Reflecting on the Wannacry ransomware attack: what is the lesson learnt, and why are most organizations still ignoring it?
In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding a ransom in cryptocurrency to restore them, the Wannacry ransomware.
Italy was also marginally affected by the attack and the case was dealt with by the Computer Crime Operations Centre of the Postal Police (CNAIPIC) https://www.commissariatodips.it/profilo/cnaipic/index.html, which promptly issued an alert https://www.commissariatodips.it/notizie/articolo/attenzione-false-e-mailmessaggi-relativi-ad-assunzioni-in-enel-green-power/index.html on the very day of the event, recommending some useful actions also to prevent further possible propagation.
The ransomware, as reported in the Microsoft bulletin https://www.microsoft.com/en-us/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/, once delivered by e-mail using phishing and social engineering methods, or directly from the public network by exploiting a protocol flaw in the connected devices, proceeded to:
- encrypt computer data, using RSA public key asymmetric encryption techniques;
- multiply in the affected network, through an NSA code called EternalBlue, which exploited a vulnerability in the network file sharing protocol SMB (Server Message Block) used by Microsoft Windows systems.
The infection chain
The infection chain was divided into four stages:
- The malware was installed through a dropper, a program executed by opening an attachment to a deceptive e-mail, probably a fake pdf or doc file, or executed directly from the Internet, without user interaction, by means of the exploit described in point 4.
- The dropper, once copied on the computer, attempted to connect to a site and only if the connection failed, proceeded to install two components, a cryptolocker and an exploit.
- The cryptolocker had the task of encrypting the data of the affected system;
- The exploit's task was to infect the victim’s local network, if not properly updated, through the SMB protocol vulnerability.
Cryptolocker and exploit components
The encryption scheme implemented by WannaCry used an asymmetric encryption mechanism based on a public and private key pair generated using two prime numbers. The public key was used to encrypt the data of the affected system, while the private key was the object of the blackmail.
The operating algorithm was RSA. Its effectiveness is based on the mathematical principle according to which it is easy to calculate the product of two even very large prime numbers, but the reverse process, i.e. decomposing the product to find which two prime numbers were used as factors, is much more difficult.
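The following is an added worked example, not code from the article or from the malware, that makes the principle above concrete: a toy RSA key pair is built from two small primes, the public half encrypts a short message, and only the private half decrypts it. A brute-force trial-division routine then shows that recovering the private key from the public key is exactly the factoring problem, which is feasible for the small primes used here and infeasible for the key sizes used in practice. The primes 10007 and 10009 and the message bytes are constructed sample values.

```python
# Added example (not from the article): toy RSA built from two small primes.
# It demonstrates the "easy product, hard factoring" principle the text
# describes; real keys use primes of hundreds of digits, which makes
# factor_by_trial_division() below hopeless.
from math import gcd


def generate_keypair(p, q, e=65537):
    """Build an RSA key pair from primes p and q.

    Returns ((n, e), (n, d)): the public key and the private key.
    The private exponent d is the inverse of e modulo phi(n) = (p-1)(q-1),
    so anyone who can factor n into p and q can recompute d.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pubkey, message: bytes) -> int:
    """Encrypt a short byte string with the public key (textbook RSA, no padding)."""
    n, e = pubkey
    m = int.from_bytes(message, "big")
    if not 0 <= m < n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(privkey, ciphertext: int) -> bytes:
    """Decrypt with the private key and strip the integer back to bytes."""
    n, d = privkey
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def factor_by_trial_division(n):
    """Recover (p, q) from n by brute force. Only feasible while sqrt(n) is small."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def recover_private_key(pubkey):
    """What an attacker on the public key must do: factor n, then rebuild d."""
    n, e = pubkey
    factors = factor_by_trial_division(n)
    if factors is None:
        raise ValueError("n has no small factors; trial division failed")
    p, q = factors
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = generate_keypair(10007, 10009)  # constructed toy primes
    c = encrypt(pub, b"key")
    print("ciphertext:", c, "->", decrypt(priv, c))
    print("private key recovered by factoring:", recover_private_key(pub) == priv)
```

With 5-digit primes the factoring loop finishes in about ten thousand iterations; with the 300-digit primes used for a real 2048-bit modulus, the same loop would need more iterations than there are atoms in the observable universe, which is why the ransom demand for the private key had any leverage at all.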
In order to spread the ransomware within the victim’s network, the exploit component exploited a flaw in version 1 of the SMB (Server Message Block) protocol used in some Microsoft operating systems and intended to provide shared access to files, printers, serial ports and various communications between network nodes. In this way, Wannacry spread over the affected networks in the same way as a worm does:
- In fact, the first phase of the infection was conducted via an executable that scanned the network on TCP port 445 of the SMB protocol for vulnerable Windows systems.
- In the second phase, once access was gained to a computer, the malware would create and execute a copy of itself on the system.
The SMB protocol flaw, catalogued by the Common Vulnerabilities and Exposures under the number CVE-2017-0144, allowed remote users to execute arbitrary code locally on any system that had not been updated with the Microsoft security patch MS17-010 https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010?redirectedfrom=MSDN. The attack succeeded precisely because the affected operating systems had not been updated beforehand.
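The first worm phase described above, one host sweeping TCP port 445 across the local network, leaves a distinctive trace in firewall or flow logs: a single source touching many distinct internal hosts on port 445 within a short time, regardless of whether each connection was allowed or denied. The following added example, not code from the article, shows that detection logic run over a handful of constructed log lines. The log format (`src= dst= dport= action=`), the addresses, the timestamps and the threshold of five distinct targets per minute are all assumptions chosen for the example.

```python
# Added example (not from the article): flag hosts that sweep TCP/445 across
# many internal targets in a short window, the signature of the worm's
# first phase. Log format, addresses and thresholds are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

# Constructed sample firewall-style log: 10.0.1.15 sweeps seven hosts on 445
# in nine seconds; 10.0.1.30 talks repeatedly to one file server (normal);
# 10.0.1.40 reaches two hosts on 445.
SAMPLE_LOG = """\
2017-05-12 13:02:01 src=10.0.1.15 dst=10.0.1.20 dport=445 action=allow
2017-05-12 13:02:02 src=10.0.1.15 dst=10.0.1.21 dport=445 action=deny
2017-05-12 13:02:02 src=10.0.1.30 dst=10.0.1.5 dport=445 action=allow
2017-05-12 13:02:03 src=10.0.1.15 dst=10.0.1.22 dport=445 action=allow
2017-05-12 13:02:04 src=10.0.1.15 dst=10.0.1.23 dport=445 action=deny
2017-05-12 13:02:05 src=10.0.1.40 dst=10.0.1.5 dport=445 action=allow
2017-05-12 13:02:06 src=10.0.1.15 dst=10.0.1.24 dport=445 action=allow
2017-05-12 13:02:07 src=10.0.1.30 dst=10.0.1.5 dport=445 action=allow
2017-05-12 13:02:08 src=10.0.1.15 dst=10.0.1.25 dport=445 action=allow
2017-05-12 13:02:09 src=10.0.1.40 dst=10.0.1.7 dport=445 action=allow
2017-05-12 13:02:10 src=10.0.1.15 dst=10.0.1.26 dport=445 action=deny
2017-05-12 13:02:11 src=10.0.1.30 dst=10.0.1.6 dport=443 action=allow
"""


def parse_events(text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return events


def detect_smb_sweeps(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: peak_distinct_targets} for sources that reached at least
    `threshold` distinct hosts on port 445 inside any sliding `window`.

    Denied connections count too: a worm scanning for vulnerable hosts hits
    closed ports and blocked hosts as well as open ones.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport, _action in parse_events(text):
        if dport == 445:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, hits in per_src.items():
        hits.sort()  # sliding window needs chronological order
        in_window = Counter()  # dst -> number of hits currently in the window
        left = 0
        peak = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # drop hits older than the window from the left edge
            while ts - hits[left][0] > window:
                old_dst = hits[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"ALERT possible SMB sweep: {src} reached {n} distinct hosts on 445")
```

The threshold is the tuning knob: a backup server or vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow-list, while a workstation reaching even a handful of distinct hosts on that port within a minute is unusual enough to investigate. The same logic, with the window and threshold adjusted, works on NetFlow or Windows Filtering Platform events.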
Why did the creators of Wannacry choose bitcoin for the ransom payment?
For the ransom payment, Wannacry required the use of the cryptocurrency bitcoin. In fact, the familiar red lock screen launched by the @WanaDecryptor@.exe program and appearing on the monitors of infected PCs showed a detailed guide on how to make the payment transaction on the wallet, identified by a string of 34 alphanumeric characters.
Although this transaction was absolutely transparent and traceable, it did not allow the account holder to be traced, precisely because of the typical peculiarities of digital currency: anonymity, transparency, speed and non-repudiation.
How did the contagion stop?
The malicious code only proliferated after it had verified that a certain public domain was in fact non-existent:
Only the subsequent registration of that domain created the condition (kill switch) for the malware to stop spreading.
The spread of this ransomware was considered to be the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation.
What should we learn from this?
In order to mitigate the risk of exposure to malware threats and improve security, it would be advisable, at all levels, to adopt a policy of precautionary behaviour, to ensure the periodic patching of computer systems, but above all to share with everyone the information that has come to light. Indeed, every discovery is worthless if it is not made available to others.
Certainly Wannacry, with its global spread, marked a breaking point by laying the foundations for a new way of conceiving what would be future ransomware attacks.
Unfortunately, contemporary events seem to confirm this.
To restore functionality without having to decrypt files and pay a possible ransom (not recommended), it is always advisable to adequately safeguard backups, adopting backup strategies according to the 3-2-1 rule: keep at least 3 copies of company data in 2 different formats, with 1 copy offline and located off-site.
To try and prevent cyber attacks, including ransomware, it is always a good idea to keep systems up-to-date, activate two-factor authentication (2FA) for access, use reliable antivirus software and always keep your guard up (awareness).
About the author: Salvatore Lombardo
Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
[Source: SecurityAffairs / 10.31.]