Do you WannaCry?

By Michael Brown

Overview

What is WannaCry and how does it work?

WannaCry (aka Wanna, WannaDecryptor and WannaCyptor) is ransomware, which is computer malware that extorts money from you by requiring you to pay a ransom to access your own data. This past week it infected more than 250,000 computers in some 150 countries. Ransoms are paid in bitcoin with a starting price of US$300 (approximately £240) per machine. The price doubles every 72 hours until the files become unrecoverable after one week. Wanna infects not only your computer, but other computers connected to your office network. The ability of the code to replicate itself onto other machines classifies WannaCry as a ‘worm’.

While it’s worming its way into every other windows PC and server on your network, the virus methodically and silently goes through your filesystem and encrypts your files. Encryption is accomplished through a cipher called AES (128 bit key size) and is so strong it was chosen by the U.S. government to protect classified information. Each machine generates its own new random decryption key, which is sent to a remote server on the dark web (tor) controlled by hackers for future retrieval once the ransom is paid. The encryption algorithm and key size used makes it essentially impenetrable and is not feasible to decrypt the files without the key.

Macs and linux computers are immune to WannaCry.

How does it infect your computer

Although yet unproved, WannaCry probably makes its way, like most malware, into your network through an email attachment.  The initial executable loads new programs or payloads from the open internet, giving it the ability to refresh itself and change over time. Part of what makes WannaCry so dangerous and virulent is that it uses an exploit to infect other machines called EternalBlue and DoublePulsar. Both exploits were written by the National Security Agency (the US military intelligence organisation responsible for global collection of signal intelligence) and made public in April 2017 by a hacking group called Shadow Brokers. Eternal Blue and DoublePulsar are only a few of the hacking exploits made available on the open internet to hackers by the Shadow Brokers. One thing is for sure, we haven’t seen the last of these kinds of attacks.

Paying the ransom

Paying the ransom doesn’t actually mean that you’ll get your files back; there are unverified public reports of both cases happening. Remember you’re dealing with a criminal and you have no recourse if they don’t perform their part of the bargain.

Based on our analysis of the bitcoin block chain and public reporting, it looks like the owners of less than 1 in a 1000 infected computers have paid up.  There is evidence to suggest that retrieving the key after paying requires a person within the criminal gang to send the decryption key; surprisingly it seems like key retrieval is not automated.  This casts further doubt on whether a ransom payer might ever get their decryption key.

Impact and risk analysis

Ransomware typically has focussed on home users and historically lacked the necessary sophisticated attack techniques required to compromise servers within the enterprise environment. WannaCry targets both businesses and consumers. From a business perspective, the consequences of infection include (but are not limited to):

  • significant disruption to business operations;
  • loss of proprietary and customer data, possibly permanently;
  • financial loss; and
  • negative impact to business reputation.
  • Recommended infosec programs you should undertake

Email systems Just like most malware and computer viruses, it is believed that WannaCry enters an organisation through an infected email attachment. So as a first line of defence, firms should enable strong spam protection to mitigate phishing emails from reaching your staff in the first place. Your email systems should utilise Sending Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. Without these technologies, hackers can impersonate you and others through bogus emails. This puts your organisation at risk of a phishing attack. Think about one of your employees receiving an email asking them to do something from their manager or another person in a position of power within the organisation. If the mail looks genuine, there is a reasonable chance the action will be taken. Education Users should undergo periodic training to ensure that they are able to distinguish the subtle differential characteristics of a spear-phishing attack and social engineering scams and most importantly, what to do about when they encounter them. Identity and access control Ensure that a strong identity management system is in place and deploy the axiom of least privilege.

Technical prevention advice

Five immediate actions you need to take now if not already taken

  1. Make sure that every computer in your network is patched with Microsoft update MS17-010, and more generally have all critical windows updates installed.  If you cannot apply the patch to legacy systems, you need to shut down SMBv1 services and block TCP ports 139 and 445 and UDP ports 137 and 138.  Be advised that this will stop file and printer sharing from that server.
  2. Put in local host entry or an enterprise-wide entry for the domain “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” and ensure that it can connect to any host on TCP port 80.  In the current versions of the virus, this operates as a kill switch to prevent installation of the malware.  Wanna Cry is not proxy aware so installation of local host files will also work.
  3. Update all of the signatures on anti-malware software installed on all your machines.
  4. Be sure that files on fileservers are permissioned correctly so that most users aren’t able to re-write older files which should be archived.
  5. Ensure that backups are made and that some of them are stored offline in a computer or media not accessible from your internal network.

Remediating infection

If your organisation becomes infected, immediately shut down your computers and servers. Undertake following steps:

  • Activate and execute your cybersecurity incident response plan;
  • Implement your business continuity plan;
  • Contact your cybersecurity legal services firm to assist you;
  • Save forensic logs and provide them to the police;
  • Restore machine system and share files from protected backups from clean boot.