Ransomware is software that scrambles information stored on a computer system to make it inaccessible. The scrambling is done with well-known encryption methods. The purpose is then to demand a sum of money to decrypt the valuable information.
So how does ransomware work?
How does it get through?
Imagine you hired the best architects and got a palace built for yourself. Unknown to you or the architects, there is a weak wall near your garage. It can be broken with minimal force, and people can get in through it and steal your expensive car. They can also disrupt your telephone and gas lines to cause you further harm. Or, even worse, plant a bomb below your bedroom. Scary, isn’t it?
Something similar keeps happening to software companies. They hire the best developers to write the most intricate code, and, unknown to them, they leave behind vulnerabilities which can be forced open and broken. Now people can get in and cause all sorts of mayhem.
If such a vulnerability is unknown to the vendor and unpatched, it is called a ‘zero-day’, and an attack that uses it a ‘zero-day exploit’. I will write a detailed post on zero-days right after this one, so stay tuned.
Ransomware may or may not use a zero-day exploit to get in. It might simply lure you with a lottery ticket, free coupons, Facebook or Gmail hacking tools, and so on.
What does it do?
Ransomware is simple software that encrypts data and only decrypts it when a condition is met. Once the ransomware is loaded onto the computer through a vulnerability, it immediately encrypts the data and makes it unusable.
It may ask for a password to decrypt. Or it may show a message communicating the condition for decryption. It may ask for payment, for the release of a prisoner, for a change in politics, anything.
Once the condition is met, a password (the decryption key) is provided which can be used to unscramble the information and make it usable again.
What is WannaCry?
Just last month I was thinking there were not many interesting things to write about. I was not wrong, but impatient.
WannaCry gets onto the system through common phishing tactics. An email containing an attachment is circulated. Once the attachment is downloaded and opened, it instantly freezes the system and asks for a payment of $300 in BTC. If this is not paid within three days, the amount is doubled to $600.
However, it promises to hold events (time windows), after six months have passed, during which data can be decrypted for free by clicking the decrypt button. This is for poor people 🙂
WannaCry was first reported on Friday the 12th of this month (May 2017), and within a day it had spread to a quarter of a million computers across the globe.
How did it start?
WannaCry reportedly used a vulnerability in older Microsoft Windows operating systems. Mostly attacks on Windows XP and 7 were reported. Microsoft held that systems running updated versions of Windows 7 and above were immune to it.[1] There have been no reports negating this.
Who got affected?
It started with a crippling effect on Britain’s National Health Service. Unlike in the US, where people pay hefty bills for healthcare, medical service in the UK is free of cost. As a result, outdated systems were left dying for lack of attention.
While Microsoft ended support for Windows XP in April 2014, many UK agencies missed that. A Freedom of Information Act request by Citrix in December 2016 reported that 90 percent of UK hospitals had computers running the outdated Windows XP.[2]
As it was not a targeted attack, it spread to many other parts of the globe; some reports of Middle Eastern banking systems being hit also surfaced.
To Microsoft’s credit, they had already released the security updates back in March; here is a compilation of all the relevant security updates.[3] If you have not updated your system, you should go through them.
| Exploit codename | Microsoft fix |
|---|---|
| EternalBlue | Addressed by MS17-010 |
| EmeraldThread | Addressed by MS10-061 |
| EternalChampion | Addressed by CVE-2017-0146 & CVE-2017-0147 |
| ErraticGopher | Addressed prior to the release of Windows Vista |
| EskimoRoll | Addressed by MS14-068 |
| EternalRomance | Addressed by MS17-010 |
| EducatedScholar | Addressed by MS09-050 |
| EternalSynergy | Addressed by MS17-010 |
| EclipsedWing | Addressed by MS08-067 |
Microsoft also released a malicious software removal tool specifically for WannaCry on 22 May, for a permanent resolution.
Other quirky solutions
A young cyber security expert from London figured out that the WannaCry malware repeatedly tries to connect to a website. If the website responds, the malware shuts down. So he bought the domain and made it respond.
For instance, malware may check whether http://aabbccdd.com is live or not, and depending on the result there can be further instructions for the malware to carry out.
This shows that WannaCry was not remote controlled. It is an independent piece of malware designed to run and spread all on its own.
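The kill-switch check described above seen from the defender's side, as an added example that is not part of the original post: a script that scans constructed DNS resolver log lines for hosts that looked up a hypothetical kill-switch domain (the post's placeholder aabbccdd.com). A lookup that got no answer means the check failed and the sample would have carried on; a lookup that resolved means the domain was live (for example, sinkholed) and the sample would have exited. Either way, the host tried to run the malware and needs triage.

```python
"""Flag hosts that queried a ransomware kill-switch domain (constructed log data)."""
import re
from collections import defaultdict

# Hypothetical kill-switch domain, modelled on the post's http://aabbccdd.com example.
KILL_SWITCH_DOMAIN = "aabbccdd.com"

# Constructed sample resolver log: <timestamp> <client_ip> query <name> -> <rcode>
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query aabbccdd.com -> NXDOMAIN
2017-05-12T10:01:04Z 10.0.4.17 query update.example.org -> NOERROR
2017-05-12T10:02:10Z 10.0.4.23 query aabbccdd.com -> NXDOMAIN
2017-05-12T13:40:00Z 10.0.4.23 query aabbccdd.com -> NOERROR
2017-05-12T13:41:12Z 10.0.5.8 query aabbccdd.com -> NOERROR
2017-05-12T13:42:00Z 10.0.5.9 query mail.example.org -> NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    return {"ts": ts, "client": client, "name": name.lower().rstrip("."), "rcode": rcode}


def kill_switch_report(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"unresolved": n, "resolved": n}} for clients that queried the domain.

    "unresolved" (NXDOMAIN etc.): the check failed, so the sample would have continued.
    "resolved" (NOERROR): the domain answered, so the sample would have shut itself down.
    """
    report = defaultdict(lambda: {"unresolved": 0, "resolved": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"] != domain:
            continue
        key = "resolved" if rec["rcode"] == "NOERROR" else "unresolved"
        report[rec["client"]][key] += 1
    return dict(report)


def hosts_needing_triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Every host that queried the kill-switch domain, whatever the answer was."""
    return sorted(kill_switch_report(log_text, domain))


if __name__ == "__main__":
    for host, counts in kill_switch_report(SAMPLE_LOG).items():
        print(host, counts)
```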
It would be unfair not to talk about the National Security Agency of the United States, the Shadow Brokers, and the lesser-known philosophy behind hacking.
A lot of the internet develops thanks to constant work by different anonymous groups. As soon as an attack is launched and gets enough attention, the global internet fortifies itself against it, much like our bodies’ immune systems. Therefore, the more attacks there are, the better the internet gets in the long run.
Sometimes attacks are just attention-seeking in nature, and sometimes they are deadly. In my opinion, WannaCry was seeking attention for larger societal flaws. If it had meant to cause real damage, it would not have been made into a ransomware virus asking for $300 to $600. Also, total revenue from WannaCry is said to be around $50,000 at most. It uses technology which could be used to target core banking companies and siphon off millions of dollars without ever making it to the global media. Or worse, to target nuclear plants, where a lot of devices still run on outdated Microsoft products.
Attention sought for what?
The National Security Agency of the United States has been on the offensive since its inception. It is unofficially known that 90% of the NSA’s budget goes into the development of offensive weapons. The NSA constantly researches and adds weapon-grade software to its library. The EternalBlue exploit used in WannaCry is just one among a million options the NSA has for itself. Other deadly offensive weapons released in the past include the billion-dollar Stuxnet virus, which was recently linked to the NSA.
Especially in EternalBlue’s case, the NSA had found it long ago but decided not to report it to Microsoft. It was the Shadow Brokers group who stole a considerable part of the NSA library and reported it to Microsoft, enabling it to release an update in March 2017, well before the outbreak of the virus.
When hacker groups like the Shadow Brokers get hold of such software, they either report it for money or release it on the internet. The public quickly becomes immune to it, thereby spoiling the weaponry the NSA spends millions to build. And the best part is that the NSA does all of it legally.
Anonymous internet groups across the globe are fighting against orchestrated surveillance, censorship and rogue government agencies. One thing is for sure: our immune systems may make us feel sick, but if we fight our immune systems we will be dead faster.