WannaCry Ransomware: Dangerously Different

by Jason Matlock, Security Analyst, Sword & Shield Enterprise Security



This article originally appeared on the Sword & Shield Enterprise Security blog on May 15, 2017.


Friday, May 12, 2017, will be remembered for what was the largest ransomware attack in
internet history.

The world watched as critical systems were affected by a piece of ransomware called
WannaCry or Wcry for short.

By the time the dust settled, more than 200,000 computers in 150 different countries were
infected by WannaCry ransomware.

Thanks to a security researcher named MalwareTech, a kill-switch was discovered that
effectively stopped Wcry from spreading further. But, is it over?

As the weekend ended, the fear was that WannaCry would begin spreading again once people
returned to work and powered on their computers. In addition, there is a strong possibility that
new versions of either Wcry or another similar piece of ransomware will show up without the
kill-switch and cause another widespread infection.


Let’s take a quick look at how Wcry is spreading. For this, we need to turn back in time a bit to
the Shadow Brokers’ release of NSA exploits back in April, specifically to one named
“EternalBlue”, which we explained in a previous blog.

“EternalBlue” attacks a vulnerability in SMBv1, allowing a malicious person to remotely execute
code on the victim’s computer.

It seems that Wcry’s authors are using this vector as the initial entry into a computer where the
ransomware is then delivered and executed, infecting the machine.

Once a machine is infected, Wcry then scans for other computers on the network to infect. This
worm-like method of propagation is what allowed Wcry to infect so many computers in a
relatively short amount of time.
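The propagation behaviour described above has a network signature a defender can look for: an ordinary workstation talks to a handful of file servers on TCP/445, whereas a worm-infected host opens SMB connections to many distinct neighbours in a short window, most of them to addresses that do not even answer. The following detector is an added example written for this page, not code from the article or from Sword & Shield. The log line format, the sample log, and the window and threshold values are all assumptions constructed for the example; adapt the regular expression to whatever your firewall or flow collector actually emits.

```python
"""Flag hosts showing worm-style SMB fan-out in connection logs.

Added example (not from the original article). The log format below is a
constructed one:
    <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
Lines are expected in chronological order, as a log file normally is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def smb_fanout_alerts(lines, window_seconds=60, threshold=10):
    """Return {src: peak number of distinct TCP/445 destinations seen within
    any `window_seconds` window} for every source whose peak reaches
    `threshold`.

    Denied connections are counted on purpose: sweeping addresses that do not
    run SMB is itself the signal, so a firewall "deny" is evidence, not noise.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(deque)  # src -> deque of (timestamp, dst)
    peak = defaultdict(int)      # src -> highest distinct-destination count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 445:
            continue
        q = events[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        # Slide the window: drop events older than `window` relative to now.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct > peak[rec["src"]]:
            peak[rec["src"]] = distinct
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed sample log: one normal workstation and one host sweeping TCP/445.
SAMPLE_LOG = [
    # benign: 10.0.0.5 talks to its single file server every three seconds
    *[f"2017-05-12T09:00:{i * 3:02d} src=10.0.0.5 dst=10.0.0.10 dport=445 action=allow"
      for i in range(10)],
    # suspect: 10.0.0.77 touches 25 different neighbours in 25 seconds,
    # most of which reject the connection because nothing is listening
    *[f"2017-05-12T09:01:{i:02d} src=10.0.0.77 dst=10.0.0.{100 + i} dport=445 "
      f"action={'allow' if i % 5 == 0 else 'deny'}"
      for i in range(25)],
    # unrelated traffic on another port is ignored by the detector
    "2017-05-12T09:02:00 src=10.0.0.5 dst=10.0.0.10 dport=3389 action=allow",
]

if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB peers inside one window")
```

Run as a script it prints a single alert for 10.0.0.77; the workstation that keeps reconnecting to one server never exceeds a distinct-peer count of one, however many lines it produces. The sliding window matters: a host that legitimately contacts many servers over a whole day should not trip the rule, but a worm contacts them in seconds, so shortening the window and raising the threshold together is how you trade false positives against detection speed.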

In March, Microsoft released security update MS17-010, which addresses this SMB
vulnerability. At that time, the patch was only available for supported versions of the Windows
operating system, so anyone still running Windows XP, Server 2003, or Windows 8 remained
vulnerable.

Because of the widespread infection of Wcry, Microsoft revised their policy to support end-of-life
software and released patches for those operating systems on Friday.





58 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
