Questions have circled over the past few days, “What is this malware?”, “Where did it come from?”, “Am I a target?”, “How do I stop it?” With this cyberattack being the largest in history, there are bound to be more questions than answers in the wake of this incident. Here is a breakdown of what we do know so far and some solutions to help protect yourself.
What's the deal with WannaCry?
WannaCry/Wcry/WannaCrypt is ransomware that spreads from host to host using a vulnerability that was originally exposed by the leaked toolkit from the Equation Group (tied to the NSA's hacking team). The vulnerability was exploited by a backdoor called DoublePulsar, and attacks a commonly used service called SMB that is present and was vulnerable in most installations of Windows at the time of the leak.
Microsoft released patches for the vulnerable service in March. Unpatched Windows hosts are likely to be vulnerable to an infection of WannaCry, which directly targets this service, hopping from one infected host to another rapidly to deliver ransomware to the vulnerable hosts.
What's this "kill switch" I keep hearing about?
The original authors of the ransomware attempted to foil sandbox analysis of their malware. When malware is first released, copies are caught in the wild by security researchers, who then attempt to dissect and ultimately foil the malware in safe, sandboxed environments. These sandboxed environments work offline to avoid unintentional damage, but will often try to trick the malware into doing business as usual by making it appear online. This includes responding to any request the malware makes for a domain (eg. the name of a host online, such as www.twinsate.com). The authors of this malware attempted to employ anti-sandbox techniques (which would slow down analysis and improve the ransomware's spread and return on investment) by making sure the ransomware stopped working if a special, non-existent domain was responding. This poorly thought-out technique also created a "kill switch" - any attempted infection would be stopped in its tracks if this domain responded.
MalwareTech stops the spread - for now
A malware researcher from MalwareTech stopped the spread of the original version by setting up the fake domain and effectively making the kill switch active over the Internet. Now, when infected hosts with the original variant attempt to reach the anti-sandbox domain, they will get a response, and shut down. However, as is typical, malware authors have modified the original code to change or completely remove the accidental kill switch. Now its variants are spreading directly through the SMB vulnerability, and have no easy “kill switch” function to protect users against the malware.
Am I vulnerable?
If you have not updated Windows since the March release, you are probably vulnerable. You can check your network using a vulnerability scan to check the vulnerable service port involved.
How do I protect myself?
First and foremost, patch any Windows host to ensure you have the latest patch and close the point of vulnerability WannaCry uses to propagate. If you can’t patch immediately you should consider blocking traffic (through a perimeter device or host firewall) on TCP port 445.
Since the event has unfolded, new details have come to light. As of May 15th, Microsoft released a statement against the NSA reprimanding them for "stockpiling" their vulnerabilities. The details of this attack will continue to unfold as professionals dig deeper into the life of this attack. Twinstate will be updating readers as more about the attack comes to light. Due to the recent attacks, Twinstate is offering special promotions that will help you and your company guard against these threats. Contact us today to learn more.
Originally published on 05/16/2017