Malware is nothing new and WannaCry is no exception. What makes it different however is its inclusion of some Government Developed hacking tools that make it pretty potent. Although it is the new kid on the block that has caused some serious problems for companies and organization in recent months it can be avoided. In the following article, we'll explore what WannaCry actually is, where it came from and methods of preventing infection and dealing with it if you do become infected. It should be noted that malware can change fairly quickly over time and some of the following methods may have become obsolete at the time of reading. Paid for anti-virus products and OS updates are good, but they are not sure-fire methods of keeping yourself immune.
So what is WannaCry Ransomware?
WannaCry, or WannaCry Ransomware attack (Wannascrypt, WCry, WannaCryptor 2.0, WannaCrypt, WCrypt) is an ongoing cyber attack from a worm that targets Windows operating systems. This piece of malware first appeared in April 2016 and it uses National Security Agency (NSA) developed hacking tools. It generally includes a zero-day exploit that explores firewall, Windows system and antivirus software vulnerabilities. Encrypting Ransomware is nothing new but this new strain managed to lock down systems around the globe on May the 12th 2017.
Zero-day exploit vulnerability is an undisclosed computer software vulnerability that can be used by hackers to adversely affect computer programs, data and even other computers on the same network. Once infected your files are encrypted and to decrypt them you need to pay a ransom in bitcoins. Bitcoin is a form of cryptocurrency or digital currency if you are not aware.
WannaCry targets users big and small, large companies are not immune from it. Most of the larger organizations attacked include Telefonica, a Spanish broadband, and telecommunications provider with operations across Europe, Asia, and the Americas. The National Health Service in the United Kingdom is another high profile example. FedEx, Deutsche Bahn, and LATAM Airlines are other larger organizations that have been affected by WannaCry. Reports indicate that over 150 countries have shown a significant amount of activity from the malware.
Example ransom message [Image Source: LinuxAndUbuntu]
What does it do?
Once it has breached the user's security, the ransomware encrypts the user's files. This encryption is virtually unbreakable. Once infected the malware posts a message on the user's screen informing them that they need to pay a ransom to decrypt their files. This is usually around $300 in Bitcoin. The message also includes two clocks on the screen to tell the user how much time remains. If the timer runs out, the user must pay double the ransom. The time limit is usually around 3 days. There is also a countdown that warns of permanent deletion of encrypted files which is usually a week.
How dangerous is it really? Are people over-reacting?
The last round of attacks took control of users' files and it spread to 100 countries including Spain, France, and Russia. Headlines were made when The UK's National Health Service was particularly badly hit. 48 NHS trusts became victims and 13 NHS bodies in Scotland were also exploited. The attack was so serious that some hospitals were forced to cancel procedures and appointments. Ambulances were relocated to hospitals where the computer systems were free from the malware.
The NHS's woes were due to it not applying the Microsoft patch to operating systems. What is worse is that the Government had known for some time that malware threat was real. Some systems even run on older now unsupported Windows XP Operating systems. They only account for around 5% of all devices at present and falling.
For an organization like the NHS encryption of files could be very problematic indeed. Files pertaining to patients' medical histories, for example, could lead to potential life-threatening issues. For companies, it could seriously hamper company operations who will have their data locked for a period of time. This will threaten company sales, reputation and potential for continued operations. For personal consumers, it could be just annoying or very serious for things like your own personal finances or loss of irreplaceable family photo albums.
Where did it come from?
The simple truth is no one really knows to date. The current version is actually the second incarnation of the original malware. The first variant appeared several months ago and spread through the normal means like phishing emails. Most methods require the victim to open an attachment to let the malware do its thing. The current version spreads much more rapidly and includes some US Government developed tools to exploit software vulnerabilities. In April ShadowBrokers posted the source code for this tool as well as other NSA tools online for anyone to see and use.
It has been claimed that SpamTech is responsible for the attacks, but there is no proof to date. SpamTech is a hacktivist group who have claimed responsibility for WannaCry. There are rumors that North Korean links have been found to WannaCry but this has yet to be proven.
