WannaCryptor, aka WannaCry, is one of the
biggest cybersecurity stories of 2017. In fact, you could go as far as to
suggest one of the biggest in years. Since news first broke on Friday,
broadcasters, journalists, bloggers, commentators, experts and security
vendors, to name but a few, have reported on, discussed and analysed this
global threat with a level of attention unseen before.
While this is all welcome, it can sometimes feel like
information overload. Aware of this, we’ve put together this Q&A, bringing
together some of the key points. There’s enough information to know all the
salient points without getting too lost, but also plenty of links if you want
more detail on certain areas related to the story.
What is WannaCryptor?
WannaCryptor, and its variants,
is a type of malicious software known as ransomware,
an increasingly popular attack method deployed by cybercriminals that involves
the illegal encryption of files and devices. A ransom is demanded for the ‘safe
recovery’ of said files and devices.
According to Michael Aguilar, a business security
specialist at ESET, WannaCryptor, also known as WannaCry and Wcrypt, is “unlike
most encrypting-type malware: this one has wormlike capabilities, allowing it
to spread by itself”. He also offers some sage advice in his post on
how to protect yourself. ESET clients were already protected by ESET’s network
protection module.
The ransomware message that appeared on the screens
of infected computers can be displayed in several languages, depending on
geolocation, but the English version read: “Ooops, your files have been encrypted!” The
authors of the malware added that it was futile to look for a way to access the
files without their assistance (if, in fact, they can even do this). Of course,
this comes at a cost – $300 in bitcoin per infected computer.
What happened?
In the UK, news outlets reported
that multiple NHS sites had been hit with a massive cyberattack. Services
were disrupted, with doctors, GPs and healthcare professionals unable to access
computers or files – in effect, bringing parts of the NHS to a
standstill.
However, it’s unclear how much of the disruption
was due to the precautionary shutting down or isolation of systems rather than
direct breaches.
NHS Digital, which is the information technology
arm of the Department of Health, was quick to issue a statement.
It stated: “This attack … is affecting
organizations from across a range of sectors. At this stage we do not have any
evidence that patient data has been accessed.”
Soon enough it became clear that the cyberattack
was, in fact, global in scale, affecting close to 150 countries (including, to
name but a few, Spain, the US, India, Russia and China) and impacting all sorts
of organizations and government agencies.
For example, in Spain, the telecommunications giant
Telefónica was hit; in Russia, the interior ministry reported infections; and
in the US, FedEx confirmed that it also had fallen victim to the ransomware
attack.
Over the weekend, internal and external security
specialists responded swiftly to the attack, including NHS Digital,
ESET, Microsoft
and the UK’s National Cyber
Security Centre, all of which have gone a long way to limiting the
damage and reach of WannaCryptor.
Further, ‘luck’ has also played a part in at least slowing down the
malware. An individual, based in the UK, who goes by the moniker
MalwareTech, accidentally activated what was
later discovered to be a kill switch in the malware.
As he tweeted on May 13th: “I will confess that I
was unaware registering the domain would stop the malware until after I
registered it, so initially it was accidental.” For more detail on this, please
check out his subsequent blog, titled How to
Accidentally Stop a Global Cyber Attacks.
This is, by no means, the end. The story is still
unfolding, with new infections
still being reported across the world, though seemingly with ‘less
energy’ than the initial outbreak. Still, many are calling for vigilance, as,
due to the complexity of this ransomware, aftershocks
are likely.
How did this happen?
It’s currently unclear what the original source is
for this malware, but it’s likely that WannaCryptor was either delivered by
email – hidden in an attachment – or via a backdoor (suggesting that
a system had already been compromised).
In this particular instance, the malware
exploited a vulnerability in older (Windows XP, Windows 8.0, Windows Server
2003) and/or still-supported versions of Microsoft’s Windows operating system
where the MS17-010
update had not been applied. Computers that have been infected have, for whatever
reason, not installed the latest updates for the operating system. The MS17-010
update has been available for supported systems since March 2017, and was made available
for Windows XP/Windows 8.0/Windows Server 2003 on May 12th.
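The practical question for an administrator reading this is whether a given machine actually has the MS17-010 fix and whether SMBv1, the service the update hardens, is still switched on. The following PowerShell script is an added example, not code from the article or from ESET, that reports both for the host it runs on. The list of KB identifiers is supplied from Microsoft’s March 2017 bulletin and the May 12th out-of-band release as this editor remembers them, not from the article, so verify it against the bulletin before relying on it; later cumulative updates supersede these KBs, which is why the script also reports the version of the patched driver srv.sys for manual comparison.

```powershell
# Added example (not from the original article): report a Windows host's
# exposure to the SMBv1 flaw that MS17-010 fixes. Run in an elevated session.
# KB list taken from memory of the MS17-010 bulletin, not from the article;
# confirm against Microsoft's bulletin. Later cumulative updates supersede
# these KBs, so an empty match is not proof the host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP, Windows 8.0, Windows Server 2003 (out-of-band, 12 May 2017)
    'KB4012212',  # Windows 7 / Server 2008 R2, security-only
    'KB4012215',  # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2, security-only
    'KB4012216',  # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012214',  # Windows Server 2012, security-only
    'KB4012217',  # Windows Server 2012, monthly rollup
    'KB4012606',  # Windows 10 1507
    'KB4013198',  # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

function Get-Ms17010Status {
    [CmdletBinding()]
    param()

    # Hotfixes the OS reports as installed (Win32_QuickFixEngineering).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; older systems fall back to the LanmanServer registry value,
    # which is absent by default (absent means SMBv1 is enabled).
    $smb1Enabled = $null
    try {
        $smb1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    # srv.sys is the SMB server driver that MS17-010 replaced. Its file version
    # is what to compare with the bulletin when a newer rollup has absorbed the KB.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }

    $verdict = if ($found.Count -gt 0) {
        'MS17-010 update installed'
    } elseif (-not $smb1Enabled) {
        'No MS17-010 KB listed, but SMBv1 is disabled; confirm patch level via srv.sys version'
    } else {
        'ACTION: no MS17-010 KB listed and SMBv1 is enabled; patch now or disable SMBv1'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        Ms17010KBs    = ($found -join ', ')
        SMB1Enabled   = $smb1Enabled
        SrvSysVersion = $srvVersion
        Verdict       = $verdict
    }
}

Get-Ms17010Status | Format-List
```

To survey a fleet, run the function through Invoke-Command against a list of computer names and export the resulting objects to CSV; hosts whose verdict starts with ACTION are the ones to patch or isolate first, which is the same priority the article’s sources give.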
The case has highlighted many flaws within some
organizations, security agencies and governments, including poor and untimely
information sharing, inefficient and slow-to-react cybersecurity efforts, and
financial underinvestment, all of which have created a perfect
hailstorm of opportunities for cybercriminals to exploit.
What are experts, decision makers and
organizations saying?
Rob Wainwright, executive director of Europol, said in an
interview with British broadcaster Robert Peston: “We’ve seen the
rise of ransomware becoming the principal cyber threat, but this is something
we’ve never seen before – the global reach is unprecedented.”
In an official company
blog, Brad Smith, president and chief legal officer of Microsoft,
described the WannaCryptor as a “wake-up call for all”. He added: “We should
take from this recent attack a renewed determination for more urgent collective
action. We need the tech sector, customers, and governments to work together to
protect against cybersecurity attacks. More action is needed, and it’s needed
now.”
Mark Porter, council chair of the British Medical
Association, noted:
“We need to quickly establish what went wrong to prevent this happening again
and questions must also be asked about whether inadequate investment in NHS
information systems has left it vulnerable to such an attack.”
MalwareTech, the so-called accidental hero,
concluded in his blog: “One thing that is very important to note is our
sinkholing only stops this sample and there is nothing stopping them removing
the domain check and trying again, so it’s incredibly important that any
unpatched systems are patched as quickly as possible.”
The UK’s health secretary, Jeremy Hunt, who has
been criticized for his silence on the attack, said three days after news broke: “According to our latest
intelligence, we have not seen a second wave of attacks. And the level of
criminal activity is at the lower end of the range that we had anticipated and
so I think that is encouraging.”
David Harley, a senior research fellow at ESET,
said: “If you didn’t take advantage of the patch for supported versions of
Windows (Vista, 7, 8.1 and later) at the time, now would be a good time to do
so (a couple of days earlier would have been even better). If you’re running
one of the unsupported Windows versions mentioned above (and yes, we appreciate
that some people have to because of hardware or software compatibility issues),
we strongly recommend that you either upgrade or take advantage of the new
update.”