WannaCry

WannaCry: An In-Depth Look at What Happened and How to Prepare

Posted by · May 18, 2017 9:42 am

Friday morning, the world came face-to-face with a new ransomware threat named WannaCry. The exploitative malware affecting organizations in over 150 countries, quickly spread through systems and navigated its way past security gaps. Though it wasn’t a targeted attack on any particular company, institutions using Microsoft operating systems no longer supported by Microsoft security updates found themselves most vulnerable.

We wanted to take a more in-depth look at this attack, at how it occurred, vulnerabilities users may not be aware of, and ways to preemptively protect against these types of attacks in the future. So we reached out to one of our leading community experts on the topic, Thomas Zucker-Scharff, for a detailed look at this recent global attack.

Experts Exchange: What is your position and expertise with ransomware mitigation?
Thomas Zucker-Scharff: I am currently working as an IT specialist in a cancer center. Although my actual job includes much more than malware mitigation/prevention, it seems to have become a large part of what I do on a daily basis. With the current state of malware (in which ransomware is only one component), I am constantly either preventing computer “fires” or putting them out.

Over the years I have read and assembled hundreds of whitepapers on computer security in general, and ransomware in particular. Currently, my office is a display case for computer security and ransomware posters and information, and this has been the case for a few years now.

EE: What ransomware protection methods are you most passionate about?
TZS: I feel fervently, and have for some time, that ransomware is not another minor annoyance but rather something that should be prevented at all costs. The easiest way to deal with a ransomware problem is not to have it in the first place. Barring that rather rosy scenario, the best solution when hit by ransomware is a complete erasure and restore from a versioning backup that was recently tested. I feel this to be the preeminent method of battling any malware infection.

EE: The WannaCry ransomware attacked an older, end-of-life version of Microsoft, no longer supported in security updates. How can people working for institutions with outdated programs protect their files?
TZS: There are many ways in which one can protect oneself to begin with. It is probably best to start there, since one will not have a problem if it is prevented. So what steps can anyone take? Some are rather simple and in some cases free.

  1. Although it only protects you from one variant of ransomware, it is worth creating a blank text file called myapp.txt, putting it in the root directory of your boot drive (c:\) and renaming it to myapp.exe. Be sure that you can see the extensions of your files, so that you don’t end up with a file called myapp.exe.txt. This is similar to installing the Russian language option on your computer. In both cases, the ransomware variant in question will check for a certain component (myapp.exe or the Russian language installation) and if it is found the ransomware will not execute. In the latter case, the ransomware will actually self destruct.
  2. Although you can also buy this application, running the free version is a step in the right direction. The program is called Cryptoprevent and it is from FollishIT.com. Just run the basic install and let it sort through your current applications to determine which software applications are permitted to be running on your computer.
  3. Run a program similar to WinPatrol Plus which monitors files and folders on your machine to detect unusual behavior and warns you before changes can be made.
  4. Run a dedicated anti-ransomware tool (this is in addition to your current Antivirus or Endpoint solution), WinPatrol Anti-Ransomware (WAR), BD Anti-Ransomware, MBAM Anti-RansomWare (MBARW) beta, Sophos Hitmanpro.Alert/CryptoGuard/InterceptX, and Kaspersky Anti-Ransomware for Business are just a few of them.
  5. The most important aspect of your anti-ransomware protection is far and away your backups. Do not underestimate the power of offline backups, they can save your company literally millions of dollars.
    1. Versioning: Make sure you use a versioning backup solution (Code42’s Crashplan and Druva’s inSync come to mind). This will allow you to go “back in time,” like Time Machine for the MAC, so you can recover your files from an unencrypted backup. MACs should use two Time Machine drives, with the same procedure as delineated below.
    2. Multiple Copies: Whether you are doing this yourself for a single computer or for your company for a datacenter, you will still need to keep two copies of your backups current and tested. One should always be offline, while the other is “online”, then flip the sequence.
    3. Test, test, test, test and test some more. All backups should be tested regularly by attempting to restore at least some files. A backup you cannot restore is useless.

EE: How do programs like WannaCry succeed in undetection?
TZS: There have been many malware incursions that target/use unpatched systems and software. The most recent of these was the WannaCry attack. Although it was amateurish at best, it worked well enough to bring down a significant amount of systems.

The best method of protection in such a scenario is to use some of the prevention methods I outlined above. Endpoint security will generally catch most things with the heuristics built into the programs. Multi-layered security protocols are another good preventative method. As long as only one endpoint solution is doing active scanning/on-access scanning, you can use multiple solutions so that if one does not catch the culprit, the other may. On top of that using other applications to warn you of changes is helpful.

Many think of ransomware attacks as complex, but WannaCry was very simple in its approach. Why is this important?
Some of the best protection can come from using the Principle of Least Privilege (POLP) to its fullest advantage. This means that hardly anyone should be logging into a machine for daily use as the administrator. A standard user with a few extra privileges, or with knowledge of the local administrative password, should not have any problems.

