Did you hear about 'Wanna Cry'?

Good morning everyone,

The next two or three days will see highs closer to normal for this time of year, but we'll get into the high 20s by the end of the week. I don't know if I can stand the weather getting this hot already...can't it wait till after rainy season to get so hot and humid? Please!

On Friday, May 12, 2017, the world was alarmed to discover that cybercrime had achieved a new record. In a widespread ransomware attack that hit organizations in more than 100 countries within the span of 48 hours, the operators of malware known as WannaCry/WanaCrypt0r 2.0 are believed to have caused the biggest attack of its kind ever recorded.

Perhaps more than anything else, this ransomware onslaught is a resounding reminder of security basics, especially Microsoft product patching. Systems that had the critical Windows update Microsoft released in March 2017 (MS17-010, which closed the SMBv1 flaw this malware exploits) were protected against this attack. Another basic protection is a current, offline backup of data. For ransomware attacks like this one, a viable backup lets incident response restore systems instead of paying, leaving the attackers high and dry and unable to collect money for their evil doings. The backup has to be offline or otherwise unreachable from the infected host, though; a mapped network share is just another set of files for the ransomware to encrypt.

What is WannaCry?

WannaCry, WanaCrypt, or Wcry for short, is ransomware that works like other malware of its type, with a few characteristics that point to capable operators.

First, the malware propagates with an exploit (EternalBlue, which targets SMBv1) from the toolset leaked in April 2017 by the group that calls itself "ShadowBrokers." Leaked exploits are routinely picked up by malicious actors for their own purposes, and that is exactly what happened here: the exploit lets Wcry spread from one unpatched Windows host to the next over port 445 with no user interaction, which is what turned a piece of ransomware into a worm.

Second, the malware uses strong encryption. It is often described as "encrypting files with RSA 2048-bit", but RSA is far too slow, and limited to a few hundred bytes per operation, to be used on bulk data. Like other ransomware of this generation, Wcry encrypts each file's contents with a symmetric cipher (AES) and uses RSA-2048 only to protect the per-file keys, so that nothing left on the victim's machine can decrypt the files without the private key the attackers hold. With keys of this size, recovering the data by brute force is infeasible.
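To make the hybrid scheme concrete, here is an added example (my own illustrative code, not WannaCry's and not from the original post) written in Go with only the standard library. The record layout, the use of AES-GCM for the file contents (WannaCry used AES in a different mode) and the sample plaintext are all constructed for the example; the point it demonstrates is general: the file key is what RSA protects, an unrelated private key cannot unwrap it, and a single RSA-2048 operation cannot even hold 191 bytes of data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is a constructed, illustrative record; not WannaCry's real format.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(victimPub, fileKey): only 16 bytes pass through RSA
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-128-GCM(fileKey, plaintext): the bulk data
}

// newKey generates an RSA-2048 key pair (panics only on an RNG failure).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// aeadFor builds the AES-GCM primitive shared by encryption and decryption.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile does the hybrid scheme: a fresh random AES-128 key encrypts the
// file contents (fast, any size); only that key is RSA-encrypted.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 16)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFile unwraps the file key with the RSA private key, then decrypts.
// Without that private key (which the attacker keeps) the file is unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RoundTrip generates a victim key pair, encrypts plaintext, decrypts it with
// the matching private key, and reports whether an unrelated key fails to.
func RoundTrip(plaintext []byte) ([]byte, bool, error) {
	victim := newKey()
	ef, err := EncryptFile(&victim.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	recovered, err := DecryptFile(victim, ef)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := DecryptFile(newKey(), ef) // unrelated private key
	return recovered, wrongErr != nil, nil
}

// RSAFitsDirectly reports whether n bytes fit in one RSA-2048 OAEP operation.
// The ceiling with SHA-256 is 256 - 2*32 - 2 = 190 bytes, which is why no
// ransomware pushes file contents through RSA itself.
func RSAFitsDirectly(n int) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &newKey().PublicKey, make([]byte, n), nil)
	return err == nil
}

func main() {
	recovered, wrongKeyFails, err := RoundTrip([]byte("constructed sample: quarterly-report.docx contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q, unrelated key fails=%v, 190/191 bytes fit RSA directly=%v/%v\n",
		recovered, wrongKeyFails, RSAFitsDirectly(190), RSAFitsDirectly(191))
}
```

Note that the same structure is what makes the offline-backup advice above the only real remedy: the attacker's private key never touches the victim's disk, so there is nothing on the machine for a decryptor to find.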

Third, the malware's architecture is modular (a worm component, a dropper, and the encryption payload are separate pieces), a trait common in legitimate software and in complex malware projects but rare in ransomware, which is usually a single simplistic binary that carries out its tasks with no modularity at all. What this suggests is that the authors behind Wcry are more likely a group of people rather than a single developer, and possibly one of the organized cybercrime gangs that distribute malware like Dridex and Locky.

Bottom line, we are not dealing with amateurs. This widespread attack is of high severity, and although the vulnerability being exploited should have been patched back in March, many organizations have been hit and the count keeps rising.

The Wcry outbreak began showing up on May 12, 2017, but in reality it relies on a number of elements that have been around for a while, and it even gave a sneak preview about a week earlier when it showed up in Trojan.Win32.CryptoFF attacks in Peru.

Early reports held that WCry also mass-spreads to unsuspecting users through indiscriminate email spam, using common ploys such as fake invoices, delivery notices, or an alarming note urging the recipient to open a .zip file attached to the message, with the infection starting when the recipient launches the file. That is how most ransomware arrives and it remains worth warning users about, but the confirmed mechanism behind this outbreak's speed is the SMB worm: an infected machine scans the local network and random internet addresses for hosts exposing port 445 and exploits any that are unpatched, so a single infected laptop carried into an office is enough to seed the whole network without anyone clicking anything.

Current State of Affairs

So far, Wcry is known to have hit hospitals, rail systems, telecommunications, and courier services, but many other organizations and individuals have been hit as well.

On the victims' side, the outbreak has hit critical infrastructure in some countries, like Germany and Russia, and in the UK the healthcare sector received a hard hit that goes well beyond disabling hospitals. Hospitals in the country had to turn away patients, reroute ambulances, suspend emergency services, and reschedule surgeries and appointments, all of which will take a toll on operations for some time. Given the number of affected systems, incident response and remediation are unlikely to be complete for a while.

According to reports, the geographical spread of Wcry is at this time most prevalent in Russia. Others on the top ten list of affected geographies are Ukraine and India, countries where older, unpatched versions of Windows are more likely to be in use. Europol has described the attack as being of unprecedented scope.

At the time of this writing, more than 130,000 systems in over 100 countries have already been compromised. That number is expected to rise starting today, when many workers go back to their offices after the weekend and find that their computers have been affected. We'll start to hear later today whether there were any attacks here in Japan.

Have a great day!
