Hurricanes, tornadoes, and cyberattacks—it may seem like one of those things is not like the others. But on Friday, May 12th, a new ransomware variant affected 61 health organizations in Britain, halted FedEx deliveries in America, and locked up 200,000 computers worldwide. This is an attack that is truly on the scale of a natural disaster, and with patients in Britain being told to avoid hospitals except in dire emergencies, it may truly be a matter of life and death.
Security researchers thought that ransomware was bad back in 2016, with various viruses locking up several hospitals as well as the entire San Francisco subway system. WannaCry, however, appears to have replicated or even exceeded all the worst ransomware damage of 2016—and in just a single day. While the initial outbreak of havoc appears to have been forestalled for the time being, experts warn that outbreaks like WannaCry may become commonplace. We discuss Safe-T's Ransomware Protection solution later in this blog.
WannaCry Ransomware Rooted in a Leak from the NSA
The WannaCry ransomware is directly tied to a massive leak from the NSA, from a group known as "The Shadow Brokers." This thread of the story is complicated. Back in the summer of 2016, The Shadow Brokers emerged with the news that they had stolen a cache of hacking tools from a cyberespionage division of the NSA known as the Equation Group.
The exploits, as it turned out, were real. Two networking equipment manufacturers, Cisco and Fortinet, immediately released warnings about unpatched vulnerabilities that could be used to compromise older versions of their equipment. While the reveal of this information raised alarm, it did not result in a widespread data breach.
The truly damaging leak came about in the middle of April, about a month before the WannaCry attack hit. April's leak contained some incredibly compromising material—three zero-day exploits for Windows, code affecting the SWIFT banking communication network, and a hacking tool dubbed EternalBlue. This last tool forms the core of the WannaCry ransomware.
An Invisible, Self-Replicating Payload
EternalBlue is designed to take advantage of a vulnerability in versions of Windows including XP and Windows Server 2012. Although this vulnerability was patched by Microsoft shortly before the breach occurred, the patch had not yet been widely applied. The specific vulnerability allows attackers to execute code remotely via the Server Message Block (SMB) protocol. When combined with a ransomware package, it allowed WannaCry to spread from peer to peer, jumping between vulnerable computers in a network without any user interaction. What's more, the virus deliberately seeks out and destroys system backup files, so that victims cannot simply restore what was encrypted.
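A defender-side check for the peer-to-peer spread described above, added here as an example that is not from the original post or from Safe-T: it scans a constructed flow-log sample for a single host opening SMB (TCP/445) connections to many distinct peers within a short window, which is the fan-out pattern a self-replicating payload leaves behind. The log format and the IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow-log sample (not from the original post): one peer fanning
# out to many hosts on TCP/445 within seconds, beside ordinary file-server use.
# Format per line: timestamp src dst dport action
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445 ALLOW
2017-05-12T10:00:01 10.0.1.15 10.0.1.22 445 DENY
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.24 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.25 445 ALLOW
2017-05-12T10:00:05 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:07 10.0.1.41 10.0.1.5 445 ALLOW
2017-05-12T10:00:09 10.0.1.15 10.0.1.5 443 ALLOW
"""

def parse_line(line):
    """Parse one log line into (ts, src, dst, dport, action); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3]), parts[4])
    except ValueError:
        return None

def smb_fanout(log_text, window=timedelta(seconds=30), threshold=5):
    """Per source, the peak number of distinct TCP/445 destinations seen inside any
    sliding window; only sources reaching `threshold` are returned. DENY lines
    count too: a worm sweeping a subnet also hits hosts that are off or filtered."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport, _action in events:
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections that aged out of the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB peers inside 30s, investigate for worm-like spread")
```

On real flow or firewall logs, tune the window and threshold against a baseline of legitimate SMB clients such as backup and inventory servers, which also talk to many hosts.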
WannaCry has spread so quickly that researchers still aren't sure how initial infections began on various networks. The typical email-phishing strategy is suspected, but attackers may have used a further, as yet unknown, network vulnerability. Even more concerning is the fact that hackers have already begun tweaking WannaCry to further its success, before security researchers are even fully aware of how it works.
As it turns out, a single security researcher was able to accidentally halt the global spread of WannaCry by purchasing a domain name that the attackers had intended to use—a technique known as "sinkholing." Since then, the original attackers have edited and modified the virus to eliminate this vulnerability, and other hackers may attempt to clone the virus for their own ends.
Signs of More Trouble to Come
Providing extortionist cyber-criminals with tools used by nation-state actors is like throwing gasoline on a fire. The criminal community will inevitably dissect, modify, and upgrade exploits like EternalBlue, as well as pre-existing malware such as WannaCry, and it's going to be hard for security researchers to keep up. In other words, the internet's endemic ransomware problem just got permanently worse.
With ransomware a seemingly constant hazard for companies—and with antivirus vendors hard-pressed to keep up—it is incumbent on administrators to protect their file systems by any means necessary. Safe-T allows users to protect themselves from ransomware by preventing users from copying disallowed files onto an NTFS drive, locking files against encryption, and controlling the flow of transferred files. This allows admins to prevent ransomware from gaining a toehold—even if it involves a zero-day.
The products offered at Safe-T are designed to mitigate data-related threats, including unauthorized access to data, services, networks, or APIs, as well as data exfiltration, leakage, malware, ransomware, and fraud. To our knowledge, no Safe-T users were successfully exploited by this ransomware, and that is something to be proud of. For more information on Safe-T and how we can protect your files from ransomware, contact us today.