On 12th May 2017, cybercrime hit a new record: more than 230,000 computers across 150 countries were infected within a span of 48 hours. This ransomware cyber attack is a stark reminder of the importance of cyber security in the 21st century.
SO WHAT IS WannaCry?
The WannaCry ransomware, also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor, is a ransomware computer worm that primarily targets the Microsoft Windows operating system. It encrypts all data on the system and demands a ransom payment to decrypt the data in the cryptocurrency bitcoin, which is virtually impossible to trace.
The initial delivery of the ransomware is likely to be through phishing or other simple mechanisms: a user clicking on a link, opening an archive or opening an email attachment is the likely cause of infection on the first system. When executed, the malware encrypts the system’s data and then attempts to exploit the SMB vulnerability to worm out to other computers on the same network or to random computers on the Internet. The WannaCry payload is an executable file that displays a message informing users that their data has been encrypted, and demands a payment of around $300 in bitcoin within 72 hours, double that within 144 hours, after which their data would be permanently lost.
Microsoft had issued a patch on 14th March 2017, nearly two months before the attack, to remove the vulnerability from all supported systems, but many organizations had not yet applied it.
HOW DOES THIS RANSOMWARE WORK?
The ransomware uses exploits such as EternalBlue and DoublePulsar, among many other tools that were apparently leaked from the NSA by the hacker group that goes by the name “The Shadow Brokers” on April 14th 2017. EternalBlue exploits a vulnerability in Microsoft’s SMB (Server Message Block) protocol. SMB is designed to enable access to shared directories, files, printers and serial ports, among other resources, within a network and also across the internet.
EternalBlue and DoublePulsar come from the same exploitation framework. DoublePulsar is a persistent backdoor that can infect endpoints to provide unauthorized access to its operators. It enables a remote attacker to send malware to the target endpoint and execute it without the owner’s knowledge or permission. DoublePulsar’s ability to open the backdoor and inject arbitrary Dynamic Link Libraries (DLLs) into user-mode processes relies on exploitation of the SMB protocol.
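As an added defensive example (not part of the original post), the PowerShell below audits a Windows host for the conditions this worm relied on: the SMBv1 server still enabled, the March 2017 patch missing, and TCP port 445 reachable from untrusted networks. The KB identifier is a placeholder because the page does not name it, and the firewall rule assumes the host does not need to serve SMB on the Public profile.

```powershell
# Added example: audit and harden the SMB attack surface used by WannaCry.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration needs the built-in SmbShare module).
$PatchKB = 'KBxxxxxxx'   # placeholder: KB id of the 14 March 2017 SMB fix for this OS

# 1. Is the SMBv1 server protocol still enabled? EternalBlue targets SMBv1.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is ENABLED - disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output 'SMBv1 server already disabled.'
}

# 2. Remove the optional SMB1 feature so it cannot be switched back on by accident.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMB1Protocol feature removed (reboot required).'
}

# 3. Is the vendor patch installed?
if (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) {
    Write-Output "$PatchKB is installed."
} else {
    Write-Warning "$PatchKB not found - host remains exposed to the SMB vulnerability until patched."
}

# 4. Block inbound TCP 445 on the Public profile so an infected peer cannot reach this host.
#    Assumption: this machine does not serve file shares to public networks.
$ruleName = 'Block inbound SMB (WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
    Write-Output 'Inbound SMB blocked on the Public profile.'
}
```

Hosts that still need SMBv1 for legacy devices should be isolated on a separate segment rather than left exposed, and the patch check should be repeated after every maintenance window.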
According to wikipedia.org, the attack affected many National Health Service (NHS) hospitals in England and Scotland and up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment. The organizations affected by this ransomware also include the Governments of Kerala, West Bengal and Gujarat, the Andhra Pradesh Police, the Ministry of Internal Affairs of the Russian Federation, Hitachi, Renault and many more.
According to Kaspersky Labs, the four most affected countries were Russia, Ukraine, India and Taiwan.
Nived Velayudhan | Technical Consultant | ipsr Solutions Limited