Science & technology

WannaCry: The Story and Lessons

In the wake of last week’s cyber attack on the NHS and other large organisations around the world, Dr Mahdi Aiash explains how the WannaCry ransomware was able to do such widespread damage, and how it was ultimately stopped.

On Friday May 12th 2017, several organizations were affected by a new ransomware strain. The ransomware was very successful in part because it used an SMB vulnerability to spread inside networks. The vulnerability was patched by Microsoft in March for supported versions of Windows. The exploit, known under the name EternalBlue, was released in April as part of a leak of NSA tools.

The massive impact of the ransomware was due to three primary factors:

  • This variant of ransomware possesses the capability to spread itself as a so-called worm
  • It exploits a known vulnerability in Windows
  • It uses the Server Message Block (SMB) network protocol that is often unfiltered inside corporate networks.

WannaCry ransomware borrowed from leaked NSA exploits and spread across at least 75,000 PCs in less than 24 hours. Upon infection, files with specific extensions will be encrypted and the ransomware will install “DOUBLEPULSAR” backdoor to access the system remotely via port 445. The backdoor exploits unpatched vulnerabilities which have been addressed as part of Microsoft Security Bulletin MS17-010. The SMB protocol provides a method for client applications in a computer to read and write to files and to request services from server programs in a computer network or over the Internet.

Historically, SMB had a bad reputation of being unsecure (Null Session Attack). Its functionality within a network appeals to hackers and cybercriminals as it provides an easy way to spread and maximize the damage as traffic is often unfiltered inside corporate networks.

Image by Yuri Samoilov (CC 2.0)

WannaCry in Action

For cyber criminals to gain access to the system they need to download a type of malicious software onto a device within the network. This is often done by getting a victim to click on a link or download it by mistake from the web or an email attachment.

Phase 1:

Once on the victim’s machine and before starting malicious activities, the ransomware has a small piece of housekeeping to perform. A command in WannaCry’s code told it, each time it infected a new machine, to try to communicate with an obscure web address/URL: a long string of gibberish characters. Because the URL is inactive, the ransomware will expect no answer and this is a sign for it to proceed in action. If otherwise, the ransomware will go dormant. This very same feature that is believed to shield the ransomware turned out to be the attack’s Achilles heel, but for the first few hours, it would go unnoticed and WannaCry would be left to propagate unhindered.

Phase 2:

In this phase of infection, the ransomware inspects the file-sharing arrangements on the infected computer, and begins exploiting them. To do so, it deployed its secret weapon — or rather, a weapon that had once been someone else’s secret: a repurposed cyber spying tool known as EternalBlue, stolen from the US National Security Agency and leaked online in April.

EternalBlue exploits a security loophole in the form of a buffer overflow in the SMB implementation of  Windows operating systems that allows a malicious code to spread through structures set up to share files without permission from users.

Whose fault is it?

The vulnerability that allowed the propagation of the ransomware was known by the NSA for quite some time. This was disclosed by the Shadow Brokers leak in April and a sample exploit code was quickly released on Github which could be integrated as a module of the Metasploit which is a well-known exploitation framework. Unfortunately, with EternalBlue in use and the SMB vulnerability being unpatched, WannaCry has become one of the most destructive cyber-attacks ever seen.

It should not come as a surprise that the NSA (or any other agency) might have been aware of this type of “yet to be known” vulnerability. Such agencies might have been using these vulnerabilities in “safe mode” for surveillance against specific targets. However, it is just a matter of time before such a vulnerability becomes known to other “undesired” groups. Therefore, the NSA should have reported the vulnerability under the ‘responsible disclosure‘ term, unfortunately, this was not the case in this instance.

The attack raises a big concern as to whether there might be other unreported vulnerabilities that are currently being used for surveillance by government agencies which might lead to a similar destructive attack.

How has it been temporarily fixed?

A UK-based researcher known as a ”Malware Tech” shut the operation down, albeit by a stroke of good fortune! Upon analysis, he found that the ransomware’s programmers had built it to check whether a certain gibberish URL led to a live web page. One of the web domains used by the attackers hadn’t been registered. The researcher registered the site, took control of the domain (for $10.69) and started seeing connections from infected victims, hence his ability to track the ransomware’s spread. But in doing that he also took down the WannaCry operation without meaning to.

The ransomware analysis shows that as long as the probed, hardcoded URL/domain is unregistered and inactive, the ransomware spreads. But once the URL is active, the ransomware shuts down. Competing theories exist as to why WannaCry’s perpetrators built it this way:

Theory #1:

The functionality of probing an inactive URL was put in place as an intentional “kill switch” feature, in case the creators ever wanted to rein in the monster they’d created or in case something went wrong.

Theory #2:

This debates that hackers could have included the feature to shield the ransomware from analysis by security professionals in a “sandbox”.  Within the sandbox all malware requests (even to unregistered domains) will be intercepted and a response will be sent back by a number of dummy sandbox IP addresses. The ransomware in this case was probing an unregistered domain and hence expecting no response. If a response is received, the ransomware will assume that it works in a sandbox and hence should shut down. Once the probed domain is registered, it starts receiving and responding to requests from ransomwares all over the world. As a result, the communicating ransomware begin to assume that they are running in the middle of a forensic analysis, and shut down.

How to Mitigate Infection: Patch

Newer Windows Versions (Windows Vista, 7-10, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March. Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday.

At the network level, a number of steps could help:

  • Segment Network
    • Prevent internal spreading via port 445 and RDP.
    • Block Port 445 at perimeter.
  • Disable SMBv1
  • Implement internal “kill switch” domains/do not block them

It is crucial to notice that even if you have mitigated the effects of this particular strain of malware, it’s only a matter of time until hackers alter the behaviour or infection path. Patching this vulnerability will not remove the danger of ransomware. This flavour of ransomware uses a vulnerability that can be patched but there are other avenues that can be used by malware to cause havoc in your organization. WannaCry is similar to previous large-scale attacks and highlights the need for a collective effort from security researchers/experts, system/network admins, security agencies and security-tools vendors and providers to face cyber criminals. Hackers are not magicians; they simply make use of our mistakes. Following simple mitigation steps makes the next cyber attack less likely, BUT never impossible.

Find out more about studying Network Security and Pen Testing at Middlesex.