Friday the 13th is traditionally a day associated with bad luck, but this month the bad luck arrived a day early, on Friday the 12th. That's when networks across the world were breached by WannaCry, malware that locked up computers and held them for ransom en masse. WannaCry spread quickly across the globe, hitting specialised networks like Britain's National Health Service (NHS) and Spain's leading telecommunications company, Telefónica, as well as a large number of computers in Russia, Ukraine, and India.
This ransomware employs EternalBlue, a vulnerability initially discovered by the National Security Agency (NSA). This method of attack infects Windows PCs, encrypts the data stored on them, then demands that victims pay hundreds of dollars for a decryption key that unlocks their affected files. WannaCry also has the unusual ability to spread on its own from one PC to another, which is what helped security researchers at the NHS identify it.
In response to this incident, Microsoft's president, Brad Smith, criticised the NSA for “stockpiling” software code that could be exploited by hackers. WannaCry has heavily impacted Britain's hospitals, forcing them to move emergency patients to different facilities. So what is this WannaCry malware, how does it spread, and why was it unleashed in the first place?
What is WannaCry ransomware and what does it do?
The ransomware WannaCry is also referred to as WannaCrypt, Wanna Cryptor, and Wanna Decryptor because of its method of attack. Ransomware is a nasty type of malware that enters your computer, locks you out of all your data, and then demands money to unlock it. When ransomware infects your computer, it encrypts all the data on the computer after being activated by a central server. Once all the files are encrypted, it displays a message demanding a sum of money as ransom to unlock the encrypted data. Usually, a timer is attached to the message to ramp up the pressure. If the timer runs out, you will be permanently locked out of your files.
Is it an epidemic?
WannaCry is, indeed, a malware epidemic. It usually spreads via emails that contain attachments like Word, PDF, and other files, or via a secondary infection on computers already affected by viruses that provide a back door for further attacks.
Who is behind this attack and how much does it cost to unlock the data?
The WannaCry creators are suspected to be from North Korea, as discovered by Neel Mehta, a Google security researcher. Specifically, they're thought to be from a military-funded group called Lazarus. Mehta mentioned that similar lines of code were behind another ransomware attack in 2015. An earlier version of this ransomware, Wecry, was discovered in February 2016. Wecry asked for 0.1 bitcoins to unlock files and folders. The WannaCry hackers are asking for $300 in bitcoin to unlock affected files. At least one IT worker in the UK has paid approximately £70,000 to recover his personal data.
What is the NSA's role in this attack?
WannaCry spreads between computers on the same network using a known vulnerability that exists in Windows operating systems. An anonymous group calling itself “Shadow Brokers” first revealed this weakness to the world back in April. This reveal was made possible only after some NSA hacking tools were successfully leaked. This leak paved the way for EternalBlue, which is the vulnerability WannaCry exploits.
Will paying the ransom help us or do we have other options?
Paying the ransom may or may not work. For the Cryptolocker ransomware that hit a few years ago, users reported that they got their data back after paying the ransom. But there’s no guarantee that paying the ransom will work. After all, hackers who unleash a ransomware attack are not exactly the type of people you can trust.
Once ransomware has encrypted your files, there’s little you can do. Having a backup of your files is the only sure way to restore them. If the ransomware is weak, it can sometimes be hacked to recover the data. But that's not going to work on a well-designed, professional ransomware attack like WannaCry.
How long will this attack last and can we track these attackers?
Ransomware attacks usually have a short life span. Anti-virus vendors identify and research the malware's behaviour so that developers can create updates that neutralise it or stop any further distribution. The hackers are demanding Bitcoin as the payment method, which is very difficult to trace, but not impossible. Since the scale of this attack is huge, law enforcement in multiple countries will be trying to follow the money back to the culprits.
Why is the NHS the prime victim?
One of the main reasons the NHS was devastated by WannaCry is that it uses Windows XP as its main operating system and hasn't updated it in a long time. Additionally, attackers often target hospitals because they hold sensitive information like health care records, meaning that they'll often pay to quickly retrieve their data. Around 300,000 computers across 150 countries have been affected by this WannaCry ransomware attack.
How can we avoid ransomware attacks?
Keeping your systems up-to-date will help you avoid future ransomware attacks. However, in order to keep your systems updated, you need insight into the vulnerabilities that exist in your network, and you have to patch your systems whenever vendors release updates. To keep your systems secure and safe, you have to employ an endpoint management solution that will help you avoid unwanted breaches of your network. There are a number of vendors in the market that will help you with this, but choosing the right one isn't always easy.
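The network spread described under the NSA question and the patching advice in this section, as an added example that is not part of the original article: a PowerShell audit of the SMBv1 exposure that EternalBlue-based worms use to move between machines, with an opt-in remediation. It assumes Windows 8.1 / Server 2012 R2 or later (the Windows XP hosts mentioned above have none of these cmdlets), an elevated prompt, and a placeholder KB id that you must replace with the vendor fix for your build.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1
# exposure that EternalBlue-based worms such as WannaCry use to spread, and
# optionally turn SMBv1 off. Assumes Windows 8.1 / Server 2012 R2 or later with
# the SmbShare module, run from an elevated PowerShell prompt.
$PatchId = 'KB0000000'   # placeholder only: substitute the real vendor fix for this OS build

function Test-Smb1Exposure {
    param([string]$ExpectedPatch = $PatchId)

    # Server-side SMBv1 switch: the protocol version the exploit needs to be on
    $smbServer = Get-SmbServerConfiguration
    # Optional feature: on desktop SKUs the SMBv1 binaries can be removed entirely
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Is the vendor fix present in the installed-update list?
    $patched = [bool](Get-HotFix -Id $ExpectedPatch -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $smbServer.EnableSMB1Protocol
        Smb1Feature  = if ($feature) { $feature.State } else { 'Unknown' }
        FixInstalled = $patched
        # Exposed = SMBv1 still offered and no fix installed: the worm's entry condition
        Exposed      = ($smbServer.EnableSMB1Protocol -and -not $patched)
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        # Stops the host offering SMBv1; clients that still depend on it (old
        # scanners, NAS boxes) will fail to connect, so check dependencies first.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# Report first, then remediate only when the host is actually exposed.
$report = Test-Smb1Exposure
$report | Format-List
if ($report.Exposed) { Disable-Smb1 -WhatIf }   # drop -WhatIf to apply the change
```

Running Test-Smb1Exposure across a fleet with Invoke-Command gives the per-host vulnerability insight the paragraph above asks for, and a host that reports Exposed = True is exactly the one that needs the vendor update before anything else.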
Read the IT briefcase guidelines to choose the right endpoint management solution for your enterprise.
Giridhara Raam is a product analyst at ManageEngine
Image source: Shutterstock/Carlos Amarillo