Still Wannacry?


By now, we’ve probably all heard of WannaCry and the effect it had on many organisations. Luckily for many, the outbreak seemed to come and go so quickly that many organisations had no time to react, with the outbreak ended almost as soon as it started.  Should we still be concerned about the attack now?

Ransomware attacks are becoming much more prevalent and common (ransomware attacks last year increased from one attack every two minutes in Q1 to one every 40 seconds by Q3 and is still increasing) and WannaCry is important because it brought this type of attack to the forefront of the public consciousness. One of the most interesting aspects of the whole WannaCry outbreak was the fact that it infected Windows systems through the EternalBlue exploit in the SMB (Server Message Block) protocol which was created by the NSA, the really interesting aspect of which is that patches had been released two months prior to the WannaCry incident, demonstrating just how cavalier some organisations are to desktop security.

So what is WannaCry, what does it do, how does it work, and how do we defend against it and what are the lessons learned??

WannaCry is a form of ransomware, which itself is a form of malware that encrypts files on computers and demands payment for the decryption key.

A flaw in some versions of Windows' SMB protocol allowed malicious packets to transmit from one infected machine throughout the LAN, making a single compromised machine the instigator of a LAN wide attack.

The transmitted packet itself contains DoublePulsar, which is an NSA-built backdoor. This opens the machine up to installation of the WannaCry payload. WannaCry then encrypts files and scans for other vulnerable systems on the network and spreads to them. As in all ransomware attacks, users are informed that they must pay a ransom to have their files decrypted. Usually in the form of a Bitcoin payment. With the ransom amount usually increasing in size after a few days. If the user has not paid the ransom and has not cleared the infection, the final demand includes the threat of permanent encryption. At this point many people give in and pay the ransom.

WannaCry only targets Windows systems which are vulnerable to EternalBlue, the SMB exploit developed by the NSA. WannaCry spread despite Microsoft releasing a security update for the vulnerability in March 2017. The update patched systems which are still supported by Microsoft. It is important to note here that the patch released by Microsoft on March 1st 2017 eliminated the vulnerability that was the main cause the infections.

Even though Windows XP was not included in the original patch due to it no longer being supported by Microsoft, it accounted for less than 0.1% of the total affected systems. 98% were running Windows 7 machines without the March 2017 security update. Due to its method of infection of scanning flat network segments, WannaCry was particularly effective on large networks resulting in many large businesses and government networks were hit including the National Health Service, Nissan, several telecom companies, universities as well as the Russian Ministry of Internal Affairs.

So why were so many organisations hit by WannaCry?

In a nutshell, because they weren’t patched. The $64,000 question of course is, why weren’t they patched? There are probably a myriad of answers but the most obvious one is that patching desktop systems is perceived as odious and users don’t like having to sit watching their systems for what seems like ages while the patches are downloaded and installed; one of the main reasons why Microsoft removed the ability to manually apply security patches to desktops. Having said that, many large organisations do phase their patching for desktops over a 60-90 day period due to the number of systems to be updated, giving a window of vulnerability. Many users put off installing the updates and patches until a convenient time, which is why it was prevalent in Windows 7 systems as the capability to manually install updates is retained within Windows 7. Windows 10 systems were hit much less severely because updates are installed automatically. Something which, as a Windows 10 user,  I find annoying but fully understand.

WannaCry was first detected on May 12, 2017, and by May 15, 2017 it had largely stopped spreading. Awareness of the existence of security patches helped, but the real interruption came just hours into the initial outbreak when a security researcher accidentally discovered a built-in flaw.  The WannaCry payload checks for the presence of a domain before executing its encryption process, and when the researcher, who goes by the name MalwareTech, found that the domain was available he purchased it. Almost immediately it started registering hundreds of hits per minute, and when affected machines saw the domain was answering WannaCry stopped its attack.

This discovery slowed the spread of WannaCry, and patching the SMB hole further minimized its spread, but it is still far from dead. Variants have already emerged that have had that particular flaw removed, but they still rely on the SMB flaw to be effective.

It's likely that attacks like WannaCry will continue  as it's just a matter of someone else finding a hole. And there's always a hole.


What should I do?

 Anyone wanting to avoid WannaCry and other forms of infection need to do several things:

  1. First, and most importantly, is to pay attention to Microsoft security bulletins and immediately install relevant patches. Network Administrators should ensure that desktop systems are patched regularly and as close to the release of the patch as possible. Unfortunately, the majority of attacks are against Microsoft systems (Microsoft ‘own’ the desktop so opportunity for infection is better for cybercriminals as there are many more targets to hit) so it’s important to replace old out of date systems with unsupported operating systems like Windows XP. Microsoft do not issue patches for Windows XP but did take the rare step of patching XP against the SMB attack.
  2. Earlier I mentioned that less than 0.1% of systems attacked were Windows XP. This doesn’t mean that it’s safe to use, it merely means that there are now many fewer XP systems still in use. But, if you have an XP system on your network and a new exploit appears, then what you effectively have is a system on your network that will not be patched, certainly not until after the outbreak as in the case with WannaCry. If you have more than one XP system, then you have a number of potential infection carriers on your network.
  3. Finally, it's essential to train users on good security practices. Ensure that users know what to look for with emails and attachments. They should be made aware of what a phishing attack looks like, suspicious email attachments as well as ‘questionable’ websites. In a WannaCry type of attack, it only takes one infected machine to spread the infection to every other vulnerable system on a network. If users don’t know what to look for, they can’t flag the problem and it’s much preferable to have users crying ‘Wolf’, or WannCry if you prefer, than having to deal with an infected network!  WannaCry infected systems on the local network segment therefore segmentation would help prevent WannaCry from spreading to all machines. Many SIEM/IDS/IDP solutions also picked up WannaCry due to their ability to aggregate/analyse logs from multiple systems, which was the case here at ProCheckUp.

 ProCheckUp can help you with advice on how to prevent and deal with infections like WannaCry and provides Security Awareness training services. Contact us.