![\"\"](\"https:\/\/www.vskills.in\/certification\/blog\/wp-content\/uploads\/2017\/06\/WannaCry-Ransomware-Analysis-01.png\")
<\/a><\/p>\nFigure 1: Example of WannaCry Ransomware Demand<\/p>\n
By around 4:00 PM on Friday, there were reportedly around 36,000 detections, which were spreading globally. There had been some conjecture on social media that a PDF was the cause of the infection, but this was found to be benign. Currently, there is speculation that the initial vector of the attack was through a phishing email. While this is a likely cause, this has not yet been confirmed, and it may take some time before the root of the infection comes to light.<\/p>\n
After numerous malware analysts around the world started to dissect WannaCry, it quickly came to light that WannaCry makes use of \u201cEternalBlue\u201d, the exploit, and \u201cDoublePulsar,\u201d the backdoor\/implant. The relevance of this finding is key, because back on the April 14th, a hacking group called \u201cShadow Brokers\u201d leaked a series of files that they claimed were stolen from the NSA.<\/p>\n
EternalBlue essentially is the exploit found in WannaCry that takes advantage of exploiting a core Windows networking protocol called Server Message Block (SMB). As SMB is so intertwined with numerous versions of Windows, this exploit can affect Windows XP up through Windows Server 2016.<\/p>\n
For reference, this vulnerability was addressed in Common Vulnerabilities and Exposures (CVE) ids CVE-2017-143 through 148. Microsoft did, in fact, release a patch for this vulnerability on March 14th (in Security Bulletin MS17-010); however, companies that did not apply this patch have been vulnerable ever since. Despite Windows XP being already past end\u2013of-life, Microsoft issued an emergency patch to address this vulnerability on Friday night. This was done as a good-will deed in order to help customers who are still running Windows XP to avoid the spread of WannaCry.<\/p>\n
By Friday night, the National Crime Agency, Interpol, and numerous other organizations around the world had issued statements to notify and warn businesses in their corresponding countries of the wide-scale attack. Below is a map of infections that had occurred between Saturday (May 13th) and Sunday (May 14th). By that time, around 60,000 computers in 74 countries were infected. Companies in many industries were affected including: global shipping, auto manufacturers, health care, and educational institutions.<\/p>\n
By Saturday afternoon, Edward Snowden had commented on the drama underway. Snowden made a clear statement about NSA involvement in the attack: \u201cDespite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost.\u201d<\/p>\n By Sunday evening, the BBC had reported that there are now more than 200,000 computers infected in over 150 countries, according to Europol. Microsoft later blamed WannaCry on \u201cNSA Vulnerability Hoarding Program.\u201d<\/p>\n As of Monday morning, BlockChain reports the following statistics showing how many transactions and the resulting BitCoin balance for each of the three BitCoin addresses supplied within the malicious file. This translates to approximately $51,290 in revenue for attackers.<\/p>\n Figure 3. Bitcoin Payments for WannaCry Ransom (via https:\/\/blockchain.info)<\/p>\n When the malicious file is run, a number of things happen. First, a call is made to a host. If the connection is successful, the program exits. (Refer to the \u201cKill Switch\u201d section further down for more.) A Windows service called the \u201cWindows Security Center Service\u201d is created, and shadow copies (which are a snapshot\/backup technology built into Windows) are then deleted.<\/p>\n There are notably three unique Bitcoin addresses, which are used to collect the ransom funds. The communication is first setup using Tor, which is a known program that helps achieve anonymity online.<\/p>\n Files are then modified and all users are given full access rights, and then encrypted. Each file name is appended with the extension WNCRY. For example, if you have a Word document saved as \u201cfinance.docx,\u201d this would then be renamed and encrypted to become \u201cfinance.docx.wncry.\u201d<\/p>\n As WannaCry uses Microsoft Enhanced RSA and AES cryptography, what this essentially means is that only after the ransom is paid (which is between $300 and $600), the files will then become decrypted and readable once more. Despite reclaiming files, the integrity of the system by this time would be severely impacted\u2014the user or company would still be looking to restore from backup, until such time that a decryption tool is released.<\/p>\n A researcher known as \u201cMalwareTech\u201d on Twitter discovered that the domain name that WannaCry tries to first connect to was unregistered. After researching further, he decided to register the domain name. This had a fast-acting impact, because doing so essentially stopped WannaCry from running any subsequent steps. The only caveat of the kill switch is that infected systems that connect through a proxy server out to the Internet are, in fact, still vulnerable.<\/p>\n Due to the widespread impact and scale of this attack, it is advised that anyone running Windows XP through to Server 2012, apply the MS17-010 emergency patch issued on Friday.<\/p>\n For Windows environments that are still utilizing the SMB networking protocol, it is strongly advised that you consider whether it is viable to disable SMB version 1 at the earliest opportunity. Caution should be taken as there may be legacy applications in the environment that depend on SMBv1.<\/p>\n In addition, it is recommended that any hosts that are externally accessible over SMB have inbound traffic for ports 139 and 445 blocked, even at the host firewall level.<\/p>\n – LogRhythm<\/p>\n \u00a0<\/p>\n Students or Professionals engaged in cyber security, can use the below links to be updated on Security related issues<\/p>\n Tutorials for Cyber Security<\/a><\/p>\n Practice Test on Cuber Security to assess your knowledge<\/a><\/p>\n<\/a><\/p>\nFigure 2: A Map of WannaCry Infections as of Sunday, May 14th (via @malrhunterteam)<\/pre>\n
<\/a><\/p>\nHigh-Level Technical Overview<\/strong><\/h4>\n
The malicious file then extracts numerous other files, which include multi-lingual files containing the ransom note in 28 different languages, a background display image which gets set as the background\/wallpaper for the infected system (shown below), and several other files which play a part in the encryption, communication and decryption stages.
<\/a>Figure 4. Background Image Used for Infected Systems<\/pre>\nThe Kill Switch<\/strong><\/h4>\n
Advice for Defending Against WannaCry<\/strong><\/h4>\n