Investigative Article: Stolen US hacking tools "Wanna Cry" are wreaking havoc across the world.
Spanning 150 nations and infecting over 200,000 computers, Everything you need to know about Wanna Cry ransomware. Feature length investigative article published on Venture Media.
Over the weekend an unprecedentedly large worldwide cyber attack took place, spanning across 150 nations, infecting over 200,000 computers. Cyber security experts warn that today could be cataclysmic as employees across the world return to work and boot up their computers.
So what exactly is 'Wanna Cry/Wanna Crypt/WanaCrypt0r/WannaDecryptor'?
Wanna Cry is a unique type of 'virus' that preys on an exploit in the Windows operating systems that don't yet have the most recent update.
The 'virus' is more specifically known as ransomware. Ransomware is a type of malware when downloaded encrypts the victims files, demanding a ransom to be paid (usually through anonymous digital currency Bitcoin) before the user affected can access their files again.
What makes Wanna Cry so unique is that the ransomware can spread from computer to computer, without a human being needing to take action - for example downloading a file that contains a virus, or clicking on an infected URL link.
Several cyber security analysts told the Financial Times a tool known as "Eternal Blue" was part of the massive trove of hacking tools leaked by the hacking group known as "The Shadow Brokers."
First coming to light in 2016, The Shadow Brokers announced to the world they had stolen a treasure chest of hacking tools developed by US spies working for the National Security Agency (NSA.) After failing in their attempts to auction off the tools, the hacking group released the exploits to the public.
Wanna Cry is a modified version of existing ransomware, now using the NSA exploit 'Eternal Blue' as a means to supercharge their malware. Essentially upgrading what was already a dangerous tool, to a weapon of mass destruction.
Upon becoming infected with the Wanna Cry ransomware, the victims files are encrypted and locked. A screen then pops up demanding a payment of between $300-600 in order to regain access to the victims files.
Upon execution of the malware, three questions pop up meant to serve as a poorly written FAQ guide on how to regain access to your files.
First answering, "What Happened to My Computer?"
The hackers statement responds "Your Important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service."
The malware screen then goes on to answer "Can I Recover My Files?"
"Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking <Decrypt>. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also if you don't pay in 7 days, you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months."
Lastly instructing victims on "How Do I Pay?"
"Payment is accepted in Bitcoin only. For more information, click <About bitcoin>. Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. And send the correct amount to the address specified in this window. After your payments click <Check Paypment>. Best time to check: 9:00am - 11:00am GMT."
The malware was first brought to light this weekend when we reported that a number of NHS hospitals had been infected, causing many services to be shut down, responding to emergencies only.
NHS Digital released a statement to LBC saying “At this stage we do not have any evidence that patient data has been accessed.”
“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.”
“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.”
By the end of the day major corporations also found themselves within the victim count.
European telecommunications company Telefónica and US delivery service Fedex also reported that a number of their computers had been infected by the ransomware Wanna Cry.
The main aim of this malware was not to target specific users, but to try and squeeze as much money as possible from as many victims as possible. Originally estimated to rake in millions in pounds, reports state the hackers have only so far made "$33,319.59" as of yesterday.
For computers that haven't yet been updated, an unsuspecting hero has saved the day.
A UK Cyber Security Researcher known only as "Malware Tech" has "accidentally" activated a kill switch reportedly stopping the spreading infection. The researcher explained to The Guardian: “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
After registering the domain the researcher reported that he noticed a large amount of incoming connections to the domain name. The hackers had coded in this "kill switch" in case they wanted to cease the world wide spreading infection. The Cyber Security Researcher went on to explain:
“The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.
“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it."
Fear not, the malware only infects computers that have not updated to the most recently updated Windows operating system. This event should show as a reminder to always keep your computer updated to the most recent operating system.
We spoke to a Cyber Investigations Consultant to find out more about the attack. Source requested to remain anonymous due to their line of work.
Venture: First of all I think one of the most worrying questions is, How were so many NHS hospitals infected, do they not have the security to prevent these kind of attacks?
