What do you get when you combine leaked government hacking tools, unpatched systems, and operatives from North Korea? One seriously debilitating cyber attack. Built on the now-infamous malware family known as ransomware, the campaign known as WannaCry grafted a self-propagating network worm onto the extortion model of its predecessors, producing something far more sinister, now known as a cryptoworm. Ransomware itself is older than this, but the world first took serious notice in 2013, when CryptoLocker arrived on the scene and set the template for later attacks: encrypt the files on an infected computer, then demand that the victim pay a ransom, preferably in bitcoin (a pseudonymous currency, though not the untraceable one the attackers liked to imagine). As the first big player in the ransomware game, it gave WannaCry a few key pointers to learn from.
By encrypting users' files without permission, CryptoLocker extorted money from executives who had never seen anything quite like it and were desperate to regain access to their information. When WannaCry appeared in 2017 it used the same extortion model as CryptoLocker, but its worm component meant it no longer needed a victim to open anything: it hit whatever unpatched Windows machines it could reach. Among those were hospitals holding highly sensitive patient data, and the damage to the healthcare sector showed the world the new and incredibly sharp teeth of crypto ransomware. The name comes from the malware's own branding (its ransom screen calls itself "Wana Decrypt0r" and Microsoft refers to it as WannaCrypt), though for anyone trying to recover hijacked data it was apt enough.
The now infamous WannaCry attack of May 2017 infected more than 230,000 computers across 150 countries and incurred damages in the billions. Yes, billions. It targeted computers running Microsoft Windows and propagated through EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144, fixed by the MS17-010 update). EternalBlue is attributed to the NSA, not to the Shadow Brokers; the group calling itself the Shadow Brokers is the one that leaked it, in April 2017. As a network worm, WannaCry carried its own scanner: it probed for hosts exposing SMB on TCP port 445, used EternalBlue to gain kernel-level code execution on them, and planted DoublePulsar, a backdoor from the same leaked NSA toolkit, to load the ransomware payload. (It is worth noting that Microsoft shipped MS17-010 in March 2017, two months before the outbreak and a month before the leak. Had the NSA reported the flaw to Microsoft years earlier instead of keeping it for offensive use, the fix would have been in place long before anyone was racing to deploy it, and many headaches in the healthcare industry could have been avoided.)
WannaCry swept the globe, virtually shutting down dozens of NHS trusts in the U.K. At the same time it was hitting unrelated entities: Telefónica's telephone network in Spain, Deutsche Bahn's railway displays in Germany, car manufacturers including Renault and Nissan, universities, and the Russian Interior Ministry. As of summer 2017, two large multi-state hospital systems in the U.S. were still feeling the effects, with doctors repeatedly blocked from accessing patient files. These restrictions were not just inconvenient: they led to the closing of several emergency rooms and an overall inability to treat sick people in dire need of care. Expensive hardware such as MRI scanners often runs embedded Windows that cannot be patched promptly, so these valuable devices were isolated from the main network and were useless in the meantime. While exploits are not known for their compassion, hitting patients with cancer and other terrible diseases, who rely on patient databases to get the medication and treatment they need, marked a new low for internet crime. Yet despite its mean-spirited effect, WannaCry only managed to rake in a measly 31 bitcoin, or about $55,000, for its massive campaign, hardly a hacking victory.
Why did it happen?
The reasons behind the spread of WannaCry ransomware are not nearly as novel as the exploit itself. Like most cyber attacks, it could have been avoided by patching. Microsoft had released the fix (MS17-010) in March 2017, two months before the outbreak, but the organizations hit hardest had either not applied it or were running Windows versions that had reached end of life and never received it. Healthcare organizations were particularly exposed because they run a large stock of legacy and embedded Windows systems that are awkward to patch, often on flat networks where SMB on port 445 is reachable from every other machine. In the U.S., the healthcare industry needs to invest more in cyber controls and defense, including system hardening, patch management, network segmentation, and better infrastructure.
Although researchers initially assumed WannaCry had arrived on a phishing hook, the investigation found evidence only of a network worm. The attack on each machine had three stages: remote code execution through the SMBv1 flaw, which runs in the kernel and therefore hands the attacker SYSTEM-level privileges; the unpacking and execution of the ransomware payload; and the encryption of documents followed by the ransom note. To spread, each infected host scanned its local subnet and also generated random IP addresses, sending the EternalBlue SMB exploit packets to anything listening on TCP port 445. Before doing any of this the sample tried to reach an unregistered web domain and exited if the request succeeded, which is the kill switch that later stopped it.
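The spread pattern just described, one host fanning out SMB connections to many addresses on TCP port 445 and each newly reached host doing the same a few seconds later, is also what makes a cryptoworm visible in network logs. The following PowerShell is an added example, not code from the original article or from any vendor. It reads connection records (here a constructed sample in a simplified timestamp, source, destination, port form, so it runs offline), flags any source that reaches an unusual number of distinct hosts on 445 inside one time window, and then links a flagged scanner back to the earlier scanner that reached it first. The log format, the thresholds and the local prefix 10.0.1. are assumptions to adjust for your own firewall or Sysmon export.

```powershell
# Added example (not from the original article): spot worm-style SMB fan-out
# in connection logs. The records below are constructed for illustration in a
# simplified "timestamp src dst dport" form; replace ConvertFrom-ConnLog with
# a parser for your own firewall or Sysmon (Event ID 3) export.

$ConstructedLog = @'
2017-05-12T11:00:00 10.0.1.15 10.0.1.20 445
2017-05-12T11:00:00 10.0.1.15 10.0.1.21 445
2017-05-12T11:00:01 10.0.1.15 10.0.1.22 445
2017-05-12T11:00:01 10.0.1.15 10.0.1.23 445
2017-05-12T11:00:02 10.0.1.15 10.0.1.24 445
2017-05-12T11:00:02 10.0.1.15 198.51.100.7 445
2017-05-12T11:00:03 10.0.1.15 203.0.113.9 445
2017-05-12T11:00:04 10.0.1.15 10.0.1.25 445
2017-05-12T11:00:05 10.0.1.20 10.0.1.30 445
2017-05-12T11:00:05 10.0.1.20 10.0.1.31 445
2017-05-12T11:00:06 10.0.1.20 10.0.1.32 445
2017-05-12T11:00:06 10.0.1.20 10.0.1.33 445
2017-05-12T11:00:07 10.0.1.20 10.0.1.34 445
2017-05-12T11:00:30 10.0.1.50 10.0.1.5 445
2017-05-12T11:00:31 10.0.1.50 10.0.1.5 445
2017-05-12T11:00:32 10.0.1.51 10.0.1.5 443
'@

function ConvertFrom-ConnLog {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 4) { continue }        # skip blank or malformed lines
        [pscustomobject]@{
            Time = [datetime]$f[0]               # ISO 8601 casts culture-independently
            Src  = $f[1]
            Dst  = $f[2]
            Port = [int]$f[3]
        }
    }
}

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowSeconds   = 60,        # bucket width for counting targets
        [int]$MinDestinations = 5,         # distinct 445 targets per bucket before alerting
        [string]$LocalPrefix  = '10.0.1.'  # assumption: the monitored subnet
    )
    $epoch = [datetime]'1970-01-01'
    $Events |
        Where-Object { $_.Port -eq 445 } |
        Group-Object { '{0}|{1}' -f $_.Src, [math]::Floor(($_.Time - $epoch).TotalSeconds / $WindowSeconds) } |
        ForEach-Object {
            $targets = @($_.Group.Dst | Sort-Object -Unique)
            if ($targets.Count -ge $MinDestinations) {
                [pscustomobject]@{
                    Source       = $_.Group[0].Src
                    WindowStart  = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                    Destinations = $targets.Count
                    # targets outside the subnet: WannaCry's random-internet scanning mode
                    OffSubnet    = @($targets | Where-Object { -not $_.StartsWith($LocalPrefix) }).Count
                }
            }
        }
}

function Find-PropagationChain {
    # A scanner that was itself reached on 445 by an earlier scanner is the
    # signature of a worm: the victim starts spreading seconds after infection.
    param([object[]]$Events, [object[]]$Alerts)
    $scanners = @($Alerts | ForEach-Object { $_.Source })
    foreach ($a in $Alerts) {
        $infector = $Events |
            Where-Object { $_.Port -eq 445 -and $_.Dst -eq $a.Source -and
                           $scanners -contains $_.Src -and $_.Time -le $a.WindowStart } |
            Sort-Object Time | Select-Object -First 1
        if ($infector) {
            [pscustomobject]@{ Victim = $a.Source; ReachedBy = $infector.Src; At = $infector.Time }
        }
    }
}

$events = ConvertFrom-ConnLog -Text $ConstructedLog
$alerts = @(Find-SmbFanOut -Events $events)
$alerts | Format-Table -AutoSize
Find-PropagationChain -Events $events -Alerts $alerts | Format-Table -AutoSize
```

On the constructed sample this flags 10.0.1.15 (eight targets, two of them off-subnet) and 10.0.1.20 (five targets), and the chain step reports that 10.0.1.20 was reached by 10.0.1.15 five seconds before it began scanning. The repeated connections from 10.0.1.50 to a single file server are not flagged, which is the point of counting distinct destinations rather than raw connection volume: a backup job talks to one host a thousand times, a worm talks to a thousand hosts once.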
There were three key factors that contributed to how quickly this attack spread:
- Once a machine was infected, the worm code moved across the network on its own, without any user action. No suspicious links necessary.
- The attack took advantage of a vulnerability in the OS that many organizations had not patched, walking straight past the first line of defense.
- Organizations still running Windows XP and other end-of-life versions had no Microsoft support and had never received the fix. In light of the attack, Microsoft took the unusual step of releasing emergency out-of-band patches for those unsupported systems as well, free of charge.
In the end, affected organizations recovered by rebuilding: reinstalling the OS and essential applications, applying the updates, and restoring data from backups, after which patient records and treatment resumed. Files without a backup were generally lost. Separately from Microsoft's emergency patches, a security researcher discovered the kill switch: registering the domain the malware checked caused new infections to exit before encrypting or spreading further. Months later, in December 2017, security agencies in the U.S., the U.K., and Australia publicly attributed the worm to North Korea.
These same experts now recommend that security leaders protect against future ransomware by fixing the things that made WannaCry possible: patch promptly, retire or isolate end-of-life systems, disable SMBv1, and keep port 445 from being reachable across the network or from the internet. Email authentication and phishing awareness still matter, since most ransomware does arrive by email and one click can bring disaster to an entire organization, but WannaCry is the reminder that a worm needs no click at all. The WannaCry breach should be a wake-up call for every online entity to lock its front door by redoubling its security efforts, hardening its systems, and implementing best practices. IT departments should also run endpoint protection that quarantines suspect files.
How can we learn from this mistake?
Back up critical files to limit disruption. If increased vigilance is not adopted, WannaCry will most certainly be called "River of Tears" in the future. Here are some tips for organizations hoping to move forward into a safer landscape:
- Conduct thorough penetration testing! Combine black box testing (including social engineering) with white box testing to find vulnerabilities in the network and the fixes available for them. Just closing one security hole without understanding what the other services and ports on the network are doing will not solve the problem.
- Train users in system security! Starting with those in charge of critical applications and network connections, organizations must implement basic and multi-phased approaches to security awareness and response. On the technical side this includes deploying anti-ransomware protection on endpoints, disabling SMBv1, and blocking TCP port 445 wherever SMB is not needed, especially at the perimeter and between network segments.
- Educate would-be experts! Ensure security teams take ICT security certification training with hands-on practice, such as the Ethical Hacking Boot Camp from industry experts like InfoSec Institute: https://www.infosecinstitute.com/courses/ethical-hacking-boot-camp Remember, everyone is responsible for enterprise security.
- Watch for mutations! A patch for one sample is no guarantee of protection. New variants of the ransomware have already appeared, hinting at a digital pandemic on the horizon.
- Know your cloud storage capabilities! Some encrypted files can be recovered by rolling back to earlier versions, but not every service keeps them. This is a good time to check whether your cloud storage keeps version history, for how long, and whether an attacker holding your credentials could delete that history too. If it does not keep rollback versions, you may find yourself paying a ransom in the future.
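Taking the points above that concern the machine itself, blocking port 445, disabling SMBv1 and keeping the OS patched, the following PowerShell is an added example, not code from the original article or from Microsoft, of a check-then-harden script for a Windows host. It reports whether SMBv1 is still enabled, whether the MS17-010 update is installed, and whether an inbound block for TCP 445 exists; with -Remediate it disables SMBv1 and adds the block rule. The KB identifiers are not hard-coded because they differ by Windows version and later cumulative updates supersede them; pass the ones from the MS17-010 bulletin that apply to your build. The firewall rule name, the registry fallback for Windows 7, and the use of netsh where the NetSecurity cmdlets are absent are assumptions, and the block rule is meant for workstations and devices that do not share files.

```powershell
# Added example (not from the original article or from Microsoft): audit and
# harden a Windows host against the two things WannaCry needed, SMBv1 reachable
# on TCP 445 and a missing MS17-010 update. Run in an elevated PowerShell.
# Try "-Remediate -WhatIf" first: removing SMBv1 breaks anything that still
# depends on it (old NAS boxes, printers, some lab and medical equipment).
[CmdletBinding(SupportsShouldProcess)]
param(
    # KB numbers from the MS17-010 bulletin for this Windows build. Assumption:
    # the caller supplies them; they differ per version and newer cumulative
    # updates supersede them, so an empty list simply skips the check.
    [string[]]$Ms17010Kb = @(),
    [switch]$Remediate
)

$RuleName = 'Block inbound SMB (TCP 445) - WannaCry hardening'  # assumed name
$Smb1Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Cmd {
    param([string]$Name)
    [bool](Get-Command $Name -ErrorAction SilentlyContinue)
}

function Get-SmbPosture {
    param([string[]]$RequiredKb)
    # Windows 8 / 2012 and later have the SmbShare cmdlets; Windows 7 / 2008 R2
    # expose the same switch only as a registry value (absent means enabled).
    $smb1On = if (Test-Cmd Get-SmbServerConfiguration) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = (Get-ItemProperty -Path $Smb1Key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        ($null -eq $v) -or ($v -ne 0)
    }
    $kbs = @(Get-HotFix | Where-Object { $RequiredKb -contains $_.HotFixID })
    $ruleExists = if (Test-Cmd Get-NetFirewallRule) {
        [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    } else {
        $null = netsh advfirewall firewall show rule name="$RuleName"
        $LASTEXITCODE -eq 0                      # netsh returns non-zero when no rule matches
    }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1On
        Ms17010Installed  = if (-not $RequiredKb) { 'not checked' } elseif ($kbs) { $kbs.HotFixID -join ',' } else { 'MISSING' }
        Port445Blocked    = $ruleExists
    }
}

function Invoke-SmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $target = $env:COMPUTERNAME
    if ($PSCmdlet.ShouldProcess($target, 'Disable SMBv1 on the server side')) {
        if (Test-Cmd Set-SmbServerConfiguration) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Windows 7 / 2008 R2 method; takes effect after a reboot
            Set-ItemProperty -Path $Smb1Key -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
    if ((Test-Cmd Disable-WindowsOptionalFeature) -and
        $PSCmdlet.ShouldProcess($target, 'Remove the SMB1Protocol feature (client and server)')) {
        # Not every build exposes the feature under this name, hence SilentlyContinue
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($target, "Add inbound block rule '$RuleName' for TCP 445")) {
        # Meant for workstations and devices that serve no files. On a file
        # server scope it with -RemoteAddress (or remoteip=) to untrusted ranges.
        if (Test-Cmd New-NetFirewallRule) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        } else {
            netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=445 | Out-Null
        }
    }
}

Get-SmbPosture -RequiredKb $Ms17010Kb | Format-List
if ($Remediate) {
    Invoke-SmbHardening
    Get-SmbPosture -RequiredKb $Ms17010Kb | Format-List   # re-check after the changes
}
```

Run it once without switches to get the posture report, then with -Remediate -WhatIf to see what would change, and only then with -Remediate. The report deliberately treats an empty KB list as "not checked" rather than as a pass: on current Windows 10 builds the March 2017 KBs no longer appear in Get-HotFix because later cumulative updates replaced them, so the SMBv1 and port 445 lines are the ones to trust on those machines.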
The biggest problem with this type of malicious software, however, is the absence of a single magic bullet—a silver one made expressly to kill the beast. As a result, organizations need to change their fundamental approach to how they tackle ransomware threats, seeing it from many angles.