On Monday 15th May, Google Researcher Neel Mehta tweeted out two file signatures. These showed file signatures from WannaCry and Contopee. The latter was the malware used in an attack on February of 2016 on the Central Bank of Bangladesh. It was so successful it managed to meet around $81 million dollars for the attackers. These leads were followed up by French Security researcher Matthieu Suiche who was based in Dubai. He quickly showed the similarities between Contopee and the earlier version of WannaCry from February 2017. The major difference was that both the earlier WannaCry and Contopee lacked the EternalBlue exploit. More on that later. This was also supported by Russian antivirus firm Kaspersky Lab.
Contopee has been tied to the Lazarus Group. These were the attackers who nearly destroyed the computer systems of Sony Pictures Entertainment in 2014. That attack, in particular, was linked to North Korea by the US Government. Kaspersky does accept the similarities but also offer another potential for it being a "false flag" attack to pin on North Korea. Another security researcher, based in Berlin, Claudio Guarnieri also notes the similarities but points out that these two strains of malware have "code that is widely available and the basis might be reused or acquired".
How was the first version halted?
During the first round of WannaCry back earlier this year a 22-year-old security researcher managed to stop it in its tracks for a small outlay of $10. MalwareTech, who wished to stay anonymous, managed to look into a sample of the malware. He found that it connected to a specific domain that wasn't registered at the time. Well, what would be the first thing you do with this information? He bought it of course. That effectively activated a kill switch which ended the first spread of WannaCry. Good effort. Although his purchase inadvertently saved the day it doesn't mean the threat has abated.
MalwareTech told the BBC:-
"We have stopped this one, but there will be another one coming and it will not be stoppable by us. There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over. So there’s a good chance they are going to do it… maybe not this weekend, but quite likely on Monday morning."
Microsoft warns the world
A second version appears to be starting to do the rounds, however. Microsoft believes that it's up to countries and not just companies to fight back. Especially because it effects systems across the globe not just locally. Their Cheif Legal Officer, Brad Smith, noted that despite the patch created by Microsoft, many systems can still be vulnerable.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
He is right of course. Exploits created and hoarded by Government Agencies have been shown to be less than secure from being leaked and stolen. WannaCry and future descendants might become so effective that we may not be able to combat it on a global scale.
[Image Source: Pixabay]
How does it spread?
It isn't yet entirely known how it spreads from the internet to computer systems or networks. WannaCry doesn't appear to rely on social engineering like most malware, like phishing emails for example. It appears to be able to move system to system of its own accord. Its rapid spread and lack of example phishing emails specific to the attack indicate that WannaCry likely works as a computer worm. This allows it to spread without the need for human assistance.
Computer worms are small software applications that reproduce themselves and travel across network connections. Worms usually do not infect computer files but copy themselves to folders or directories on a remote machine. They differ from computer viruses insofar that viruses need to infect a host file and not a stand alone program. Worms come in many variants and can be spread by emails, instant messages and file sharing for instance. Once they get into your system these worms try to install a backdoor to enable the installation of other malware. In these cases, the worm can be thought of as a beachhead for further attacks in the future.
Conficker, a particularly nasty worm, install botnet herders that group infected machines together for criminal activities. This could be pumping out spam or flooding web servers with useless data. Other worms can install "scareware" that attempts to trick users into paying for fake anti-virus software. You can also have banking Trojans that hijack online banking systems. Worms aren't always used for malicious purposes, however. But benign worms can clog networks as they spread and reproduce themselves on systems.
How does it infect your system?
Like most malware, some of the methods of infection should be well known to you but WannaCry also uses some new tools used by the NSA. These include the following. Phising, EternalBlue and DoublePulsar. Attacks from WannaCry generally include a combination of these three to find and exploit vulnerabilities in your system.
Your computer can be infected by WannaCry from email phishing scams as well as messages and phone calls where the attacker tries to steal your emails, passwords, credit card details etc. To do this they tend to create a replica website that the user commonly uses to capture this information which is then sent to the attacker. Cybercriminals may also do this by installing malicious software on your computer to steal the information that way. They can also use social engineering to convince you to install the software, sometimes via download, to hand over your information under false pretenses. Social Engineering doesn't seem to be used generally however, but stay alert for the possibility.
CrowdStrike's Vice President of Intelligence Adam Meyers warns that the initial spread of WannaCry seems to have come through spam. Emails containing fake invoices, job offers, and other lures were being sent out to random email addresses. The emails containing .zip files that once clicked initiated the WannaCry infection. Adam told Forbes "This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,". "It's going through financials, energy companies, healthcare. It's widespread."
