friend attacks and ransomware-as-a-service.
The worm success of WannaCry could well spark an avalanche of ransomware attacks. It is time to get ready for the next wave of attacks. Whilst the battle against WannaCry has certainly started, it has only just begun. After all, more than 1.3 million systems still remain vulnerable.
Article Link: http://digitalforensicsmagazine.com/blogs/?p=2076