For anyone with a digital footprint, it’s a worst-case scenario: you open your laptop and instead of seeing recent emails and webpages, you’re greeted by a red screen conveying a nightmarish message, “Ooops, your files have been encrypted!”
This very message greeted thousands of companies and individuals on the morning of May 12th. Known as WannaCry, Wanna Decryptor or WannaCrypt, this dangerous malware crippled Britain’s National Health Service (NHS) and caused treatments and surgeries to be cancelled across the country.
What is WannaCry?
The WannaCry virus was created for the purpose of extorting money — in the form of Bitcoin — from distraught users around the world. A form of encryption-based ransomware, the Wanna Decryptor (WCRY) uses the AES and RSA encryption ciphers so that only the attackers, who hold a key unique to each victim, can decrypt the files.
In previous incarnations of the virus, victims were sent ransom notes in the form of .txt files linking to instructions on payment and data retrieval. In this latest attack, WannaCry takes over a computer’s wallpaper with a message about how to download the ransomware from Dropbox — demanding hundreds in Bitcoin to decrypt the files.
Once inside a computer, WannaCry ransomware cleverly creates encrypted copies of certain files before deleting the originals. Victims are left with encrypted copies that are unreadable without a decryption key. This latest version of WannaCry also increases the ransom amount and threatens a total loss of data if the ransom is not received by a certain date — creating a sense of urgency that makes victims more likely to pay up.
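The behaviour just described, an original that disappears while a copy with an extra extension and near-random contents takes its place, is something a defender can look for. The following Python script is an added example (not code from the article) that compares a directory against an earlier snapshot of its file names and flags exactly that pattern using Shannon entropy. The `.locked` extension, the file names and the random bytes standing in for ciphertext are constructed for the demo.

```python
import math
import os
from collections import Counter
from pathlib import Path
from tempfile import TemporaryDirectory

HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encrypted_copies(before: set[str], directory: Path,
                          threshold: float = HIGH_ENTROPY) -> list[dict]:
    """Compare the current listing of `directory` with an earlier set of file names.

    A hit is an original that has vanished while a new file named after it
    (original name plus an appended extension) has appeared with near-random
    content. A low-entropy copy, such as a .bak of a text file, is not flagged,
    and a high-entropy file whose original is still present is not flagged either,
    which keeps ordinary zip or image files from raising alerts.
    """
    now = {p.name for p in directory.iterdir() if p.is_file()}
    missing = before - now
    new_files = now - before
    hits = []
    for original in sorted(missing):
        for candidate in sorted(new_files):
            if not candidate.startswith(original + "."):
                continue
            entropy = shannon_entropy((directory / candidate).read_bytes())
            if entropy >= threshold:
                hits.append({"original": original, "copy": candidate,
                             "entropy": round(entropy, 2)})
    return hits


def demo() -> list[dict]:
    """Constructed scenario: three documents, one replaced by a high-entropy copy."""
    with TemporaryDirectory() as tmp:
        d = Path(tmp)
        text = b"Quarterly report: revenue grew four percent on stable costs.\n" * 300
        for name in ("report.docx", "invoice.pdf", "notes.txt"):
            (d / name).write_bytes(text)
        before = {p.name for p in d.iterdir()}

        # Simulated effects only: os.urandom output stands in for ciphertext.
        (d / "report.docx.locked").write_bytes(os.urandom(16384))  # encrypted-looking copy
        (d / "report.docx").unlink()                                # original removed
        (d / "invoice.pdf.bak").write_bytes(text)                   # benign low-entropy copy
        (d / "invoice.pdf").unlink()                                # archived, not encrypted
        return find_encrypted_copies(before, d)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['original']} -> {hit['copy']} (entropy {hit['entropy']} bits/byte)")
```

Entropy alone is a weak signal because compressed formats score just as high as ciphertext; pairing it with the missing-original condition is what makes the check specific to the copy-then-delete pattern. In practice the "before" snapshot would come from a file-integrity baseline rather than an in-memory set.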
How Was WannaCry Developed?
While ransomware like WannaCry can spread through phishing emails or via websites containing malicious programs, security experts scouring NHS networks have been unable to find evidence of a spear-phishing campaign.
Instead, security professionals at Avast, Proofpoint and Symantec believe the latest version of WannaCry was spread via a vulnerability discovered by the Equation Group — a technology collective suspected of being tied to the NSA. Recently, news of this vulnerability was released by the Shadow Brokers, a hacking group known for releasing NSA hacking tools.
While the attack most notably afflicted Britain’s NHS, it caused worldwide damage, affecting CCN-CERT (the Spanish computer response organization), and public and private institutions throughout China and Russia.
WannaCry Wreaks Havoc
The attack claimed 200,000 victims in 150 countries, with each infection demanding $300 in Bitcoin, yet as of May 29th only $117,424 had been collected. While the latest incarnation of WannaCry is the biggest ransomware outbreak in history, a 2015 hack on banks netted hackers £650 million. However, as the first ransom deadline draws near, WannaCry payments have been rising steadily.
Since hackers use Bitcoin “mixers” or tumblers to break connections between Bitcoin payments and their recipients, it is often difficult to track where the illegal money goes. The technology company Elliptic is currently tracking the WannaCry virus and has had past success in delivering “actionable evidence” to law enforcement agencies regarding currency used in arms trafficking, money laundering and drug offenses. If the WannaCry hackers get caught, it will most likely occur when they try to collect their ransoms, since Bitcoin exchanges hold identifying information about their clients.
How Does WannaCry Spread?
The vulnerability exploited by WannaCry is known as MS17-010 (also referred to by the name of its exploit, EternalBlue), a flaw affecting machines running Microsoft Windows Vista, 7, 8, 10 and XP. Microsoft announced the vulnerability on March 14th and recommended that all users download the latest patch, but the remedy came too late for many victims.
Due to their large size and the need for systems to be operable at all times, hospital systems are often slow to update and patch their software, making them uniquely vulnerable to ransomware attacks. Some experts theorize that Russia and China were hit hard because many users in those countries rely on bootleg copies of Microsoft software that are ineligible to receive the latest patches.
While Microsoft fixed the vulnerability in its March update, many individuals and organizations did not update their software right away, leading to massive vulnerabilities. After the attack was announced, Microsoft took the unusual step of issuing fixes for older, “retired” software like Windows XP, which was still used by some NHS computers. While XP received some damage from the virus, the hardest hit Windows software was Windows 7, which experienced 67% to 97% of all infections.
Leaked from NSA networks by the Shadow Brokers hacking collective, the latest WannaCry attack highlights the dangers of governments stockpiling technological vulnerabilities. Other software vulnerabilities stockpiled by the NSA eventually ended up on WikiLeaks — causing widespread damage. For many experts, WannaCry represents a dangerous convergence of the world’s biggest hacking threats — nation states and organized crime.
What is Ransomware?
Originating in 2005 in the U.S., ransomware quickly spread across the world. The malware earns its name by infecting computers, tablets and smartphones with malicious software that locks these devices until victims pay to unlock them.
Ransomware often arrives on computers through malicious attachments masquerading as innocent files. Once opened, they encrypt hard drives and make it impossible to retrieve anything — pictures, documents and music — stored on the device.
While anti-virus software can help protect many machines, cybercriminals are always looking for new ways to get around such protections. Ransom amounts vary, but a 2014 attack in the UK charged victims £500 apiece. And since there is no honor among thieves, there’s no guarantee you’ll get your data back, even if you pay up.
How Was WannaCry Stopped?
Though the virus quickly spread across the globe, WannaCry’s code contains a long URL that acts as a “kill switch.” Before the malware could do major damage to the United States, a 22-year-old self-taught security researcher from England, named Marcus Hutchins, also known as MalwareTech, stopped the attack by inspecting the malware’s code and registering its domain name. He is now working with Britain’s National Cyber Security Centre to prevent a new strain of WannaCry attacks that may or may not have a kill switch.
When the malware runs, it looks up that domain name and continues only if the lookup fails, that is, if the address isn’t live. Once the domain had been registered and the lookups began to succeed, the Wanna Decryptor stopped spreading. Hutchins remains uncertain that his fix will permanently stop the spread of the virus, but activating the kill switch has significantly slowed it.
Domain names often function as malware command and control centers, so when MalwareTech bought the domain name, it triggered the kill switch built into WannaCrypt. Hutchins believes that the domain name was not intended as a kill switch, but rather a mechanism by which the malware could identify whether it was being analyzed.
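Once the domain was registered, the lookup itself became a useful indicator for defenders: a machine that queries the kill-switch domain has already executed the malware, even if the successful lookup then stopped it from spreading further. The following Python snippet, added here as an example rather than taken from the article, scans BIND-style DNS query-log lines for that domain and reports which internal hosts asked for it, how often, and when they were first seen. The domain name, the log layout and the log lines are all constructed placeholders; the real kill-switch domain is not reproduced here.

```python
import re
from typing import Iterator

# Placeholder standing in for the registered kill-switch domain (constructed, not the real one).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample lines in a BIND-style query-log layout (an assumed format, not a real capture).
SAMPLE_DNS_LOG = """\
12-May-2017 10:14:02.113 client 10.20.1.15#51234: query: www.example.org IN A + (10.20.0.53)
12-May-2017 10:14:05.401 client 10.20.1.77#60012: query: killswitch-placeholder.example IN A + (10.20.0.53)
12-May-2017 10:14:05.520 client 10.20.1.77#60013: query: killswitch-placeholder.example IN A + (10.20.0.53)
12-May-2017 10:15:11.009 client 10.20.3.9#41000: query: mail.example.org IN MX + (10.20.0.53)
12-May-2017 10:16:40.777 client 10.20.2.41#55501: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.20.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return qname.rstrip(".").lower()


def parse_query_log(text: str) -> Iterator[dict]:
    """Yield one record per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = normalize(rec["qname"])
            yield rec


def hosts_querying(text: str, domain: str) -> dict:
    """Map client IP -> {'first_seen', 'count'} for lookups of `domain` or any name under it."""
    target = normalize(domain)
    seen: dict = {}
    for rec in parse_query_log(text):
        q = rec["qname"]
        if q != target and not q.endswith("." + target):
            continue
        entry = seen.setdefault(rec["ip"], {"first_seen": rec["ts"], "count": 0})
        entry["count"] += 1
    return seen


if __name__ == "__main__":
    for ip, info in sorted(hosts_querying(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN).items()):
        print(f"{ip}: {info['count']} lookup(s), first at {info['first_seen']}")
```

One caveat follows directly from the mechanism described above: the kill switch only takes effect when the lookup succeeds. A resolver that blocks the domain, or a host with no path to public DNS, sees the lookup fail and the malware carries on as if no kill switch existed, so the right move is to let the domain resolve and alert on the query, not to blocklist it.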
There is also the alarming possibility that WannaCrypt was a test of readiness to see how long it would take to shut down such an attack. Perhaps the malware was used to gather intelligence on the kinds of systems that could be affected by WannaCry, or it could have been used to demonstrate the moral hazard of governments cataloging system vulnerabilities without notifying software developers.
While experts remain divided about whether WannaCrypt’s kill switch was lazy or intentional, the fact that the virus was able to propagate for so long does not bode well for the state of global preparedness.
Regardless of the reasons, WannaCry demonstrated what happens when software vulnerabilities fall into the wrong hands. While governments must take greater responsibility for their hacking activities, software developers like Microsoft must detect, notify and issue patches in a timely manner to prevent worldwide hacking disasters.
How to Prevent Ransomware
Since ransomware is easily bought and sold on the dark web, these kinds of attacks will become more and more common. As of August 2016, nearly 40% of companies worldwide have been victims of ransomware.
By keeping a structured regimen of data backups, it’s easy to work around ransomware by restoring previous versions of systems. Otherwise, paying the criminals may be necessary. However, once you pay up, you run the risk of being targeted again and again. To hackers, “once you pay, you will always pay.”
While the safest way to protect yourself or your company from malware and ransomware is to avoid clicking links from unknown sources, all Windows users should immediately update their systems with the latest patches and install updates every time they are released. Systems running “retired” software ineligible for updates should be immediately removed from all networks.
Protecting Your Business
With threats from malware and ransomware growing every year, one can never be too careful when it comes to keeping your business safe. That’s why it’s important to protect your business with PCI-validated point-to-point encryption (P2PE) solutions that secure payment data the moment a card is swiped. To keep your company safe and secure in the future, contact Bluefin today to learn more about our seamless P2PE solutions.