Last Friday, over 230,000 computers in 150 countries experienced the wrath of a well-coordinated ransomware attack, known as WannaCry. The virus locked up data on computers, affecting hospitals, private institutions, and private citizens, demanding ransom payments for the release of their data.
What is Ransomware?
Ransomware is a malicious piece of software often used by cyber criminals to extort money from their victims. Oftentimes, a user can be tricked (phished) into running this piece of malicious software. The software will scan the contents of the user’s computer and encrypt them. The attacker will then demand money for the decryption keys. This amount for a single computer often ranges from $50 to hundreds of dollars.
In the last year or so we’ve seen an expansion of these types of attacks targeting companies instead of individual users. The ransomware is the same, but the infection mechanisms are more advanced. When targeting a company, the attackers will use an initially infected machine as a beachhead for infecting other computers on the network, often targeting sensitive assets like file servers or authentication services.
What happened last week?
Last week’s attack was a bit different from the usual ransomware incident. Ransomware has traditionally been delivered via phishing, infecting individual computers one at a time. Here, the initial vector for delivering the ransomware was a wormable vulnerability in a common listening service. This means that once a single host is infected, that host can then infect any other host it has access to, exponentially growing the number of computers potentially compromised.
State actors were involved with this attack. Ransomware has traditionally been a tool used by criminal entities. It’s anybody’s guess, as attribution is very difficult in the cyber domain, but my guess is on North Korea, Russia, or entities affiliated with them. The thing everyone is pretty sure of at this time is where the exploit (the software allowing the infection in the first place) came from. The exploit was leaked as part of the “Shadow Brokers” incident a few months ago. The leak alleges the exploits, including this one, came from the National Security Agency and were used by the United States government for offensive operations against foreign targets.
Who’s at risk?
Anyone running computers that aren’t regularly updated (patched) is the most basic answer. This attack specifically targeted Windows-based computers that had a known vulnerability on a listening service (i.e. other computers can connect to that service for things like file sharing). What was interesting was how many unpatched computers were publicly accessible on the Internet. These services would normally only be available on an internal network.
While it’s common to have a single computer on an internal network infected with ransomware, the mechanism this malware used to infect other hosts made it wormable. This greatly increased the impact: once one machine was infected, it was able to rapidly spread to all the other machines on the network.
Here’s how to protect yourself: Patch. Patch. Patch. Keep Windows Update on and patching automatically; this is the default on Windows 10. And don’t think that because you have a Mac you’re in good shape. Microsoft released a patch two months before this worm broke out, and many Mac users are months behind on their own updates and could be susceptible to an issue like this in the future.
An additional mitigation is to enable two-factor authentication on services you care about and to create robust backups periodically. If you do get hit with ransomware, you’ll be able to recover your data and won’t have to worry about it spreading to other services you care about.
UPDATE: According to Bitdefender, as of today (5/19/2017), the same group that leaked the exploit (the tool used to deliver the ransomware) has announced they are creating a new service to monetize additional exploits they claim to have. Given the group’s track record, it is likely they have additional exploits like the one used in WannaCry. Don’t be shocked to hear about another leak in the coming months from the Shadow Brokers or their new Shadow Brokers as a Service (SBaaS) offering.
John Terrill is a seasoned information security executive who is the founder of Drawbridge Networks (currently a Grand Central Tech company). Drawbridge Networks was recently acquired by OPAQ Networks, where John is now leading security strategy and the cyber defense program. Prior to Drawbridge, John was the Global Head of Application security at BlackRock. Follow him at @youbetyourballs.