Looking at WannaCrypt
Written by Lisa Waldron on 15/05/2017
WannaCrypt, aka WannaCryptor or WannaCry, is relatively new ransomware that has been recently hitting organisations and services right across the world. Over 74 countries were affected, including most famously, our NHS.
For those of you that don’t know, ransomware is a type of malware that encrypts your files with very strong encryption, effectively holding your system for ransom (hence the name). As soon as you’re infected, it races through your hard drives and network locations. And this is exactly what WannaCry has been doing.
The group behind the WannaCry is the infamous Shadow Brokers – they hacked the NSA in the US and made the NSA’s hacking tools available to the public. WannaCry uses an NSA-found vulnerability in Windows.
How does WannaCry work?
WannaCry works by exploiting a vulnerability in the SMB protocol, codenamed EternalBlue, which allows attackers to take control of a system. This wouldn’t be the first time SMB has been taken advantage of for attacks, as the way it is implemented can cause a variety of security vulnerabilities. Once on the system, WannaCry scans the network in an attempt to affect other hosts, known as self-propagation. Within a space of a day it managed to spread itself across many different countries around the world.
But it didn’t rely on EternalBlue alone. A backdoor codenamed DoublePulsar was also used – once EternalBlue exploits the SMB vulnerability, DoublePulsar is used to run malicious code on the infected host. Whilst not directly linked with WannaCry, it is indirectly linked through its use of EternalBlue.
Can it be stopped?
As with most malware and ransomware, the answer is usually a no. However, there’s a twist in the tale of WannaCry. A security researcher found a strange domain name hard-coded into WannaCry, which was programmed to cease spreading when it found the domain active. The researcher bought the domain, made it live and temporarily ceased. Alas, malware authors can patch just as fast as sysadmins, and new versions of WannaCry without the killswitch were soon propagating. In the high-profile case of the NHS, this allowed vital time for patches to be installed.
What systems are affected (and how can I protect myself)?
Any Windows system prior to Windows 10 can be affected, however just because you may have an operating system prior to Windows 10 doesn’t mean you can’t do anything to help prevent your chances of being infected by the malware.
Since the ransomware initially uses SMB to gain access, the best thing to do would be to disable SMB on your machine. If you absolutely need SMB within your environment then configure your firewall to disallow SMB access over the internet – this can be done by blocking TCP ports 137,139 and 445, as well as blocking UDP ports 137 and 138. Also make sure that you install any new security updates if you haven’t already, and be wary of any suspicious emails/links.
What to do if your systems are infected
Unfortunately, there’s not much you can do. Received wisdom within computer security suggests that you should never pay the ransom, as this would ultimately be giving the group what they want, re-enforcing this kind of behaviour. Also, others may be encouraged to follow suit upon seeing the supposed success of ransomware. Your best bet is to restore from backups. If you don’t have backups, can’t afford the Bitcoin ransom, or find out after you’ve paid that they’re not going to decrypt your files… well, you’ve just learnt the hard way.
The only thing you can do from now on, is to be more vigilant when it comes to the security of your systems, which leads to the next section….
How to be better protected... next time
Always keep your systems up to date
This is absolutely essential. Some of us are so quick to dismiss system updates but this event is a solid example as to why we shouldn’t. Patches are available for a reason – keep your systems safe.
Not only is patching your systems important but also make sure that you are using the most up-to-date systems as well, in regards to the most recent operating systems. WannaCry exploits vulnerabilities in older versions of Windows – Windows 10 is invulnerable to this exploit. Despite this, we do understand that not every business can simply upgrade their systems as soon as a new operating system comes out, but it’d be best to not skip more than 2 new iterations of an operating system. If you do (or even if you don’t), make sure that you’re always installing the latest security updates upon their release.
Make sure you have back-ups of important data
Whether that’s through having a second (or in some cases, third) back-up server to failover to, storing important data on an external drive, or storing data on a secure cloud platform. This helps to ensure that any important files aren’t completely lost.
Use anti-virus software
This will help you spot any malicious files or activity on your system, as they may not always be easy to spot yourself. Most anti-virus software also has scanning capabilities, which acts as a further check to ensure that you have no malicious files on your computer.
Maintain security awareness
Most ransomware infections, and malware infections in general, as a result of people clicking on stuff they shouldn’t. Do not click on suspicious any links or files. Think twice about every email you receive. Be wary of who is sending you the email and thoroughly check the email address of the sender – at first glance the email address might look legitimate but upon further inspection you might find that a letter is missing or that the address doesn’t follow the usual naming convention that you would expect.
All in all, the world needs to learn to adapt a new mentality towards computer security. Too many organisations simply dismiss the idea of a possible hack as it ‘may not happen to them’. But the problem is, very clearly, very real.
ISO 27001 and 9001 certified
Tigerscheme qualified testers
PCI DSS v3.2 Level 1
24/7 on-site Security
Get a quote today
If you’re interested in our services, get a free, no obligation quote today by filling out the form below.