WannaCry ransomware in 150 countries – What makes this variant different?

Those who haven’t been living under a rock in recent days are familiar with at least one of these designations: Wcry, WannaCry, WanaCry, WannaCrypt, WannaCrypt0r, and Wana Decrypt0r. This is a ransomware variant that has infected many computer systems around the world and has caused significant damage in this way, for example by shutting down hospital systems in the United Kingdom . Ransomware infections are nothing new, so the question that arises in this case is what makes this variant different from other types.

WannaCry consists of two components: a ransomware component and a worm. The first component has been around for some time and was spotted by security company Trend Micro in April , for example . At the time, there was nothing special about the malware yet. That changed when the people behind the malicious software added a new component, which greatly increased the spread of the ransomware. Normally, everyday ransomware variants are capable of infecting network locations, but in the case of WannaCry, something else is going on.

Spread via Windows vulnerability

The worm component of WannaCry exploits a vulnerability in Windows systems, which is identified as MS17-010 . An exploit for the vulnerability was recently released in a dump by the Shadowbrokers, an individual or group that has long been publishing NSA hacking tools . Named Eternalblue, the exploit exploits a vulnerability in the SMB protocol, which could allow an attacker to remotely execute code on a vulnerable system. The exploit was most likely written by the NSA and was exposed by its publication. As a result, the code was available to everyone, including ransomware makers.

Once infection takes place, the ransomware encrypts important files on the computer and the worm component looks for vulnerable systems to further spread the infection. The SMB protocol is suitable for this, as its purpose is to make files and services accessible over the network. In office environments, the chance of using this service is therefore high.

Maarten van Dantzig, researcher at Dutch security company Fox-IT, explains  that the SMB exploit was most likely how the ransomware was initially spread. In addition, the malicious software targeted vulnerable systems that could be accessed via the internet. When asked whether distribution also takes place via phishing e-mails, Van Dantzig says: “No e-mail has yet been found that spreads this malware.” He goes on to explain that with each infection, the worm scans random IP addresses on the Internet to find more targets. This observation also emerges in an analysis by security company McAfee, which writes that the malware can also spread via the internet in this way. Kaspersky goesassumes the spread of WannaCry started on Thursday, given the number of probes to port 445.

patches

After the Shadowbrokers published the NSA tools, it turned out that Microsoft had already patched most of the vulnerabilities at the root of the various exploits in March . It is not yet clear who reported the leaks to the Redmond company. In addition, following the events surrounding WannaCry, Microsoft has decided to also release patches for operating systems that are no longer officially supported, such as Windows XP and Windows Server 2003. For users who have a vulnerable system and are unable to apply the patch it is also possible to disable the SMB service . Windows 10 users are not vulnerable.

The fact that a large number of systems have nevertheless become infected indicates that not all organizations have a working update policy, as civil rights organization Bits of Freedom, among others , scoffs . According to the organization, the fact that certain ICT environments are more complex than others does not mean that important security updates can be ignored.

The ransomware itself

If we look at the ransomware itself, it is a variant that encrypts various file types and provides the extension ‘wcry’. A pop-up then informs that decryption is only possible if victims transfer the equivalent of $300 worth of bitcoins to a specified address. In total, the malware uses three bitcoin addresses, in contrast to variants that create a separate address per infection. So far, about 29 bitcoin have been transferred to the three addresses , amounting to a total amount of about 46,500 euros. Other sources assume five different bitcoin addresses. Website Quartz has a Twitter botcreated that tracks live payments. Victims have three days to transfer the requested amount. The pop-up claims that the ransom will be doubled after that. Symantec recently calculated that the average price for decryption has risen sharply in recent years: from about 300 to almost 700 dollars.

Victims are advised not to pay the ransom. There are several reasons for this. For example, a payment maintains the revenue model of internet criminals, a general argument that is often used in the discussion about ransomware. In the case of WannaCry, there is an additional reason. For example , Hacker House researcher Matthew Hickey points out that decryption requests with this variant must be approved manually and that it is therefore unlikely that this will happen for all requests. Researcher Mikko Hypponen claims that some victims got their files back after paying. In the meantime, several third-party services appearing that offer decryption for WannaCry should be treated with suspicion. Onetool on GitHub makes it possible to recover encrypted files, but only if the victim has the RSA key.

No information has yet come out about the people behind the malware. As with other ransomware variants, it is difficult to assign responsibility. This is partly because the malware communicates via Tor and payments are made via bitcoin.

The remarkable thing about the current variant of the malware is that there is a URL in the code, which was discovered by security researcher MalwareTech . This URL is referred to as ‘killswitch’. The researcher himself raised the possibility that it is a weak attempt at analysis in a sandboxedenvironment, as it may prevent an unregistered domain from appearing as active. Once the malware connects to the domain, it does not encrypt files. Because the domain is now registered, MalwareTech may have prevented a large number of new infections. This happened without him knowing in advance what consequences registering the domain would have. A Twitter account that tracks activity from the Mirai botnet showed on Saturday that the botnet was deployed to launch a DDoS attack against the URL in question, though the effect was unclear.