I wouldn’t normally write a post on this topic. However, there’s quite a lot being reported which doesn’t intentionally mislead but seems to leave certain facts open to interpretation. I was out doing a network install on Friday when the customer said to me, “The NHS has been hacked”. I was slightly puzzled, so I went over and had a look: it hadn’t been hacked, but it had most certainly suffered a large outbreak of the new WannaCry ransomware.
Now, this is where the misconceptions start. I’ve seen a lot of people saying on Twitter that it’s unbelievable that anyone would launch a cyber attack of any form on something like the NHS. They were saying things like “It’s like stealing money from an old lady” and “People could die as a result”. I can’t disagree with them. However, the fact is, it wasn’t a targeted attack. The malware itself is self-propagating, meaning it spreads by itself, so any computer that is vulnerable is at risk of getting infected.
The malware abuses a vulnerability in Microsoft code (described in MS17-010). This vulnerability affects SMB (Server Message Block) version 1, which is used for sharing files over a network. In order for a network to be infected, ports 139 and 445 need to be open to the internet, and the computer also has to be listening for inbound connections. This means that it is highly unlikely for a home user to get infected, as the ports won’t be forwarded through the router. However, if the ransomware is also distributed via email attachment (or hidden in a download etc.), then you can still be infected, as it doesn’t need to introduce itself to your device: you do it for it. Also, if one computer on a network gets infected, the ransomware can quickly spread to all the others (if they are vulnerable).
WannaCry (it goes by various names) encrypts all files on a target computer which match its list of file extensions (all the common file types). It then demands a ransom of $300, to be paid via Bitcoin to one of three hard-coded Bitcoin addresses. (Here’s a Twitter bot that posts when a payment is made to any of these addresses, along with the totals: $50,504 at the time of writing.) If payment isn’t made within three days the cost doubles, and after 7 days you apparently won’t ever be able to recover your files.
The futility of Anti-Virus
We should all have at least an anti-virus program installed on our computers. However, traditional anti-virus software operates using signatures. The problem here is that the AV vendor has to release a signature before the AV can block a threat. This effectively renders AV useless at instantly blocking new threats. Thankfully there are anti-ransomware programs which monitor for file encryption, and these work rather well. Anyway, that is a topic for another day.
This is probably the worst part about all of this: Microsoft released a patch for this vulnerability two months ago. If organisations had just updated their computers, then this wouldn’t have been possible. The problem is, it’s not that easy. Updating computers in organisations can be quite the nightmare due to management, time and/or budget constraints. Let’s look at this from another perspective. The vulnerability WannaCry abuses was discovered by the NSA and leaked in a data breach by the ShadowBrokers. It’s known as “EternalBlue”, and the NSA had developed a tool for abusing it. WannaCry also installs a backdoor which the malicious party can use to access the computer remotely. This backdoor is known as “DoublePulsar”.
When the ransomware finds a new host to propagate to, it first checks to see whether the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” is available. If it successfully connects, then it doesn’t proceed; however, if it can’t connect, then it proceeds to download and install both EternalBlue and DoublePulsar. Malware researcher @MalwareTechBlog accidentally discovered that this was a killswitch when he registered the domain to track the malware’s infection rates. This stopped the spread of the original version of the ransomware, though I believe there’s already a new version that doesn’t contain this killswitch.
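Two of the behaviours described above (the killswitch lookup before propagation, and the worm fanning out over SMB to every reachable host) leave traces a defender can hunt for. The following is an added example, not code from the original post: it scans constructed DNS query and network flow logs (the log formats are assumed for this example) for hosts that resolved the killswitch domain and for hosts contacting many peers on ports 139/445.

```python
"""Triage helpers for the WannaCry indicators in the post: hosts that look up the
kill-switch domain, and hosts fanning out to SMB (139/445) across the network."""
import re
from collections import defaultdict

# Kill-switch domain quoted in the post.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORTS = {139, 445}

# Assumed (constructed) log formats for this example:
#   DNS:  "<timestamp> <client_ip> <queried_name>"
#   Flow: "<timestamp> <src_ip> <dst_ip> <dst_port>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
FLOW_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def killswitch_lookups(dns_lines):
    """Map client_ip -> timestamps at which it queried the kill-switch domain.
    A trailing dot or mixed case in the queried name must not hide a hit."""
    hits = defaultdict(list)
    for line in dns_lines:
        m = DNS_LINE.match(line.strip())
        if m and m.group(3).rstrip(".").lower() == KILLSWITCH_DOMAIN:
            hits[m.group(2)].append(m.group(1))
    return dict(hits)

def smb_fanout(flow_lines, min_targets=5):
    """Map src_ip -> number of distinct hosts it contacted on 139/445, keeping only
    sources at or above min_targets (a worm scanning for vulnerable peers)."""
    targets = defaultdict(set)
    for line in flow_lines:
        m = FLOW_LINE.match(line.strip())
        if m and int(m.group(4)) in SMB_PORTS:
            targets[m.group(2)].add(m.group(3))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample logs: 10.0.0.23 behaves like an infected host.
DNS_LOG = [
    "2017-05-12T10:01:02 10.0.0.15 www.example.com",
    "2017-05-12T10:01:09 10.0.0.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    "malformed line",
    "2017-05-12T10:02:41 10.0.0.23 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM",
]
FLOW_LOG = [f"2017-05-12T10:01:{i:02d} 10.0.0.23 10.0.0.{i} 445" for i in range(30, 40)]
FLOW_LOG += ["2017-05-12T10:03:00 10.0.0.15 10.0.0.1 445",
             "2017-05-12T10:03:01 10.0.0.15 10.0.0.2 80"]

if __name__ == "__main__":
    for ip, times in killswitch_lookups(DNS_LOG).items():
        print(f"{ip} resolved the kill-switch domain {len(times)}x: isolate and investigate")
    for ip, n in smb_fanout(FLOW_LOG).items():
        print(f"{ip} contacted {n} hosts on SMB ports: possible worm lateral movement")
```

Because the killswitch check happens only while the worm is hunting for new hosts, a DNS hit identifies an already-infected machine, which is why the fan-out count is the earlier signal to alert on.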
How to stay safe
Unfortunately, there’s no way to guarantee you’ll never get infected, but if you do the following you can stay as safe as possible:
- Stay current with updates
- Use the latest version of the operating system
- Have a robust backup strategy (I recommend Backblaze for a simple solution)
- Don’t open suspicious attachments or emails
- Don’t expose ports to the internet wherever possible
- Restrict access to network resources; if the ransomware can’t access something, it can’t encrypt it.