Stolen government hacking tools, unpatched Windows systems, and shadowy North Korean operatives made WannaCry a perfect ransomware storm
WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.
A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.
How does WannaCry infect PCs?
The attack vector for WannaCry is more interesting than the ransomware itself. The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol, specifically the old SMBv1 dialect. SMB is the protocol Windows hosts use to share files and printers with one another over the network (TCP port 445), and Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code. Because SMB is reachable from other machines without any user interaction, a flaw in it is exactly what a worm needs: WannaCry scans for hosts listening on port 445 and infects them directly.
It is believed that the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed code to exploit it, called EternalBlue. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it
Even if a PC has been successfully infected, WannaCry won’t necessarily begin encrypting files. That’s because it first tries to reach a very long, nonsensical URL; if it can connect to that domain, WannaCry shuts itself down. It’s not entirely clear what the purpose of this functionality is. Some researchers believed this was supposed to be a means for the malware’s creators to pull the plug on the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult. Many researchers run malware in a “sandbox” environment that fakes the internet, so that any URL or IP address appears reachable; by hard-coding into WannaCry an attempt to contact a nonsense domain that wasn’t actually expected to exist, its creators hoped to ensure that the malware would quietly exit in a sandbox and never go through its paces for researchers to watch. In practice the check worked against them: once Hutchins registered the domain, every newly infected machine that could reach it stopped before encrypting anything. Two caveats follow for defenders. The check only protects hosts that can open a direct connection to the domain, so machines that can only reach the web through a proxy the sample does not use carry on regardless, and blocking the “kill switch” domain at a firewall or proxy removes the protection rather than adding any.
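The decision logic described above, as an added example that is not code from the original article or from the WannaCry sample itself. The network layer is injected so the same check can be run offline against several constructed environments: the open internet before the domain was registered, an analysis sandbox that answers every request, the internet after the domain was sinkholed, and a host that can only reach the web through a proxy the sample ignores. The domain name is a placeholder, not the real hard-coded URL.

```python
# Added example (not from the original article): a model of WannaCry's
# kill-switch check with the network layer injected, so the same decision
# logic can be exercised offline against constructed environments.
# KILL_SWITCH_URL is a placeholder (assumption), not the real hard-coded URL.
import urllib.request
from urllib.error import URLError

KILL_SWITCH_URL = "http://kill-switch-placeholder.invalid/"   # placeholder, not the real domain


def kill_switch_triggered(fetch, url=KILL_SWITCH_URL):
    """Return True if fetching the URL succeeds, i.e. the sample should exit.

    Only connection success matters: the HTTP status and body are ignored,
    so any answer at all counts as "reachable".
    """
    try:
        fetch(url)
    except OSError:          # URLError is an OSError: NXDOMAIN, refused, timeout, no route
        return False
    return True


def decide(fetch):
    """What the sample does next in the environment that `fetch` models."""
    return "exit" if kill_switch_triggered(fetch) else "spread_and_encrypt"


# --- constructed network environments (no real traffic is generated) ---

def open_internet_unregistered(url):
    """May 2017 before the domain was registered: the name does not resolve."""
    raise URLError("NXDOMAIN")


def analysis_sandbox(url):
    """A sandbox that fakes the internet: every name resolves and every request is answered."""
    return b"<html>fake ok</html>"


def internet_after_sinkhole(url):
    """After the domain was registered and sinkholed: it answers every request."""
    return b""


def behind_proxy_without_proxy_support(url):
    """Host reaches the web only via a proxy the sample never uses:
    a direct connection fails even though the domain now exists."""
    raise OSError("connect: network unreachable")


def live_fetch(url, timeout=5):
    """Real HTTP fetch, for reference only; the scenarios above never call it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for env in (open_internet_unregistered, analysis_sandbox,
                internet_after_sinkhole, behind_proxy_without_proxy_support):
        print(f"{env.__name__:36s} -> {decide(env)}")
```

The sandbox and the sinkhole look identical to the sample, which is the whole point of Hutchins’s reading: a check meant to defeat fake-internet sandboxes is indistinguishable from a remotely operated off switch once someone owns the domain. The proxy scenario shows why hosts on a locked-down corporate network could still be encrypted after the sinkhole was live.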
WannaCry and Windows 10
Microsoft released a patch (MS17-010, March 2017) for the SMB vulnerability that WannaCry exploits two months before the attack began. While unpatched Windows 10 systems were vulnerable,
A key reason why Boeing was able to recover so well was that patches for the vulnerabilities that WannaCry exploits were readily available. The fact that they weren’t already in place before the attack explains why WannaCry can still do damage more than a year later. Few organizations are effective at keeping up
All EternalBlue-based malware exploits the same Windows vulnerability, so the fact that these attacks are increasing suggests that plenty of unpatched Windows systems are still out there. It’s only a matter of time before an attacker finds them.
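Finding those hosts before an attacker does starts with the precondition every EternalBlue-based sample shares, described earlier on this page: the target must still answer SMBv1 on TCP port 445. The probe below is an added example, not the article’s or any tool’s own code. It sends a single SMB_COM_NEGOTIATE request offering only the NT LM 0.12 dialect and classifies the reply; the sample reply used for offline checking is constructed, not captured traffic. Two caveats: a host that offers SMBv1 is exposed to the attack surface but is not thereby proven to be missing MS17-010 (a patched host can still have SMBv1 enabled, and confirming the patch needs a different check), and the probe must only be pointed at hosts you are authorized to scan.

```python
# Added example (not from the original article): a minimal SMBv1 negotiate
# probe for inventorying hosts that still offer SMB1 on TCP/445.  SMB1 being
# offered is the precondition EternalBlue needs, not proof that MS17-010 is
# missing; a host can have SMB1 enabled and still be patched.
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"          # the only SMB1 dialect we offer


def build_negotiate_request():
    """SMB_COM_NEGOTIATE request offering one SMB1 dialect, inside a NetBIOS session header."""
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)   # Command
        + struct.pack("<I", 0)                    # Status
        + struct.pack("<B", 0x18)                 # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC853)               # Flags2: unicode, NT status codes, long names
        + struct.pack("<H", 0)                    # PIDHigh
        + b"\x00" * 8                             # SecurityFeatures
        + struct.pack("<H", 0)                    # Reserved
        + struct.pack("<H", 0)                    # TID
        + struct.pack("<H", 0xFEFF)               # PIDLow
        + struct.pack("<H", 0)                    # UID
        + struct.pack("<H", 0)                    # MID
    )                                             # 32-byte SMB1 header
    dialects = b"\x02" + DIALECT + b"\x00"        # SMB_Dialect: 0x02 prefix, NUL-terminated name
    body = struct.pack("<B", 0) + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount
    smb = header + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb   # NetBIOS: type 0, 24-bit length


def parse_negotiate_response(data):
    """Classify a raw reply.  'smb1': the server spoke SMB1 at all;
    'dialect_accepted': it selected NT LM 0.12 (DialectIndex 0, WordCount 17)."""
    nope = {"smb1": False, "dialect_accepted": False}
    if len(data) < 4 + 32 + 3:                    # NetBIOS + SMB header + WordCount/DialectIndex
        return nope
    smb = data[4:]                                # skip the NetBIOS session header
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return nope                               # SMB2 (\xfeSMB), junk, or wrong command
    word_count = smb[32]
    dialect_index = struct.unpack("<H", smb[33:35])[0]
    # DialectIndex 0xFFFF (with WordCount 1) means none of the offered dialects was accepted
    accepted = word_count == 17 and dialect_index == 0
    return {"smb1": True, "dialect_accepted": accepted}


def probe_smb1(host, port=445, timeout=3.0):
    """Send the probe and classify the reply.  A reset, timeout or empty reply
    all mean the host did not offer SMB1 on this port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(1024)
    except OSError:
        return {"smb1": False, "dialect_accepted": False}
    return parse_negotiate_response(data)


def constructed_reply(dialect_index, word_count=17):
    """Constructed sample reply (not captured traffic) for offline checking."""
    smb = (SMB1_MAGIC + struct.pack("<B", SMB_COM_NEGOTIATE) + struct.pack("<I", 0)
           + struct.pack("<B", 0x98) + struct.pack("<H", 0xC853) + b"\x00" * 20   # rest of header
           + struct.pack("<B", word_count) + struct.pack("<H", dialect_index) + b"\x00" * 32)
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


if __name__ == "__main__":
    # usage: python smb1_probe.py HOST [HOST ...]   (only against hosts you are authorized to scan)
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

A host that answers with `dialect_accepted: True` still speaks SMBv1 to anyone on the network and belongs on the list of machines to patch and to have SMBv1 disabled on; a reset or silence means the service is off or filtered. Treat the result as scoping input for the patch work the passage above calls for, not as a vulnerability verdict.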