WannaCry Ransomware, the Cry Heard Around the World

The WannaCry campaign (aka WannaCrypto, WanaCrypt0r, Wanna Decryptor, WCry, Wanna) became a global security threat late last week, reportedly affecting over 200,000 computers across 150 countries and demanding a $300 to $600 ransom in Bitcoin. WannaCry is a specific ransomware program that locks all the data on a computer system and leaves the user with instructions on what to do next to regain control of their files.

Ransomware is a growing global cyber security threat that can affect any organization without appropriate defenses. The most common ways for the malicious software to be installed on a victim’s systems are phishing emails (e.g. clicking on an e-mail link), malicious advertising on websites, and questionable applications and programs that exploit unpatched vulnerabilities in computers. Ransomware comes in two types, which either:

  1. Encrypt a user’s files on a computer or
  2. Lock a user’s screen

Both types demand a payment (the ‘ransom’) in a cryptocurrency such as Bitcoin to return to normal operations. While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems have also been seen. According to FBI reports, the first half of 2016 saw an almost threefold increase in ransomware variants, costing a total of $209 million compared to $24 million throughout 2015. Of note, these statistics are based only on attacks known or reported to law enforcement.

In the case of WannaCry, the malware exploits a security vulnerability in Windows computers (the SMB Server vulnerability MS17-010, exploited by ETERNALBLUE) that Microsoft patched in March 2017. When the malware is executed, the user’s files are encrypted and a Bitcoin ransom is demanded, to be paid to a specified address within a specific timeframe or the files will be deleted.

WannaCry appears to be leveraging the DOUBLEPULSAR backdoor to inject and run malicious code on an infected system; the backdoor is installed using the ETERNALBLUE exploit, which attacks SMB file-sharing services on Windows XP through Server 2008 R2. That means that to compromise a computer, it must be running a vulnerable version of Windows and expose an SMB service to the attacker. In cases where the system has not previously been compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. Recently, an embedded call-back domain was sinkholed and now resolves to an IP address that hosts a website.
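As an added defender-side illustration (not code from the original article), the following Python flags the two signals described above in sample logs: hosts fanning out to many peers on SMB tcp/445, as the ETERNALBLUE-driven spread does, and hosts that resolved the sinkholed call-back domain. The log lines and the domain name are constructed placeholders; the article does not name the real domain.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the original article): a firewall
# connection log and a DNS query log. Adjust the regexes to your own format.
CONN_LOG = """\
2017-05-12T10:01:03 src=10.0.1.15 dst=10.0.1.20 dport=445 proto=tcp
2017-05-12T10:01:03 src=10.0.1.15 dst=10.0.1.21 dport=445 proto=tcp
2017-05-12T10:01:04 src=10.0.1.15 dst=10.0.1.22 dport=445 proto=tcp
2017-05-12T10:01:04 src=10.0.1.15 dst=10.0.1.23 dport=445 proto=tcp
2017-05-12T10:01:05 src=10.0.1.15 dst=10.0.1.24 dport=445 proto=tcp
2017-05-12T10:02:10 src=10.0.1.30 dst=10.0.1.5 dport=445 proto=tcp
2017-05-12T10:02:11 src=10.0.1.30 dst=10.0.1.6 dport=445 proto=tcp
2017-05-12T10:02:12 src=10.0.1.30 dst=10.0.1.7 dport=443 proto=tcp
"""
DNS_LOG = """\
2017-05-12T10:00:59 client=10.0.1.15 query=killswitch-domain.example type=A
2017-05-12T10:01:30 client=10.0.1.40 query=www.example.com type=A
"""
# Placeholder: the article does not name the sinkholed call-back domain.
CALLBACK_DOMAIN = "killswitch-domain.example"
CONN_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")

def smb_fanout(conn_log, threshold=5):
    """Sources with at least `threshold` distinct tcp/445 peers. A worm
    spreading over SMB touches many peers fast; a user mapping a share
    touches one or two. Returns {src: distinct_peer_count}."""
    peers = defaultdict(set)
    for line in conn_log.splitlines():
        m = CONN_RE.search(line)
        if m and m.group("dport") == "445":
            peers[m.group("src")].add(m.group("dst"))
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}

def callback_lookups(dns_log, domain=CALLBACK_DOMAIN):
    """Clients that resolved the call-back domain: evidence the sample ran
    on that host even if the sinkhole answer stopped it from encrypting."""
    return {m.group("client") for m in map(DNS_RE.search, dns_log.splitlines())
            if m and m.group("query").lower().rstrip(".") == domain}

def triage(conn_log=CONN_LOG, dns_log=DNS_LOG):
    """Merge both signals into {host: [reasons]} for the incident handler."""
    findings = defaultdict(list)
    for src, n in smb_fanout(conn_log).items():
        findings[src].append(f"contacted {n} hosts on tcp/445")
    for client in callback_lookups(dns_log):
        findings[client].append("resolved sinkholed call-back domain")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in triage().items():
        print(host, "->", "; ".join(reasons))
```

Hosts that appear in both lists are the first to isolate and image; a host with only the DNS hit still warrants a check of whether it is patched for MS17-010.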

In all probability, over the next few weeks variants of this malware that have not been sinkholed will be seen across the globe and will be able to propagate across the internet. People should always exercise caution when opening unsolicited emails or visiting websites they are unfamiliar with. Never download an app that hasn’t been verified by an official store, and read reviews before installing programs.