EternalBlue is believed to have been developed by the NSA and it exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This was resolved in a March 2017 update for all currently supported Windows versions. These are Windows 7, Windows 8.1, Windows 10, Windows Server 2008, 2012 and 2016. Older operating systems that are no longer supported by Windows such Windows XP, Windows Server 2013 and Windows 8 are all potentially wide open to a WannaCry attack. Microsoft has decided to create a new patch to help these users update and protect their systems.
EternalBlue's use in WannaCry was confirmed by an independent malware researcher known as Kafiene. They noted in a tweet on the 12th May 2017 that "WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule: 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"
Kefiene told Forbes that they were not sure if the exploit was being used as the ransomware's primary method of infection. But it certainly seemed to be a key component.
This is a backdoor developed by the NSA to spread through a network and infect computers without the last patch for the operating system. DoublePulsar was leaked by Shadow Brokers in April 2017 and it has already been used to infect tens of thousands of computers. This malware targets Windows running machines and it's a backdoor through which other malware can be loaded onto the infected machine. Once infected the machines distribute malware, send spam and launch attacks on other computers. DoublePulsar is usually installed using the EternalBlue exploit.
How to spot potential threats and protect yourself
Microsoft has produced a section on spotting potential phishing emails. Here is an example.
[Image Source: Microsoft]
You should check for some simple things such as spelling or poor grammar. Cybercriminals tend to lack the resources of large companies who will have teams of editors to check the "readability" and accuracy of mass emails. Simple errors like this will be picked up and corrected prior to going out to users. If you notice these kinds of mistakes in an email it should be considered a potential scam.
Phishing emails will also tend to include links in the email. If you are already suspicious of the email and see links of this nature be sure not to click on them. You can check the link address by hovering your mouse over the link to see the address. If the revealed address doesn't represent the included link in any way or shows and IP address or .exe file the chances are it's a malicious one.
Phishing emails will tend to include threats of some kind in the body of the text. It could include things like your account will be closed if you don't respond. Cyber criminals will often use threats detailing that your security has been compromised in some way. You can read more on this here.
Phishing emails will also tend to spook popular websites or companies. They may even use graphics in the email that appear to be connected to a legitimate company website. These links, in fact, take you to a replicated site or pop up and will then often try to gather your personal information. The web addresses themselves will also generally resemble the names of well-known companies but slightly altered.
Educate yourself on scams
Cybercriminals have become very adept at pretending to be well known and trusted companies in their scams. This makes victims more likely to be caught off guard and provide personal information or even send them money. This can happen through emails but also through phone calls. They can pretend to be from a company's tech support team, or try to entice you through financial gain from lotteries. They may also try to trick you into convincing you that a company you regularly use requires you to update your credit card information or validate a purchase or software download, say. For companies like Microsoft, they may try to trick you by sending you emails about security updates, for example.
Most large companies will never send you unsolicited emails or calls that require your personal information. This is particularly pertinent for banks or other financial institutions and government bodies. If you ever receive messages or calls asking for this just delete them or hang up.
Beware of cybersquatting and fake web addresses
Cybersquatting or typosquatting can potentially lead to you being tricked into releasing your personal information unsuspectingly. If you accidentally type the wrong Internet Address into your web browser you could end up on a fraudulent website. Cyber criminals often register web addresses that are similar to the web address of a popular website. The key difference being they exploit common misspellings for the addresses. As an example, they may use micrsoft.com instead of the correct spelling. At first glance, you may not notice the error but it could be costly.
Scammers use these webs addresses to compete with popular sites to earn money through advertisements or for more nefarious desires. You might only be offered an advert for the official site or worse be tricked into thinking you are on the landing page for the desired site. These ads will generate income for the scammers whilst increasing the cost of merchandise for the scammed company. These sites may also try to get you to install malicious software programs and spyware which will infect unprotected computers.
Various Governments around the world have passed legislation to cut down on this kind of activity. The idea is to allow challenges to be made for cyber or typosquatting registered domains. ICANN has also attempted to make efforts to control this kind of activity but cybersquatters are still very prevalent on the web.
