It was a rough weekend for anyone running out-of-date Windows systems, as a new form of ransomware named WannaCry (aliases: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) was unleashed. On Friday, May 12th, the large-scale cyberattack was launched and was able to infect over 230,000 computers in 150+ countries. Some of the most notable infections so far are Telefonica in Spain, National Health Service (NHS) in Britain, FedEx, Deutsche Bahn, and LATAM Airlines. WannaCry is not currently targeting mobile devices, but we felt it was still important to shed some light on what’s going on and how to protect yourself.
So, what happened?
Like so many other cyber-attack stories, it began with email phishing. A user somewhere in Europe opened an email and ran an attachment, which allowed WannaCry to install onto their system. Once this happened, WannaCry would run two workloads. The first workload would encrypt the contents of this user’s system, locking them out until a bitcoin ransom was paid. There are no reported instances, however, of a system being unlocked after a ransom was paid.
The second workload would examine the file-sharing settings on the system and begin exploiting them. The code for this second workload was a repurposed cyber-espionage tool known as EternalBlue, which was stolen from the US National Security Agency and recently leaked online (read about the recent CIA cyberespionage leak). EternalBlue exploits a loophole in Windows operating systems which can allow malicious code to spread directly through shared resources like SharePoint and Dropbox.
To make matters worse, this ransomware is deployed in such a way that the payload is never directly exposed on the hard disk and is thus not vulnerable to anti-virus scans. As bad as this attack was, there was a slight reprieve when a cyber security analyst known by the Twitter handle MalwareTech found (and activated) a kill switch in the code, most likely left in by accident. While this stopped existing versions, there are already newer versions with this kill switch deactivated.
To help combat the spread of WannaCry, Microsoft also released patches for their Windows operating systems (including versions which aren’t currently supported any longer like Windows XP and Windows Server 2003) which would plug some of the vulnerabilities which WannaCry exploits.
How was this able to happen?
There are three major reasons why WannaCry was able to succeed the way it did. First, end users still aren’t wary enough about opening attachments when they aren’t sure what they are, who they’re from, etc. It is crucial that users not execute email attachments unless they are 100% confident the attachment is legitimate.
Second, users also don’t keep their computers up to date nearly as routinely as they should, and often don’t take the right precautions to prevent attacks like this from infecting their systems. It is thus equally crucial to keep all of your operating systems (desktop, laptop, and phone) up to date and set to update automatically when needed. In addition to this, maintaining up-to-date anti-virus and/or anti-malware software also helps prevent infection.
Third, and perhaps most responsible in this case, is an issue that has been getting more scrutiny lately: nations’ intelligence agencies find these security holes, create tools to exploit them, and then stockpile them. Each nation ends up with a vault full of exploit details and tools which it can use to target victims when needed. Since their goal is to infiltrate (or harm) competing nations’ systems, they have no real incentive to report the security holes they find to the manufacturers for fixing. Unfortunately, and as in this case, if the intelligence agency gets hacked, these tools can be leaked into the wild and then used against the general public.
How can I protect myself?
Given that a huge part of this attack is based on intelligence agencies’ activities, is there anything a typical user or enterprise can do to protect themselves? The good news is that yes, there is. Here are a number of things you can do to protect yourself as a standard end user:
- Immediately apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Keep your Windows OS set to automatically update and check to make sure it is doing so regularly.
- Install anti-virus and/or anti-ransomware software and keep it up to date.
- Do not open attachments that are executable, especially from someone you don’t know or if you were not expecting such an attachment.
- Backup crucial files to disconnected systems, such as an external USB hard drive that is only connected to your PC during backup or recovery operations.
And, for IT staff looking to protect their end users, there are additional measures that should be taken:
- Use spam filters to prevent phishing e-mails from reaching your inbox.
- Authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter out executable files.
- Configure access controls including file, directory, and network share permissions with least privilege in mind.
- Manage the use of privileged accounts and implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Deploy and ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network, no less than once a year, and ideally, as often as possible/practical.
- Test your backups to ensure they work correctly upon use.
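Two of the mail-hygiene items above (authenticating inbound e-mail with SPF/DMARC, and filtering executable attachments) can be turned into concrete checks. The following is an added example written for this post, not Skycure’s code or any product’s: it grades constructed SPF and DMARC TXT records so a weak configuration can be compared against a hardened one, and it flags attachments that are executable either by extension or by their `MZ` header even when the file name pretends to be a document. The domain names, DNS records and the sample message are all constructed for the example; a real deployment would fetch the TXT records from DNS.

```python
# Added example, not part of the original post. Everything below is
# constructed for illustration: no real DNS lookups are performed.
import email
import email.policy
import os
from email.message import EmailMessage

# File types Windows runs directly when double-clicked (short, illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".hta", ".jar", ".msi"}
MZ_MAGIC = b"MZ"  # every Windows PE executable starts with these two bytes


def grade_spf(record):
    """Grade an SPF TXT record by its 'all' mechanism.
    '-all' tells receivers to reject unlisted senders ('enforcing');
    '~all' only soft-fails; '?all', '+all' or no 'all' gives no protection."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    if "-all" in terms:
        return "enforcing"
    if "~all" in terms:
        return "soft-fail"
    return "none"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return the DMARC policy that actually acts on spoofed mail:
    'reject' or 'quarantine'; 'p=none' only reports and is graded 'none'."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("reject", "quarantine") else "none"


# Constructed records: the weak configuration beside the corrected one.
CONSTRUCTED_DNS = {
    "weak.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@hardened.example",
    },
}


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Grade a sending domain's published SPF and DMARC records."""
    records = dns.get(domain, {})
    return {"spf": grade_spf(records.get("spf", "")),
            "dmarc": grade_dmarc(records.get("dmarc", ""))}


def executable_attachments(raw_message):
    """Return the names of attachments that are executable by extension
    or by content (MZ header), regardless of what the name claims."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS or payload.startswith(MZ_MAGIC):
            flagged.append(name or "<unnamed>")
    return flagged


def build_sample_message():
    """Constructed inbound message: a harmless text file, a renamed executable
    posing as a PDF, and a script attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@weak.example"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"// script body", maintype="application",
                       subtype="octet-stream", filename="update.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for domain in CONSTRUCTED_DNS:
        print(domain, assess_domain(domain))
    print("flagged attachments:", executable_attachments(build_sample_message()))
```

The content check matters because a mail filter that trusts the file name alone is bypassed by renaming `malware.exe` to `invoice.pdf`; reading the first bytes catches that case, while the extension list catches scripts that have no fixed header.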
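Both checklists end on backups: the end-user list says to keep them on a disconnected drive, and the IT list says to test that they actually restore. An untested backup is the one thing that turns a ransomware infection from an outage into data loss, so here is an added example (written for this post, not Skycure’s code) of the minimum test worth automating: record a SHA-256 manifest when the backup is taken, then verify a restored copy against it and report files that are missing or whose contents changed. The directory layout and file contents are constructed inside a temporary directory so the script runs anywhere.

```python
# Added example, not part of the original post. Files and paths below are
# constructed in a temporary directory purely to exercise the verifier.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256.
    Taken at backup time and stored alongside the backup."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. Returns the paths that
    are missing and the paths whose contents no longer match; both lists
    empty means the backup restores correctly."""
    restored_root = Path(restored_root)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif hash_file(candidate) != expected:
            corrupted.append(rel)
    return {"missing": missing, "corrupted": corrupted}


def demo():
    """Constructed end-to-end run: back up, verify, then damage the backup
    copy (one file overwritten, one deleted) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "projects").mkdir(parents=True)
        (src / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "projects" / "plan.docx").write_bytes(b"constructed document bytes")

        manifest = build_manifest(src)
        backup = Path(tmp) / "usb_backup"      # stands in for the external drive
        shutil.copytree(src, backup)
        (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))

        clean = verify_restore(manifest, backup)

        # Simulate damage to the backup copy: one file's contents replaced,
        # one file gone. A real test would restore to a scratch location first.
        (backup / "budget.xlsx").write_bytes(b"constructed ciphertext")
        (backup / "projects" / "plan.docx").unlink()
        damaged = verify_restore(manifest, backup)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest with the backup but also keep a copy elsewhere: if an attacker can rewrite the backup, a manifest sitting next to it can be rewritten too, and the verification proves nothing.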
WannaCry is not currently a threat to mobile devices, but it helps to illustrate the complexity of defending against today’s cyber threats, and reinforces the need for a strong, proactive, thorough security strategy that Skycure recommends. Skycure does the two most important things to protect our customers from vulnerabilities:
- Instantly notifies users when an OS update is available for their device (including Android)
- Proactively protects against unknown exploits that leverage undisclosed vulnerabilities
If you (or your company) have been infected by WannaCry or any of its variants, the FBI urges you to reach out to FBI CYWATCH immediately by email at firstname.lastname@example.org or by phone at 1-855-292-3937.