Echoes of cyberwar
Why WannaCry was more dangerous than other ransomware
Ilya Sachkov
CEO Group-IB
Appearing to be a global epidemic: WannaCry has infected more than 200,000 PCs in more than 150 countries. Spreading across the networks of Universities, Renault, Nissan factories in France and Japan and impacting huge telecom and railway networks, including Telefonica in Spain and Deutsche Bahn in Germany. Hospitals in the UK were even forced to cancel operations as ransomware demanded payment to regain access to medical records. What was the motivation? Money? The WannaCry operators only managed to earn about $43,000 - nothing compared to the average targeted attack.
WannaCry's objective was not financial. It is a demonstration of the consequences of cyber-warfare. It demonstrates the vulnerability of our world today to digital weapons of which special services and governments have at their disposal. Moreover, it showcases what can happen when these tools end up in the wrong hands.
Is Wanna Cryptor an APT?
No it isn't, but it employed APT tools.

Technically this malware is quite simple. It attacks all the hosts available on the local network and scans internet for more vulnerable hosts.

This attack campaign and its global impact highlights the unexpected consequences of the development of cyber weaponry and the results when these advanced tools are employed by criminal groups: Wanna Cryptor uses EternalBlue, supposedly an NSA exploit released in the Shadow Brokers leak on 14th April.
Countries attacked by WannaCry encryptor
Although the attack tactics are advance, there is nothing new in them. Mirai, IoT botnet behind historically large DDoS attack on cybersecurity blog site KrebsOnSecurity on September 2016, was built with the same approach to distribution and stealthy techniques.

Few other peculiarities of Wanna Cryptor are:

  • Self-replication: Wanna Cryptor spreads itself onto other computers in a manner of a computer worm. It starts 2 threads: 1st scan LAN on port 445 for vulnerable hosts, 2nd tries to exploit vulnerability on a randomly generated IPs at a speed of 1000 IPs per minute.

  • Targeted encryption: the malware chooses the most sensitive docs for encryption: email, encryption keys and certificates, sourcecode files, archives, office files, virtual machines, databases.

  • Anti-forensics: it installs TOR to contact C&C server.
Wanna Cryptor incident is not the first time that cybercriminals actively use leaks of exploits and utilities from the arsenal of special services. With the help of another tool, NSA-backdoor DoublePulsar designed to infiltrate and launch malicious programs, the attackers managed to infect more than 47,000 Windows machines in the US, UK, and Taiwan. These hacked computers can be used to spread malicious programs, send spam, conduct cyber attacks and espionage etc.
In early April, we found 43,000 hosts infected with DoublePulsar
Who is at risk?
  1. Companies who didn't install security patch MS17-010.
  2. Large companies – the more PCs are in the same local network, the more hosts the
    malware has for distribution.
  3. Users of counterfeit software not supported by the vendor.
Are home users at risk?
Only if they launch it manually or if they access Internet via provider's local network. Home routers configured by default don't allow 445 port – used by the malware for self-propagation – to be seen from the outside.
I've installed MS17-010 patch, am I safe?
Yes, but only if don't launch the malware file manually. In this case your computer will be
encrypted even if patched properly.
What if I run a non-supported version of the OS?
Microsoft has issued a special series of security updates for Win Server 2003 and Win XP. Install them ASAP. Otherwise you're at risk.
Who is behind this attack? Are they Russians?
Neither Group-IB, nor anyone can confirm or deny Russian origin of the attackers without thorough investigation. We haven't found among targeted extensions files of "1C:Enterprise", the most popular accounting / inventory management software in Russia, which are typically targeted by ransomware developed by Russian threat actors. But no conclusion can be made without further investigation.
Why were governmental bodies (law enforcements, healthcare etc.) primarily affected?
We don't have any info to state that gov bodies were aimed. The malware scans ANY host in a network irrespective of its nature.

The screen of a computer infected by WannaCry
Should I pay the ransom?
We don't recommend to pay the ransom, since:
  • You sponsor the criminals
  • We have no evidence that the data of those who's paid has ever been restored.
    Has the attack been stopped?
    The massive attack has been stopped. A UK researcher managed to suspend infection has registered a domain the malware pinged to start its activity. As soon as there was no domain registered the malware was launched. Now that the domain is registered the malware that is installed pings it and when gets a reply ceases any activity.

    However organizations that use proxies will not benefit from the kill-switch, since Wanna Cryptor won't be able to reach that domain.

    The only reliable way to be protected is to install the security updates and not to launch the malware manually.
    What is the purpose of such a 'kill switch' feature of the malware?
    We can only guess, but we believe it is as "circuit breaker" for the malware authors to use, if the situation goes out of control.
    Can the malware be modified to be started again?
    It won't take cybercriminals long to modify the malware and launch the attack again. So, it can be a temporary respite. Someone (supposedly not the developer of original Wanna Cryptor) has already uploaded to VirusTotal the new version of Wanna Cryptor with kill-switched removed.

    The only reliable way to be protected is to install the security updates and not to launch the malware manually.
    What should I do to be protected against attacks like this?
    1
    Install system patches and security updates timely.
    2
    Unless you patched all PCs in corporate network, don't allow your employees to
    connect their laptops to corporate LAN.
    3
    Back up your systems regularly. Ideally if you use both – the cloud and drives that aren't
    constantly connected to the network.
    4
    Implement Zero Trust policy and arrange a Security Awareness training course for your
    employees.
    5
    Consider disabling SMB as a temporary troubleshooting measure.
    6
    Subscribe to Microsoft Technical Security Notifications.
    7
    Creating mutexes MsWinZonesCacheCounterMutexA and
    Global\MsWinZonesCacheCounterMutexA0 prevent virus from starting.
    Instruct your employees
    If you see that your computer is considerably slowing down and files with strange extensions appear, power down your computer immediately. Thus, you prevent files from encryption. Professionals will help you to restore your data. By the way Group-IB Threat Intelligence informed its customers about the vulnerability used by Wanna Cryptor in advance.
    IMPORTANT CONCLUSION

    My position is simple, moratoriums on digital weapons should be imposed and investigated by a special commission at the UN level. Unfortunately history tells us that militaries live in constant anticipation of war and that presence of external enemies leads to inflated budgets to protect against such "enemies". The main point is that with technology where it is today, war, including that which takes place in cyberspace, could be our last.