Check if the sites are secure
Most anti-virus software will do this automatically and some web browsers include this as standard. If you visit a "dodgy" website you will get a warning message telling you such. A good way of determining if a site is "safe" is the use of SSL certificates. You should notice a padlock symbol or at the very least it will be a https rather than a http address. SSL stands for Secure Sockets Layer and it is a standard security technology that establishes an encrypted link between the user and the website server.
This allows sensitive information like credit card details to be transmitted securely between you and the website server. This prevents eavesdropping and collection of your data unwittingly. SSL certificates are usually a premium service bought by companies for their domains. They form an integral part of an online businesses website and provide a trusted environment for customers. Browsers will usually give visual cues that they are in place and your connection is secure.
While the presence of these is a good indicator, it by no means guarantees that the site is not malicious. It simply means that the site is probably safe. Recently cyber criminals and scammers have begun to employ valid SSL certificates on their phishing websites. Unfortunately, many certificate authorities do not have a particularly stringent vetting process. These sites usually have an SSL certificate for long enough to allow a phishing campaign to be conducted. They then rinse and repeat with new website's ad infinitum. So be warned. Blocking unsecured websites will at least help you from inadvertently arriving on these sites but be careful of apparently safe ones too.
Windows Operating Systems
Be sure to install updates from Windows for your operating system. Especially those relating to security upgrades. It might also be worth considering upgrading your operating system if you are running on older, now unsupported, versions. Microsoft has produced a patch for Windows XP for example, so be sure to check regularly for new patches. Like all malware, it is constantly changed over time to overcome implemented "resistances" to it, so be sure to keep on top of updates and patches. If you have the latest updates for supported Windows operating systems you should be immune, for the time being.
To do this open the start menu and type "Windows Update", then select Windows Update from the results. You can then easily follow the on-screen instructions to get and install updates for your OS.
The original WannaCry does have trouble infecting 32-bt versions of Windows XP, Vista, however. Remotely at least. This will not be a permanent immunity so be warned. "The worm that spreads WannaCry does not work for XP," Jerome Segura, lead malware intelligence analyst for Malwarebytes, told Tomsguide.com on May 19th, 2017. "You'd have to install the ransomware by other means, which is why there aren't many infections on XP at all." Although WannaCry primarily attacks Windows computers and cannot yet infect macOS/Mac OS X or Linux, it can infect computers that run Windows emulators or virtual machines as well as Macs that can boot into Windows.
Note on getting the correct patch
If you do install the update for older Windows products, be sure to choose the correct link for your specific version of Windows XP etc. Pay particular attention to whether it is X86 (32-bit) or x64 (64-bit). If in doubt open the start menu, click control panel and change the view to Small icons. Then click on System. This should display a page detailing information about your computer and OS.
Protecting your personal data or critical files
One effective means of protecting your data would be to keep it stored or backed up on removable drives (which you actually remove) or other backups. You could simply keep it saved in a cloud type storage system. Whichever method you use, make sure the backup process is automated and isolated from your main means of internet connection. Physical detachment from the computer and the internet will keep the data isolated, backed and protected. You could also invest in recovery software.
Backing up your data, whichever method or methods you use, will pay you dividends during disaster events like a malware infection. The presence of recent versions of your documents and data will save you a lot of time, stress and money if the worst does occur. You can use free cloud backup services and upload your most important data regularly or indeed only ever access and edit them online. GoogleDrive, Apple iCloud and Dropbox are good examples and they are free to use but do have a limited data storage allowance. But who said you need to be limited to one account?
I use GoogleDrive pretty much exclusively for "mission critical" files or documents I need to have 24/7/365 access to. These include things like my family photos, finances, legal stuff etc. None of these are saved on my physical computer and they are also backed up on a removable hard drive that I only ever connect to my computer when offline. Paranoid much I hear you ask? They tend to have both desktop and mobile apps so you can access and edit these documents from anywhere with internet access. Very useful. If a company like Google can be breached by malware we have bigger problems to worry about, don't we?
[Image Source: Pixabay]
How to protect your computer from worms in general
There are three basic steps users can take to protect their computers against worms. First of all, for day-to-day regular computer use, user accounts should be set as "limited user". This prevents software from being installed without permission. Administrator accounts should only be used to install, modify and delete software.
Secondly, network firewalls either on a local computer or network should be turned on. This limits unauthorized network activity. The computer's operating system should also be set to automatically install system updates. Users are usually set to default as Administrators so beware of this. To do this, go to control panel and select "User Accounts". From here select "Manage Users" and create a limited account for every user of the PC. Use this account for everything you would normally use the PC for. For installing programs etc create an Administrator User and only use it for that purpose.
