
IT Project
Summer Holiday Homework
Sarthak Gupta, Class X ‘A’, Roll No. 33

Date: 12 May 2017 – 15 May 2017 (initial outbreak)
Location: Worldwide
Also known as: Transformations: Wanna → Wana; Cryptor → Crypt0r; Cryptor → Decryptor; Cryptor → Crypt → Cry; addition of "2.0". Short names: Wanna → WN → W; Cry → CRY
Type: Cyberattack
Theme: Ransomware encrypting files with $300 – $600 demand (via bitcoin)
Cause: WannaCry worm
Outcome: Over 200,000 victims and more than 230,000 computers infected

The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which
targeted computers running the Microsoft Windows operating system by encrypting data and demanding
ransom payments in the Bitcoin cryptocurrency. The attack started on Friday, 12 May 2017, and within a
day was reported to have infected more than 230,000 computers in over 150 countries. Parts of Britain's
National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many
other countries and companies worldwide.
WannaCry spreads across local networks and the Internet to systems that have not been updated with
recent security updates, directly infecting any exposed systems. A "critical" patch had been issued by
Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two
months before the attack, but many organizations had not yet applied it. Those still running exposed
older, unsupported operating systems such as Windows XP and Windows Server 2003 were initially at
particular risk, but the day after the outbreak Microsoft took the unusual step of releasing updates for
these operating systems too. Almost all victims were running Windows 7.

Much of the attention and comment around the event was occasioned by the fact that the U.S. National
Security Agency (NSA) had discovered the vulnerability in the past but, instead of informing Microsoft,
had built the EternalBlue exploit for its own offensive work. It was only when the existence of this
exploit was revealed by The Shadow Brokers that Microsoft became aware of the issue and could produce
a security update.

Shortly after the attack began, a web security researcher who blogs as "MalwareTech" discovered an
effective kill switch by registering a domain name he found in the code of the ransomware. This greatly
slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but
new versions have since been detected that lack the kill switch. Researchers have also found ways to
recover data from infected machines under some circumstances.
Within four days of the initial outbreak, security experts were saying that most organizations had
applied updates, and that new infections had slowed to a trickle.
Several organizations have released detailed technical writeups of the malware, including Microsoft,
Cisco, Malwarebytes, and McAfee.

The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of
data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin. It is
considered a network worm because it also includes a "transport" mechanism to automatically spread
itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain
access, and the DoublePulsar tool to install and execute a copy of itself.

"Kill switch"
The software contained a URL that, when discovered and registered by a security researcher to track
activity from infected machines, was found to act as a "kill switch" that shuts down the software, stopping
the spread of the ransomware. The researcher speculated that this had been included in the software as a
mechanism to prevent it being run on quarantined machines, so that it is harder for anti-virus
researchers to investigate the software. He observed that some sandbox environments will respond to all
queries with traffic in order to trick the software into thinking that it is still able to access the internet,
so the software queried an "intentionally unregistered domain" to verify it was receiving traffic that it
should not. He also noted that it was not an unprecedented technique, having been observed in the
Necurs trojan.
On 19 May it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed
attack on WannaCry's kill-switch domain with the intention of knocking it offline. On 22 May
@MalwareTechBlog protected the domain by switching to a cached version of the site, capable of
dealing with much higher traffic loads than the live site.
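A defender-side illustration of the kill-switch behaviour described above, added here and not part of the original page or the researcher's work: it scans DNS resolver logs for lookups of the kill-switch domain and reports, per host, whether the answer would have let the sample proceed to encryption or halted it. The log format, client addresses and the domain name are constructed placeholders (the page does not give the real domain).

```python
import re

# Added example, not the page's own code. The page does not name the real
# kill-switch domain, so this is a placeholder to be replaced from threat intel.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log format: "<ts> client <ip> query <name> rcode <NOERROR|NXDOMAIN>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) query (?P<name>\S+) rcode (?P<rcode>\S+)$"
)

# NXDOMAIN means the domain was unreachable: the sample would continue to encrypt
# and spread. A successful answer means the kill switch engaged and it exited.
VERDICT_PROCEED = "ALERT: kill switch unreachable, expect encryption and SMB spread"
VERDICT_HALTED = "WARN: sample ran but halted (kill switch engaged); isolate and investigate"

# Constructed sample lines: two hosts looked up the kill-switch domain.
SAMPLE_LOG = """\
2017-05-12T07:44:01Z client 10.0.0.5 query killswitch-domain.example rcode NXDOMAIN
2017-05-12T07:44:02Z client 10.0.0.5 query update.example.org rcode NOERROR
2017-05-12T09:10:33Z client 10.0.0.7 query killswitch-domain.example rcode NOERROR
2017-05-12T09:11:00Z client 10.0.0.9 query mail.example.org rcode NOERROR
"""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: verdict} for every client that queried the domain.

    Any lookup at all means the sample (or something imitating it) executed on
    that host; the response code tells us what the sample did next.
    """
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["name"].rstrip(".").lower() != domain:
            continue
        verdicts[rec["ip"]] = VERDICT_PROCEED if rec["rcode"] == "NXDOMAIN" else VERDICT_HALTED
    return verdicts
```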

EternalBlue
The network infection vector, EternalBlue, was released by the hacker group called The Shadow
Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is
widely believed to be part of the United States National Security Agency.

EternalBlue exploits vulnerability MS17-010 in Microsoft's implementation of the Server Message Block
(SMB) protocol. This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had
released a "critical" advisory, along with a security patch to fix the vulnerability, two months before, on
14 March 2017. The patch was to the Server Message Block (SMB) protocol used by Windows, and fixed
several versions of the Microsoft Windows operating system, including Windows Vista onwards (with the
exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards
and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP and
Windows Server 2003. The day after the WannaCry outbreak Microsoft released updates for these too.
Windows 10 did not have the vulnerability.

DoublePulsar
DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting
from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor
installed were in the tens of thousands. By 25 April, reports estimated the number of infected computers
to be up to several hundred thousand, with numbers increasing exponentially every day. The
WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.

Attribution
Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities
with that previously used by the Lazarus Group (believed to have carried out the cyberattack on Sony
Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea). However, this
could also be either simple re-use of code by another group, or an attempt to shift blame—as in a cyber
false flag operation. North Korea itself denies being responsible for the cyberattack.
Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient
in English, as the versions of the notes in those languages were probably human-written while the rest
seemed to be machine-translated.

CYBER ATTACK
On 12 May 2017, WannaCry began affecting computers worldwide, with evidence pointing to an
initial infection in Asia at 7:44am UTC. The initial infection was likely through an exposed vulnerable
SMB port, rather than email phishing as initially assumed.
When executed, the malware first checks the "kill switch" domain name; if it is not found, then the
ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to
random computers on the Internet, and "laterally" to computers on the same network. As with other
modern ransomware, the payload displays a message informing the user that files have been encrypted,
and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.
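An added detection example (not from the original page) for the spreading behaviour just described: given connection logs, it flags hosts that open SMB (port 445) connections to unusually many distinct peers within a short window, counting lateral (internal) and Internet-bound targets separately because the worm does both. The log format, addresses, the internal network range and the thresholds are all constructed assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the page's own code. Assumptions: LAN ranges, window, threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_PORT = 445
WINDOW = timedelta(minutes=5)
DISTINCT_DST_THRESHOLD = 10  # a workstation rarely contacts 10+ SMB peers in 5 minutes

# Constructed sample log, format "<iso-ts> <src> <dst> <dport>":
# 10.0.0.5 sweeps eight LAN hosts and four Internet hosts on 445 (worm-like);
# 10.0.0.9 talks repeatedly to a single file server (normal behaviour).
SAMPLE_CONN_LOG = "\n".join(
    [f"2017-05-12T07:50:{i:02d}Z 10.0.0.5 10.0.0.{100 + i} 445" for i in range(8)]
    + [f"2017-05-12T07:51:{i:02d}Z 10.0.0.5 198.51.100.{i + 1} 445" for i in range(4)]
    + ["2017-05-12T07:52:00Z 10.0.0.9 10.0.0.200 445"] * 3
)

def parse_conn(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(dport)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_smb_fanout(log_text):
    """Return {src: (lateral_targets, internet_targets)} for worm-like sources.

    Distinct port-445 destinations are counted per source over a sliding
    WINDOW; a source crossing the threshold is reported once, with targets
    split into internal (lateral) and Internet-bound.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport = parse_conn(line)
        if dport == SMB_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            targets = {dst for ts, dst in ev[i:] if ts - t0 <= WINDOW}
            if len(targets) >= DISTINCT_DST_THRESHOLD:
                lateral = sum(1 for dst in targets if is_internal(dst))
                flagged[src] = (lateral, len(targets) - lateral)
                break
    return flagged
```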
Organizations that had not installed Microsoft's security update were affected by the attack. Those still
running the older Windows XP were at particularly high risk because no security patches had been
released since April 2014 (with the exception of one emergency patch released in May 2014). However,
the day after the outbreak Microsoft released an emergency security patch for Windows XP. As of
May 2017, less than 0.1 percent of the affected computers were running Windows XP.
A Kaspersky Labs study reports that 98 percent of the affected computers were running Windows 7.
According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will
also need to be removed when systems are decrypted.
Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all
such wallets, their transactions and balances are publicly accessible even though the wallet owners remain
unknown. As of 25 May 2017, at 7:40 UTC, a total of 302 payments totaling $126,742.48
(49.60319 BTC) had been transferred.

Advice on ransom
Experts advised against paying the ransom, because there were no early reports of people getting their
data back after payment, and because high revenues would encourage more such campaigns.

A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their
loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA
had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the
attack] may not have happened". British cybersecurity expert Graham Cluley also sees "some
culpability on the part of the U.S. intelligence services". According to him and others "they could have
done something ages ago to get this problem fixed, and they didn't do it". He also said that despite
obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.
Others have also commented that this attack shows that the practice of intelligence agencies to stockpile
exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.
Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of
governments have leaked into the public domain and caused widespread damage. An equivalent scenario
with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."
Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services,
for having created EternalBlue.
On 17 May, bipartisan United States lawmakers introduced the PATCH Act, which aims to have
exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other
national security interests while increasing transparency and accountability to maintain public trust in
the process".

The installation of the official Microsoft patch and security software updates can protect computers
from attacks by the WannaCry ransomware, the Russian security software company Kaspersky Lab has
said. A massive number of organisations across the globe have been targeted by the malware since
12 May. Hackers used the Trojan encrypter WannaCry to lock computers and demand a payment for the
decryption.

According to a statement provided by Kaspersky, its computer system monitoring tool has detected 11
kinds of such malicious programmes that WannaCry uses to encrypt computer files. The cyber security
provider warned against using the means of decryption offered on the Internet or received in emails,
because WannaCry’s encryption algorithm cannot be decoded with existing methods; worse still, such
tools may cause even greater harm to the infected computer and to others connected to it, thus
accelerating the propagation.

Currently, the only approach to a WannaCry infection that has been found effective is reinstalling the
system at the expense of the encrypted files, Kaspersky said. “If you find that your computer
has been infected, you should turn it off and contact the information security service for further
instruction,” Kaspersky said.

Noting that precautions play a crucial part in defending against the WannaCry virus, Kaspersky
suggests users install the official patch from Microsoft that closes the vulnerability used in the attack,
and upgrade their security software so that it scans critical areas at all times to detect potential
infection as early as possible. It is also suggested to create file backup copies on a regular basis and
store the copies on storage devices that are not constantly connected to the computer.

For computers within corporate networks, once an attack is spotted, the invaded computer must be
disconnected from the Internet and internal networks immediately. In addition, while unpatched
Windows computers can be remotely attacked with the EternalBlue exploit and infected by the
WannaCry ransomware, the absence of this vulnerability does not by itself prevent the ransomware
component from working, Kaspersky said.
“Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the
outbreak,” it said. At present, network security companies, including Kaspersky, are developing more
effective means of fighting the WannaCry virus and decoding maliciously encrypted files, and relevant
information will be released in a timely manner, Kaspersky said.
