The WannaCry Ransomware of Friday 12th May: Lessons Learnt
You're probably already well versed in what ransomware is; you know you have to keep systems patched, and that your users are the main weakness in all the security measures you put in place to stop this happening to the systems you administer. You either know, or hope you know, the steps to take if it does happen, and it is happening more and more.
The ransomware attack on Friday 12th May was global news: it affected IT systems across 74 countries, including the NHS in the UK, FedEx in the US and Telefonica in Spain. Russia was also hit particularly hard.
So, what happened?
Contrary to initial beliefs, it is now thought that the method used to infect systems was not an email attachment, and that the systems most affected were not legacy Windows XP and Server 2003 machines but unpatched Windows 7 and Server 2008 systems. That is because the malware's implementation of EternalBlue is ineffective on Windows XP and Windows Server 2003: it simply would not work reliably there. The delivery method was a simple search for internet-exposed SMBv1 systems that had not yet applied Microsoft's March fixes.
As we know, a UK-based infosec bod found the kill switch by chance and thus stopped the spread of the attack. The part that is not yet fully understood is who did this, and why. Monitoring of the Bitcoin wallets into which the ransom payments were to be made shows that they totalled around $90,000: not a small amount, but compared to the number of infected computers, was it worth it? Especially as the attackers hit pretty much every country, leaving them few places to hide.
So, in summary: the outfits infected by WannaCry were most likely compromised using EternalBlue via an externally exposed SMBv1 service – so never use SMBv1, and never expose your file servers to the internet – and then the DoublePulsar backdoor was deployed to take full control of the box and allow it to be remotely controlled. From that foothold, WannaCry could be deployed, using both cyber-weapons to move through the organisation's Windows 7 and Server 2008 computers.
There is nothing stopping someone releasing the virus again, minus the kill switch of course, and there have been some reports that this has already been done. Making sure you are up to date with patches is essential, as is end-user education, to try to stop the initial execution of code within your systems. Double-check that SMB is not accessible from outside your network, too.
How can FCS help?
As well as the above, you could look at email security software to help filter emails before they reach the end user and your systems. Our backup service is air-gapped from your systems, so if the worst does happen you can be sure your data is safe and recoverable offsite with us. Lastly, most organisations cannot afford to be without their key systems for very long: the NHS had to revert to pen and paper in some areas for a while. We can provide a Disaster Recovery solution for some or all of your IT systems. A simple dashboard gives you the ability to recover your systems offsite in our data centres, quickly and simply.
Here are some quick links to much more technical details:
· Cisco's Talos team has dissected the malware, describing its components.
· A scrapbook page linking to samples of the malware, its command-and-control addresses, Bitcoin wallet addresses for ransoms, and so on.
· A decrypted sample of the software nasty is here.
· An exploit for MS17-010 written in Python with example shellcode. This is based on the EternalBlue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code: a 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijack the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.
· A recent comprehensive guide to WannaCry/WannaCrypt covering the spread and examining whether it's still a threat today can be found here.
· MalwareBytes has a study of the worm component, here.
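The checks this post recommends (MS17-010 applied, SMBv1 off, ports 139 and 445 not reachable) as one audit script for the Windows 7 / Server 2008 R2 hosts that were hit hardest. This is an added example and not code from the original post or from FCS; it assumes an elevated PowerShell session, and the two KB numbers are assumed to be the MS17-010 updates for those releases and must be checked against the bulletin before you rely on them.

```powershell
# Added example (not from the original post): audit a Windows 7 SP1 / Server 2008 R2
# host for the conditions WannaCry needed and, with -Fix, disable SMBv1 the way
# Microsoft documents for those releases (registry value + service dependencies).
# Assumptions: elevated session; KB numbers are assumed MS17-010 updates, verify them.
param([switch]$Fix)

$Ms17010Kbs = @('KB4012212', 'KB4012215')   # assumed: Security Only / Monthly Rollup
$SrvParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientDrv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

# 1. Patch level: either of the listed updates closes the SMBv1 bug.
$hit = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($hit) { "PATCH  ok    $($hit.HotFixID -join ', ') installed" }
else      { "PATCH  FAIL  none of $($Ms17010Kbs -join ', ') installed" }

# 2. SMBv1 server: the SMB1 value under LanmanServer\Parameters; absent means enabled.
$smb1 = (Get-ItemProperty $SrvParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) { "SMB1   ok    server-side SMBv1 disabled" }
else             { "SMB1   FAIL  server-side SMBv1 enabled" }

# 3. SMBv1 client driver: start type 4 means disabled, anything else loads it.
$start = (Get-ItemProperty $ClientDrv -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) { "MRXSMB ok    SMBv1 client driver disabled" }
else              { "MRXSMB FAIL  SMBv1 client driver enabled (Start=$start)" }

# 4. Listening sockets: if 139/445 are open the host must be blocked at the perimeter
#    and, where possible, restricted on the internal network.
foreach ($port in 139, 445) {
    $open = netstat -ano -p TCP | Select-String ":$port\s+\S+\s+LISTENING"
    if ($open) { "PORT   WARN  TCP $port listening; confirm it is not reachable externally" }
    else       { "PORT   ok    TCP $port not listening" }
}

if ($Fix -and ($smb1 -ne 0 -or $start -ne 4)) {
    # Microsoft's documented SMBv1 disable for Windows 7 / 2008 R2; a reboot applies it.
    Set-ItemProperty -Path $SrvParams -Name SMB1 -Type DWORD -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    "SMBv1 server and client disabled in the registry; reboot to apply."
}
```

Run it without -Fix first to see the findings, then with -Fix only on hosts where nothing still depends on SMBv1, since the client-side change will break access to SMBv1-only shares.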