WannaCry Ransomware Outburst
May 2017 by ENISA
On May 2017, multiple companies and organisations around the world were hit by variations of a crypto-ransomware dubbed WannaCry / WannaCrypt / WanaCrypt0r / WCrypt / WCRY (here on called WannaCry for simplicity). The ransomware also acts as a worm and once it infects a system, it then self-propagates throughout the rest of the network. The ransomware campaign caused chaos due to its massive distribution, affecting more than 150 countries and infecting over 190,000 systems. Interestingly the attack was mounted on Friday 12th May 2017, just before the weekend, making it very difficult for companies and organisations to quickly react and resolve the crisis.
Background & Attack vector
Ransomware is one of the top threats identified in ETL 2016. Crypto ransomware is a type of malware that encrypts a user’s data and asks a ransom (in bitcoins) in order to decrypt them.
Users affected by WannaCry have their files encrypted. Each file is encrypted with a different encryption key. The criminals send a message to the affected user that they must pay a ransom of $300 (around €275) in Bitcoins. However, even after paying there is no guarantee that the files will be decrypted. According to the ransom note left by the ransomware, failing to do so within three days the ransom would be doubled ($600, approximately €550). Users unable to pay within six months would have their files decrypted for free. At the time of writing this paper the amount that the attacker received (from a review of his bitcoin wallets by ENISA) was approx. $50,000 (€45,000) paid by 199 victims
Ransomware usually spreads via phishing e-mails containing malicious attachments or hyperlinks. This deployment technique uses social engineering in order to mislead the recipient to activate the malware in their system.
In the case of WannaCry the initial threat and entry vector is not clear. There are two possible scenarios:
Phishing/spear-phishing was used as an initial attack vector followed by the worm-spreading functionality of the ransomware which exploited a Microsoft Windows vulnerability.
Internet scanning for systems vulnerable to a Microsoft Windows vulnerability and remote exploitation of the vulnerable systems.
The latter scenario is most probable due to the mass and rapid spread/deployment of the ransomware around the globe.
Infection & Propagation
What’s particularly interesting about the WannaCry ransomware variant is its successful worm-spreading functionality. It exploits an known SMB vulnerability (Server Message Block is a Microsoft Windows protocol for file-sharing over a network) and once a system becomes infected the ransomware propagates to the rest systems of a network and infects them if they are vulnerable. Moreover, it also scans for public IPs in its attempt to infect external networks as well. WannaCry ransomware exploits an SMB vulnerability (EternalBlue/DoublePulsar) that was revealed in the recent “Shadow Brokers” leak in April 2017. The leak contains hacking tools/cyber weapons allegedly owned or developed by the NSA.
Figure 1: Timeline of events
The fact that the ransomware essentially also acts as a worm is the main reason for its speed of propagation. This is not the first time such a worm-spreading approach has been seen. Conficker (2008) is another example of a worm exploiting an earlier Windows SMB vulnerability MS08-067 with a similar worm spreading technique, which effectively infected millions of computers around the world. The key difference is that WannaCry is encrypting files in the infected systems making the effects of the infection even more devastating. WannaCry is not the first “ransomworm” (ransomware and worm) either, Zcryptor and Alpha had worm spreading capabilities.
A few hours after the outbreak of the ransomware a security researcher managed to constrain the rapid spread of WannaCry by registering a domain identified in the binary code of the malware, which was used as a kill-switch. The registration of the domain enabled the kill-switch and slowed down the malware propagation. Since the malware was not proxy aware (ignoring the proxy settings of the machine), the kill-switch was not as effective as was initially thought to be. A few other variant/s with different kill-switches have already been identified.
ATM
Deutsche S-Bahn infected by WannaCrypt
WannaCry has spread through a massive campaign affecting over 190.000 organisations and companies around the world from different sectors. To name a few: Spanish Telecommunications company Telefonica, UK’s National Healthcare Service (NHS), Deutsche Bahn systems, Renault and Nissan and manufacturing plants, Universities etc.
Figure 3 Live map with ongoing infections 15.05.2017 15:30 GMT+2
Recommendations
If your system has been hit by the ransomware do not pay the ransom. It is highly probable that paying the ransom will not lead to the decryption of your files. There is evidence that people who have already paid the ransom have not had their files decrypted.
If are already hit by WannaCry ransomware and you are running one of the following Microsoft versions:
Windows 7 , Windows 8, Windows 8.1, Windows 10 with UAC and had shadow copies enabled prior to the infection you might be able to restore your files from shadow copy.
DO NOT click YES on the UAC prompt window appearing during infection.
See image below:
Figure 4 UAC WANACRY bypass prompt
The malware does not have a valid way of bypassing UAC so your shadow copies are never deleted.
You can disinfect the machine and then proceed in restoring all of your files using your shadow copies which are intact using this guide.
If your systems have not been hit by the ransomware, please apply the following recommendations as soon as possible:
Back-up and protect your systems and files
Patch your system with Microsoft’s patch which addresses the SMB vulnerability. Microsoft has published this patch since March 2017. In the event of the massive spread of the malware affecting legacy Microsoft Systems (e.g. Windows XP, Windows Server 2003) and Microsoft Windows 8, Microsoft released patches for these versions of Windows as well.
Update your Antivirus signature database to the latest version. Antivirus firms are now detecting all the current variations of the ransomware.
Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 from untrusted sources. Additionally, filter NetBIOS port 139 and RDP port 3389 in order to refrain WannaCry from infecting other devices in the same network segment.
CCN-CERT (Spanish CERT) has developed a Vaccine, which prevents WannaCry from executing and encrypting a system if the systems gets infected by WannaCry afterwards. Users can use this tool as an added layer of security besides the rest of the recommendation and not instead of them
If you are unable to patch your system disable SMBv1:
Powershell command:
PS H:> Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
or
Manual removal using Windows Add & Remove programs feature:
Add Remove Programs -> Turn Windows features on or off -> Untick SMB v.1
or consult:
Microsoft offers instructions on how to do this.
For detection purposes there are available different types of indicators of compromise.
Proactively please follow best security practices ensuring a good security hygiene:
Keep your operating system and installed software always up-to date
Apply security patches/updates as soon as they become available
Backup your systems/files following the 3-2-1 scheme. Verify that backups are fully operational
Do not open suspicious e-mails and attachments
Restrict access to network resources, block unnecessary ports, disable unnecessary services and segregate your network separating core operational systems from the rest of the network
General Recommendations for protecting against ransomware are provided in ENISA’s Info Note about Locky ransomware. More information on prevention measures against ransomware are provided here and here.
Observations & Conclusions
Even though the patches were available since March 2017, the impact is quite significant. It should be noted that the similar Conficker malware infection millions of users. This is because in particular cases patching is not that straight forward due to the type of work and characteristics of the systems in certain types of environments. For example, critical financial systems used by banks, stock markets or other organizations running legacy systems that would not risk in deploying such patch due to the potential negative impact.
The evolution of ransomware has been significant. From simple ransomware that locked the users’ systems, ransomware quickly moved to crypto-ransomware, then to ransomware with wiping capabilities (being able to spot and erase system backups) and finally to ransomworms with worm-spreading capabilities. It is now clear that after WannaCry the trend of ransomworms will rise and many improved copy-cats will appear aiming for a share in this lucrative business. Self-propagating ransomware and other types of malware with remote code execution capabilities are going to be the next big threat of cyber security. Adding the inherently insecure IoT devices to the equation, the consequences are more than foreseeable. Thus the world and Europe must learn from current events and be in a position to respond when the next crisis arrives.