Wanna Cry?

On May 12, 2017, an unprecedented outbreak of a ransomware attack took the world by surprise, affecting more than 200,000 systems in more than 150 countries (as of 16th May, 2017).

The attack, known as the “WannaCry” ransomware attack (also known as WannaCrypt/WannaCryptOr 2.0/Wanna Decryptor), is an ongoing cyber attack targeting the Microsoft Windows operating system. The attack affected many National Health Service sites, crippling more than 70,000 devices including computers, MRI scanners, blood storage refrigerators and even theatre equipment. Nissan and Renault had to stop production as a result of the compromise of their systems by the WannaCry ransomware attack.

What is WannaCry? : The things you need to know

WannaCry belongs to the class of ‘Trojan’ attacks called “ransomware”.

Ransomware attacks work by blocking access to data and demanding payment from the user in order to regain access to his/her data.

In the case of WannaCry specifically, most or even all of the user’s files are encrypted and the user is asked to pay a sum of $300 within 3 days in order to decrypt the files and regain access to them. If the user doesn’t pay the $300 within 3 days, the ransom amount goes up to $600. After seven days, if the payment has not been made, the files are permanently deleted.

Below is a screenshot of an affected system:

Image courtesy: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

Technical details of the attack:

Type of attack: Ransomware

Target OS: Microsoft Windows

Medium of spreading: Phishing e-mails

Vulnerability exploited: Windows SMB remote code execution

CVE ID: CVE-2017-0144

Microsoft Security Bulletin ID: MS17-010

CVSS score of the vulnerability: 9.3

Impact: Critical


The Attack Vector & the Vulnerability

WannaCry is facilitated by the ‘EternalBlue’ exploit and the ‘DoublePulsar’ backdoor. Both were developed by the U.S. National Security Agency (NSA).

EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability allows remote code execution when an attacker sends specially crafted messages to a Server Message Block 1.0 (SMBv1) server.

This vulnerability is not a zero-day flaw, in the sense that Microsoft had already released a security patch two months before the attack.

Check out the Microsoft Security Bulletin for the patch:

Image courtesy: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

Unfortunately, not everyone installed the patch, and those who didn’t became the victims of the attack.


The Impact

‘WannaCry’ ransomware has wreaked havoc across sectors like healthcare and telecommunications in more than 100 countries. Over the weekend, the ransomware hit systems in over 100 countries, including Russia and the UK. In Spain, major companies including the telecommunications firm Telefonica have been infected. The most disruptive attacks were reported in the UK, where hospitals and clinics were forced to turn away patients after losing access to computers. Nissan and Renault had to stop production in the UK as a result of the compromise of their systems by the attack.

Image courtesy: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

The attack message was spread in a number of languages.

Image courtesy: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

In India, a few systems of the police department in Andhra Pradesh were impacted. The state government has been instructed to follow the advisory of the Indian Computer Emergency Response Team (CERT-In). The Ministry of Electronics and Information Technology (MeitY) has also warned RBI, the National Payments Corporation of India, NIC and UIDAI about the attack and asked them to protect their systems, in order to ensure the safety of the country’s digital payments infrastructure, and has instructed CERT-In to look into the attack and its prevention and mitigation measures.

“MeitY is keeping a close watch on the developments on the ransomware and is working in close coordination with all relevant agencies,” it said in a statement.

Experts fear that the situation could get worse in India, as a number of systems in India run on older versions of Microsoft Windows and have not yet been updated.

“It is important that users keep their systems updated and take a proactive approach to security rather than a reactive one,” Pradipto Chakrabarty, regional director at CompTIA India, said.


The Kill Switch

On Saturday, May 13th, a 22-year-old security researcher named Marcus Hutchins, who goes by the blog name “MalwareTech”, accidentally slowed the spread of WannaCry when he promptly registered an unregistered domain which the attack sample queried. Read the full story in his blog post:

What Do The Experts Say?

Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened”.

According to Graham Cluley “The U.S. Intelligent Services could have done something ages ago to get this problem fixed and they didn’t do it”.

Arne Schönbohm, President of Germany’s Federal Office for Information Security, stated that “the current attacks show how vulnerable our digital society is. It’s a wake-up call for companies to finally take IT-security seriously”.

Microsoft president Brad Smith wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

James Scott from the Institute of Critical Infrastructure Technology said that “health care sector staff has no cyber-hygiene training. They click on phishing links all the time. The sad thing is they weren’t backing up their data properly either, so that’s a big problem. They should be doing that all the time.” He also said that “you’re only as strong as your weakest link within your organisation from a cyber-perspective”.


What Can You Do?

WannaCry ransomware guidelines to stay safe:

  • Be careful not to click on harmful links in your emails.
  • Be wary of visiting unsafe or unreliable sites.
  • Never click on a link that you do not trust, whether on a web page, on Facebook, or in messaging applications such as WhatsApp.
  • If you receive a message from a friend with a link, confirm with them before opening the link (infected machines send random messages with links).
  • Keep your files backed up regularly and periodically.
  • Be aware of fraudulent e-mail messages that use names similar to popular services, such as PayePal instead of PayPal, or popular service names with missing or extra characters.
  • Use anti-virus software and always keep it updated.
  • Make sure your Windows installation has the latest update, which closes the gap.

If you can’t update your Windows, turn off SMBv1. Follow these steps:

  1. Go to Control Panel > Programs and Features > Turn Windows features on or off.

Image courtesy: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/wanna-cry-ransomware/5afdb045-8f36-4f55-a992-53398d21ed07

  2. Uncheck the box that says “SMB 1.0/CIFS File Sharing Support”.

Image courtesy: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/wanna-cry-ransomware/5afdb045-8f36-4f55-a992-53398d21ed07

  3. Restart your computer.
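The three steps above are the point-and-click route. For an administrator who has to check many machines, the same mitigation can be audited and applied from an elevated PowerShell prompt. The script below is an added example, not part of the original post or of any Microsoft guidance; it checks whether the SMBv1 feature and the SMB server’s SMB1 setting are on, looks for the MS17-010 update by KB number (the KB number is a placeholder you must replace with the one for your Windows version from the MS17-010 bulletin), and only disables SMBv1 or blocks inbound port 445 when you ask it to with the switches.

```powershell
# Added example (not from the original post): audit and optionally remediate
# the exposure the post describes: SMBv1 enabled and MS17-010 not installed.
# Run from an elevated PowerShell prompt on Windows 8.1/10 or Server 2012 R2+.
# The KB number below is a placeholder (assumption): take the one for your
# operating system from the MS17-010 bulletin.
[CmdletBinding()]
param(
    [string]$Ms17010Kb = "KB<number-from-MS17-010-for-your-OS>",  # placeholder
    [switch]$Remediate,   # actually disable SMBv1
    [switch]$Block445     # also block inbound TCP 445 at the host firewall
)

function Get-Smb1Status {
    # The optional feature is the checkbox shown in the post's screenshots.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # The SMB server configuration is a separate switch for the server service.
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState      = if ($feature) { $feature.State } else { "Unknown" }
        ServerSmb1Enabled = if ($server) { $server.EnableSMB1Protocol } else { "Unknown" }
    }
}

function Test-Ms17010Installed {
    param([string]$Kb)
    # Get-HotFix lists installed updates. On Windows 10 the fix may have arrived
    # inside a later cumulative update under a different KB, so treat "not found"
    # as "verify manually", not as proof that the machine is exposed.
    $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Disable-Smb1 {
    # Stop the server from speaking SMB1 immediately, then remove the feature
    # (the removal completes at the next restart, as the post's step 3 says).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Host-firewall rule for inbound SMB; this also blocks legitimate file
    # sharing to this machine, so use it only where that is acceptable.
    New-NetFirewallRule -DisplayName "Block inbound SMB (TCP 445) - WannaCry mitigation" `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

$status = Get-Smb1Status
Write-Host "SMB1 optional feature : $($status.FeatureState)"
Write-Host "SMB1 server enabled   : $($status.ServerSmb1Enabled)"
if (Test-Ms17010Installed -Kb $Ms17010Kb) {
    Write-Host "MS17-010 ($Ms17010Kb) : installed"
} else {
    Write-Host "MS17-010 ($Ms17010Kb) : not found - verify manually"
}

if ($Remediate) {
    Disable-Smb1
    Write-Host "SMBv1 disabled; restart the computer to finish removing the feature."
}
if ($Block445) {
    Block-InboundSmb
    Write-Host "Inbound TCP 445 blocked at the host firewall."
}
```

Run it with no switches first to see the current state; then `.\Check-Smb1.ps1 -Remediate` to apply the same change as steps 1 to 3, and add `-Block445` only on workstations that do not need to serve files. Disabling SMBv1 closes the protocol the exploit targets, but installing the MS17-010 update remains the real fix, since the update also protects machines that must keep SMBv1 for legacy devices.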

How to Accidentally Stop a Global Cyber Attacks

Featured image courtesy: http://www.techrum.vn/chevereto/images/2017/05/14/1St4B.jpg