After an unprecedented weekend of global cyber-attacks on hospitals, oil companies, banks and other organizations, businesses are preparing for further attacks. For the first time, attackers have exploited a file-sharing protocol to hold organizations to ransom. Discover how you can protect yourself.
Over the weekend of 13 May 2017, a tidal wave of ransomware blocked companies from accessing their computer systems. The worldwide attack – named WannaCry by security experts – gained infamy due to its broad impact on entities such as Britain’s National Health Service. WannaCry incapacitated one-third of the UK’s hospitals, shutting down operations and other services as staff were unable to use their computer systems.
What is ransomware?
Ransomware is a special type of malware designed to encrypt all files contained on an infected system. Like most malware, ransomware is usually distributed via email through malicious links or infected attachments. Once triggered, the ransomware encrypts all files on the affected machine and displays a message informing the user of the attack. A ransom (usually in Bitcoin) is then demanded in exchange for the decryption key. A hotline number is also often provided to assist the infected company with the payment process.
Why is WannaCry so special?
Two aspects of the ransomware must be analyzed to understand WannaCry’s unique behavior and features:
1. The distribution process
WannaCry’s distribution is what makes it special. Normally, ransomware replicates and distributes itself via email and attachments. WannaCry is unique because it also distributes itself to networked systems and shared folders via version 1 of the SMB protocol, which was originally used to provide shared access to files and printers on a network. However, this outdated version of the protocol suffers from several vulnerabilities and was superseded in 2006. One critical weakness is the “Windows SMB remote code execution” vulnerability (addressed by Microsoft in security bulletin MS17-010), which allows an attacker to remotely send a specially crafted message to any system on which SMB version 1 is enabled. The affected host interprets the message and executes the malicious code sent by the attacker. WannaCry takes advantage of this weakness to deliver its encryption payload to vulnerable machines.
The following diagram represents the WannaCry distribution process:
2. The infection process
Ransomware’s infection process is quite basic. The malicious payload walks the file system of the infected computer and encrypts the files it finds. The infection payload generates the encryption and decryption keys for each infected machine and then sends the decryption key back to the attacker. The decryption mechanism is also included in the ransomware and decrypts the files once the attacker releases the decryption key after payment of the ransom.
In the case of WannaCry, files are encrypted using the AES-128-CBC algorithm and each file has its own encryption key. The file keys are in turn encrypted with RSA-2048, a strong cryptographic algorithm. These encryption algorithms are aligned with government requirements for secure encryption. The RSA decryption key is sent back to the attacker through Tor, an anonymity network that features a darknet. Without the key, decryption of the files is considered near impossible. And almost every file on a computer can be encrypted: PowerPoint, Word and Excel documents, OpenOffice documents, archive files such as zip files, emails, databases, source code and developer files, image files, and files containing certificates and encryption keys.
The following screenshots represent the results of the WannaCry infection:
So is WannaCry really that special?
Although it is not that special as ransomware, its double-channel distribution process is fairly advanced. It is the first time that ransomware has combined the SMB vulnerability with email to spread quickly through a network, both internally and to external machines whose SMB port is reachable over the Internet.
How to protect against ransomware
The best defenses against ransomware are backups and an incident response process. It is important to define and regularly test your backup and recovery processes.
One lesson learned from WannaCry is that ransomware can propagate on an internal network without using emails and reach network-connected drives and systems which are otherwise segregated from the internet. It’s essential to put offline backups and a corresponding recovery process in place. Although they don’t prevent an attack and may sound old-school, offline archives are actually the best way to minimize ransomware’s possible impact on your systems and operations.
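The article notes that WannaCry spreads inside a network without email and can also reach SMB ports exposed to the Internet. The following Python script is an added example (not part of the original article or any KPMG tooling) showing how a defender might spot both behaviours in ordinary connection logs: a single host opening TCP 445 to many distinct internal peers within a short window, and any connection to port 445 arriving from outside the organization's own address ranges. The log format (`timestamp src dst dport`), the internal network list, the threshold and the window are all assumptions and would be adapted to a real firewall or NetFlow export; the sample log lines are constructed.

```python
"""Detect SMB (TCP 445) fan-out and Internet-exposed SMB in connection logs.

Added example, not code from the original article. The log format, the
internal ranges and the tuning values below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORT = 445
FANOUT_THRESHOLD = 10          # distinct internal targets on 445 ...
WINDOW = timedelta(minutes=5)  # ... within this time window (assumed tuning)

# Assumed internal address space of the organization (RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line: 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def build_sample_log() -> list:
    """Constructed sample traffic: one sweeping host, one normal client,
    unrelated web traffic, and one inbound SMB connection from the Internet."""
    lines = []
    for i in range(12):   # 10.0.1.15 touches 12 distinct peers on 445 in 12 s
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.1.15 10.0.1.{20 + i} 445")
    for i in range(12):   # 10.0.1.50 talks repeatedly to one file server: normal
        lines.append(f"2017-05-12T10:01:{i:02d} 10.0.1.50 10.0.1.5 445")
    lines.append("2017-05-12T10:02:00 10.0.1.50 198.51.100.10 443")
    lines.append("2017-05-12T10:03:00 203.0.113.7 10.0.1.5 445")  # external source
    return lines


def detect_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW) -> dict:
    """Return {source_ip: max distinct internal targets on 445 within `window`}
    for every source that reaches `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged[str(src)] = max(flagged.get(str(src), 0), len(targets))
    return flagged


def detect_internet_smb(lines) -> list:
    """Return (src, dst) pairs where port 445 is reached from outside INTERNAL_NETS,
    i.e. SMB that should have been blocked at the perimeter."""
    hits = []
    for line in lines:
        _, src, dst, dport = parse_line(line)
        if dport == SMB_PORT and not is_internal(src) and is_internal(dst):
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    log = build_sample_log()
    print("fan-out sources:", detect_smb_fanout(log))
    print("Internet-sourced SMB:", detect_internet_smb(log))
```

The fan-out check deliberately counts distinct destinations rather than connection attempts, so a workstation that legitimately hammers one file server is not flagged while a host sweeping a subnet is. The second check is a quick way to verify the firewall review recommended below: any hit means port 445 is reachable from the Internet.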
In the case of WannaCry, you must apply the patches released by Microsoft under security bulletin MS17-010. Although this will not prevent an email infection of the first system, it stops the ransomware from spreading to your other network-connected systems. Given the scale of the attack, Microsoft even released a special patch for Windows XP and Windows Server 2003 during the infection weekend, although these systems are no longer supported.
Additionally, you must take the following actions on a regular basis:
- Perform training and awareness campaigns as well as regular anti-phishing exercises
- Periodically assess and review your firewall and intrusion detection systems’ rules
- Apply patches and updates on a regular basis
- Plan and test (exercise) cyber-incident response scenarios
- Plan and test your business continuity and crisis management and ensure it is aligned with your cyber incident response capability
- Perform regular cyber penetration tests to ensure no well-known vulnerabilities are present on your systems
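The article stresses that backups are the best defense and that recovery processes must be tested regularly. As an added example (not from the original article), the Python script below shows the smallest useful form of such a test: record a SHA-256 manifest when the offline backup is taken, then compare a restored tree against it so that missing, unexpected or altered files (for instance files whose contents were already encrypted when the backup ran) are reported instead of silently trusted. The directory layout and file contents are constructed in a temporary folder; a real deployment would store the manifest alongside the offline backup media.

```python
"""Build a SHA-256 manifest of a backup and verify a restore against it.

Added example, not code from the original article. The sample tree and
file contents are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "extra": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
    }


def demo() -> tuple:
    """Construct a tree, snapshot it, then verify a clean and a damaged restore.
    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"quarterly report")
        (root / "db.sqlite").write_bytes(b"sqlite data")
        manifest = build_manifest(root)

        clean = verify_restore(root, manifest)   # nothing changed yet

        # Simulate a bad restore: one file altered (as after encryption),
        # one file missing, one unexpected file present.
        (root / "docs" / "report.docx").write_bytes(b"unreadable ciphertext")
        (root / "db.sqlite").unlink()
        (root / "unexpected.txt").write_bytes(b"not in the backup")
        damaged = verify_restore(root, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore:", clean_report)
    print("damaged restore:", damaged_report)
```

Run the manifest step at backup time and the verify step as part of every recovery exercise; an all-empty report is the pass condition, and any entry under `modified` on a restore of an otherwise untouched system is a strong hint that the backup was taken after encryption had already started.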
What to do if you are attacked
We recommend that you do not pay any ransom to the attackers, especially if you have backups in place that allow you to recover your data from a recent point in time. However, if you have no backups in place, paying a ransom may be your only option to retrieve your files and get back to business. It is important to understand that paying a ransom does not guarantee that your files will be decrypted, and doing so may encourage cybercriminals to continue spreading ransomware.
- The No More Ransom project
- MELANI form for reporting cases of ransomware
- Microsoft Security Bulletin MS17-010
- Cyber Security Services at KPMG