On Friday, May 12, 2017, cybersecurity firm Avast reported on a massive ransomware attack that hit more than 75,000 victims in 99 countries and that had risen to over 126,000 in 104 countries by Saturday afternoon. While most of the targets were located in Russia, Ukraine, and Taiwan, other victims have been identified in Europe.
Most notably, Spanish telecommunications company Telefonica was a victim, as were hospitals across the United Kingdom. According to The Guardian, the U.K. attacks hit at least 16 National Health System (NHS) facilities and directly compromised the information technology (IT) systems that are used to ensure patient safety.
The WanaCryptOR, or WCry, ransomware is based on a vulnerability that was identified in the Windows Server Message Block protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates, reports Kaspersky Labs. The first version of WCry was identified in February and has since been translated into 28 different languages.
Microsoft has responded to the attack with its own Windows Security blog post, where it reinforced the message that currently supported Windows PCs running the latest security patches are safe from the malware. In addition, Windows Defenders had already been updated to provide real-time protection.
“On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”
The statement continued: “Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.”
Avast further speculated that the underlying exploit was stolen from the Equation Group, which has been suspected of being tied to the NSA, by a hacker group calling themselves ShadowBrokers. The exploit is known as ETERNALBLUE and named MS17-010 by Microsoft.
When the malware strikes, it changes the name of affected files to include a “.WNCRY” extension and adds a “WANACRY!” marker at the beginning of each file. It also places its ransom note into a text file on the victim’s machine:
Then, the ransomware displays its ransom message that demands between $300 and $600 in bitcoin currency and provides instructions on how to pay and then recover the encrypted files. The language in the ransom instructions is curiously casual and seems similar to what one might read in an offer to purchase a product online. In fact, users have three days to pay before the ransom is doubled and seven days to pay before the files will no longer be recoverable.
Interestingly, the attack was slowed or potentially halted by an “accidental hero” simply by registering a web domain that was hard-coded into the ransomware code. If that domain responded to a request from the malware, then it would stop infecting new systems — acting as a sort of “kill switch” that they cybercriminal could use to shut off the attack.
As The Guardian points out, researcher, known only as MalwareTech, registered the domain for $10.69 was unaware at the time of the kill switch, saying, “I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
MalwareTech registered the domain on behalf of his company, which tracks botnets, and at first, they were accused of initiating the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.
That likely won’t be the end of the attack, however, as the attackers might be able to alter the code to omit the kill switch. The only real fix is to make sure that machines are fully patched and are running the right malware protection software. While Windows machines are the targets of this particular attack, MacOS has demonstrated its own vulnerability and so users of Apple’s OS should make sure to take the appropriate steps as well.
In much brighter news, it now appears that there is a new tool that can determine the encryption key used by the ransomware on some machines allow users to recover their data. The new tool, called Wanakiwi, is similar to another tool, Wannakey, but it offers a simpler interface and can potentially fix machines running more versions of Windows. As Ars Technica reports, Wanakiwi uses some tricks to recover the prime numbers used in creating the encryption key, basically by pulling those numbers from RAM if the infected machine remains turned on and the data has not already been overwritten. Wanawiki leverages some “shortcomings” in the Microsoft Cryptographic application programming interface that was used by WannaCry and various other applications to create encryption keys.
According to Benjamin Delpy, who helped develop Wanakiwi, the tool was tested against a number of machines with encrypted hard drives and it was successful in decryption several of them. Windows Server 2003 and Windows 7 were among the versions tested, and Delpy assumes Wanakiwi will work with other versions as well. As Delpy puts it, users can “just download Wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk. In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid.”
The downside is that neither Wanakiwi nor Wannakey works if the infected PC has been restarted or if the memory space holding the prime numbers has already been overwritten. So it is definitely a tool that should be downloaded and held at the ready. For some added peace of mind, it should be noted that security firm Comae Technologies assisted with developing and testing Wanakiwi and can verify its effectiveness.
You can download Wanakiwi here. Just decompress the application and run it, and note that Windows 10 will complain that the application is an unknown program and you will need to hit “More info” to allow it to run.
Ransomware is one of the worst kinds of malware, in that it attacks our information and locks it away behind strong encryption unless we pay money to the attacker in return for a key to unlock it. There is something personal about ransomware that makes it different from random malware attacks that turn our PCs into faceless bots.
The single best way to protect against WCry is to make sure that your Windows PC is fully patched with the latest updates. If you have been following Microsoft’s Patch Tuesday schedule and running at least Windows Defender, then your machines should already be protected — although having an offline backup of your most important files that can’t be touched by such an attack is an important step to take. Going forward, it is the thousands of machine that have not yet been patched that will continue to suffer from this particular widespread attack.
Updated on 5-19-2017 by Mark Coppock: Added information on Wanakiwi tool.