WannaCry: Anatomy of a Ransomware Attack

As this is written, one of the largest cyberattacks in history is underway across the globe. 75,000 ransomware attacks in 99 countries are reported to be exploiting the Windows vulnerability “EternalBlue,” for which Microsoft released a patch earlier this year. The exploit became public as part of a trove of NSA spying tools leaked last month. The ransomware, nicknamed “WannaCry,” demands a payment of $300 worth of bitcoin to decrypt a user’s data, and the ransom increases if the demand is not met within a specified amount of time.

The damage that WannaCry has inflicted so far is severe. Patients across the UK have been turned away from scheduled surgeries and medical procedures due to the attack. Victims of WannaCry include FedEx and the Spanish telecom Telefónica, with Kaspersky Lab reporting that most victims paid the ransom within the first few hours of the attack.

WannaCry is primarily targeting organizations and users who failed to install a security patch released by Microsoft this past March. A lesson learned too late for many: keeping systems updated and patched is a critical part of loss prevention and of any successful information security policy. For anyone uncertain whether they have the best defense against malware like WannaCry, we recommend you read our comprehensive white paper, “Protect Your Data from Ransomware.”

UPDATE: Was RDP a WannaCry attack vector?

As investigations into the origins of the WannaCry ransomware continue – where and when did WannaCry start infecting computers? – some details on its nature are emerging. One of the more thorough accounts, from the Malwarebytes blog, details what is known about the worm that spreads WannaCry. In addition to the EternalBlue SMB vulnerability that is central to the spread of the worm, open RDP sessions could be contributing to its rapid propagation.

According to Malwarebytes, WannaCry “loops through every open RDP session on a system” and runs the ransomware as the session user. In addition to taking advantage of the SMB vulnerability, WannaCry exploits open RDP connections – giving two paths for expansion. At Barkly, Jonathan Crowe recommends that teams address SMB and RDP ports and block external traffic, if feasible.
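One way to act on that recommendation on a Windows host, as an added example that is not from the Netop post or from Barkly: the script below creates Windows Defender Firewall rules that block inbound SMB (TCP 445) and RDP (TCP 3389) from Internet-scoped addresses, verifies the resulting rules, and then turns off the SMBv1 server that EternalBlue targets. The rule display names are my own choice; it assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the Netop post): block inbound SMB (TCP 445) and RDP (TCP 3389)
# from Internet-scoped addresses with Windows Defender Firewall, then verify the rules.
# Assumes Windows 8 / Server 2012 or later with the NetSecurity module, run as Administrator.
# Rule display names below are chosen for this example; change -RemoteAddress to Any to block
# all inbound traffic on these ports, not just traffic from outside the local subnets.

$rules = @(
    @{ Name = 'Block-Inbound-SMB-From-Internet'; Port = 445  },
    @{ Name = 'Block-Inbound-RDP-From-Internet'; Port = 3389 }
)

foreach ($r in $rules) {
    # Create the rule only if it does not already exist, so the script can be re-run safely
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Verify: show each rule together with its port filter and remote-address scope
foreach ($r in $rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

# Reduce the attack surface further: disable the SMBv1 server, the protocol version
# the EternalBlue exploit targets. Useful on hosts that cannot be patched immediately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Blocking the ports at the host firewall complements, rather than replaces, installing the March patch: the rules stop worm traffic arriving from outside the local network, while the patch closes the vulnerability itself for any traffic that still reaches the SMB service, including from already-infected machines on the same subnet.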

At Netop, we try to make our customers aware of the inherent security vulnerabilities presented by RDP and other remote access tools. Remote access points are by their very nature attack vectors – making sure that yours has advanced security features is just smart business.

UPDATE: WannaCry isn’t dead yet

It appears that the “Killswitch” that was released over the weekend (check out the brilliant “How to Accidentally Stop a Global Cyber Attack” for details on how it went down) may have slowed down the spread but not completely stopped the progress of WannaCry. Researchers have found multiple variants of WannaCry – some with different killswitch domains, some with no killswitch – that continue to target unpatched systems, according to The Hacker News.

So far, over 250,000 computers in more than 100 countries have been infected by the WannaCry ransomware. The ransomware originally appeared in Spain and the UK on Thursday, May 11.