On May 12, 2017, an extremely powerful new variant of ransomware called WCry 2.0 (WannaCry, Wanna Cryptor, etc.) spread to many organizations around the globe, affecting nearly 100,000 victims in 90+ countries in its first day. WCry 2.0 infected at least 16 UK hospitals, causing some to turn away patients. It affected telcos in Spain, FedEx, the Russian Ministry, and even the computers that displayed train schedules in Frankfurt.
At a high level, this new ransomware variant looks very similar to others. However, it also exploits a Windows networking flaw to spread more aggressively, like a worm. Specifically, it leverages a flaw that the Shadow Brokers leaked from the NSA called ETERNALBLUE, which Microsoft identifies as MS17-010. This worm-like network spreading capability is likely what helped this ransomware spread more quickly than many other ransomware variants.
While it’s still unknown who the original attackers are, the techniques used suggest that this was actually a normal criminal ransomware campaign. I don’t believe these attackers are specifically targeting the NHS or telcos. Rather, it’s a criminal malware campaign that seems to be especially effective, likely due to its use of the leaked NSA flaw.
What are the key takeaways from the WCry attacks? What can we learn from all this?
1. Patch quickly – This ransomware allegedly uses an old Windows SMB networking flaw to spread automatically within networks. Specifically, the MS17-010 vulnerability related to recent NSA exploit leaks (ETERNALBLUE). Microsoft fixed that flaw back in March, so if you had patched it then you’d be safe from this aspect of the attack.
2. Reexamine outdated software – If you still leverage outdated systems, you can’t patch. Some of the hospitals infected by this variant still use Windows XP, which is unsupported. Microsoft released a “highly unusual” patch for Windows XP and other older Windows versions for this vulnerability. However, if you use outdated software, you need to realize you are putting yourself at risk, since you normally can’t fix vulnerabilities. Granted, there are circumstances that make it hard for organizations to get rid of old systems. Nonetheless, you should realize the risk outdated software poses, and if you can’t get rid of it, realize you’ll have to do more to protect it. If you still can’t update, Microsoft has instructions for how to totally disable SMBv1 on your system.
3. Develop disaster recovery and business continuity plans – Incidents like these show us how dependent we are on our computers and digital information. Whether because of an electrical outage, a flood, a break-in, or a ransomware attack, your digital systems are at risk of being knocked offline. That’s why every organization needs a disaster recovery and business continuity plan. Obviously, data backup is a very important part of these plans. Major incidents like this ransomware example seem to suggest that many businesses and organizations haven’t spent much time planning for a disaster. While having a plan won’t make a disaster any more pleasant, it should at least allow you to recover more quickly. If you can only do one thing, at least back up your data.
4. Utilize layered defense – No defense is perfect, and different defenses can catch different aspects of an attack. Your best chance at protecting yourself is to implement layered defense. Traditional antivirus (AV) can help, but new malware, like WCry 2.0 and other recent examples, can often get past these defenses in the first few days or hours it’s released. While you should use AV, you need to bolster it with other defenses as well. For instance, Intrusion Prevention Services (IPS) could have caught and blocked the Windows SMB exploit this attack uses. Web and email security services may have blocked the sites distributing this threat, or caught the malicious files in emails used to spread it. Most importantly, advanced malware detection products can catch these new malware variants immediately, well before signature solutions catch up.
5. Invest in advanced malware protection – Traditional malware detection is pattern-based. The system must first see a new piece of malware before it can create a signature to stop it. This sort of reactive security will not immediately catch new malware variants like WCry 2.0. Furthermore, attackers regularly repackage their malware to continually evade these signatures. That’s why more modern malware detection solutions use behavioral analysis to catch malware instead. Ransomware can change the way its file looks, but it can’t really change what it does. Advanced malware solutions can often catch brand new malware variants like this one immediately. While no solution is perfect, if you really want to catch the latest malware, you need more advanced solutions that leverage behavioral detection to catch new threats.
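Takeaways 1 and 2 both come down to two checks on each Windows host: is the MS17-010 update installed, and is the SMBv1 server still turned on? The script below is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session, uses the cmdlets and registry value Microsoft documents for SMBv1, and leaves the KB number as a placeholder because the correct update differs per OS build.

```powershell
# Added example: audit (and optionally remediate) a host's MS17-010 / SMBv1 exposure.
# Assumes an elevated PowerShell session. Run with -Remediate to actually disable SMBv1.
param([switch]$Remediate)

# Placeholder, not a real KB id: fill in the MS17-010 update that matches this OS build.
$ms17010Kb = 'KB<MS17-010 update for this OS build>'
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the MS17-010 update installed? Get-HotFix only lists updates that carry a KB id.
$fix = Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue
if ($fix) { "MS17-010 update $ms17010Kb installed on $($fix.InstalledOn)" }
else      { "WARNING: $ms17010Kb not found; the SMBv1 flaw is likely still unpatched here" }

# 2. Is the SMBv1 server enabled? Windows 8 / Server 2012 and later expose it as a
#    server-configuration property; Windows 7 / 2008 R2 only have the registry value.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $smb1On = ($null -eq $val) -or ($val.SMB1 -ne 0)   # absent value means SMBv1 is on
}
"SMBv1 server enabled: $smb1On"

# 3. Optionally turn SMBv1 off. A reboot completes the change on every Windows version.
if ($Remediate -and $smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 8.1 / 10 also ship SMBv1 (client and server) as an optional feature.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    "SMBv1 disabled; reboot to complete"
}
```

Disabling SMBv1 breaks anything that still depends on it (old NAS appliances, legacy scanners), so audit first and remediate in a maintenance window.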
If you’re a victim of the latest ransomware, what are some tips?
• First, remove infected computers from your network as quickly as possible. The WCry attacks leverage a Windows networking vulnerability to spread to many computers in a network. You want to separate compromised computers from the rest of your network as quickly as possible to avoid further infection.
• Second, keep your encrypted files for a few weeks. If you don’t have backups, there is still a very small chance you can get your files back. A lot of modern ransomware uses solid encryption ciphers that the industry can’t break. However, there are still plenty of malware authors that mess up. At least one researcher has tweeted that WCry 2.0 might have done its encryption in a way that researchers might be able to crack. Don’t bank on this, but keep your encrypted files around just in case a researcher does figure out a way to recover them.
• Most importantly, don’t pay the ransom. But, I can’t hold everyone to this. If you are a hospital trying to save critical patients, you have a different set of priorities than most. Nonetheless, realize that every victim that pays this ransom reinforces that these attackers’ tactics are lucrative. The reason ransomware is so prevalent is that criminals are still making millions from it. Paying the ransom ensures that criminals will continue these attacks in the future.
This incident makes me think of two security predictions I had for 2017. The first was to expect a “ransomworm” — ransomware that leverages worm-like exploits and techniques to spread internally. My other prediction was that the “Cyber Cold War” would have civilian casualties. By that, I meant that vulnerabilities and exploits that nation states have been stockpiling would eventually get used in an attack against a private business or organization. Two days into the outbreak, Microsoft published a blog post calling for “urgent collective action to keep people safe online” and criticizing the practice of governments stockpiling vulnerabilities.
In general, I do not think nation states should conceal flaws from manufacturers in order to stockpile zero day exploits. There is no guarantee that a malicious criminal actor, or an adversarial nation state, won’t also find the flaw. Thus, hiding it from the vendor leaves everyone at risk! Furthermore, the NSA leaks prove that nation states can’t even safeguard their zero day repositories. As a result, many private companies suffered from an exploit that might have been fixed much earlier if it hadn’t been hidden. I think nation states should spend more time fixing all the security and software holes, rather than hiding them to use for their own purposes. Eventually, all vulnerabilities leak.