Cengage Technology & Computing Blog
WCry Ransomware
Mark_Ciampa
Frequent Commentator
Information Security
Private Security
‎05-17-2017 01:59 PM

Over the past few days a malicious attack has shut down computers around the world. However, the quick actions of a security researcher prevented it from becoming a major catastrophe.

This global attack distributed one of the fastest-growing types of malware, known as ransomware. Ransomware prevents a user's device from functioning properly and fully until a fee is paid. The ransomware embeds itself in the computer in such a way that it cannot easily be bypassed: it installs itself to run at startup, so even rebooting causes the ransomware to launch again.

Ransomware continues to be a serious threat to users. One recent report estimated that $1 billion was paid in ransoms in one year, yet only 42 percent of those who paid could then retrieve their data. Enterprises are also prime targets: a recent survey revealed that almost half of all enterprises have been the victim of a ransomware attack. Several recent, well-publicized ransomware attacks with higher ransom demands were against:

  • Hollywood Presbyterian Medical Center ($17,000)
  • Los Angeles Valley College ($28,000)
  • San Francisco's Municipal Transportation Agency ($73,000).


Crypto-Malware


An even more malicious form of ransomware has recently appeared. Instead of just blocking the user from accessing the computer, this ransomware encrypts the user's files on the device so that none of them can be opened. This is called crypto-malware. A screen appears telling the victim that the files are now encrypted and that a fee must be paid in order to receive the key that unlocks them. Threat actors also increase the urgency to pay: the price of the key rises every few hours, or a number of the encrypted files are deleted every few hours, with the number continually increasing. And if the ransom is not paid promptly (often within 36 to 96 hours), the key can never be retrieved. Because the encryption itself is usually implemented correctly, the practical defense is an offline or versioned backup, not an attempt to break the cipher after the fact.

On Friday (May 12, 2017) a new strain of crypto-malware ransomware suddenly appeared around the world, locking up computers at banks, hospitals, telecommunications providers and transportation agencies, as well as users' personal computers. The malware, known as Wanna, WannaCry, or WCry, initially infected at least 75,000 computers in at least 74 countries. Russia had the highest number of infections by a wide margin, followed by Ukraine, India, and Taiwan. Infections also spread through the United States. The WCry ransom was $300 in Bitcoin, and users had three days to pay before it doubled to $600; if they did not pay within one week, the ransomware threatened to delete the files altogether.

EternalBlue


Two elements made this attack unusual. First, the ransom note was written in over two dozen languages, so it was clearly intended to be a global attack. Second, the ransomware did not rely on victims opening an attachment: it spread on its own, like a worm, by exploiting a flaw in the Windows file-sharing (SMBv1) service with an exploit called "EternalBlue." EternalBlue was developed by the National Security Agency (NSA), which used it as part of its own arsenal for attacking and spying on other nations. The EternalBlue code was stolen from the NSA and leaked to the world last month by a group calling itself the Shadow Brokers. The WCry ransomware copied large sections of EternalBlue virtually verbatim, which is why a single infected machine could go on to infect every other unpatched machine it could reach over SMB.

In the initial hours of the attack, widespread concern quickly grew that it would cripple computers around the world and become a major cybersecurity incident. However, just as quickly as it started, it suddenly died down. What happened?

How Was This Attack Taken Down?


A British security researcher who was following the initial attack obtained a sample of the malware and quickly analyzed it. He saw that the malware tried to contact a domain that was not registered, which looked like an attacker's command and control (C&C) server. Following the normal practice of security researchers who try to limit attacks (known as sinkholing), he promptly registered the domain so that he, and not the attackers, controlled it. As it turned out, this was a major stroke of luck. The attackers who wrote the code had included a check that was probably meant to detect analysis sandboxes, which often answer every web request: before doing anything else, WCry attempted an HTTP connection to that specific domain. If the connection did NOT succeed, the ransomware leapt into action and locked up the computer; if it DID succeed, the malware simply exited. By registering the domain and keeping it answering, the British researcher turned that check into a kill switch: every new instance of WCry that could reach the domain directly connected to it and did nothing.

One caveat matters for defenders. The connection attempt ignored the system's proxy settings, so machines that can only reach the internet through a proxy, or that have no internet access at all, failed the check and were still encrypted. Those machines were protected only by the patch.

This significantly crippled WCry. Because Bitcoin transactions are public, anyone can watch the three wallets hard-coded in the malware: as of the start of this week (May 15, 2017), only 263 payments had been made to them, earning the attackers only about $71,000. This is a far cry from what could have happened.

So what are the lessons learned?


As with many attacks, WCry's initial success rested on an oft-repeated mistake: not keeping computers patched. The Windows vulnerability that WCry exploited, in the SMBv1 file-sharing protocol, had already been patched on March 14, 2017 (Microsoft security bulletin MS17-010); Apple computers are not affected. Had users and administrators applied that patch, WCry could not have spread as it did. Microsoft also took the unprecedented step of releasing a patch for Windows XP, Windows 8 and Windows Server 2003, even though those versions are no longer supported.

Apply the Patch Now


It appears that some variants of WCry are circulating without the "kill switch," so vigilance is still the word. If you have a Windows 10 computer you can apply the patch here, and if you have an older Windows version you can apply the patch here. If a machine cannot be patched right away, disabling SMBv1 on it, or blocking inbound TCP port 445 at the network edge, removes the path WCry uses to spread.
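As an added example (not code from the original post, and not Microsoft's own tooling), the following PowerShell checks a Windows host for the two things that stop WCry from spreading: the March 2017 update being installed and SMBv1 being switched off. The function names are mine, and the KB numbers are only a sample for Windows 7 SP1 / Server 2008 R2; the full per-OS list must be taken from the MS17-010 bulletin. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: check a Windows host for the
# March 2017 fix that closes the SMBv1 hole WannaCry spreads through
# (bulletin MS17-010) and for whether SMBv1 is still switched on. Run elevated.

# ASSUMPTION: sample KB IDs only (security-only update and monthly rollup for
# Windows 7 SP1 / Server 2008 R2). Take the full list for your OS from MS17-010.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched    = ($matched.Count -gt 0)
        MatchedKbs = $matched
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side SMBv1 switch directly
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: registry value documented in Microsoft KB2696547;
    # if the value is absent, SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2; takes effect after a reboot
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$patch = Test-Ms17010Installed
$smb1  = Test-Smb1Enabled
"MS17-010 update present : $($patch.Patched) ($($patch.MatchedKbs -join ', '))"
"SMBv1 server enabled    : $smb1"

if (-not $patch.Patched) {
    Write-Warning 'No MS17-010 KB found. Install the update for this OS before anything else.'
}
if ($smb1) {
    Write-Warning 'SMBv1 is enabled; it is the protocol WannaCry spreads over.'
    # Disable-Smb1Server   # uncomment after confirming nothing legacy still needs SMBv1
}
```

Two caveats: on Windows 10 the March fix ships inside a cumulative update that later cumulative updates supersede, so Get-HotFix may not list the original KB on a fully patched machine; there, compare the OS build number against the bulletin instead. And disable SMBv1 only after confirming that no legacy device on the network (older NAS boxes, printers, scanners) still depends on it; on Windows 7 the registry change takes effect after a reboot.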


To read the technical details of the attack, you can go here.

To read the British researcher's own account of the attack, go to the Ars Technica site here.

Stay secure!

2 Comments
Admin
Psychology
Expert
Podcasting

Thanks for this info, Mark. I'm on a Mac - do you think this kind of malware hack is eventually going to hit Macs?

Mark_Ciampa
Frequent Commentator
Information Security
Private Security

Hi, Michael:

Thanks. I'm afraid "eventually" is already here: ransomware attacks on Apple Macs have been around since last year.


As long as we're talking about Apple Macs (which are great products), here's my story.


Last month I was on an airplane flying to a city to make a security presentation. I happened to be seated next to a young lady, and we struck up a conversation. She had a PhD in chemistry and was a director for a pharmaceutical firm that was involved in developing several new drugs (pretty impressive). When she asked why I was traveling and I told her, she pulled out her Apple iPhone and said something like, "Tell me about security. Apples are safer, aren't they?"

Maybe she will hear about what happened recently. Over a four-day period earlier this month (May 3-6, 2017) attackers compromised a download server for the popular open source media-encoding software HandBrake (it is used to rip a film from a DVD). Despite the fact that HandBrake versions are available for Linux, Apple macOS, and Microsoft Windows, attackers chose to compromise only the Apple Mac version of HandBrake. Unsuspecting users who downloaded the Mac version received a Trojan that installed the malware Proton. Proton, which is reported to be selling for $63,000 on attacker dark web sites, offers a range of features, including a keylogger that has the ability to silently turn on the computer's webcam and upload videos and screenshot images, a backdoor with remote login access, and the ability to steal files.

Once the compromised HandBrake was downloaded and installed, the victims of this latest attack were instructed to enter their Mac administrator password. This was then uploaded to a command and control or C&C server controlled by the attackers. The malicious software then transmitted several sensitive files to the C&C server. These files included web browser data (that stored form auto-fill data), password keychains, and even the vaults for the password manager 1Password. Because the attackers were able to steal the user’s password (by asking for it), they could then unlock the keychains and perhaps even compromise other passwords to decrypt files.


And on top of it all, because it was a zero-day attack (meaning there was no prior warning), none of the 55 most widely used Mac antivirus products detected it.

The infected HandBrake site was one of two from which users could download the infected app, so it's hard to say precisely who may have been a victim. And if a user was attempting to update an older version of HandBrake (0.10.5 or earlier) by downloading this app, they too may have been infected (versions 1.0 and higher are OK). If you think you may have downloaded HandBrake during this time, you can also look for the process "activity_agent" in the OS X Activity Monitor; if it's there, you are indeed infected. Another way is to look for the file "proton.zip" in the ~/Library/VideoFrameworks folder.

HandBrake certainly isn't the first Mac Trojan. Last year the Transmission torrent app was similarly compromised to deliver ransomware to Apple Mac computers. And for a long list of recent Apple security vulnerabilities and patches you can go to https://support.apple.com/en-us/HT201222

Of course, such attacks are not isolated to Macs. Earlier this month Microsoft revealed that an unnamed editing application for Windows was used to infect companies in the financial and payment processing industries.

So what did I tell my airplane seatmate who asked the question, "Apples are safer, aren't they?" I smiled and tried to briefly explain that Macs, Windows and Linux systems all have their fair share of security vulnerabilities. The worst thing you can do is to think that your computer is safe and secure. That only leads to complacency and relaxed vigilance, which opens the door for attacks to flow in.


I hope that my airplane partner saw this news. Maybe I can find the business card she gave me and send her this information.

You can read HandBrake's information about the attack at https://forum.handbrake.fr/viewtopic.php?f=33&t=36364


Stay secure!


Mark