Cyber Investigations Consultant: So the NHS, like almost all public sector bodies, struggle with funding. It's likely that funding actual healthcare takes precedence over IT infrastructure. As such, both hardware and software is often out of date or poorly maintained. They have basic security controls but no central security centre - each trust will have their own security policies. If they were a large private sector organisation they would likely have a Security Operations Centre, or 'SOC', with data being fed from servers, client systems, network devices - and analysts monitoring for alerts. Such a system is not in place.
I believe the NHS has a mandatory level of security that enables it to uphold security nationally but this time it wasn't enough. I mean, Microsoft released a patch for the vulnerability WannaCry exploited in March.
Most organisations will generally have a maintenance weekend where systems are down while updates are installed, about every three months. It's likely this patch was queued for the next round of maintenance - it's unfortunate that the attack hit before that happened.
Venture: Do you think the NHS will increase its security and update it's systems more frequently as a result of this attack?
Cyber Investigations Consultant: Yes - it's a big wake up call.
The recently set-up National Cyber Security centre is meant to be responsible for enforcing 'critical national infrastructure' cyber security. Usually that's power grids and nuclear plants, railway systems.
They'll likely be all over the NHS like a rash now to get them up to the same standard as critical infrastructure systems.
Venture: So in terms of national cyber security, how far behind are other public sectors security infrastructure?
Cyber Investigations Consultant: I couldn't possibly comment in detail, but generally the UK is hot on cyber stuff. Especially when it comes to military/critical infrastructure systems police systems are probably fairly weak. Though they run such basic systems it's hard for anybody to exploit them.
Venture: How likely are authorities to be able to track down who initiated this attack?
Cyber Investigations Consultant: Almost impossible technically. Tracking down with 1's and 0's will be nigh-on-impossible. But people are always the weak link, people brag. I doubt the 'attackers' knew how far this would spread.
Venture: In terms of damage, are we over the hump, or is the worst of Wanna Cry still to come?
Cyber Investigations Consultant: The coverage WannaCry has had in the news has forced almost all semi-competent infrastructure engineers to patch their systems.
There's likely be a surge today as people return to work from the weekend, bringing portable devices, personal devices, connecting them to corporate systems.
But even then, it hops around using a vulnerability in an old version of SMB so patched systems should be fine. The malware itself is fairly basic - it just found a pretty big hole and went ham on it.
Venture: What can people do in layman's terms to prevent common malware infections?
Cyber Investigations Consultant: So obviously anti-virus is all everyone knows, but Anti-Virus software will only prevent malware which has already been detected by AV vendors.
Having multiple Anti-Virus applications/databases is a good idea on corporate systems because different vendors will have different databases which pick up different things.
Prevention - the usual - don't click dodgy links, don't install dodgy applications, be aware and ultimately always back your stuff up if it's important. Windows 10 has good security built in. It's Windows Defender Anti-Virus is usually pretty good and it's firewall is by default quite tight
Corporate systems - SIEM tools, intrusiton detection systems, file integrity monitors.
Venture: What advice do you have to people that are infected with ransomware?
Cyber Investigations Consultant: If you notice it starting to encrypt, pull the power immediately. Ransomware runs in memory - if there's no power, it can't run. You can then get your files back by whipping the hard drive out and copying them over, or booting to an alternate operating system/command line.
If the system can't be shut down, kill the process immediately. WannaCry wasn't clever enough to block command line or powershell consoles, so a simple 'stop-process' or wmic process kill did the trick.
If it's already been infected, wipe the system and restore from one of those regular backups you keep (right?)
It's very unlikely a decryption program will be released but there have been some in the past.
If your files really are important you could pay the money - you'll likely actually get the decryption key.
These attackers run ransomware as a business - sometimes as a service (RaS) - if they didn't give genuine keys when people paid then nobody would pay.
But obviously I don't condone anybody funding these people - they're generally behind a lot of disturbing stuff.
