
Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

It was the “oops” heard around the world—hundreds of thousands of computers in approximately 150 countries were held hostage last weekend after the so-called WannaCry ransomware exploited a Microsoft vulnerability that had been patched two months prior. Not all users had installed the patch, so many of them were met with the mocking message “Ooops, your files have been encrypted!” on Friday, May 12 when the attack was first discovered.

The malware locked users out of their computers, encrypted their files and demanded a bitcoin ransom between $300 and $600 to get the files back, according to the Associated Press. Once you got hit it was pretty much game over—you would either have to pay the ransom or lose your files, with the luckier victims being those who could afford to lose their files thanks to frequent backups.

Hospitals in the U.K. were badly hit by the attack and were some of the first to begin reporting its spread—businesses around the world, including Telefonica in Spain, Nissan in Japan and FedEx in the United States, were also hit. By the end of the weekend, at least 100,000 organizations were affected.

The attack was ultimately slowed with the help of a young computer expert who discovered and registered a “kill switch” domain included in the malware’s code. The attack has been on the decline since then, but speculation abounds as to its origins and possible future attacks.

I couldn’t even begin to tackle the subject of a cyberattack this enormous without the help of experts, examining it through their professional lens. That’s why, this week, I spoke to the experienced team from Layer 8 Security, as well as malware researcher Amanda Rousseau from Endgame, who has already tested and analyzed the WannaCry virus herself.

“Looking at the code, you could tell that the ransomware itself is really basic code, that there’s no anti-AV (anti-virus) or anti-analysis techniques in the code—you could see all of the strings,” Rousseau explained.

The virus spread through an exploit called EternalBlue, which was developed by the National Security Agency and leaked publicly by the so-called Shadow Brokers. It takes advantage of a vulnerability in Microsoft’s use of the Server Message Block (SMB) protocol in unpatched machines. Rousseau said this exploit was the key to the malware’s spread—but while analyzing the code, she noticed something interesting.

“When you look at the SMB exploit, it looks like a completely different author—like they just shoved that in there. So it’s kind of like two packages merged together to create this highly, highly mobile ransomware,” she said.

I wondered whether the perpetrator of this attack could be someone who is not a mastermind per se, but simply a greedy person or group of people with some coding knowledge who thought they could use the already-existing exploit to pull off something that would otherwise be out of their league.

“This particular exploit was not that sophisticated in its execution or even the vulnerability that it uncovered. This was a known vulnerability; it was broadcast months ago that things needed to be patched,” explained Jeffrey Lipson, executive director of Layer 8 Security, a seasoned cybersecurity expert who previously served at the NSA. “The U.S. government is not involved in the ransomware business; this was repurposed and truthfully it wasn’t even done that well. That’s why the 22-year-old cybersecurity kid was able to find the website kill switch.”

Even so, whether this was the work of an average hacker, a group of criminals—or even North Korea, as some have speculated—this attack was immense and sent shockwaves through the world and the cybersecurity community.

“This did initially feel like—could this be the big one? Could this be the kind of the cyber Pearl Harbor that we’re all dreading?” Lipson said. “And certainly this was serious but as the details started to come out, as far as the vulnerability that was being exposed, I think there was a little sigh of relief—yes it was serious, yes tens of thousands of computers were being affected, but it was primarily those that weren’t prepared or weren’t patched.”

While the attack exploited vulnerabilities and lack of preparation, rather than being able to penetrate through defenses, it was still effective in its ability to take over one’s computer, leaving people helpless and—in at least 292 instances as of this writing—compelling them to pay the ransom.

Rousseau explained what she observed—the malware’s process for locking the user out of their computer:

“It will spin up different threads to encrypt all your files and write them to the file system, and then it will start doing some more persistent behavior, such as writing to the startup/run registry key. So what that means is—when you reboot the system, it will restart everything all over again, and it’ll show the ransomware note (…) Then it will try to delete your volume shadow copies, which is basically Microsoft’s own way of backing up your system in the volume shadow area. So if it deletes those, you can’t really restore your system back—which sucks because it makes you want to pay the bitcoin ransom.”
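As an added defensive illustration (not code from the article, Endgame or Layer 8), a small Python detector that flags the two behaviors Rousseau describes, Run-key persistence and volume shadow copy deletion, over constructed sample events; the simplified event format, file paths and rule names are assumptions.

```python
import re

# Constructed, simplified process-creation and registry-write events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\unknown.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "image": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\alice\AppData\Local\Temp\unknown.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",      # benign: listing, not deleting
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},  # benign: installed software
]

# Shadow copy deletion via vssadmin or wmic; Run/RunOnce key writes; user-writable launch paths.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)


def classify(event):
    """Return the list of alert names raised by one event (empty list means benign)."""
    alerts = []
    if event["type"] == "process" and SHADOW_DELETE.search(event["cmdline"]):
        alerts.append("shadow_copy_deletion")
        if USER_WRITABLE.match(event["parent"]):      # launched by something in a temp/user dir
            alerts.append("shadow_copy_deletion_from_user_dir")
    if event["type"] == "registry" and RUN_KEY.search(event["key"]):
        if USER_WRITABLE.match(event["value"]):       # autorun pointing at a user-writable path
            alerts.append("run_key_persistence_user_dir")
    return alerts


def scan(events):
    """Pair each alert with the index of the event that raised it."""
    return [(i, a) for i, e in enumerate(events) for a in classify(e)]


def looks_like_ransomware(events):
    """Correlate: backup destruction plus persistence together is the pattern described above."""
    names = {a for _, a in scan(events)}
    return "shadow_copy_deletion" in names and "run_key_persistence_user_dir" in names


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
    print("ransomware-like:", looks_like_ransomware(SAMPLE_EVENTS))
```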

The best solution for this kind of problem is prevention, said Brian Langley, cybersecurity analyst at Layer 8.

“The wider problem is a lack of regard for cybersecurity policy, in general,” he said. “Companies need to implement a risk management program, a cybersecurity management program, to avoid exploits like these and others that will come in the future.”

For companies and organizations, Langley suggests keeping a weekly schedule to ensure all important patches and security updates are installed, and keeping track of all machines in the network to know which ones have been updated and which need attention. He also says organizations should make sure all of their employees are aware of cyber threats and their role in keeping them at bay.

“You can’t make a security expert out of someone, but you can make them a cybersecurity advocate,” he said.

Joel Majka, Layer 8’s director of risk and security services, says that there are three main players whose respective roles are essential to maintaining cybersecurity amidst these types of situations.

“The software vendors (like Microsoft) have a responsibility to release and maintain their software; the customers of that software vendor would have the responsibility to monitor and track the security of the software they’re utilizing. And there’s a third partner, and that is the security industry. They have to be a third partner in this, in having a reasonable system to discover, to discuss, to disclose and then to remediate vulnerabilities,” he explained. “The incident drew particular attention to that last partner, because in this case the WannaCry was a derivative of a vulnerability that was discovered by the government. So there’s nothing to suggest that something like this couldn’t happen again, and we can hope that as an industry we can better manage this in the future.”
