WannaCry: A look under the hood of the World’s Biggest Ransomware Attack
Author: Anushri Satavlekar, Security Television Network
Computer-savvy youngsters in the movie Hackers (1995) are seen collapsing entire stock exchanges, and individuals go about with titles like ‘Acid Burn.’ In Tron, the main character can breach a mainframe by being motorized with lasers; in The Matrix, altering code leads to immediate immortality making you the master of kung-fu. Nevertheless, for a long time, cybercrime was not as frightening or as extreme as it was portrayed on television and in movies.
But, in recent years, the technological revolution has broken down communication barriers and established a transnational network of users and data. At the same time, it has made it relatively easy for malware and other cybersecurity risks to proliferate via networks.
Today, the internet is full of secrets; secrets that are just waiting to be picked up by astute hackers, but what if the hackers are seeking something greater, a bigger score that may have global ramifications?
A spate of targeted attacks in the last few years has crippled both individuals and businesses. However, in 2017, one ransomware attack in particular fundamentally altered the international landscape and dynamic of how people perceive cyberattacks and security. In this paper, I am going to look under the hood of the world’s biggest ransomware attack – WannaCry, its definition, infection, implications on society, prevention, and strategies to avert future assaults.
The 2017 WannaCry ransomware attack made ransomware a household term. WannaCry affected a quarter-million devices in over 150 countries. The NHS, Telefonica in Spain, FedEx in the United States, Deutsche Bahn in Germany, and LATAM Airlines were among the victims of the world’s greatest ransomware assault.
How does the WannaCry Attack work?
You’re certainly wondering what WannaCry is and how it works. Imagine a typical day; you’re relaxing, sipping your daily Java fix, when all of a sudden, all of the icons on your desktop start dancing the Merengue. WannaCry ransomware has just infiltrated your system. After performing the worm dance over what you believed was a safe network, this so-called ransomware gains complete control of all your data. It does this via the use of good old-fashioned encryption. After that, you’ll get a friendly reminder to “pay up, or else.” But don’t worry; it will choose a few sample files at random to demonstrate WannaCry’s decrypting capabilities. Perhaps, it’ll include those lovey-dovey photos you took with your ex-girlfriend that you thought you deleted from your system.
2017 WannaCry Infection and Origin
The “WannaCry” ransomware attack began on May 12th, 2017, affecting an estimated 200 thousand or more endpoints in businesses all over the world. “WannaCry” exploited a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, using an exploit known as “EternalBlue.”
WannaCry was unique because it spread itself. It used a transport mechanism to scan for vulnerable systems, exploited a backdoor to gain access, and then installed and executed a copy of itself without the user ever needing to let it in. Once it was in, all hell broke loose: it immediately encrypted all data on the computer, locking it up and turning the computer into a very expensive brick.
According to reports, the first incident was identified at 7:44 a.m. UTC and came from a Southeast Asian ISP. Cases were detected in Latin America over the following hour, then in continental Europe and the United Kingdom, then at Brazilian and Argentine ISPs until 12:39 p.m. UTC. 74% of all ISPs in Asia were affected, and by 3:28 p.m. UTC the ransomware had taken hold of 65% of Latin American ISPs.
A world map shows where computers were infected by WannaCrypt ransomware in May 2017, as recorded by MalwareTech.com.
The vast bulk of the infected NHS machines were found to be running the supported but unpatched Microsoft Windows 7 operating system, which is what allowed the compromise. At least 80 of the 236 NHS trusts, as well as 603 primary care and other NHS organizations, including 595 GP practices, were hit, according to NHS England. According to the Department, NHS England, and the National Crime Agency, no NHS organization paid the ransom; however, the Department said that the disruption to NHS services was estimated to reach £92 million.
Motivation of Hackers
Given the social, economic, and political threats associated with cyberattacks, it’s vital to consider why hackers do what they do. While the pecuniary motivation behind cyberattacks like the WannaCry ransomware may appear clear, it is contended that the true motive is veiled in many scenarios.
The WannaCry ransomware was designed to extort money from its victims. The victims were required to make a $300 payment within three days or a $600 payment within seven days. The data may be considered lost once the 7-day deadline has expired. The payments were to be made in Bitcoin, which is a safe and anonymous alternative to send money over the internet that employs blockchain technology. Three Bitcoin wallets were utilized in all, and the victims were reported to have made 327 payments totaling almost $130,000.
Implications on Society
Because such a large and rapid ransomware attack had never been seen before, many businesses that were unable to recover their losses were forced to shut down permanently. Others had to halt their networks and services, resulting in massive expenditures, some in the millions of dollars. Small and medium-sized companies, major corporations, the private and governmental sectors, railways, banks, small ministries, police, energy companies, ISPs, and healthcare providers were all hit in the attack.
Many pieces of medical equipment were locked, and many NHS employees were unable to access their files, making it impossible to retrieve or update patient records. Numerous medical appointments, including surgical operations, had to be canceled. Many patients in need of emergency attention were sent to practitioners who had not been afflicted by the ransomware attacks.
Accidental Hero
Researchers discovered a weakness in the program, a so-called kill switch, which could be used to halt the spread of the malicious software. However, the attackers soon retaliated by altering the code, resulting in a cat-and-mouse game in which researchers had to hunt for a new kill switch in each variant.
A kill switch is a mechanism for remotely and abruptly switching off a device or piece of software in an emergency, such as when it has been stolen or accessed without authorization. In malware, a kill switch is a feature that lets the operator disengage from the software and helps prevent authorities from uncovering their identity.
In the case of WannaCry, a 22-year-old researcher going by the handle MalwareTech unintentionally activated the kill switch while attempting to build a sinkhole to analyze the program. WannaCry contained code that checked whether a given domain was registered. If it received a response from the domain, it shut down; if it didn’t, it kept working. By registering the domain name, MalwareTech caused new infections to shut themselves down.
This kill switch was most likely put in place to keep investigators from analyzing the program in a confined virtual environment known as a “sandbox.” Sandboxes generally answer any attempt by malware to communicate, responding as though the requested domain were registered. When WannaCry received a response from the domain, it was fooled into thinking it was in a sandbox and shut down to protect itself.
Rise of Ransomware
One of the most ubiquitous types of malware is ransomware. It was the sixth most pervasive malware in 2017, according to a Verizon Data Breach analysis. Even while the number of attacks fell between 2016 and 2017, the number of ransomware variants rose 101.2 percent, according to the 2018 SonicWall Annual Threat Report. According to Verizon’s analysis, ransomware accounted for 72 percent of all healthcare malware attacks in 2016, with financial services being the only industry targeted more than healthcare.
The Operation’s Legal Character
Data breach notification legislation has been passed in 52 jurisdictions in the United States (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands). Under these rules, an organization may be compelled to notify any individual whose personally identifiable information (PII) has been obtained or accessed, or is reasonably anticipated to have been acquired or accessed. While most states require that affected citizens receive a notice based on the aforementioned legal criteria, certain states additionally require notification to public authorities such as the state attorney general. The subtleties and differences among these laws must be reviewed and evaluated until a consistent federal norm is adopted.
The new EU General Data Protection Regulation, which took effect on May 25, 2018, requires companies to notify supervisory authorities as soon as they become aware of a data breach (no later than 72 hours) unless the breach is unlikely to pose a significant threat to the affected persons. Because the penalties for breaking this law are so severe (up to 4% of worldwide annual revenue or €20 million, whichever is greater), any late notice will have to be justified.
Federal and state agencies throughout the world today are concentrating more on whether organizations had sufficient cybersecurity safeguards in place, even when they have been the victim of a cyberattack.
Prevention
Once a system has been hit with the “WannaCry” malware, its “worm” component is used to spread the malware to other machines on the same network. Dealing with such attacks can be exceedingly difficult, but there are two main options. The first is to take corrective action once the computer has been infected, and the second is to take preventive action before infection occurs.
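Two detections a defender can run over ordinary network logs for the behaviours the article describes, the SMB worm fan-out on TCP/445 and the lookup of the hard-coded kill-switch domain. This is an added example, not code from the article or from WannaCry; the log lines are constructed and the domain is a placeholder.

```python
"""Detect WannaCry-style behaviour in firewall and DNS logs (added example)."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "kill-switch-domain.example"  # placeholder, not the real domain
FANOUT_THRESHOLD = 10  # distinct peers probed on 445 before we alert

# Constructed log formats: "<time> <src> -> <dst>:<port> <action>" and "<time> <src> query <name>"
FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def constructed_firewall_log() -> str:
    """Constructed sample: one host sweeps 15 neighbours on 445, another behaves normally."""
    worm = [f"12:39:{s:02d} 10.0.5.20 -> 10.0.5.{s}:445 allow" for s in range(1, 16)]
    benign = ["12:40:00 10.0.5.31 -> 10.0.5.9:445 allow",
              "12:40:01 10.0.5.31 -> 10.0.5.40:443 allow"]
    return "\n".join(worm + benign)


CONSTRUCTED_DNS_LOG = "\n".join([
    "12:39:00 10.0.5.20 query kill-switch-domain.example",
    "12:39:05 10.0.5.31 query updates.example.net",
    "12:41:10 10.0.5.77 query kill-switch-domain.example",
])


def smb_fanout_hosts(log: str, threshold: int = FANOUT_THRESHOLD) -> dict:
    """Source hosts that contacted at least `threshold` distinct destinations on TCP/445.
    A normal client rarely opens SMB sessions to many peers within a minute; a worm does."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(4) == "445":
            targets[m.group(2)].add(m.group(3))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def kill_switch_lookups(log: str, domain: str = KILL_SWITCH_DOMAIN) -> list:
    """Hosts that resolved the kill-switch domain. The worm performed this lookup before
    doing anything else, so even a host the sinkhole stopped has run the sample and needs triage."""
    hits = {m.group(2) for m in map(DNS_RE.match, log.splitlines())
            if m and m.group(3).lower() == domain}
    return sorted(hits)


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout_hosts(constructed_firewall_log()))
    print("Kill-switch lookups:", kill_switch_lookups(CONSTRUCTED_DNS_LOG))
```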
Post-attack measures are often restricted, especially if the ransomware is unidentified and the data cannot be decrypted. This is exactly what happened with the “WannaCry” infection. While security professionals have published several tools to help users combat it, such as “WannaKey” and “WannaKiwi,” these programs have limited capabilities and may not be able to recover files in most settings.
At the individual level, “WannaCry” attacks may be avoided by being extremely careful when opening emails from unfamiliar senders, particularly if they contain attachments, as these are the most prevalent routes of infection. Personal computers, like organizational systems, can be protected by installing security and operating system patches along with anti-virus and anti-malware software.
Conclusion
WannaCry’s outbreak ushered in a new age of ransomware attacks. The failure of a major information system casts a gloom over society. The prospect of cybercriminals seizing control of a traffic control system or a medical care system is as frightening as bombs or nuclear power plants. The WannaCry ransomware attack is a significant security catastrophe that requires everyone to pay heed to the fundamentals of keeping computers up to date. As malware developers adapt modular hacking tools to new versions of malware, the detection approach security defenders apply to the resulting binaries must grow increasingly granular.
There is also a huge debate as to why WannaCry’s kill switch existed at all, given that it was so easy to uncover and override. The concern is that WannaCry was merely a ruse to see how defenders would respond. That means more lethal versions could subsequently be unleashed, and we should be ready to confront them; this time, with the objective of halting these attacks in their early stages.