The WannaCry attack ranks among the most devastating cyberattacks in internet history. The initial infection is reported to have occurred at 07:44 UTC on May 12, 2017, in Asia. The attack was a blended threat with the characteristics of both a worm and ransomware: it encrypted files, changing their extensions to .WNCRY, and demanded Bitcoin in exchange for the keys needed to decrypt them. Within a few hours, the attack had disrupted the operations of a major Russian bank, a railway operator in Germany, a telecom firm in Spain, the automakers Renault, Nissan, and Honda, educational institutions in China, police departments in India, and health services in England. The attack is estimated to have affected around 230,000 computers globally.
WannaCry and the vulnerability
The attack exploited a well-known vulnerability in the Windows implementation of the SMB protocol, known as EternalBlue, for which a patch was already available to system administrators. Once a system was infected, WannaCry executed two components: one providing the ransomware functionality and one that, acting as a worm, attempted to exploit the SMB vulnerability on other machines. The dropper component first attempted to contact a domain; if that domain could be reached (that is, if the name resolved), the malware did not encrypt the system or try to spread to other systems; it simply stopped executing. Such a domain is referred to as a kill switch. If the domain could not be reached, WannaCry would change registry keys, create services, and encrypt files. The encrypted files became inaccessible to the users, and a message was displayed giving the ransom payment details for decryption. In parallel, the worm component scanned for vulnerable SMB connections and systems reachable from the infected machine; when one was found, the weaponized exploit ran, gained remote code execution on that machine, and so copied the malware onto it.
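To make the two behaviours just described concrete from a defender's side, here is an added detection example; it is not code from the original article or from any WannaCry analysis. It runs over constructed DNS and connection logs and flags hosts that queried the kill-switch domain (the lookup happens before encryption or spreading, so it is an early infection signal whether or not the domain resolves) and hosts that opened SMB (TCP/445) connections to many distinct peers within a short window, the scanning pattern of the worm component. The domain name killswitch-placeholder.example, the log format, the threshold of five peers and the one-minute window are all assumptions of the example.

```python
"""Constructed detection example: kill-switch DNS lookups and SMB peer scanning.
Not code from the article; the domain, log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not the real domain
SMB_PEER_THRESHOLD = 5                                # distinct :445 peers that count as scanning
SMB_WINDOW = timedelta(minutes=1)                     # sliding window for the peer count

# Constructed sample logs, one event per line: "<ISO time> <source host> <event> <detail>"
DNS_LOG = """\
2017-05-12T07:44:01 10.0.0.5 DNS_QUERY killswitch-placeholder.example
2017-05-12T07:44:02 10.0.0.7 DNS_QUERY updates.example
2017-05-12T07:45:10 10.0.0.9 DNS_QUERY killswitch-placeholder.example
"""

CONN_LOG = """\
2017-05-12T07:44:05 10.0.0.5 TCP_CONNECT 10.0.0.11:445
2017-05-12T07:44:05 10.0.0.5 TCP_CONNECT 10.0.0.12:445
2017-05-12T07:44:06 10.0.0.5 TCP_CONNECT 10.0.0.13:445
2017-05-12T07:44:06 10.0.0.5 TCP_CONNECT 10.0.0.14:445
2017-05-12T07:44:07 10.0.0.5 TCP_CONNECT 10.0.0.15:445
2017-05-12T07:44:08 10.0.0.5 TCP_CONNECT 10.0.0.16:445
2017-05-12T07:44:09 10.0.0.7 TCP_CONNECT 10.0.0.20:445
2017-05-12T07:44:30 10.0.0.7 TCP_CONNECT 10.0.0.20:445
2017-05-12T07:44:31 10.0.0.7 TCP_CONNECT 10.0.0.21:443
2017-05-12T07:45:12 10.0.0.9 TCP_CONNECT 10.0.0.30:445
2017-05-12T07:45:13 10.0.0.9 TCP_CONNECT 10.0.0.31:445
2017-05-12T07:46:40 10.0.0.9 TCP_CONNECT 10.0.0.32:445
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, event, detail) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, event, detail = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), src, event, detail))
    return records


def killswitch_queriers(records, domain=KILL_SWITCH_DOMAIN):
    """Hosts that looked up the kill-switch domain, sorted for stable output."""
    return sorted({src for _, src, event, detail in records
                   if event == "DNS_QUERY" and detail.lower() == domain.lower()})


def smb_scanners(records, threshold=SMB_PEER_THRESHOLD, window=SMB_WINDOW):
    """Hosts that reach >= threshold distinct peers on TCP/445 inside one sliding
    window. A client talking repeatedly to the same file server is not flagged;
    a host sweeping many neighbours on 445 is. Returns {src: peak peer count}."""
    per_src = defaultdict(list)
    for ts, src, event, detail in records:
        if event == "TCP_CONNECT" and detail.endswith(":445"):
            per_src[src].append((ts, detail.rsplit(":", 1)[0]))
    flagged = {}
    for src, conns in per_src.items():
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def report(dns_text=DNS_LOG, conn_text=CONN_LOG):
    """Combine both signals; a host showing both should be isolated first."""
    queriers = killswitch_queriers(parse_log(dns_text))
    scanners = smb_scanners(parse_log(conn_text))
    return {
        "killswitch_queriers": queriers,
        "smb_scanners": scanners,
        "both": sorted(set(queriers) & set(scanners)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data, 10.0.0.5 is flagged by both signals (it queried the domain and then swept six neighbours on port 445 within seconds), 10.0.0.9 only by the DNS lookup, and 10.0.0.7 by neither, since repeated connections to one file server are normal SMB use. In a real deployment the DNS check would be fed by resolver or sinkhole logs and the connection check by firewall or flow records, with the threshold tuned to the environment.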
The code name EternalBlue
EternalBlue is the name of both a software vulnerability in Microsoft's Windows operating system and an exploit for that bug. The exploit was leaked to the public by a mysterious group known as the Shadow Brokers on April 14, 2017. The exploit was alleged to have been developed by the NSA, and Microsoft itself has publicly attributed its existence to the NSA. On the very same day, Microsoft released patches for the vulnerabilities. However, many users had not deployed the patches.
A few days after the initial outbreak of WannaCry, a British security researcher (Marcus Hutchins, a.k.a. "MalwareTech") looked at the kill-switch domain name the malware queried, and found that the name was hardcoded into the exploit itself and that the domain was unregistered. Hutchins quickly registered the kill-switch domain and set up a sinkhole server (a sinkhole is somewhat akin to a black hole: a black hole can absorb any amount of energy, while a sinkhole is designed to absorb any amount of malicious traffic), which effectively stopped WannaCry from completing the execution of the ransomware and from spreading. Hutchins's employer, Kryptos Logic, deployed a collection of servers from Amazon data centres and the French hosting firm OVH to absorb whatever traffic came to the domain. UK government officials are said to have played a role in negotiating the server space with Amazon for the sinkhole server. Thus one of the most devastating cyberattacks was stopped. The kill-switch domains are listed below.
Solution to vulnerability: MS17-010
Code name: EternalBlue