Using products, whether they be Operating Systems or software, that are no longer being patched is largely unnecessary. Many of the circumstances where this is done a substitute can be put in place instead. For instance, instead of running Windows XP, run a Linux distribution like Ubuntu and run Windows XP in a virtual machine.

One of the biggest “problems” that IT departments have is mitigating the “human factor.” What does that mean? If a user, knowingly or unknowingly, agrees to let a program make changes to their computer without knowing why it is doing so, the battle against any malware incursion has been lost. User education is one of the most important features of any security policy. If users don’t know what to look for, then we can’t blame them for missing it. A user who clicks on a link or opens an attachment in an email has bypassed most security measures. One can mediate this, but it becomes more cumbersome to the user. Faronics’ Deepfreeze software is excellent for this. It creates a pristine image of your system and every time you reboot you are back to the same image. The problem is that ANY changes made while the computer is in the “frozen” state, are lost on reboot. The benefit is that if you do get encrypted or attacked in any way, all you need to do is reboot.

EE: How did the network exploitation vector used in this attack allow the ransomware to spread?
TZS: A complete explanation of how the SMB vector was used in the attack can be found here.

EE: Is there still a lingering risk with WannaCry? If so, how would you recommend individuals proactively safeguard their files and hardware?
TZS: I have been asked a number of times in the past few days if people who have not been hit need to worry. I tell them yes, it may not be this particular version/variant that gets onto their computers, but something will. In terms of this particular “attack,” by all reports it was a mistake. The WannaCry ransomware was poorly written. How was it poorly written?

  1.  There was a URL Killswitch, embedded into the code, that basically stopped the attack completely.
  2.  The software did not, as most ransomwares do, have an automated way to collect the Bitcoin ransom they requested.
  3. The creators of WannaCry made it so they would have to manually send out a different key to each person who paid the ransom.

More than anything it seems this was either released before it was ready or just had a greater spread than what was anticipated. So do we have to worry about WannaCry, or more specifically this version of WannaCry, hitting us again? This is not likely, given what is known so far.

Part of the general malware problem that was made clear with this ransomware variant is the increasing use of either Ransomware as a service (RaaS) or ransomware “kits” by ransomware purveyors. One can easily buy precoded ransomware on the dark web. This, unfortunately, makes it a lot easier for criminals to use and profit from ransomware. This was a precoded piece of ransomware that was not completely finished when it was released.

According to this report by Matthew Hickey, a researcher at London-based security firm Hacker House, “the malware doesn’t automatically verify that a particular victim has paid the demanded $300 bitcoin ransom by assigning them a unique bitcoin address. Instead, it provides only one of four hardcoded bitcoin addresses, meaning incoming payments don’t have identifying details that could help automate the decryption process. Instead, the criminals themselves have had to figure out which computer to decrypt as ransoms come in, an untenable arrangement given the hundreds of thousands of infected devices.”

Experts Exchange member Andrew Hancock had the idea to track these bitcoin wallets through this twitter feed, or by following each separate wallet, for the latest update on the total amount collected.

The separate links are as follows:
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

At the time of this article being published, the total has reached:

EE: Is the threat greater or different for at-home tech users, and how can they protect their personal devices?
TZS: I believe that home users should be more concerned than users at work. At home you don’t have an IT department to constantly think about and deal with problems such as these. Most of the suggestions I have made can be easily implemented by the average home user.

Probably the best thing to put in place at home is to purchase one of the pieces of dedicated anti-ransomware software I suggested above. They all have a little bit of a learning curve. The best, in my opinion, is Sophos’s Hitmanpro.alert/Cryptoguard (InterceptX is an entire product that uses the same technology). I have used hitmanpro.alert on my own computer for several years now, even before Sophos purchased Surfright, which originally created the software. Training the software is fairly simple, it will pop up with questions as it learns what you use and how you use it. The software then takes care of virtually everything you need when it comes to malware protection.

EE: How can those affected by WannaCry mitigate the attack without paying the ransom?
TZS: One thing that has been learned is that paying the ransom in most cases of ransomware infections is immoral but in this case it is worse. Since there is no way for the creators of the ransomware to known exactly who paid them, the chances of paying and getting a working decryption key is less than likely. So how can one retrieve one’s files? The best ways I have already delineated. There is one other solution that anyone who has been caught by the WannaCry ransomware should watch for: Keep any eye on decryptors at the No More Ransom Project page at nomoreransom.org.

EE: How will your featured Course of the Month for June equip attendees with a better understanding of ransomware’s dangers and protection techniques?
TZS: I go into the nuts and bolts of ransomware and how you can mitigate against it in my course on Ransomware, which will be a June Course of the Month, “How to Prepare for and Navigate a Ransomware Attack”, here on Experts Exchange. After this course you will be able to more fully understand how ransomware can get into your systems and how to prevent such an occurrence. At the end of the course, I have links to a sampling of the tools I use to mitigate all malware attacks, including ransomware.

For more information on what the experts are saying about this attack, visit the discussion online.