WannaCrypt, a simple explanation of the attack that took the NHS offline

Before we start: Microsoft has released an emergency patch for out-of-support versions of Windows (Windows XP, Windows 8 and Windows Server 2003) here, and in March 2017 Microsoft released security bulletin MS17-010 for supported versions of Windows, which closes the vulnerability exploited by the WannaCrypt worm; details here.

WannaCrypt

Everything you need to know

WannaCrypt (aka WannaCrypt0r, WannaCry, Wcry) is ransomware that spread very rapidly, with reports that it had hit several high-profile organisations by 12th May.  Put simply, ransomware is an attack that encrypts files on a machine so they can’t be used, then demands a ransom in exchange for the key to decrypt them.  Attacks of this type are common, but this month’s are noteworthy for a number of reasons.

Typically ransomware is what’s known as a Trojan, delivered by email: hundreds of thousands (potentially millions) of malicious phishing emails are sent with attachments or links, and only those unfortunate enough to open one are infected.  WannaCrypt had an additional capability, a self-replicating component (known as a worm), which meant that once it was inside a network it could spread to other machines on that network by itself, with no user interaction, by attacking the Windows file-sharing service (SMB) on TCP port 445.  In practice this meant that it only took one infected machine in a business for every other unpatched machine in that business to be infected as well.  The worm also scans for and attacks machines on other networks across the internet, so any network exposing port 445 to the internet could be hit directly, without any email at all.

There are conflicting reports on whether WannaCrypt was initially delivered by email or by another method.  Either way, the large impact on businesses came from the self-propagating component rather than the ransomware itself: a single infected machine was enough to take many others out of action.

The self-propagating component exploits a vulnerability in Microsoft’s SMBv1 file-sharing protocol that was, by all accounts, discovered by the US National Security Agency, who also developed an exploit for it.  We do not know how long they knew about the vulnerability, but unlike security researchers the NSA tend to keep newly discovered vulnerabilities to themselves in order to use them for intelligence activities.  The exploit used by WannaCrypt was codenamed ‘EternalBlue’ and was one tool among many in a larger toolkit.  The same toolkit contained ‘DoublePulsar’, a kernel-level backdoor that EternalBlue installs on a compromised machine; WannaCrypt checks for DoublePulsar first and uses it to load itself, and only runs the exploit if the backdoor is not already there.  In 2016 a group calling themselves the ShadowBrokers claimed to have stolen this toolkit from the NSA, and in April 2017 they released EternalBlue and DoublePulsar to the public, which is why we are now seeing malicious attacks using the same methods.

WannaCrypt’s exploit works against unpatched versions of Windows from XP up to Windows 8.1 and Windows Server 2012 R2.  The underlying vulnerability also existed in Windows 10, but Microsoft reported that the exploit code used in this attack was not built to work against it, and Windows 10 had received the fix in March like every other supported version.  Microsoft patched the vulnerability exploited by EternalBlue in March 2017 (MS17-010), a month before the exploit was publicly released by ShadowBrokers, so any machine that had applied that update was never at risk from the worm.  In the wake of the attack Microsoft also released patches for versions of Windows it no longer supports; it is rare for Microsoft to patch out-of-support versions, but they did so because of the scale of the WannaCrypt impact.

Multiple organisations were affected by the attack, however it is not yet known (and unlikely we’ll ever know) whether these were targeted directly or just happened to be reachable by the worm.  They include Telefonica in Spain, FedEx in the US and the NHS in the UK, to name but a few.  Remediation and disaster recovery strategies were put in place in the affected businesses, such as turning off IT equipment to halt the spread and restoring from pre-attack backups, actions which were hugely costly and which may result in data loss that is not identified immediately.

WannaCry infections worldwide (Source: https://intel.malwaretech.com/botnet/wcrypt)

As WannaCrypt started to spread uncontrollably, security researchers began pulling the malware apart to see how it worked.  One of them, MalwareTech, noticed that WannaCrypt attempts to contact an external website before activating on a victim machine, and that when they looked up who owned this domain it was unregistered.  They registered it so they could count the connections it received and use that to estimate how many machines were being hit by WannaCrypt.  In an odd turn of events, it emerged that WannaCrypt stops running if its connection to that domain succeeds, so as soon as the domain was registered and answering, newly infected machines that could reach it no longer encrypted anything.  There are several possible reasons for building a ‘killswitch’ like this into malware; the leading theory is that it is a check for an analysis sandbox.  Sandboxes used to test malware are usually cut off from the real internet but fake the responses, so that any domain a sample asks for appears to resolve and answer.  A sample that sees an unregistered domain ‘come alive’ can therefore conclude it is being analysed and quietly exit; the side effect is that once the domain really was registered, every victim with direct internet access looked like a sandbox.  By registering this domain MalwareTech may have vastly reduced the infection rate of the initial version of the malware.  Two caveats matter for defenders.  The malware makes the request as a direct connection and ignores the machine’s proxy settings, so on networks where the internet is only reachable through a proxy the check fails and the malware runs regardless.  And blocking the domain on a web filter, as some organisations instinctively did, has exactly the same effect, so the domain should be allowed through (or sinkholed to an internal server that answers), never blocked.
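To make the inverted logic concrete, here is an added example written for this page (it is not code from the malware or from MalwareTech). It models the decision the killswitch makes and runs it against constructed stand-ins for the environments described above: the domain is a placeholder, the environment functions simulate network conditions rather than real hosts, and `direct_fetch` is a real fetcher that, like the malware, bypasses any configured proxy, so it can be pointed at a domain of your choosing to see which way your own network would fall.

```python
"""Model of the WannaCrypt killswitch decision (added example, not malware code).

The malware issues a plain HTTP request to a hard-coded domain before doing
anything else.  A request that succeeds means "stop"; a request that fails
means "carry on and encrypt".  Everything below the decision function is a
constructed stand-in for a network environment, not a real host.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict

# Placeholder for the long, random-looking domain hard-coded in the sample.
KILLSWITCH_URL = "http://killswitch.example/"


class FetchFailed(Exception):
    """Raised by a fetcher when DNS, TCP or HTTP fails."""


def should_run_payload(fetch: Callable[[str], bytes], url: str = KILLSWITCH_URL) -> bool:
    """Mirror the inverted logic: reachable domain -> exit, unreachable -> run."""
    try:
        fetch(url)
    except FetchFailed:
        return True   # looks like a real victim: nobody answers for the domain
    return False      # looks like a sandbox (or a sinkholed domain): stop here


def direct_fetch(url: str, timeout: float = 5.0) -> bytes:
    """Real fetcher that, like the malware, ignores proxy settings.

    ProxyHandler({}) disables proxy use entirely, so on a proxy-only network
    this fails in the same way the malware's own request does.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError) as exc:
        raise FetchFailed(str(exc)) from exc


# Constructed fetchers standing in for the environments discussed in the text.
def unregistered_domain(url: str) -> bytes:
    raise FetchFailed("NXDOMAIN")                  # before the domain was registered

def registered_domain(url: str) -> bytes:
    return b"<html>sinkhole</html>"                 # after registration: it answers

def sandbox_with_fake_internet(url: str) -> bytes:
    return b"200 OK (simulated by sandbox)"          # sandbox answers every request

def proxy_only_network(url: str) -> bytes:
    raise FetchFailed("connect: no route (direct connection, proxy ignored)")

def air_gapped_network(url: str) -> bytes:
    raise FetchFailed("DNS: no servers available")


ENVIRONMENTS = {
    "unregistered domain, direct internet": unregistered_domain,
    "registered domain, direct internet": registered_domain,
    "analysis sandbox faking internet": sandbox_with_fake_internet,
    "corporate network, proxy-only egress": proxy_only_network,
    "air-gapped network": air_gapped_network,
}


def evaluate_environments() -> Dict[str, bool]:
    """Return {environment: would the payload run?} for each constructed case."""
    return {name: should_run_payload(fn) for name, fn in ENVIRONMENTS.items()}


if __name__ == "__main__":
    for name, runs in evaluate_environments().items():
        print(f"{name:40s} -> {'ENCRYPTS' if runs else 'exits quietly'}")
```

The two `True` results for the proxy-only and air-gapped cases are the caveat from the paragraph above: any environment in which the direct request cannot succeed gets no protection from the registered domain, which is why the right response on a corporate network is to let the domain resolve and answer rather than to block it.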

That is unlikely to be the end of the story for WannaCrypt.  In the weeks since the initial infections were identified, variants with alternative killswitch domains have appeared, and there are variants with the killswitch removed entirely, so nobody should rely on the registered domain as a defence.  In essence, WannaCrypt is a combination of two attacks, ransomware and a self-replicating worm, and both will continue to be produced by malicious actors.

So what can we do to stop these types of attacks going forward?  It goes without saying that good security hygiene needs to be adhered to: apply software updates as soon as possible (for WannaCrypt specifically, install MS17-010 or the out-of-support equivalent, disable SMBv1 where nothing still needs it, and block TCP port 445 at the internet boundary and between network segments that have no reason to share files) and do not open links or attachments we weren’t expecting to receive.  From a business perspective the same advice applies, but in situations where older software must be used, for example to control systems with lifespans of several decades, a method must be in place to identify those vulnerable systems and put protections around them (segmentation, firewalling of port 445, removing their internet access) so that they cannot be reached by an attacker.  Tools such as Perception can identify vulnerabilities on a network before they are attacked, giving businesses the chance to protect themselves where software updates aren’t possible.  If the worst does happen, network monitoring tools of this kind can alert an analyst to which hosts have been affected and which files have been encrypted over the network, assisting greatly in remediation.
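The worm behaviour described earlier (one infected host probing its neighbours, and random internet addresses, on TCP port 445) is visible in ordinary firewall or flow logs, and is the kind of signal the monitoring mentioned above looks for. The following is an added example written for this page, not code from Perception or from the article: a minimal detection that flags any source host which contacts an unusually large number of distinct peers on port 445 within a short window, while ignoring a client that simply talks to the same file server many times. The log format, the sample records and the threshold are all constructed for the example.

```python
"""Spot worm-style SMB fan-out in connection logs (added example, not product code).

One WannaCrypt infection probes its neighbours, and random internet addresses,
on TCP/445.  A host that suddenly talks to many *distinct* peers on 445 inside
a short window is the signature; a client that talks to one file server a
hundred times is not.  Log format and sample records are constructed, not
captured traffic.  Record format: "ISO-timestamp src_ip dst_ip dst_port action".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
THRESHOLD = 10            # distinct 445 peers per window; an assumed tuning value


def parse_record(line: str):
    """Parse one constructed log record into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_fanout(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak distinct 445 destinations} for hosts over threshold.

    Blocked attempts count too: the scan itself is the evidence, whether or
    not a perimeter firewall dropped the packets.
    """
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _action = parse_record(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log():
    """Constructed records: one scanning host, two ordinary clients, other ports."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    rows = []
    # 10.0.0.15 behaves like the worm: 30 LAN neighbours plus four internet
    # addresses (RFC 5737 documentation ranges) inside roughly 20 seconds.
    for i in range(1, 31):
        rows.append((base + timedelta(seconds=i // 2), "10.0.0.15", f"10.0.0.{100 + i}", 445, "allow"))
    for i, pub in enumerate(["203.0.113.7", "198.51.100.21", "192.0.2.99", "203.0.113.200"]):
        rows.append((base + timedelta(seconds=16 + i), "10.0.0.15", pub, 445, "deny"))
    # 10.0.0.20 is an ordinary user: two servers over the course of an hour.
    for i in range(15):
        rows.append((base + timedelta(minutes=4 * i), "10.0.0.20", "10.0.0.5", 445, "allow"))
    rows.append((base + timedelta(minutes=30), "10.0.0.20", "10.0.0.6", 445, "allow"))
    # 10.0.0.21 is chatty but only ever talks to a single server.
    for i in range(40):
        rows.append((base + timedelta(seconds=i), "10.0.0.21", "10.0.0.5", 445, "allow"))
    # 10.0.0.22 fans out on 443 (web browsing), which this rule must ignore.
    for i in range(50):
        rows.append((base + timedelta(seconds=i), "10.0.0.22", f"10.0.0.{1 + i}", 443, "allow"))
    return [f"{ts.isoformat()} {src} {dst} {port} {act}" for ts, src, dst, port, act in rows]


if __name__ == "__main__":
    for host, peak in find_smb_fanout(build_sample_log()).items():
        print(f"ALERT {host}: {peak} distinct TCP/445 peers within {WINDOW.seconds}s")
```

Counting distinct destinations rather than raw connections is what keeps the rule quiet for normal file-server traffic, and counting denied attempts as well as allowed ones means a host that has already been blocked at the perimeter still shows up while it is busy infecting the rest of the LAN.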