A hostage situation of a different nature rocked the world on May 12 this year, when a ransomware program aptly named WannaCry tore through Windows computers globally, holding the files of countless businesses captive and demanding $300 in Bitcoin for their release. While the world was still reeling from the first attack, WannaCry 2.0 launched a day and a half later. In the wake of these virtual crises, the security community is working to understand the WannaCry attacks, while everyday web users search for lessons to take from the event in hopes of preventing it from happening to them.
Though it may have seemed like it at the time, WannaCry did not happen overnight. It was actually about five years in the making, with its origins going back to Microsoft and the network software the company created, SMBv1. The software had what appeared to be an innocuous flaw when it was first released. Microsoft amended the software and released updates and patches, but as is the case with many software upgrades, some users ignored them. Some of those users happened to be large organizations and hospitals.
Ransomware is normally contracted through a malicious download or spam email. Once downloaded, the ransomware ransacks the computer’s files, encrypting them so that when the user opens any file, all they see is alphabet soup and a ransom note demanding payment in return for removal of the virus; in the case of WannaCry, $300 in Bitcoin.
WannaCry kicked its infection up a notch, though, in that it does not require a download; the virus spreads itself without the click of a file or link. An unpatched, un-upgraded SMBv1 installation is the only requirement for infection.
So who found and developed a virus to take advantage of the Microsoft vulnerability? The answer is startling. The National Security Agency (NSA) either discovered or bought knowledge of the flaw. For reasons unknown, the NSA then wrote code to exploit the SMBv1 bug, designing a new program called ETERNALBLUE to infiltrate any computer running the flawed software. Later, in 2013, a mysterious hacker group calling themselves the Shadow Brokers managed to obtain ETERNALBLUE and released the program, along with other sensitive NSA-collected information, to the worldwide web at large. The specific individual or group who launched the WannaCry attack in May, which targeted over 90,000 computers in 99 countries, is not yet known.
Finally, and perhaps most alarmingly, WannaCry is not simply ransomware; it also has worm properties. While the malware is holding the victim computer hostage, it is also worming its way through data and obfuscating it. This means it can detect anti-malware on a device, elude it and write new code.
Two days after the first WannaCry was dispersed, new versions of the virus began to surface. The appearance of new strains is alarming for two reasons: the newer versions do not appear to have a kill switch, and they appear to come from new assailants.
The original WannaCry’s downfall was the presence of a kill switch. Once the virus was downloaded, it would check whether the victim computer was already infected. The virus came equipped with an unregistered command and control domain, an uninhabited URL. WannaCry would attempt to contact this domain; if the computer had not yet been infected, the connection would fail and the virus would continue on its path of destruction. If the virus was already installed on the victim computer, the domain test would connect and the attacking virus would kill itself. A researcher going by the handle MalwareTech discovered that if they claimed and occupied the uninhabited domain, the virus would connect during the domain check, assume the computer was already infected and terminate itself, thus providing a means to escape infection.
WannaCry 2.0 and the newer variants were launched by different assailants and either contain new kill switches, meaning the old hashes are useless, or do not include a kill switch at all, making them that much more difficult to extinguish.
As the attacks keep coming, it is important to take from these incidents what wisdom is available in an attempt to prevent such widespread attacks in the future.
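The kill-switch behaviour described above is also a detection opportunity for defenders: any host that looked up the kill-switch domain was reached by the worm, whether or not the check then made it exit. The following is an added example, not code from the article; the real domain is not given on this page, so `killswitch-domain.example` is a placeholder, and the DNS log lines are constructed in a simple "timestamp client type query" format.

```powershell
# Added example (not from the article): report hosts whose DNS queries include
# the kill-switch domain. Replace the placeholder domain with the indicator
# from your threat-intel source; the log format here is constructed and will
# need adjusting to your resolver's actual export format.
$KillSwitchDomain = 'killswitch-domain.example'

# Constructed sample DNS log: "<date> <time> <client IP> <record type> <query>"
$dnsLog = @'
2017-05-12 14:02:11 10.0.5.21 A www.contoso.example
2017-05-12 14:02:13 10.0.5.44 A killswitch-domain.example
2017-05-12 14:02:13 10.0.5.44 A killswitch-domain.example
2017-05-12 14:03:40 10.0.7.9  A killswitch-domain.example
2017-05-12 14:04:02 10.0.5.21 A update.contoso.example
'@ -split '\r?\n'

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)
    $pattern = '^(?<ts>\S+ \S+)\s+(?<client>\d{1,3}(\.\d{1,3}){3})\s+\S+\s+(?<query>\S+)\s*$'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ ts = $Matches.ts; client = $Matches.client; query = $Matches.query }
            }
        } |
        Where-Object { $_.query -ieq $Domain } |
        Group-Object client |
        ForEach-Object {
            [pscustomobject]@{
                Client    = $_.Name
                Lookups   = $_.Count
                FirstSeen = ($_.Group | Sort-Object ts | Select-Object -First 1).ts
            }
        }
}

# Every host listed was hit by the worm and should be isolated and checked for
# the SMBv1 exposure the article describes. An empty result is not proof of a
# clean network: the newer variants mentioned above perform no such lookup.
Find-KillSwitchLookups -Lines $dnsLog -Domain $KillSwitchDomain | Format-Table -AutoSize
```

With the constructed log the report lists 10.0.5.44 (two lookups) and 10.0.7.9 (one lookup), and 10.0.5.21 does not appear.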
Do Not Negotiate with Cyber Terrorists
Though it is a personal or organizational decision whether or not to pay a ransom, there is no guarantee that complying with ransom demands will result in the release of one’s files. Compliance also encourages black hats to continue the extortion, possibly targeting an even wider audience.
According to a Twitter account tracking the transactions associated with WannaCry, only 337 payments have been made as of this publication, for a total of about 52 BTC or around $134,000 USD. That is not much considering the global targeting, so stay strong.
Always Install Security Patches & Updates
If working on a Windows computer, first and foremost, take advantage of the patch offered through Microsoft.
As a lesson, though they may seem an inconvenience, always install updates from the manufacturer; installing the security updates would have thwarted WannaCry from the get-go. With the exception of Windows 10, which updates automatically, any version of Windows should have updates enabled manually.
Keep firewalls enabled. These programs are designed to keep out unauthorized network access. Though they are not failsafe, they are the first line of defense in a cyber attack and work to deter less sophisticated intrusions.
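The three conditions this section names (SMBv1 still present, patches not installed, firewall off) can be audited from an elevated PowerShell prompt. The script below is an added example, not from the article or from Microsoft; it assumes Windows 8 / Server 2012 or later (the built-in SmbShare and NetSecurity modules) and only reports unless run with `-Remediate`.

```powershell
# Added example (not from the article): audit a Windows host for SMBv1,
# patch staleness and firewall state; apply fixes only when -Remediate is given.
# Assumes an elevated session on Windows 8 / Server 2012 or newer.
param([switch]$Remediate)

# 1. SMBv1: check both the optional feature and the SMB server protocol switch.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$smbConf = Get-SmbServerConfiguration
"SMB1 optional feature : $($feature.State)"
"SMB1 server protocol  : $($smbConf.EnableSMB1Protocol)"
if ($Remediate -and ($feature.State -eq 'Enabled' -or $smbConf.EnableSMB1Protocol)) {
    # Removing SMBv1 removes the protocol the worm component relies on.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    "SMBv1 disabled; reboot to complete removal of the feature."
}

# 2. Patches: show the most recent hotfix so a stale host stands out.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent hotfix    : $($latest.HotFixID) installed $($latest.InstalledOn)"
if ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    "WARNING: no update installed in the last 30 days; check Windows Update."
}

# 3. Firewall: every profile should be enabled, and inbound SMB (TCP 445)
# blocked where file sharing is not needed. Blocking 445 on the Domain profile
# would break file and printer sharing, so only the Public profile is handled.
Get-NetFirewallProfile | ForEach-Object { "Firewall $($_.Name): $($_.Enabled)" }
if ($Remediate) {
    Set-NetFirewallProfile -All -Enabled True
    $ruleName = 'Block inbound SMB 445 (Public)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
    "Firewall profiles enabled; inbound TCP 445 blocked on the Public profile."
}
```

Save as a .ps1 file and run it once without arguments to see the current state, then with `-Remediate` on hosts where the reported state is unacceptable.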
Backup Files Frequently
It’s smart to create a regular system for backing up files, on a specific day of the week or month, to ensure the process is not forgotten. With files backed up, in the event that malware attempts to encrypt file data, the backups of the files will not be affected.
Cyber attacks and malware are ever-present. Staying in the loop with the makers of your computers and software, whether Windows, Android, Mac, iOS or Linux, will keep you informed of online hazards to be aware of and of the best means of defense.
Perhaps the most important lesson to learn here is that in this golden age of technology, it’s up to the everyday web surfers to proactively protect themselves.