Reflecting on the WannaCry ransomware attack: a lesson learned, and why most organizations still ignore it.
In the early afternoon of Friday, May 12, 2017, the media broke the news of a global attack by malicious code that encrypted the data held on information systems and demanded a cryptocurrency ransom to recover it: the WannaCry ransomware.
Italy was also affected, though only marginally. The case was handled by the Postal Police's National Cybercrime Centre (CNAIPIC, https://www.commissariatodips.it/profilo/cnaipic/index.html), which issued a timely alert (https://www.commissariatodips.it/notizie/articolo/attenzione-false-e-mailmessaggi-relativi-ad-assunzioni-in-enel-green-power/index.html) recommending, on the day of the event, a few useful actions to prevent further spread.
The ransomware, described in the Microsoft bulletin https://www.microsoft.com/en-us/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/, once it has reached a machine (whether through phishing and social engineering delivered by email, or directly from public networks by exploiting a protocol flaw in exposed devices) proceeds to:
- Encrypt the computer's data. The scheme is hybrid: each file is encrypted with a symmetric key, and those keys are protected with RSA public-key (asymmetric) encryption, so the data cannot be recovered without the matching private key;
- Spread within the affected network using the exploit known as EternalBlue, leaked NSA code that abuses a vulnerability in the SMB (Server Message Block) network file-sharing protocol used by Microsoft Windows systems.
Chain of infection
The infection chain is divided into four stages:
- The malware is installed by a dropper, executed either by opening the attachment of a deceptive email (for example a fake PDF or DOC file) or, with no user interaction at all, directly over the network by exploiting the SMB vulnerability described above.
- Once on the machine, the dropper attempts to connect to a specific web domain; only if the connection fails does it proceed to install its two components, a cryptolocker and an exploit.
- The cryptolocker's task is to encrypt the data on the affected system;
- The exploit component spreads the infection to every machine on the victim's local network that has not been patched against the SMB vulnerability.
Cryptolocker and Exploit Components
The encryption scheme implemented by WannaCry relies on an asymmetric mechanism based on public/private key pairs, generated from two prime numbers. The public key is used to encrypt the data of the affected system (directly, or by wrapping the symmetric keys used for bulk file encryption), while the private key, the only thing that can undo the encryption, is what the extortion is about.
The algorithm is RSA. Its security rests on the fact that multiplying two prime numbers, even very large ones, is computationally easy, whereas the reverse process, factoring the product to recover the two primes, is very hard for numbers of the size used in practice.
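To make the "easy one way, hard the other" argument concrete, here is an added example (not code from the original article or from the malware): textbook RSA built from two primes, with the private key recovered by factoring the modulus. The primes, the public exponent and the "file key" being protected are constructed for illustration and are far too small to be secure; the point is that the factoring step, which succeeds in milliseconds here, is exactly what becomes infeasible at the 2048-bit key sizes real ransomware uses, which is why the private key held by the attackers cannot simply be computed back from the public one.

```python
"""Added example: textbook RSA from two primes, and why key size matters.

WannaCry relies on RSA: the public key encrypts, only the private key
decrypts, and that private key is what is held for ransom. This script
builds a key pair from two *small* constructed primes, encrypts and
decrypts a value standing in for a per-file symmetric key, then recovers
the private key by factoring n, which is cheap here and hopeless for a
2048-bit modulus."""

from math import gcd, isqrt


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) = ((e, n), (d, n)) from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, public) -> int:
    """Textbook RSA: c = m^e mod n (no padding; illustration only)."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, private) -> int:
    """m = c^d mod n with the private exponent d."""
    d, n = private
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Recover (p, q) from n. Cost grows with sqrt(n): fine for a toy
    modulus, out of reach for the sizes used in real ransomware."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public):
    """What a defender would have to do to undo the encryption without
    the attackers' key: factor n, rebuild phi, invert e."""
    e, n = public
    p, q = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return d, n


if __name__ == "__main__":
    # Constructed toy primes (1009 and 3671): n has 22 bits, not 2048.
    public, private = generate_keypair(1009, 3671)
    file_key = 123456  # stands in for a symmetric file key wrapped by the public key
    c = encrypt(file_key, public)
    print("ciphertext:", c)
    print("decrypted with the held private key:", decrypt(c, private))
    print("decrypted with a factored private key:", decrypt(c, recover_private_key(public)))
```

Try replacing the two primes with 1024-bit ones (Python's `pow` still handles the encryption and decryption instantly) and the trial-division step will never finish: that asymmetry is the whole basis of the extortion.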
To spread the ransomware through the victim's network, the exploit component abuses a vulnerability in version 1 of the SMB (Server Message Block) protocol, which some Microsoft operating systems use to provide shared access to files, printers and serial ports and to carry assorted communication between network nodes. In this way WannaCry moves across the affected network exactly like a worm:
- In the first stage, an executable scans the network for vulnerable Windows systems listening on TCP port 445, the SMB port.
- In the second stage, once it has gained access to a machine, the malware creates and executes a copy of itself on that system.
The SMB flaw (tracked as CVE-2017-0144 in the Common Vulnerabilities and Exposures list) allows a remote, unauthenticated attacker to execute arbitrary code on the target. Microsoft had fixed it in March 2017 with security bulletin MS17-010 (https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010?redirectedfrom=MSDN); the attack succeeded on exactly those systems that had not yet installed the patch.
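The scanning behaviour in the first stage is also the most visible sign of an infection on the network, and it is worth knowing what to look for. The following is an added example (not from the original article, and not a real product's detection rule): it parses constructed connection-log lines in a minimal assumed format (timestamp, source, destination, port, protocol) and flags any source that reaches an unusually large number of distinct hosts on TCP/445 within a sliding time window. A single connection to port 445 is normal on a Windows network; one source touching dozens of neighbours on that port within seconds is not.

```python
"""Added example: flagging worm-like SMB scanning in connection logs.

Log format (assumed, not a vendor format): "<ISO8601 UTC> <src> <dst> <dport> <proto>".
A source is reported when it contacts at least DISTINCT_DST_THRESHOLD distinct
destinations on tcp/445 inside any WINDOW_SECONDS-long window."""

from collections import defaultdict, deque
from datetime import datetime, timezone

SMB_PORT = 445
WINDOW_SECONDS = 60
DISTINCT_DST_THRESHOLD = 20

# Constructed sample: one benign file-server user, one host sweeping a /24.
SAMPLE_LOG = "\n".join(
    ["2017-05-12T13:00:05Z 10.0.5.40 10.0.5.2 445 tcp"]  # ordinary share access
    + [f"2017-05-12T13:01:{i:02d}Z 10.0.5.17 10.0.5.{100 + i} 445 tcp" for i in range(30)]
    + ["2017-05-12T13:01:30Z 10.0.5.17 10.0.5.2 80 tcp"]  # not SMB, ignored
)


def parse_line(line: str):
    """Return (ts, src, dst, dport, proto) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_str, src, dst, dport, proto = parts
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return ts, src, dst, int(dport), proto.lower()
    except ValueError:
        return None


def detect_smb_scanners(log_text: str, window: int = WINDOW_SECONDS,
                        threshold: int = DISTINCT_DST_THRESHOLD, allowlist=()):
    """Return {src: peak distinct tcp/445 destinations in a window} for
    sources at or above the threshold. Hosts in `allowlist` (e.g. an
    authorised vulnerability scanner) are skipped."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport, proto in events:
        if proto != "tcp" or dport != SMB_PORT or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({d for _, d in q})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on tcp/{SMB_PORT} within {WINDOW_SECONDS}s")
```

The threshold and window are deliberately conservative; tune them against a baseline of your own network, where domain controllers and backup servers legitimately talk to many hosts on 445, and allowlist those rather than raising the threshold for everyone.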
Why did the creators of Wannacry choose Bitcoin to pay the ransom?
For ransom payments WannaCry demanded the cryptocurrency Bitcoin. The familiar red lock screen, displayed by the @WanaDecryptor@.exe program on the infected PC's monitor, gave detailed instructions for paying into the attackers' wallet, identified by a 34-character alphanumeric address.
Although every Bitcoin transaction is completely transparent and traceable on the public ledger, it does not by itself reveal who controls the receiving address. That is precisely because of the typical properties of such digital currencies: pseudonymity (addresses are not tied to identities), transparency, speed and non-repudiation.
How did the infection stop?
The malicious code only continues to spread after checking that a particular web domain, unregistered at the time, does not respond:
Simply registering that domain therefore created the condition that made the malware stop spreading (the so-called kill switch).
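The kill switch is easier to reason about as code than as prose, so here is an added example (not the malware's code, and not from the original article) that models the dropper's decision with an injectable `fetch` callable. The domain name, the probe and the "payload" actions are placeholders. The model makes two things visible: registering the domain flips the test everywhere at once, and the test is a plain reachability check, so in an environment where the probe cannot reach the registered domain for some other reason (outbound HTTP blocked, or only possible through a proxy the probe does not use) the dropper behaves exactly as it did before registration.

```python
"""Added example: the WannaCry kill-switch decision, modelled with an
injectable HTTP probe so the three interesting environments run offline."""

from dataclasses import dataclass, field
from typing import Callable, List

# Placeholder for the hard-coded domain; the real one is not reproduced here.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


class ProbeFailed(Exception):
    """Raised by a fetch function when no HTTP response comes back."""


@dataclass
class Outcome:
    proceeded: bool
    reason: str
    actions: List[str] = field(default_factory=list)


def dropper_decision(fetch: Callable[[str], int], domain: str = KILL_SWITCH_DOMAIN) -> Outcome:
    """Mirror the dropper's test: a *successful* HTTP exchange means stop.

    Only reachability is tested, not content: any HTTP status counts as
    'domain exists', and any failure (NXDOMAIN, timeout, refused connection,
    blocked egress) counts as 'domain does not exist' and lets the payload run.
    """
    try:
        status = fetch(domain)
    except ProbeFailed as exc:
        return Outcome(True, f"probe failed ({exc}); continuing",
                       ["install cryptolocker", "install SMB exploit", "scan tcp/445"])
    return Outcome(False, f"domain answered HTTP {status}; exiting")


# Three constructed environments the same dropper could run in.
def unregistered_domain(domain: str) -> int:
    raise ProbeFailed("NXDOMAIN")  # before anyone registered the domain


def sinkholed_domain(domain: str) -> int:
    return 200  # domain registered and pointed at a web server


def proxy_only_network(domain: str) -> int:
    raise ProbeFailed("direct egress blocked")  # registered, but unreachable from here


if __name__ == "__main__":
    for name, env in [("before registration", unregistered_domain),
                      ("after registration", sinkholed_domain),
                      ("proxy-only LAN", proxy_only_network)]:
        o = dropper_decision(env)
        print(f"{name:>20}: proceeded={o.proceeded} ({o.reason})")
```

The third case is the practical lesson for defenders: a public sinkhole only protects hosts that can actually reach it, so networks with restricted egress need their own answer for that domain (for example an internal DNS entry pointing at a local web server) rather than relying on the registration alone.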
The spread of this ransomware is considered the most serious cyber attack of its kind in terms of rate of contamination and scope, rendering public offices and companies (healthcare facilities in particular) inoperable.
What should we learn from this?
To reduce exposure to malware and improve security, preventive policies are recommended at all levels: keeping systems regularly patched, but also, and most importantly, sharing information about what has been observed with everyone who is exposed. A discovery is worthless if it is not made available to others.
Of course, as WannaCry spread globally it marked a breaking point that laid the groundwork for new ways of envisioning future ransomware attacks.
Unfortunately, contemporary events seem to confirm this.
To restore operations without having to decrypt files or pay the ransom (which is not recommended), backups must be adequately protected, following the 3-2-1 rule: keep at least 3 copies of company data, on 2 different types of storage media, with 1 copy kept offline and offsite.
To help prevent cyberattacks, ransomware included, it is always a good idea to keep systems updated, enable two-factor authentication (2FA) for access, use a solid antivirus and, above all, stay vigilant (awareness).
About the Author: Salvador Lombardo
An electrical engineer and Clusit member, he has long championed the principles of awareness education and has contributed to several online magazines on information security. He is also the author of the book "La Gestione della Cyber Security nella Pubblica Amministrazione". "Education raises awareness" is his slogan.
(security affairs – Hacker, Wannacry)