In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through malicious code capable of encrypting the data held in information systems and demanding a ransom in cryptocurrency to restore it: the Wannacry ransomware.
Italy was also marginally affected by the attack, and the case was handled by the Computer Crime Operations Centre of the Postal Police (CNAIPIC) https://www.commissariatodips.it/profilo/cnaipic/index.html, which promptly issued an alert https://www.commissariatodips.it/notizie/articolo/attenzione-false-e-mailmessaggi-relativi-ad-assunzioni-in-enel-green-power/index.html on the very day of the event, recommending some useful measures, including ones to prevent further propagation.
The ransomware, as reported in the Microsoft bulletin https://www.microsoft.com/en-us/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/, once delivered by e-mail through phishing and social engineering or directly from the public network by exploiting a protocol flaw in the connected devices, proceeded:
The infection chain
The infection chain was divided into four stages:
Cryptolocker and exploit components
The encryption scheme implemented by WannaCry used asymmetric encryption, based on a public and private key pair generated from two prime numbers. The public key was used to encrypt the data of the affected system, while the private key was the object of the blackmail.
The underlying algorithm was RSA. Its effectiveness is based on the mathematical principle that it is easy to compute the product of two prime numbers, even very large ones, whereas the reverse process, decomposing the product to find which two primes were used as factors, is much more difficult.
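To make the asymmetry concrete, here is a small worked example added for this article (not code from the original post, and in no way related to the malware's own implementation): a textbook RSA key pair is built from two primes, a value is encrypted with the public key and recovered with the private key, and the modulus is then factored by brute-force trial division. The primes, exponent and message are constructed sample values; the point is that multiplying the primes is a single operation while recovering them costs a number of divisions that grows with the size of the smaller prime, which is why real keys use primes hundreds of digits long.

```python
"""Toy RSA round trip plus brute-force factoring of the modulus.

Added example, not from the article. Textbook RSA without padding, for
illustration only: the primes below are far too small for real use.
"""
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes p and q.

    Returns ((n, e), (n, d)): the public key and the private key.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e mod phi
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Encrypt integer m (0 <= m < n) with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Recover m from ciphertext c with the private key."""
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Recover (p, q, divisions_tried) for n = p*q by brute force.

    Cost is proportional to the smaller prime: doubling its digit count
    roughly squares the work, which is the asymmetry RSA relies on.
    """
    tried = 0
    for candidate in range(2, isqrt(n) + 1):
        tried += 1
        if n % candidate == 0:
            return candidate, n // candidate, tried
    return None


def recover_private_key(public_key):
    """Derive the private key from the public one by factoring n."""
    n, e = public_key
    p, q, _ = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed sample primes: the 10,000th and 100,000th primes.
    public, private = make_keypair(104729, 1299709)
    ciphertext = encrypt(public, 42)
    print("round trip ok:", decrypt(private, ciphertext) == 42)
    p, q, tried = factor_by_trial_division(public[0])
    print(f"factored n into {p} * {q} after {tried} trial divisions")
```

With these toy primes the modulus falls to about a hundred thousand divisions; with primes of 1024 bits each the same loop would never finish, which is exactly why possession of the private key, and not the public one, was what the extortion hinged on.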
In order to spread the ransomware within the victim’s network, the exploit component took advantage of a flaw in version 1 of the SMB (Server Message Block) protocol, used in some Microsoft operating systems to provide shared access to files, printers, serial ports and various other communications between network nodes. In this way, Wannacry spread across the affected networks in the same way a worm does:
Because the SMB flaw, catalogued by Common Vulnerabilities and Exposures as CVE-2017-0144, allowed remote users to execute arbitrary code on the local system whenever the operating system had not been updated with the Microsoft security patch MS17-010 https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010?redirectedfrom=MSDN, the attack succeeded precisely because the affected operating systems had not been patched beforehand.
Why did the creators of Wannacry choose bitcoin for the ransom payment?
For the ransom payment, Wannacry required the use of the cryptocurrency bitcoin. In fact, the familiar red lock screen launched by the @WanaDecryptor@.exe program and displayed on the monitors of infected PCs showed a detailed guide on how to make the payment transaction to the wallet, identified by a string of 34 alphanumeric characters.
https://www.blockchain.com/btc/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://www.blockchain.com/btc/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://www.blockchain.com/btc/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Although this transaction was fully transparent and traceable, it did not allow the account holder to be identified, precisely because of the characteristic properties of digital currency: anonymity, transparency, speed and non-repudiation.
How did the contagion stop?
The malicious code only continued to spread if it had verified that a particular public website was in fact non-existent:
“hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com”
Only the subsequent registration of this domain created the condition (the kill switch) for the malware to stop spreading.
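The two behaviours described above, worm-like SMB propagation across the network and the lookup of the kill-switch domain before spreading, are both visible in ordinary network telemetry. The following example, added for this article and not code from the original post, runs two simple detection checks over constructed log lines: one flags an internal host that opens TCP/445 to many distinct peers in a short window, the other flags any DNS query for the kill-switch domain (kept in the defanged form the article uses). The log format, IP addresses, timestamps and the fan-out threshold are all made-up assumptions; the domain is the one quoted above.

```python
"""Two detection checks over constructed network logs.

Added example, not from the article. The log lines, hosts and threshold
below are constructed; adapt the line parsing to your own log source.
"""
from collections import defaultdict

# Constructed connection log: "timestamp src_ip dst_ip dst_port"
CONN_LOG = """\
2017-05-12T13:01:02 10.0.0.5 10.0.0.20 445
2017-05-12T13:01:02 10.0.0.5 10.0.0.21 445
2017-05-12T13:01:03 10.0.0.5 10.0.0.22 445
2017-05-12T13:01:03 10.0.0.5 10.0.0.23 445
2017-05-12T13:01:04 10.0.0.5 10.0.0.24 445
2017-05-12T13:01:05 10.0.0.7 10.0.0.9 445
2017-05-12T13:01:05 10.0.0.7 10.0.0.9 445
2017-05-12T13:01:06 10.0.0.8 10.0.0.20 443
"""

# Constructed DNS log: "timestamp src_ip query_name"
DNS_LOG = """\
2017-05-12T13:00:59 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T13:01:00 10.0.0.8 update.example.net
"""

# Kill-switch domain exactly as quoted in the article (defanged).
KILL_SWITCH_DOMAIN = "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"


def refang(domain: str) -> str:
    """Turn a defanged indicator back into the form seen in logs."""
    return domain.replace("[.]", ".").lower()


def smb_fanout(conn_log: str, threshold: int = 5) -> dict:
    """Return {src_ip: distinct_peer_count} for hosts that opened TCP/445
    to at least `threshold` distinct destinations.

    A workstation normally talks SMB to a handful of servers; a host
    fanning out to many peers is the signature of worm-style propagation.
    """
    peers = defaultdict(set)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        if port == "445":
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def kill_switch_lookups(dns_log: str, domain: str = KILL_SWITCH_DOMAIN) -> list:
    """Return (timestamp, src_ip) for every query of the kill-switch domain.

    The lookup happens before propagation, so a hit means the sample ran on
    that host whether or not the domain resolved; it deserves a response
    even after the domain was registered.
    """
    wanted = refang(domain)
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        if qname.lower().rstrip(".") == wanted:
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(CONN_LOG))
    print("kill-switch lookups:", kill_switch_lookups(DNS_LOG))
```

The fan-out threshold is deliberately low because the sample is tiny; on a real network it should be tuned against a baseline of legitimate SMB clients such as backup agents and file servers, and both checks are best combined with the patch state of the hosts involved.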
The spread of this ransomware was considered to be the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation.
What should we learn from this?
In order to mitigate the risk of exposure to malware threats and improve security, it would be advisable, at all levels, to adopt a policy of precautionary behaviour, to ensure the periodic patching of computer systems, but above all to share with everyone the information that has come to light. Indeed, every discovery is worthless if it is not made available to others.
Certainly Wannacry, with its global spread, marked a breaking point by laying the foundations for a new way of conceiving what would be future ransomware attacks.
Unfortunately, contemporary events seem to confirm this.
To restore functionality without having to decrypt files and pay a possible ransom (not recommended), it is always advisable to adequately safeguard backups, adopting backup strategies according to the 3-2-1 rule: keep at least 3 copies of company data in 2 different formats, with 1 copy offline and located off-site.
To try and prevent cyber attacks including ransomware, it is always a good idea to keep systems up-to-date, activate 2FA authentication for access, use reliable antivirus software and always keep your guard up (awareness).
About the author: Salvatore Lombardo
Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
Twitter @Slvlombardo