WannaCry: Autopsy of Ransomware
In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US' National Security Agency (NSA).

Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours. According to antivirus company Avast, it took less than 24 hours to infect more than 100,000 Windows systems, 57% of them in Russia. Besides the NHS, its other high-profile victims included Telefonica, Santander, FedEx, Vodafone and Renault.

Many organisations were forced to shut down systems and even production sites to prevent the spread of the virus, and the NHS was virtually paralysed by the attack, postponing operations and cancelling thousands of appointments at over 48 hospitals, medical centres and GP surgeries. Six hospitals were still experiencing difficulties the following day and diverting emergencies as a result.
Exploiting Windows SMB Vulnerabilities
WannaCry infects systems running a vulnerable version of Windows Server and the SMB (Server Message Block) service. It spreads using software the NSA had developed for espionage, which was stolen by a hacking group called the Shadow Brokers and then leaked on the internet.

It uses the same basic method as most other ransomware: persuading users to open an email attachment, e.g. a Word document, PDF or image. Once opened, the malware installs itself and a ransom note is displayed on screen demanding around £230 in Bitcoin to restore access.

Because of WannaCry's success, it is expected that other ransomware, such as the infamous Locky, will adopt the same leaked technology to infect and spread on a larger scale.
The Mechanics of the Infection
The programs developed by the NSA to exploit the vulnerabilities in SMB are known as EternalBlue, EternalChampion, EternalSynergy and EternalRomance. Together, they are known as the FuzzBunch kit. These programs load a backdoor implant, called DoublePulsar, onto a compromised system, enabling attackers to load further malware.

WannaCry's authors have evidently used this mechanism to accelerate the spread of their strain. The infection uses EternalBlue and DoublePulsar to execute remote commands through Samba (SMB) in order to distribute the ransomware to other machines on the same network.
WannaCry Preying on Windows XP
It is no surprise that cybercriminals are finding a use for these government-developed, ultra-advanced hacking tools. According to Recorded Future, a US company specialising in threat intelligence, Chinese and Russian hackers had begun studying the malware leaked by the Shadow Brokers, with a particular interest in exploits that targeted SMB vulnerabilities.
"We're talking about very sophisticated techniques and tools that are generally beyond the reach of the underground community", said Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future.
Microsoft had already patched the vulnerabilities exploited by these tools in March 2017. However, according to Recorded Future, Chinese hackers were not totally convinced of the solidity of these patches. Attacks remain possible against unpatched systems and against OS versions that are no longer supported by Microsoft.

This is a problem for the NHS, where 5% of its machines still run Windows XP. The NHS is not the only one at risk, however: many media industry organisations and a multitude of others rely on applications which need this legacy OS to run. The problem is that XP is so old that it is no longer supported by Microsoft and so receives no patches or updates.
WannaCry stopped … by a stroke of luck
In response to the WannaCry emergency, Microsoft took the unusual step of releasing patches for the SMB flaws on Windows XP (including the embedded version of SP3), Windows Server 2003 and Windows 8. In this attack, Windows 10 remained unscathed; however, Microsoft expects that the threat will evolve and eventually bypass Windows 10's first line of defence. It therefore recommends disabling SMB on the network, if possible.

Thanks to a stroke of luck, WannaCry is in temporary decline. A security researcher, known only as MalwareTech, accidentally stopped the malware spreading by registering a domain that appeared in its code. This blocked the execution of WannaCry and halted its propagation. According to MalwareTech, the domain he registered was a security feature devised by WannaCry's developers to prevent it being analysed by security systems.

Unfortunately, malware developers can easily modify WannaCry to get around this pitfall. In fact, within 24 hours of the first attack ending, Costin Raiu, Director of the research and analysis team at Kaspersky Lab, identified the release of new versions no longer hampered by MalwareTech's domain registration. The WannaCry threat is therefore back out in cyberspace and looking for its next set of victims.
All Clear at eUKhost
At eUKhost, we found no evidence of infection on any of our Windows servers. However, we remain fully vigilant and have taken the pre-emptive step of patching all managed servers that are potentially vulnerable, in order to protect them from this exploit.

If you manage your own servers and use a Windows OS, we strongly recommend that you check and make sure you have the latest Windows patches installed.

We urge all of you to check your desktop / laptop operating systems to make sure that they are also patched and fully up to date.
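The two recommendations above (Microsoft's advice to disable SMB where possible, and the advice to confirm that patches are installed) can be checked from an elevated PowerShell session. The script below is an added example written for this page, not code from the eUKhost post or from Microsoft. It assumes Windows 8 / Server 2012 or later, where the `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` cmdlets exist; it will not run on Windows XP or Server 2003. The March 2017 SMB fixes the post refers to were published as Microsoft bulletin MS17-010, and the KB number for your OS version should be looked up there and substituted for the placeholder below.

```powershell
# Added example (not from the original post): audit a Windows host for SMBv1
# exposure and recent security updates, and optionally disable SMBv1.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.

function Get-Smb1Status {
    # Server side: is the SMB1 protocol still enabled on this host?
    $server = Get-SmbServerConfiguration
    # Feature side: is the SMB1 optional component installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # Turn off the SMB1 server protocol (takes effect immediately, no reboot needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature so the client side cannot negotiate SMB1 either.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Get-RecentSecurityUpdates {
    param([int]$Days = 60)
    # Hotfixes installed within the window; an empty list on an internet-connected
    # host is a sign that patching has stalled.
    Get-HotFix |
        Where-Object { $_.InstalledOn -ge (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$HotFixID)
    # Returns $true when the named update is present on this host.
    [bool](Get-HotFix -Id $HotFixID -ErrorAction SilentlyContinue)
}

$status = Get-Smb1Status
$status | Format-List
if ($status.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName); run Disable-Smb1 once you have confirmed no legacy clients depend on it."
}

Get-RecentSecurityUpdates | Format-Table -AutoSize

# Placeholder: replace with the MS17-010 KB number that applies to this OS version.
$smbFixKb = 'KB<MS17-010-kb-for-this-os>'
if (-not (Test-HotFixInstalled -HotFixID $smbFixKb)) {
    Write-Warning "$smbFixKb is not installed on $($status.ComputerName); apply the March 2017 SMB update."
}
```

`Disable-Smb1` is deliberately not called automatically: disabling SMBv1 breaks access from clients that cannot negotiate SMBv2 or later (Windows XP and Server 2003 among them), so run `Get-Smb1Status` across the estate first and confirm nothing still depends on the old protocol before turning it off.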
For further information please read the following status update:
http://euk-status.com/2017/05/13/microsoft-vulnerability-urgent-attention-needed/
If you have any questions, please don't hesitate to contact our 24x7 support team.