Ransomware continues to escalate globally targeting essential services. The NHS WannaCry ransomware attack has been particular devastating for the UK, knocking out patient records and rendering hospitals at its mercy forcing a diversion of patients and ambulance routes across the UK. With no ability to access patient records and essential data, patients are being turned away on a large scale. Hospitals have become an increasingly larger target in recent times due to the large number of vulnerable systems in these institutions. They also pay the ransom, as in the case of Hollywood Presbyterian Medical Center last year.
What is particularly interesting about this attack is that it exploited a vulnerability that was discovered and developed by the National Security Agency which was recently leaked by a group called the shadow brokers. They leaked a number of important techniques and methods used by the NSA to take over or eavesdrop on a computer or mobile device. The weaker security protocols and systems in place at many of these hospitals allowed the ransomware spread quickly, in this case via an encrypted email attachment.
New Variants discovered
New variants of the WannaCry ransomware started emerging on Sunday (2 days after the original attack). One of the variants was stopped by registering a kill switch domain, the same way the ransomware was stopped on Friday. A second variant is not encrypting infected machines due to an error in programming, but it is spreading. More variants are expected in the coming week many if which we expect will not contain a kill switch.
How does it work?
Once the ransomware has been installed on a computer it executes on the local machine and then contacts a third party server to download other payloads (applications) and activate the application. It then starts encrypting all the files on your drive. After it has completed it will popup a paywall requesting payment to have your files decrypted. If you don’t pay the ransom then the files can be deleted by the hackers.
WannaCrypt (WannaCry)
The NHS attack has been particularly severe and rapid and took only 4 hours to spread to the NHS, originally infecting systems at Telefonica in Spain. The ransomware itself is known as WannaCrypt or WannaCry and is a variant of WeCry which was discovered in February 2017 and infects any Windows based operating system (no known Mac variants have been found yet). It appears from several reports as though this software was initially infected via email and then spread through the internal NHS network using SMB shared drives across the organization. Microsoft has been aware of the vulnerability since March of 2017 and have posted a security update to address this.
Early indicators seem to point to the attack originating in China, but more evidence is needed.
We have confirmed that this ransomware has affected Windows computers on shared networks in at least 150 countries worldwide, with 300,000 reported individual cases and more than 10,000 companies being affected.
Analysis of the Attack
After the initial payload is on your computer the application will download the anonymous network client “tor.exe” along with its dependencies. Once this has been downloaded the main executable will be able to communicate to its command and control servers anonymously.
Once started it then tries to change the access rights of all its files to obtain total access to your machine. According to Kaspersky the sequence is as follows:
- attrib +h .
- icacls . /grant Everyone:F /T /C /Q
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
- @WanaDecryptor@.exe fi
- 300921484251324.bat
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
Then, as is typical with a lot of ransomware, it will then try to disable Volume Shadow Service so that you cannot recover from the decryption by running a command line sequence. This will trigger a UAC popup, which should be a clue that it should not be allowed.
It will then contact the anonymous servers and begin encrypting all your files.
A more detailed analysis can be found at Microsoft and also Kaspersky Lab’s.
Origin
The NSA has now linked WannaCry directly to North Korea. Apparently developed to raise money for the regime. In total it generated $140,000 in revenue, although the funds have not been cashed in because of an operational flaw, which means the money could be traced.
The US has Government has now officially blamed the North Koreans for this attack.
Can BlackFog Help?
Users running BlackFog are already protected from this ransomware. BlackFog has been designed to target a range of ransomware just like this and prevent the activation and spread across your internal network by preventing outbound traffic to foreign networks and through execution prevention on your local machine.
Related Posts
The Hidden Crisis: How Stress is Forcing 1 in 4 Chief Information Security Officers to Quit
A Hidden Crisis A Chief Information Security Officer (CISO) has always had huge responsibility. But with increased cyberthreats and a growing workload, security leaders are under siege. According to research we [...]
Ransomware Detection: Effective Strategies and Tools
What ransomware detection tools and techniques should businesses be using in order to improve their security?
Understanding Double Extortion Ransomware: Prevention and Response
What is double extortion ransomware and what should firms know in order to protect against this threat?
Key Steps for Effective Enterprise Data Protection
How must firms adapt to a challenging enterprise data protection landscape in 2023 and beyond?
Is Transparency Important Beyond Compliance After a Cyberattack?
Understand whether transparency following a cyberattack matters beyond compliance - with real-life examples like Uber's cover-up. Learn the benefits and risks of transparency - from trust building to reputation risk.
A quarter of cybersecurity leaders want to quit
A new research study commissioned by BlackFog reveals that 24% of cybersecurity leaders are looking to leave their jobs due to stress and high demands.