Back to overview

WannaCry – Worldwide Ransomware Attack not unexpected

WannaCry ist eine Ransomware. Aber wer rechtzeitig gepatcht hat ist sicher. Im Moment jedenfalls.It was only a matter of time before hackers would try to make a profit from the leaked technical information on the backdoors used by the NSA. Patches have been delivered, but probably not yet installed. The ransomware WannaCry is now exploiting one such vulnerability.

The now seen global ransomware attack, which was first detected on Friday, May 12, 2017, affects both private users and businesses alike with yet unforseeable consequences. It is currently estimated that users and institutions in 75-100 countries are affected.

According to the Malwaretech botnet tracker, more than 150,000 systems have been infected since the initial outbreak.

(Quelle: Malwaretech)

What happened?

Worldwide, systems have been infected with the Ransomware Wcrypt / WanaCrypt0r 2.0 / WannaCry, a so-called crypto trojan. It encrypts infected systems and gives a corresponding indication that those affected can decrypt their data in exchange for payment in bitcoins. The intrusion point was probably a gap used by the NSA in Windows operating systems, which became known by the Leak of NSA documents in March 2017 called EternalBlue.

Microsoft had promptly published information about this vulnerability through security bulletin MS17-010 and provided patches that close the gap. However, the distribution of the corresponding hotfixes seems to be low, as the high numbers of infections suggest. IT-CUBE recommends that all users check whether the patch has already been installed and if it is not to immediately install the patch. Due to the high number of infections, Microsoft now felt compelled to provide appropriate patches for Windows versions like XP and Server 2003, which are no longer officially supported.

The perfidy to WannaCry is the fact that this Ransomware is not only distributed via email or malicious websites, but spreads itself through the above-mentioned gap in the SMB implementation of Windows without a user interaction being necessary. As workaround in segmented networks, access to TCP port 445 can be restricted and the use of SMBv1 disabled. Corresponding IPS signatures also help to curb the spread.

Patching required ASAP!

Once again, it shows how important a functioning and effective patch management is. Also backin up data using a corresponding backup concept is essential for minimizing the risk of ransomware attacks. If a PC is affected by the current encryption, only the reinstallation is recommended – the data is lost until the corresponding decryption tools are available. Unless one pays the ransom and thereby contributes to the fact that this business model is still highly profitable. Whether the decoding after payment works, however, is by no means assured.

Ominous Killswitch stops independent spread of WannaCry for now

Meanwhile, security researchers have managed to find a kill switch more or less by chance in the code of the malicious software, which apparently turns off the automatic spreading. When the malware for execution runs, it checks the URL of a Command & Control server. The corresponding domain was not registered. Since the researchers have registered this domain as part of the analysis, the numbers of new infections are decreasing.

(Quelle: Malwaretech)

But this hope might turn out to be deceptive. On the one hand, new variants of the pest that ignore the killswitch can be expected. On the other hand, this incident only allows a glimpse of what damage a ransomware that uses a zero-day weakness for independent spreading could do in the future. In this case, even users who are fast and regularly patched would not be protected. The security researcher Tavis Ormandy, who is part of Google’s Project Zero, reported such a “wormable” vulnerability to Microsoft. This has now been closed, but what if cybercriminals get this information before patches exist? In this case, protection systems that recognize new malicious software without having to rely on the creation of signatures, as offered by manufacturers like Cylance, would be the only “line of defence”. Even in the case of Wcrypt, such protected systems were not affected.

Annoying for the average user, threatening for businesses

What is annoying for the private user can lead to serious problems for businesses affected. At the moment, there no case of serious damage or personal injury has been reported yet. But when hospitals can no longer access their IT systems results might very well be lethal. Medical records, medication plans, etc. are often only available digitally. We have seen hospitals becoming target of attacks in the past.

Wake-up call

It is often the carefree handling of the data that leads to problems during these attacks. Why is data not consistently processed and stored on servers? Servers, which are located in highly segmented and appropriately protected data centers? Unfortunately, one has to realize that the user often has no other option than to process data locally, since the corresponding effective support by the IT simply is not given.

Old fashioned malware scanners are becoming a growing problem. Signature-based protection systems do not help the first wave of those initially infected. Before a signature is created and distributed, tens of thousands of systems have already been taken down. Against self-mutating malware, such scanners are basically hopeless as well. It would be imperative to deal with Next Generation Endpoint Defence, which is based on AI algorithms and can detect malicious programs without signatures. (Find a comparison test of modern malwarescanners for example here).

A holistic information security strategy must not only ensure the detection of an attack, but also cover the appropriate response and restart planning up to crisis management. Processes, which are no longer purely IT security, but must be anchored in the company.

Leave a Reply