WannaCry's origin, modus operandi, impact & safe cyber practices explained

Only real, long term solution, however, remains increasing education around security best practices

Udbhav Tiwari, Policy Officer, Centre for Internet and Society
Last Updated : Aug 02 2017 | 1:37 AM IST
The explosive WannaCry (aka Wanna Decryptor or WCry) malware, a self-replicating ransomware, has affected over 200,000 computers in over 75 countries in merely 7 days. The attacks have left public and private entities, including critical infrastructure such as hospitals and public transport, crippled across the globe. This article will attempt to highlight the origins of the ransomware, its method of operation, the effect it has had on the global economy and the countermeasures users can take to protect themselves from the malware.

WannaCry is ransomware, a type of computer virus designed to block access to a computer system, or to the files on it, until a sum of money is paid to the attackers. Ransomware has been around since 1989, when the first extortionist malware, known as the AIDS trojan, was documented by security researchers. Ransomware usually exploits known or zero-day (unknown and unpatched) vulnerabilities in operating systems to assume total control of the computer. It usually operates by restricting access to critical files and information on a system (or a network of systems) by encrypting them and then demanding payment for a decryption key that allows the files to be accessed again. While a fair number of ransomware families have flaws in their code that allow the data to be decrypted without the key, this process normally takes security researchers many weeks and thousands of dollars to complete successfully.

For businesses and government institutions, this time can mean millions of dollars in losses, while the public also suffers from denial of services (often critical ones) that can extend the possible losses to billions of dollars and even the loss of lives. Because the affected computer systems are needed in real time, victims often find it more cost-efficient and convenient to pay the amount requested by the attackers to restore access to their systems and files than to hire security teams to attempt to decrypt the files or aid investigators. This makes ransomware a particularly lucrative, high-revenue attack tactic for malicious hackers.

How was WannaCry created?

WannaCry utilises the EternalBlue exploit, created by the National Security Agency (NSA) of the United States of America (USA) for carrying out targeted attacks or surveillance on systems running vulnerable operating systems. The NSA did not develop WannaCry or similar malware, but it did actively develop and exploit the vulnerability that WannaCry uses to infect systems.

In particular, the exploit targets port 445 on Windows systems, which is used to carry SMB (Server Message Block) messages, to give the attacker absolute control of the system. While the exploit had been used by the NSA for many years prior to the attack, a vigilante hacker group known as the ShadowBrokers released EternalBlue (among thousands of other tools and exploits) to Wikileaks in March 2017. In this act, reminiscent of the actions of Edward Snowden in May 2013, the ShadowBrokers claimed to have released this information to present a view into the pervasive power exercised by the NSA over the digital ecosystem and to compel better security practices.

Wikileaks released this cache of tools and exploits in April 2017, after sharing them with organisations such as Microsoft and Apple to enable them to develop patches for the vulnerabilities present in the cache. While Microsoft released a patch in March 2017 that closes this vulnerability, due to piracy and a general lack of awareness only a minuscule percentage of Windows users keep their systems updated with the latest patches. This lack of security best practices is the prime cause of the rapid propagation and devastating impact of the attack, as highlighted below.

The WannaCry ransomware began affecting systems at around 8 am UTC on May 12, 2017, hitting computers running Microsoft operating systems from Windows XP (released in 2001) through to Windows Server 2012. The method of propagation of the ransomware has not yet been identified, but initial research indicates a multipronged approach that uses both network interconnections (including the internet at large) and physical transfer of data (using pen drives, etc.) from affected systems. It is also unknown whether the ransomware was seeded for a period of a few days or weeks prior to being made live, an often-used technique to reach a critical mass before launching a cyber attack.
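A self-replicating worm that spreads over SMB shows up in network telemetry as one host opening TCP/445 connections to many distinct peers in a short time. The script below, an added example that is not part of the original article, parses a few constructed firewall flow records (the log format, hostnames and thresholds are assumptions for illustration) and flags sources that behave that way, whether or not the firewall allowed the connection.

```python
"""
Detect worm-like SMB scanning (TCP/445) in firewall or flow logs.

Added example, not from the original article. The log format, addresses and
thresholds are constructed for illustration; adapt parse_flows() to the
format your own firewall emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: timestamp src dst dst_port action
SAMPLE_LOG = """\
2017-05-12T08:01:00Z 10.0.1.15 10.0.2.1 445 allow
2017-05-12T08:01:01Z 10.0.1.15 10.0.2.2 445 allow
2017-05-12T08:01:01Z 10.0.1.15 10.0.2.3 445 allow
2017-05-12T08:01:02Z 10.0.1.15 10.0.2.4 445 deny
2017-05-12T08:01:02Z 10.0.1.15 10.0.2.5 445 allow
2017-05-12T08:01:03Z 10.0.1.15 10.0.2.6 445 allow
2017-05-12T08:01:05Z 10.0.1.20 10.0.2.10 445 allow
2017-05-12T08:02:10Z 10.0.1.20 10.0.2.10 445 allow
2017-05-12T08:03:00Z 10.0.1.30 10.0.2.50 443 allow
2017-05-12T08:03:00Z 10.0.1.30 10.0.2.51 443 allow
"""

SMB_PORT = 445


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "port": int(port),
            "action": action,
        })
    return flows


def find_smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: distinct_destinations} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 inside any `window`.

    Denied flows are counted as well: a worm keeps probing regardless of the
    firewall's answer, and the attempts themselves are the signal.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["port"] == SMB_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_flows(SAMPLE_LOG)).items():
        print(f"possible SMB scanner {src}: {count} distinct targets on 445")
```

In the sample, only 10.0.1.15 crosses the threshold; 10.0.1.20 talks to a single file server repeatedly, which is normal SMB use, and 10.0.1.30 is on port 443 and ignored. The window and threshold are the tuning knobs: a real network has legitimate management hosts that touch many machines on 445, so those are best excluded by an allow-list rather than by raising the threshold.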

WannaCry has demanded 300 US dollars' worth of bitcoin (Rs 20,000), a pseudo-anonymous cryptocurrency, by May 15, 2017 to unlock the data on affected systems. If the payment is not made by that date, it states that the amount will be doubled to 600 US dollars, to be paid by May 19, 2017, after which the data will be deleted. This message is shown on the screens of affected systems in over 20 languages, indicating the premeditated and global nature of the attack. As of the writing of this article, once a system has been affected by WannaCry, there is no way to recover the encrypted data apart from paying the ransom and acquiring the decryption key.

Impact of WannaCry

The wide-ranging impact of the attacks, with multinational conglomerates and local hospitals affected alike, has led to wide-ranging harms, from financial loss (especially for banks) to critical healthcare being denied to patients. As an example, last week the Blackpool Victoria Hospital in the United Kingdom, a victim of the WannaCry attack, was treating only emergency or life-threatening cases because its record-keeping system had been rendered inaccessible over the weekend. Similarly, public transport in Germany, telecommunications in Spain and consultancy agencies in Portugal are among the major parties affected by the attack. According to data from Kaspersky, a security vendor, the countries worst affected by the attack are Russia, Ukraine and India.

The Reserve Bank of India (RBI) had also ordered banks to shut down ATMs that may possibly be affected until they can ensure they have been patched against the vulnerability. Fortuitously, on May 15, 2017 Marcus “MalwareTech” Hutchins, a security researcher from the UK, managed to identify, by analysing the code, an unregistered domain name that was to be used by the attack, and registered it as a kill-switch sinkhole that significantly slowed down the propagation of the attack. However, systems that are not patched against the vulnerability, and systems that are already infected, continue to be vulnerable and are at grave risk.
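The sinkhole works because the malware checks whether that domain is reachable before it spreads and stops when the check succeeds; the same behaviour hands defenders a triage signal, since any internal host that looks up the sinkholed domain has already executed the malware. The script below is an added example, not from the original article: it reads a few constructed DNS resolver log lines (the log format and the placeholder domain killswitch-sinkhole.example are assumptions; substitute the real sinkholed domain from your threat intelligence source) and lists the clients to isolate and rebuild.

```python
"""
Triage hosts that ran WannaCry by finding lookups of the sinkholed
kill-switch domain in DNS resolver logs.

Added example, not from the original article. The domain below is a
placeholder and the log lines are constructed; the format is
"timestamp client qname qtype answer".
"""
from collections import defaultdict

# Placeholder: replace with the actual sinkholed domain from your intel feed.
KILLSWITCH_DOMAIN = "killswitch-sinkhole.example"

# Constructed resolver log. One client repeats its query, one uses a
# different letter case, and two clients make unrelated lookups.
SAMPLE_DNS_LOG = """\
2017-05-15T09:12:01Z 10.0.1.15 killswitch-sinkhole.example A 192.0.2.10
2017-05-15T09:12:01Z 10.0.1.15 killswitch-sinkhole.example A 192.0.2.10
2017-05-15T09:12:07Z 10.0.1.22 killswitch-sinkhole.example A 192.0.2.10
2017-05-15T09:12:09Z 10.0.1.30 www.example.com A 93.184.216.34
2017-05-15T09:13:40Z 10.0.1.22 KILLSWITCH-SINKHOLE.EXAMPLE. A 192.0.2.10
2017-05-15T09:14:00Z 10.0.1.41 update.example.net A 198.51.100.5
"""


def hosts_querying_killswitch(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: (first_seen, query_count)} for clients that resolved
    the kill-switch domain.

    DNS names are case-insensitive and may carry a trailing dot, so the query
    name is normalised before comparison; a naive string match would miss
    the upper-case line in the sample.
    """
    first_seen = {}
    counts = defaultdict(int)
    wanted = domain.rstrip(".").lower()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, _answer = line.split()
        if qname.rstrip(".").lower() == wanted:
            counts[client] += 1
            first_seen.setdefault(client, ts)
    return {c: (first_seen[c], counts[c]) for c in first_seen}


if __name__ == "__main__":
    for client, (ts, n) in sorted(hosts_querying_killswitch(SAMPLE_DNS_LOG).items()):
        print(f"{client}: first lookup {ts}, {n} queries -> isolate and reimage")
```

Two caveats apply when using this in practice. First, a host appears here only if the lookup went through a resolver you log; a machine that cannot reach the domain at all (no DNS, or an egress proxy the malware does not understand) fails the check and the malware proceeds, which is why the sinkhole is not a substitute for the patch. Second, the list tells you which machines executed the sample, not which ones remain exploitable; the unpatched systems the article warns about stay exposed until they are patched or isolated from port 445.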


Educate users on safe cyber practices

The measures that can be taken to protect systems from similar attacks can be split into two categories: proactive and reactive. Proactively, one must always ensure that one's operating systems, regardless of their cost or developer, are updated with the latest security patches. Further, if possible, the latest version of the operating system should be used (for example, Windows 10 is immune to the attack). Where cost and maintenance are an issue, users can transition to free and open source operating systems such as Ubuntu, a variant of Linux, to avoid piracy and receive active security updates, apart from using an OS that is inherently more secure than Windows. Users should also regularly back up important data and store the backups in a safe and secure manner, independent of the machine from which the data is being backed up. Finally, users should ensure they do not open any suspicious emails or files, whether from physical or network media, erring on the side of caution.

As for reactive measures, people using machines at risk of infection, especially those running unsupported operating systems (like Windows XP), should download the special patch issued by Microsoft to close the vulnerability that enables the attack, and back up any important files as well. Victims who are already infected should contact a security agency or developer immediately and investigate means to recover the data, while putting backup computers in place to carry out critical tasks while data recovery takes place. The only real, long-term solution, however, remains increasing education around security best practices and ensuring that operating systems are patched frequently by end users.
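A backup stored "independent of the machine" only helps if you can prove, before you need it, that it is complete and has not itself been overwritten by the ransomware. The script below is an added example, not from the original article: it records a SHA-256 manifest of a directory, verifies a backup copy against it, and in its demo deliberately corrupts the copy the way an encrypting worm reaching a mounted backup share would. The directory layout and file contents are constructed for illustration; in practice the manifest and the backup media live somewhere the protected machine cannot write.

```python
"""
Build and verify a backup manifest so that an encrypted or missing file is
caught before a restore is attempted.

Added example, not from the original article. All files are created in a
temporary directory for illustration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup tree against a manifest taken from the original data.

    Returns {'missing': [...], 'modified': [...]}: files the manifest lists
    that are absent from the backup, and files whose content no longer hashes
    to the recorded digest (which is what an encrypted file looks like).
    """
    problems = {"missing": [], "modified": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(backup_root, *rel.split("/"))
        if not os.path.isfile(path):
            problems["missing"].append(rel)
        elif sha256_of(path) != digest:
            problems["modified"].append(rel)
    return problems


def demo():
    """Create constructed files, back them up, confirm the copy verifies, then
    tamper with the copy so verification reports one modified and one missing file."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "reports", "q1.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("patch schedule\n")

        manifest = build_manifest(src)
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        assert verify_backup(manifest, backup) == {"missing": [], "modified": []}

        # Simulate ransomware reaching a writable backup: one file is replaced
        # with ciphertext-like bytes, another is removed.
        with open(os.path.join(backup, "notes.txt"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(backup, "reports", "q1.txt"))
        return verify_backup(manifest, backup)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Run the verification on a schedule against the offline copy and treat any non-empty result as an incident, not a housekeeping item: a backup that hashes differently from the manifest is exactly the file you would have no other way to recover.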
The author is Policy Officer at Centre for Internet and Society