Lastly, you should get yourself a robust anti-virus software and have that also set to automatically update itself and scan your system. Free anti-virus is better than none but paid products usually add extra important features to aid with downloading attachment scams and malicious web site screening. Here and here are some reviews of the best anti-virus products currently on the market.
Be suspicious at all times
As previously mentioned WannaCry spreads from one company network to another. Most Ransomware infects computers by tricking the users into opening malicious attachments to emails. Also be suspicious if the attachment comes from an email from someone you know. Cyber criminals can create "spoof" email addresses or hijack other people's email accounts. If the email is unexpected or out of character you should treat it as a potential threat. You can save the attachment to your desktop and have your antivirus scan it prior to opening it. Some antivirus software packages will do this automatically on receipt of the email anyway.
It should go without saying but don't download pirate movies, music, and software. It is not certain whether WannaCry was spread this way but other malicious files are common on file sharing sites. Ransomware is usually injected into media files or software installers, so be careful. If you are intent on using these services be sure to scan them prior to opening them. But we know you would never use digital goods without paying for them, don't we?
Check or change your network settings
WannaCry exploits flaws in Microsoft Server Message Block SMB protocol to spread. SMB allows computers on the same network to share files, printers and other objects. It is pretty easy to turn it off, however. To do this go to your control panel and look for "Network and Sharing Center". Open it and click "Change Advanced Sharing Settings". Look for the "Home or Work", "Public", and "Domain" and select the items labeled "Turn off network discovery". You should also "Turn off file and printer sharing" and "Turn off public folder sharing".
What to do if your computer is infected
You might be unsurprised to know that there is little you can do. Given the nature of the of malware, once it's breached your system your options could be limited. Your files will have become heavily encrypted and the code will be nearly impossible to crack. Bleeping Computer suggests you might be able to recover some files using the free Shadow Explorer utility. But this simply locates your computer's automatic backups. Symantec does note that once ransomware encrypts your files it deletes most of the user's files afterward. For this reason, you may be able to recover them using a common undelete tool. Any files stored on your desktop or Document folder as well as removable drives are usually fully overwritten and sadly, can not be recoverable.
Paying the ransom may also not be a solution. The ransomware has the appearance of being hastily assembled. It is not obvious that any kind of method of paying the ransom will automatically unlock your files. It appears, instead, that the cyber criminals will need to manually unlock their victim's files. Doing this would reveal their location to authorities across the globe, so they are unlikely to do this.
You can also try to recover your computer to a pre-infected backup. This will lose any recent edits to your files and data but at least you won't have lost everything. Windows has had this functionality since Windows XP and it can get you out of a lot of scrapes. If there is no backup available and lost/encrypted files are important yo you, you can, of course, employ the services of a computer professional.
Don't pay the ransom!
"Paying the ransom does not guarantee the encrypted files will be released," warns the US Department of Homeland Security Computer Emergency Readiness Team. "It only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."
Isn't that nice to know! Mathew Hickey, A British software researcher uncovered WannaCrypt's dodgy payment system. He told Wired that the ransomware's creators may not be able to actually withdraw the ransom funds.
"I absolutely believe this was sent by someone trying to cause as much destruction as possible," Hickey said to Wired.
The final word
WannaCry is a serious potential threat to your personal information and data but it can be kept at bay with some relatively simple habits. Prevention is always better than cure in so many aspects of life. If you get into the habit of keeping your OS and antivirus up to date and not exposing yourself to potential infection sources, you should have little to worry about. If you want to be overly careful you can make sure the data isn't there in the first place to be encrypted and held to ransom. Online Cloud or traditional backup techniques or storage will also help you if your defenses are breached.
Simple housekeeping techniques like regular backup will save you tons of time, stress and money if you do get infected in the future. Remember if the worst does happen DO NOT PAY THE RANSOM! Trying to use methods like system or file restores to previous uninfected states might cure the issue but having untainted copies off your computer is a much better solution.
We hope this article serves to help you understand what WannCry is and why it is so heavily reported on at the moment. We also hope that the article, at least in part, helps you protect your personal data. Feel free to add your comments below or make your own suggestions on how to protect your computer.