Ransomware Wannacry, unprecedented cyber attack

The WannaCry ransomware infected thousands of devices worldwide. It took control of computers and the information on them: here is what you need to know about this type of malware.

The facts

Last May 12, the largest ransomware cyberattack ever recorded was unleashed, using a variant of the ransomware/worm belonging to the Wannacry or WannaCrypt0r family, which affected more than 350,000 systems in almost every part of the world in less than one week.

The computers were "hijacked" and the information on them encrypted. Victims received a demand for a payment of $300 in Bitcoin in order to recover the information. Telecommunications companies, transportation and manufacturing corporations, and even health systems were affected.

Identifying the threat

The aggressive spread of this attack dropped considerably once a security analyst in the United Kingdom found, in the code related to this threat, requests to a website that did not exist until then; the analyst registered the domain in his own name in order to map the infections in real time and study them. What the analyst did not expect was that, once the website was live, it stopped the malware from spreading from infected hosts.

Some speculate that this so-called “master switch” (more commonly called a kill switch) was programmed into the code by the attackers in order to stop the threat later.

Why did it spread so quickly?

The story of this cyberattack did not begin on May 12. There had been reports of events strongly linked to this threat since March, when Microsoft issued security bulletin MS17-010, documenting the actions required to correct a serious vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) service, which this attack used as the entry point to begin propagating the ransomware.

The service runs by default on Windows operating systems because it is vital for file and printer sharing on networks. The effectiveness and virulence of this attack come from exploiting exactly that: once a host is compromised, the malware starts scanning entire network segments for other vulnerable systems, compromises them, and installs and runs the malicious code there, so that it propagates exponentially.
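The scanning behaviour described above leaves a recognisable trace on the network: one host opening TCP/445 connections to many distinct neighbours in a short time. The following PowerShell is an added example, not code from the original article, that looks for that fan-out pattern in Windows Firewall log lines (pfirewall.log format is assumed). The sample log lines, the window of 60 seconds and the threshold of 20 distinct targets are constructed for the demonstration and should be tuned to the segment being monitored.

```powershell
# Added example, not code from the original article. Flags hosts that open
# TCP/445 connections to many distinct peers within a short window, which is the
# fan-out pattern a network worm produces while scanning a segment.
# Input format assumed: Windows Firewall log (pfirewall.log) lines.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 60,   # sliding window length
        [int]$Threshold     = 20    # distinct destinations that trip the alert
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture

    # Parse only TCP flows to port 445; skip header and comment lines.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }

    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted     = @($group.Group | Sort-Object -Property Time)
        $worst      = 0
        $worstStart = $null
        # Slide a window starting at each event; count distinct destinations inside it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start   = $sorted[$i].Time
            $end     = $start.AddSeconds($WindowSeconds)
            $targets = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -gt $worst) { $worst = $targets.Count; $worstStart = $start }
        }
        if ($worst -ge $Threshold) {
            [pscustomobject]@{
                Source          = $group.Name
                DistinctTargets = $worst
                WindowStart     = $worstStart
                Verdict         = 'possible SMB worm scan'
            }
        }
    }
}

# Constructed sample log (not real telemetry): one host sweeps 25 neighbours on
# port 445 within 25 seconds, another makes three ordinary file-share connections.
$SampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$SampleLog += 1..25 | ForEach-Object {
    '2017-05-12 10:15:{0:d2} ALLOW TCP 10.0.0.5 10.0.0.{1} 49152 445 0 S 1 0 8192 - - - SEND' -f $_, (100 + $_)
}
$SampleLog += @(
    '2017-05-12 10:20:00 ALLOW TCP 10.0.0.9 10.0.0.20 50001 445 0 S 1 0 8192 - - - SEND',
    '2017-05-12 10:20:05 ALLOW TCP 10.0.0.9 10.0.0.21 50002 445 0 S 1 0 8192 - - - SEND',
    '2017-05-12 10:23:00 ALLOW TCP 10.0.0.9 10.0.0.20 50003 445 0 S 1 0 8192 - - - SEND'
)

# Only 10.0.0.5 is reported; 10.0.0.9 stays well under the threshold.
Find-SmbFanOut -Lines $SampleLog -WindowSeconds 60 -Threshold 20 | Format-Table
```

To use it on a real log, read the file with `Get-Content` and pass the lines to `Find-SmbFanOut`. The check deliberately counts distinct destinations rather than raw connection attempts, because a single busy file-server client can legitimately open many sessions to one host, while a worm touches many hosts it has never spoken to before; logging blocked as well as allowed connections gives the clearest picture, since most addresses a scanner tries will not answer.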

The affected systems had not been updated with the security patch issued by Microsoft in bulletin MS17-010. The massive attack happened almost two months after the vulnerability was announced publicly, and it was that lack of updates that allowed it to spread so quickly.

This cyberattack confirms that strategies for applying operating system updates must be improved in order to minimize the time of exposure to threats of this type. Applying patches on time is one of the main challenges for organizations' IT teams.

What can be done about it?

Reject any ransom demand for the encrypted information: paying generates an economic benefit for the attackers and encourages this type of malicious activity to continue.

Improvements have led to newer protocols such as SMBv2 and SMBv3. These versions bring both efficiency and security benefits, so organizations can deactivate the SMBv1 service and thus reduce the attack surface that this old protocol represents, unless they run applications that necessarily require it.

Although the threat was contained, new variants of this attack are expected, with the “master switch” that stopped its exponential propagation removed, so it is vitally important that organizations deploy the MS17-010 patch immediately and pay attention to future updates.
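The two measures just described, disabling SMBv1 where nothing depends on it and confirming that the MS17-010 update is in place, are both things an administrator can check from PowerShell. The script below is an added example, not code from the original article or from Microsoft; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (where the `SmbShare` and DISM cmdlets it uses exist), and the KB identifier it passes to `Test-Ms17010Installed` is a placeholder to be replaced with the IDs listed in the bulletin for the Windows version in question.

```powershell
# Added example, not code from the original article. Audits the SMBv1 state,
# checks whether an MS17-010 update is present, and provides a function that
# disables SMBv1. Requires an elevated PowerShell on Windows 8 / Server 2012 or
# later, where the SmbShare and DISM cmdlets used here exist.

function Get-Smb1Status {
    # Protocol switch on the SMB server plus the state of the optional component.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'Unknown' }
    }
}

function Test-Ms17010Installed {
    param(
        # KB numbers for MS17-010 differ per Windows version. Take the IDs for the
        # build in question from the bulletin; none is hard-coded here on purpose.
        [Parameter(Mandatory)][string[]]$KbIds
    )
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $matched   = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = ($matched.Count -gt 0)
        MatchingKbs  = $matched
    }
}

function Disable-Smb1 {
    # Step 1: stop the SMB server from speaking SMBv1 (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Step 2: remove the component so it cannot be re-enabled by accident (reboot needed).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Get-Smb1Status
}

Get-Smb1Status
Test-Ms17010Installed -KbIds @('KB0000000')   # placeholder ID, replace with the IDs from the bulletin
# Disable-Smb1   # run only after confirming no application still depends on SMBv1
```

Two caveats when reading the output. `Get-HotFix` lists individually installed updates, so on systems that receive cumulative updates a later rollup can supersede the original MS17-010 package and the specific KB will not appear even though the fix is present; treat a negative result as a prompt to verify the OS build rather than as proof of exposure. On Windows 7 and Server 2008 R2 the `SmbShare` cmdlets are not available; there the SMBv1 server is switched off through the `SMB1` value under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, as Microsoft's guidance for those versions describes, and the same dependency check applies before doing so.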

Additional precautions

Apply security updates and patches to operating systems as soon as possible, not only on computers but also on mobile devices and on network equipment such as routers, switches, firewalls and IoT devices.

Update obsolete operating systems that are no longer supported by the manufacturer, since there is no guarantee that security updates will be developed to correct newly detected vulnerabilities.

As a general recommendation against ransomware attacks, it is very important for organizations to have a security architecture that protects the most common entry points for these types of threats: email, web traffic, and computers and mobile devices.

Written by:

Jorge Mora
Presales Engineer, Security Specialist

I am fascinated by technology, heavy metal, computer security, horror movies, car racing and almost every sport. I knew I was destined for great things from the moment I was thrown out of my university's computer lab for “experimenting”.