Crying About WannaCry: Notable Features of the Newest Ransomware Attack

By Nicholas Weaver
Friday, May 12, 2017, 8:04 PM

You’ve likely heard, by now, about the “wCry” (aka WannaCry) ransomware worm. There are a few features of this attack worthy of particular note.

First and foremost, this is a multi-vector attack, meaning the malicious worm can get onto a system in multiple ways. If a targeted user receives a worm-laden email and clicks on the attached executable, the worm starts running. There is a tendency in cyberattacks to blame the victim, but this attack is really the fault of the computing industry, which continues, after decades of criticism, to allow executable attachments in email. The fact that decades-old attack vectors continue to work is perhaps the best example of the need for software liability.

The other vector is courtesy of the NSA and ShadowBrokers. The ransomware authors repurposed the exploit from the ETERNALBLUE attack tool, which was dumped in the most recent ShadowBrokers leak of government hacking tools, for malicious purposes. This exploit allows the ransomware-worm to look for any vulnerable Windows computer (any machine not patched since March that is listening for SMB requests) and exploit it. As such, the worm starts on one computer and quickly spreads to all vulnerable systems in the network. It is this self-propagating nature that makes this ransomware a “worm,” meaning a computer program that spreads on its own.

WannaCry also reportedly uses DOUBLEPULSAR, present in the same ShadowBrokers release, to inject into running processes as part of this infection process. Although there are always recently released patches that have not yet been applied, and those vulnerabilities might be used in attacks like this, the presence of NSA exploits released by ShadowBrokers is particularly newsworthy. The fact that the Russian Interior Ministry appears to be compromised is a moment for schadenfreude around the Internet, a sentiment which will be only magnified when an infection strikes a major U.S. government network.

The use of an NSA exploit will be seized upon by those who argue the U.S. government should never retain zero-days, but WannaCry is no longer a 0-day. The NSA clearly notified Microsoft in January when the ShadowBrokers revealed they had access to these attack tools (even if the NSA refuses to claim credit for it), and Microsoft released a patch in March. Critics cannot say the U.S. government didn’t disclose in time to mitigate damage for all those who can patch their systems.

This second vector generally shouldn’t be a concern for home users, as the Windows file sharing port is blocked by almost all ISPs and is turned off by default on current Windows for home users, but it is a critical problem for businesses. But any business not religious about updating all Windows systems is likely to experience a substantial crisis as soon as either a user clicks on a bad attachment or an already infected laptop connects to the internal network. Indeed, this is what appears to have happened to the NHS.
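One defensive check that follows from the internal-spread point above, as an added example that is not from the article: a script that flags hosts fanning out SMB connections to many distinct peers within a short window, which is how a self-propagating worm behaves and how an ordinary workstation does not. The log format, addresses and thresholds are constructed for the example; port 445 is the standard Windows file-sharing port.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # TCP port used by Windows file sharing (SMB)

# Constructed sample flow log: "<ISO timestamp> <src> <dst> <dst_port>".
# 10.0.1.23 fans out to six SMB peers in seconds (worm-like); 10.0.1.7
# talks to one file server repeatedly (normal); 10.0.1.8 is HTTPS, ignored.
SAMPLE_LOG = """\
2017-05-12T15:00:01 10.0.1.23 10.0.1.45 445
2017-05-12T15:00:01 10.0.1.23 10.0.1.46 445
2017-05-12T15:00:02 10.0.1.23 10.0.1.47 445
2017-05-12T15:00:02 10.0.1.23 10.0.1.48 445
2017-05-12T15:00:03 10.0.1.23 10.0.1.49 445
2017-05-12T15:00:03 10.0.1.23 10.0.1.50 445
2017-05-12T15:00:05 10.0.1.7 10.0.1.10 445
2017-05-12T15:00:09 10.0.1.7 10.0.1.10 445
2017-05-12T15:00:10 10.0.1.8 10.0.1.200 443
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peers} for sources that contacted >= threshold distinct
    SMB destinations inside any single sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            if port == SMB_PORT:
                events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological, so a two-pointer window works
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1  # drop hits older than the window
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(len(peers), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB peers within one window")
```

Tune the window and threshold to the site: a file server or backup host legitimately contacts many SMB peers, so exclude known servers from the source list before alerting.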

This is not just a rapidly spreading attack, but also one with a profit motive. It is the latest in a long line of “ransomware” programs: malicious code which first encrypts all the computer’s data with random keys, encrypts those keys with a public key belonging to the attacker, and finally presents the user with a ransom message. If the user wants to access the data, they must pay the attacker to release the keys used to encrypt the computer. Otherwise the computer can only be restored from backup (presuming the backup wasn’t also attached to the computer and encrypted by the same attack).

Ransomware is a rapidly accelerating problem, driven by the presence of a payment network, Bitcoin, that is unregulated by design. wCry is just the latest in a now large family of attackers and it may signal that it is time to start thinking seriously about beginning a government effort to disrupt Bitcoin if we want to address the ransomware problem.

These attackers might have miscalculated by overreaching in their targets. Jurisdictions within Russia’s reach have proven very friendly for cyber-criminals targeting western interests, with many high profile cybercrooks living happy and free unless they take a trip to a place where the US might arrest them. By targeting both Russia and the West in the same attack, the traditional protection Russia provides is no longer available. So this particular gang may discover they have no safe place to hide.