The WannaCrypt ransomware worm, also known as WannaCry, WanaCrypt0r or Wcry, exploded across 74 countries on May 12th, 2017, infecting hospitals, businesses, universities, national telecommunications companies and other organizations.
WannaCrypt is installed on Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMBv1 file-sharing service. Specifically, it abuses the bug designated MS17-010, which Redmond patched in March for supported versions of Windows. Unpatched systems, and ones running out-of-support versions such as Windows XP that the March update did not cover, are therefore vulnerable and can be attacked.
This bug was previously exploited by the NSA to hijack and spy on its targets. The agency’s internal tool for doing so, codenamed EternalBlue, was stolen from it and leaked online in April, putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.
Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.
And it installs DoublePulsar, a backdoor that allows the machine to be remotely controlled; that’s another stolen NSA tool leaked alongside EternalBlue. The malware also takes orders via the anonymizing Tor network, connecting to hidden services to receive further commands from its masters.
Fortunately, a kill switch was included in the code: before doing anything else, the malware tries to connect to a particular web domain, and if that connection succeeds it exits without encrypting files or spreading further. That domain was registered earlier today, halting the worldwide spread of the nasty. The caveat is that the check only helps machines that can reach the domain directly: hosts with no direct outbound web access, or hit by a variant with the check stripped out, get no protection from it.
The software nasty has today ransacked the UK’s National Health Service, forcing hospitals to turn away non-emergency patients; torn through Spanish telco Telefónica; and hit many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia, including the country’s interior ministry, and the worm has claimed high-profile targets around the world.
Sixteen NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code “has crippled” Brit hospitals, and that Blighty’s surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization’s systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey extended-support package in 2015 as a cost-saving measure.
Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget hospital in Norfolk, Lanarkshire, and Leicester.
US companies have also been hit. FedEx told The Reg: “Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.” Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.
Meanwhile, Scottish Power was also reported as hit, but it told us that it just took down some non-essential systems as a precaution.
To counter the spread of the malware, security firms are pushing out file and network-traffic signatures to detect the ransomware-worm hybrid’s presence and kill it. Microsoft was quick off the mark and has pushed out signatures for the malware to its own security products.
“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” a Microsoft spokesperson told The Reg.
“In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance.”
NSA exposure puts us all at risk
As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA’s arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were patched by Microsoft in March, just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.
So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but, as is the way with users and IT departments big and small, not everyone has patched, or can patch, and they are now paying the price. The initial infection point appears to be spam emails with the malware hidden in attachments. The malware is a hybrid design: once one machine is infected, the worm component scans for and exploits other unpatched SMB hosts, so a single foothold can spread through an internal network for maximum infection.
According to an analysis by Payload Security, the malware drops a number of programs on the system, including Tor, and adds itself to the Windows Registry so it persists across reboots. It can fetch software modules to gain new abilities, and uses various techniques to hinder reverse-engineering: decrypted samples of the executables are available from the above links.
The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes Volume Shadow Copies and disables Windows’ startup-repair tools, removing the built-in ways of rolling files back. It also reads the infected system’s locale settings to work out the user’s language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop wallpaper, too, to grab the victim’s attention.
According to a study by Kaspersky, it appears the malware controllers are getting greedier as infection rates grow. The initial infections asked for $300 worth of Bitcoin, but later ransom notices have upped this price to $600. A check of the Bitcoin wallet addresses shows a few thousand dollars’ worth of Bitcoin has already been sent to the criminals.
“We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia,” said Kaspersky’s research team.
“It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.”
What is to be done?
This is just the first wave: there is nothing stopping someone from making a new worm that attacks the MS17-010 bug to silently compromise vulnerable systems, or adapting the WannaCrypt binaries to cause more damage.
So, what’s the solution? If you’re already infected, there’s not a lot you can do other than pull the machine off the network, so it can’t worm its way into its neighbours over SMB, then wipe the system and reinstall from offline, unaffected backups – if you have them.
It’s possible that the malware writers will have screwed up and put the decryption key in the code itself – such slip-ups have happened in the past. Researchers are picking the code apart byte by byte trying to find such clues, but this looks like a reasonably sophisticated piece of software so that’s a long shot.
If you haven’t been infected, make sure your security patches are up to date. Kill off SMBv1 at the very least, and block SMB (TCP port 445) at your perimeter so it can’t be reached from outside your network. The exploits the malware uses have already been patched, and there’s no excuse for getting caught out as a private user. It’s understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them. If you can update your installations, drop everything and get patching.
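As an added example, not from the article and not Microsoft’s own script, here is what that advice looks like as a PowerShell checklist for one Windows host, run from an elevated prompt: confirm the MS17-010 fix, confirm and disable SMBv1, and add a host-firewall backstop on port 445. The KB identifiers are the MS17-010 security-only and monthly-rollup updates for Windows 7 SP1 / Server 2008 R2 SP1 and are an assumption for that platform only; the SMB and firewall cmdlets exist on Windows 8 / Server 2012 and later, with the Windows 7 registry route noted in a comment.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's code): MS17-010 / WannaCrypt
# remediation checks for a single Windows host.

# 1. Is the March 2017 fix installed?
#    Assumption: these are the MS17-010 KBs for Windows 7 SP1 / Server 2008 R2 SP1
#    (security-only and monthly rollup). Other builds use different KBs, and a later
#    cumulative update can supersede both, so treat "not found" as "go and verify",
#    not as "vulnerable".
$ms17010Kbs = @('KB4012212', 'KB4012215')
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 fix present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 KB from the list found; check Windows Update / WSUS for a superseding cumulative update before assuming this host is patched."
}

# 2. Is the SMBv1 server still switched on? (Windows 8 / Server 2012 and later)
$smb = Get-SmbServerConfiguration
"SMB1 server enabled before change: $($smb.EnableSMB1Protocol)"

# 3. Turn SMBv1 off. This is the server side, which is what EternalBlue attacks.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
"SMB1 server enabled after change:  $((Get-SmbServerConfiguration).EnableSMB1Protocol)"

# Windows 7 / Server 2008 R2 have no Get/Set-SmbServerConfiguration; Microsoft documents
# this registry value instead (a reboot is required for it to take effect):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SMB1 -Type DWORD -Value 0 -Force
# On Windows 10 the whole SMB1 component (client and server) can be removed with:
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# and on Server 2012 R2 and later with:
#   Uninstall-WindowsFeature -Name FS-SMB1

# 4. Host-firewall backstop: block inbound SMB (TCP 445) on untrusted networks.
#    Block rules beat allow rules in Windows Firewall, so this is scoped to the Public
#    profile rather than "everything except my subnets"; the real "from outside" block
#    belongs on the perimeter firewall, this just catches laptops on hostile Wi-Fi.
$ruleName = 'Block inbound SMB on public networks'   # name is an arbitrary choice
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
    "Firewall rule '$ruleName' created."
} else {
    "Firewall rule '$ruleName' already present."
}
```

Run it once per host and keep the output: the three lines it prints (patch state, SMB1 state before and after, firewall rule) are exactly what you want on record when someone asks which machines were exposed over the weekend.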