Cyber Attack Advice


Several days ago, we saw a major global cyber epidemic that infected in excess of 100,000 machines across the world. This included several hospitals and medical practices in the UK, but some of the largest attack concentrations were witnessed in Russia, Ukraine, India and Taiwan. On the first day of the attack, WannaCry was discovered in 74 countries and that number quickly increased with time.

What is WannaCry?

Generally, the WannaCry malware comes in two parts: the exploit, which allowed the worm to infect and propagate across Windows-based networks, and the encryptor, which is downloaded to the computer after it has been infected. Historically, ransomware has been distributed via email attachments, email links or links contained in malicious websites; for a computer to be infected, a user had to make a mistake by opening the attachment or clicking on the link. WannaCry, however, was automatic and spread without any user interaction.

How did it spread?

The origins of the WannaCry attack go back to April 2017, when the Shadow Brokers, a mysterious group that has been leaking weaponised NSA (National Security Agency) exploits over the last eight months, released close to 300 MB of material apparently stolen from the NSA. One of the 'zero-day' exploits contained in the leak was dubbed 'Eternal Blue' (an APT or Advanced Persistent Threat designed to covertly monitor and extract data from its target). This was a remote exploit that targeted vulnerabilities in a network file-sharing service called SMB (Server Message Block) in Windows XP to Windows 2012.

Using this exploit, the attackers could gain remote access to computer systems and install the encryptor software. Once downloaded, the encryptor looked for any of 176 file types. Once found, these files are encrypted and “.WCRY” is appended to the end of the file names, which is what coined the name 'WannaCry'. Once the system has been encrypted, the desktop wallpaper is changed to a picture that contains information about the infection and what actions the user has to take. A text file containing the same detail is also dropped to make sure that the message is received. As the encryptor was delivered via a worm, the malware spread to all computers on the network.

All organisations impacted by WannaCry had something in common: they had either failed to patch the vulnerability with the security update MS17-010, released by Microsoft in March (a month before the EternalBlue exploit was made public), or they were running older, unsupported Windows versions. Patching is not always an easy process for networks; it can take considerable time, and careful checks have to be made to ensure that the latest update does not impact any programs already running. This can often result in a delay between the release of a security update and its installation. However, some organisations do not regularly install patches at all: the Federation of Small Businesses' Business Crime Survey 2016 highlighted that only 53% of those involved in the survey regularly perform software updates.

What was its purpose?

As with most ransomware, WannaCry demanded a ransom payment, typically in Bitcoin. Initially $300 was required in order to decrypt the files, but some later versions featured demands of $600. At the time of writing, the three bitcoin wallets tied to WannaCry have only received $47,510, or 27.9 bitcoins.

How was it stopped?

A malware researcher in the UK managed to suspend the infection by registering a domain name that was discovered within the code. He registered the domain name and pointed all the traffic to a server designed to capture malicious traffic. By doing so, he inadvertently stopped the spread of the global malware epidemic.

How to defend against WannaCry

Unfortunately, if files have already been encrypted then there’s very little you can do to decrypt them. This means that the best way to fight this malware is to avoid infection in the first place.

  • Install software updates and, if you haven’t done so already, install MS17-010 right away
  • Create file backup copies on a regular basis on storage devices that are not constantly connected to the computer. If there is a recent backup then the infection and subsequent encryption is not a disaster, but it will result in several hours' work on system re-installation. Backing up data is the single most effective way of recovering from an infection once the system has been cleaned up
  • Use a reliable, paid and licensed anti-virus program; these will have the ability to detect the WannaCry signature
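The following audit script is an added example, not part of the original article: it checks a Windows host for the two conditions the article ties to infection (the SMB service still speaking legacy SMBv1, and no updates installed since MS17-010 shipped in March 2017). It assumes Windows 8.1 / Server 2012 R2 or later for the SMB cmdlets and an elevated session; the exact March 2017 cut-off date is an assumption, and the function name is hypothetical.

```powershell
# Added example (not the article's own code): report whether this host still
# looks exposed to the SMB flaw WannaCry used. Read-only unless -DisableSmb1
# is passed. Assumes Windows 8.1 / Server 2012 R2 or later, run elevated.
function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        # MS17-010 was released in March 2017 (per the article); the exact
        # Patch Tuesday date used as the cut-off here is an assumption.
        [datetime]$PatchCutoff = '2017-03-14',
        # Opt-in remediation: turn off the SMBv1 server protocol.
        [switch]$DisableSmb1
    )

    $result = [ordered]@{}

    # 1. Is the legacy SMBv1 protocol still enabled on the server side?
    $smb = Get-SmbServerConfiguration
    $result.Smb1Enabled = [bool]$smb.EnableSMB1Protocol

    # 2. Has any hotfix/security update landed on or after the cut-off?
    #    Get-HotFix reports KB numbers, not bulletin IDs such as MS17-010,
    #    so this is a coarse "patched recently at all" check, not proof
    #    that the specific fix is present.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff }
    $result.UpdatesSinceCutoff = @($recent).Count
    $result.LastUpdateInstalled = ($recent |
        Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn

    # 3. Is an SMB listener bound on TCP 445 at all?
    $result.Smb445Listening = [bool](Get-NetTCPConnection -LocalPort 445 `
        -State Listen -ErrorAction SilentlyContinue)

    # Optional remediation: disable SMBv1 and re-read the setting.
    if ($DisableSmb1 -and $result.Smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.Smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Exposed = old protocol still on AND nothing patched since the fix shipped.
    $result.Exposed = $result.Smb1Enabled -and ($result.UpdatesSinceCutoff -eq 0)
    [pscustomobject]$result
}

Test-WannaCryExposure | Format-List
```

A host reporting Exposed = True should be patched (and SMBv1 turned off) before it is reconnected to a shared network; a False result only means the coarse checks passed, not that the host is fully up to date.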

At the time of writing, it is not known who orchestrated the attack or the identity of the Shadow Brokers who leaked the Eternal Blue exploit.

To find out more visit: https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0  

 

-Ends-
