On the 12th of May 2017 a global malware attack was identified. Targeting Windows computers all over the world, it would encrypt a user’s data and demand a ransom payment in Bitcoin. Wannacry, as the malware became known, was one of the worst recorded cyber attacks on record. Within a day the ransomware was reported to have infected over 230 thousand computers in over 150 countries.
Once installed on a device within a network, WannaCry was able to identify and spread itself to other vulnerable computers across the network by copying and re-executing code on the new machine. It was found that WannaCry made use of tools (EternalBlue and DoublePulsar) developed by the NSA (United States of America National Security Agency) that were leaked to the public earlier that year. EternalBlue and DoublePulsar could be used stealthily and would remain undetected by the user. Using exploits in the Server Message Block (SMB) on vulnerable machines, EternalBlue was able to install and execute DoublePulsar which acted as a backdoor route, giving the malicious actor further access to execute malware. Unlike more typical forms of malware which require the user to grant the software permission to activate, WannaCry was able to spread without any interaction from the user. This made WannaCry’s ability to spread and encrypt data much more severe, resulting in entire organisations being put at risk from one compromised machine.
The British National Health Service (NHS) was one organisation that was significantly impacted. Most equipment was designed to be used with Windows machines, meaning that when the malware infected the systems, it affected both desktops and equipment such as X-ray machines, ambulance routing systems, and the phone systems. This resulted patients being turned away and members of staff having to resort to using their own devices, paper, and pens. Fortunately, NHS data systems were backed up and systems were restored and running again the next day with admissions and appointments being the hardest affected areas.
Prior to the Wannacry attack, testing of the NHS systems found they did not reach cyber security standards. Updating these systems only occurred once the threat was proved undeniable by this potentially disastrous attack. One of the largest threats to cyber security can be a lack of funding causing institutions like the NHS to rely on the use of outdated systems. Even so, further testing since the WannaCry attack has revealed NHS systems failed cyber security vulnerability inspections, raising concerns over future cyber attacks.
In order to discourage future attacks and because there were no reports of data retrieval after payment, cybersecurity experts advised victims not to pay ransom. This appeared to be the right call as upon further inspection of the code, it was discovered the ransom payment system did not keep track of who paid. If a victim did pay there was no way to associate their payments to their encrypted data. In addition to this, there was no automatic way to decrypt a victim’s files within the malware.
Within the code itself, a “kill switch” was discovered. The program would check to see if a website was accessible and if it wasn’t, the program would begin encrypting the victims data, giving the attackers a way to stop the attack if they wished. A security researcher by the name of Marcus Hutchins discovered this and was able to stop the spread by registering a domain in the name of the aforementioned website, thereby stopping the malware from replicating.
Analysis by the FBI determined that the computer used to create the ransomware had Hangul (the Korean iconography) fonts installed and that the timezone was set to UTC+09:00, the timezone used within Korea. Security researchers including cyber-security companies Kaspersky Land and Symantec pointed out similarities in code between WannaCry and previous attacks by Lazarus, a notorious North Korean hacking group. Although this could be credited to a reuse of code or an attempt to frame North Korea, many countries including the UK, USA, and Japan; alongside private sector organisations such as Microsoft concluded that North Korea was likely responsible for the attack; The US going as far as to say they had evidence to suggest Kim Jong Un commanded the malwares release.
The attack was later described as being fully preventable. Microsoft developed patches but attacks were still occurring, likely due to a slow uptake in the patches being deployed. Kaspersky Labs estimated 230,000 computers were affected from 150 countries and the attack caused $4 billion worth of damage. Furthermore, a study in late 2018 suggested just under 30% of all ransomware attacks used WannaCry. This suggests that cybercriminals were still able to make use of new variants despite how long the malware had been patched for, likely owing to the fact that the malware was comparatively simple to iterate upon.
The best ways to mitigate a WannaCry attack involves the training of staff to identify suspicious links, email attachments, websites, and storage devices; alongside a more diligent security patching policy. IT departments should also ensure that portable devices used by employees have VPNs installed so they are protected if using public Wi-Fi. IT departments should also ensure that all devices on the network are up to date so any known vulnerabilities are patched. Finally it is important to have regular and tested data backed up so any data lost can be easily restored.
If you are worried you may be susceptible to cyber attacks, we at Awen Collective specialise in asset and vulnerability discovery, ensuring the security of your networks. Feel free to contact us for a no obligation chat today!