
Wannacry, the hybrid malware that brought the world to its knees

Reflecting on the Wannacry ransomware attack: what is the lesson learned, and why are most organizations still ignoring it?

In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding a ransom in cryptocurrency to restore them, the Wannacry ransomware.

Italy was also marginally affected by the attack, and the case was handled by the Computer Crime Operations Centre of the Postal Police (CNAIPIC) https://www.commissariatodips.it/profilo/cnaipic/index.html, which promptly issued an alert https://www.commissariatodips.it/notizie/articolo/attenzione-false-e-mailmessaggi-relativi-ad-assunzioni-in-enel-green-power/index.html on the very day of the event, recommending useful actions, including measures to prevent further propagation.

The ransomware, as reported in the Microsoft bulletin https://www.microsoft.com/en-us/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/, once delivered by e-mail using phishing and social engineering methods, or directly from the public network by exploiting a protocol flaw in connected devices, proceeded to:

  • encrypt the computer's data, using RSA public-key (asymmetric) encryption;
  • spread through the affected network using EternalBlue, an exploit attributed to the NSA, which targeted a vulnerability in the SMB (Server Message Block) network file sharing protocol used by Microsoft Windows systems.

The infection chain

The infection chain was divided into four stages:

  1. The malware was installed through a dropper, a program executed either by opening an attachment to a deceptive e-mail (probably a fake pdf or doc file) or directly from the Internet, without user interaction, by exploiting the vulnerability described in point 4.
  2. The dropper, once copied onto the computer, attempted to connect to a website and, only if the connection failed, proceeded to install two components: a cryptolocker and an exploit.
  3. The cryptolocker had the task of encrypting the data of the affected system.
  4. The exploit had the task of infecting other machines on the victim's local network that had not been properly updated, through the SMB protocol vulnerability.

Cryptolocker and exploit components

The encryption scheme implemented by WannaCry used an asymmetric encryption mechanism based on a public and private key pair generated using two prime numbers. The public key was used to encrypt the data of the affected system, while the private key was the object of the blackmail.

The algorithm used was RSA. Its effectiveness is based on the mathematical principle that it is easy to compute the product of two prime numbers, even very large ones, but the reverse process, i.e. decomposing the product to find which two prime numbers were used as factors, is much more difficult.
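As an added example, not code from the article, the following toy RSA walkthrough shows the mechanism the paragraph describes: a key pair built from two primes, encryption with the public key, decryption with the private key, and why recovering the private key amounts to factoring the modulus. The primes (1009 and 1013), the message value and the function names are constructed for the demo; real keys use primes hundreds of digits long, which is exactly what makes the factoring step infeasible.

```python
# Added example (not from the article): a toy RSA key pair built from two
# small primes. The public key encrypts, only the private key decrypts, and
# deriving the private key from the public one requires factoring n.
# Sizes are deliberately tiny so the arithmetic is visible.
from math import gcd


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q; p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)              # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """c = m^e mod n; m must be a non-negative integer smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover (p, q) from n by trial division. Feasible only because n is
    tiny here; at real key sizes this step is what makes RSA hold."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")


def private_key_from_public(public_key):
    """Illustrates why key size matters: once n is factored, d follows at once."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair(1009, 1013)     # two small primes, constructed for the demo
    secret = 424242
    c = encrypt(pub, secret)
    print("ciphertext:", c, "decrypted:", decrypt(priv, c))
    print("private key recovered by factoring tiny n:", private_key_from_public(pub) == priv)
```

The last function is the point of the example: with a 21-bit modulus, trial division recovers the private key instantly, which is why the ransomware's private key is worth a ransom only because its modulus is far too large to factor.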

In order to spread the ransomware within the victim’s network, the exploit component exploited a flaw in version 1 of the SMB (Server Message Block) protocol used in some Microsoft operating systems and intended to provide shared access to files, printers, serial ports and various communications between network nodes. In this way, Wannacry spread over the affected networks in the same way as a worm does:

  • In the first phase of the infection, an executable scanned the network on TCP port 445, the SMB port, looking for vulnerable Windows systems.
  • In the second phase, once access was gained to a machine, the malware created and executed a copy of itself on that system.

The SMB protocol flaw, catalogued by Common Vulnerabilities and Exposures as CVE-2017-0144, allowed remote users to execute arbitrary code on a machine whose operating system had not received the Microsoft security patch MS17-010 https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010?redirectedfrom=MSDN . The attack therefore succeeded precisely because the affected operating systems had not been updated beforehand.
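The scanning phase described above has a distinctive network footprint: one source reaching many distinct hosts on TCP 445 in a short time, unlike a workstation talking to its single file server. The following detection rule, an added example that is not part of the article, reads connection records in a simple constructed "timestamp src dst dport proto" format and flags sources that meet that pattern; the log lines, addresses, window and threshold are all constructed for the demo.

```python
# Added example (not from the article): flag sources that reach many distinct
# hosts on TCP 445 within a short window, the shape of a worm sweep on the
# network. Log format and sample records are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [
    # a workstation using a single file server over SMB: normal
    "2017-05-12T13:00:00 10.0.0.5 10.0.0.10 445 tcp",
    "2017-05-12T13:00:05 10.0.0.5 10.0.0.10 445 tcp",
    "2017-05-12T13:00:09 10.0.0.5 10.0.0.10 445 tcp",
    # HTTPS traffic, not relevant to this rule
    "2017-05-12T13:00:02 10.0.0.6 203.0.113.5 443 tcp",
] + [
    # one host sweeping its subnet on 445, a new destination every second
    f"2017-05-12T13:01:{i:02d} 10.0.0.7 10.0.0.{20 + i} 445 tcp" for i in range(15)
]


def parse_record(line):
    """'timestamp src dst dport proto' -> (datetime, src, dst, int port, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_smb_sweepers(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct 445 destinations seen within one window}
    for every source that reaches the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_record(line)
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # slide the window start forward so events[start:end+1] spans at most `window`
            while ts - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {count} distinct hosts on 445 within 60s")
```

The threshold and window are tuning knobs: vulnerability scanners and backup agents legitimately touch many hosts on 445, so in production those sources would be allow-listed rather than the rule loosened.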

Why did the creators of Wannacry choose bitcoin for the ransom payment?

For the ransom payment, Wannacry required the use of the cryptocurrency bitcoin. In fact, the familiar red lock screen launched by the @WanaDecryptor@.exe program and appearing on the monitors of infected PCs showed a detailed guide on how to make the payment transaction on the wallet, identified by a string of 34 alphanumeric characters.

https://www.blockchain.com/btc/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

https://www.blockchain.com/btc/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

https://www.blockchain.com/btc/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Although the transaction was fully transparent and traceable on the blockchain, it did not allow the wallet holder to be identified, precisely because of the typical characteristics of this digital currency: anonymity, transparency, speed and non-repudiation.

How did the contagion stop?

The malicious code only proceeded with the infection if it had verified that a public website did not in fact exist:

“hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com”

Only the subsequent registration of this domain created the condition (the kill switch) for the malware to stop spreading.
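The kill-switch check gives defenders two things to look at in DNS logs: any host querying that domain is worth an alert on its own, since no benign software has a reason to look it up, and the response code tells you what the malware would have done next. The article gives the indicator in "defanged" form (hxxp, [.]), so the helper below first turns it back into a plain hostname. This is an added example, not code from the article; the DNS log format, client addresses and timestamps are constructed for the demo.

```python
# Added example (not from the article): find queries for the kill-switch
# domain in DNS logs. Per the article, the malware only spread when the site
# did not exist, so an NXDOMAIN answer means the malware's check passed,
# while a successful answer means the kill switch engaged.
# Log format "timestamp client qname rcode" and records are constructed.

KILL_SWITCH_IOC = "hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"  # as printed in the article

SAMPLE_DNS_LOG = [
    "2017-05-12T12:58:40 10.0.0.3 www.microsoft.com NOERROR",
    "2017-05-12T12:59:02 10.0.0.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN",
    "2017-05-12T13:05:17 10.0.0.4 mail.example.org NOERROR",
    "2017-05-12T18:30:55 10.0.0.9 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR",
]


def refang_hostname(ioc):
    """Convert a defanged URL or hostname (hxxp://, [.]) into a plain lowercase hostname."""
    s = ioc.strip().lower()
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        if s.startswith(prefix):
            s = s[len(prefix):]
            break
    s = s.replace("[.]", ".").replace("(.)", ".")
    return s.split("/", 1)[0].rstrip(".")


def kill_switch_lookups(dns_lines, ioc=KILL_SWITCH_IOC):
    """Return one record per query for the kill-switch domain, with the
    outcome the response code implies for the querying host."""
    target = refang_hostname(ioc)
    hits = []
    for line in dns_lines:
        ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") != target:
            continue
        if rcode == "NXDOMAIN":
            outcome = "domain did not resolve: malware would have continued"
        else:
            outcome = "domain resolved: kill switch engaged"
        hits.append({"time": ts, "client": client, "rcode": rcode, "outcome": outcome})
    return hits


if __name__ == "__main__":
    for hit in kill_switch_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} queried kill-switch domain "
              f"({hit['rcode']}): {hit['outcome']}")
```

One caveat follows directly from the logic the article describes: because the malware only carries on when the lookup fails, a DNS filter or web proxy that blocks the kill-switch domain recreates the "site does not exist" condition on that network. The domain should be allowed to resolve, and the query itself should be what triggers the alert.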

The spread of this ransomware was considered to be the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation.

What should we learn from this?

In order to mitigate the risk of exposure to malware threats and improve security, it would be advisable, at all levels, to adopt a policy of precautionary behaviour, to ensure the periodic patching of computer systems, but above all to share with everyone the information that has come to light. Indeed, every discovery is worthless if it is not made available to others.

Certainly Wannacry, with its global spread, marked a breaking point by laying the foundations for a new way of conceiving what would be future ransomware attacks.

Unfortunately, contemporary events seem to confirm this.

To restore functionality without having to decrypt files and pay a possible ransom (not recommended), it is always advisable to adequately safeguard backups, adopting backup strategies according to the 3-2-1 rule: keep at least 3 copies of company data in 2 different formats, with 1 copy offline and located off-site.
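The 3-2-1 rule is easy to state and easy to drift away from, so it helps to check a backup inventory against it mechanically. The function below is an added example, not code from the article; the inventory format (a list of copies with a medium and offline/off-site flags) is an assumption for the demo, and the production data set is counted as one of the three copies, as is common practice.

```python
# Added example (not from the article): check a backup inventory against the
# 3-2-1 rule quoted above. Inventory format and sample inventories are
# constructed for the demo.


def check_3_2_1(copies):
    """Return a list of rule violations; an empty list means the inventory complies.
    Each copy is a dict: {"name": str, "medium": str, "offline": bool, "offsite": bool}."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies kept, the rule asks for at least 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        problems.append("all copies share one medium/format, the rule asks for 2 different ones")
    if not any(c["offline"] and c["offsite"] for c in copies):
        problems.append("no copy is both offline and off-site")
    return problems


# constructed inventories: the first is what many small sites actually run
WEAK_INVENTORY = [
    {"name": "production share", "medium": "disk", "offline": False, "offsite": False},
    {"name": "nightly snapshot (same NAS)", "medium": "disk", "offline": False, "offsite": False},
]

COMPLIANT_INVENTORY = [
    {"name": "production share", "medium": "disk", "offline": False, "offsite": False},
    {"name": "nightly snapshot (same NAS)", "medium": "disk", "offline": False, "offsite": False},
    {"name": "weekly tape, vaulted", "medium": "tape", "offline": True, "offsite": True},
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("compliant", COMPLIANT_INVENTORY)):
        issues = check_3_2_1(inventory)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

The offline requirement is the one that matters most against ransomware: a snapshot sitting on the same always-mounted share is reachable by the same process that encrypts the originals, so it counts as a copy but not as a safe one.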

To help prevent cyber attacks, including ransomware, it is always a good idea to keep systems up to date, enable two-factor authentication (2FA) for access, use reliable antivirus software and always keep your guard up (awareness).

About the author: Salvatore Lombardo

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Twitter @Slvlombardo


Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
