This article was revised 5/15/17 at 9:12 a.m. (PDT) with updated recommendations.
Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster” for the point at which more than 25 machines on a single network are infected, the “tipping point” for a complete shutdown of that network.[1] The new ransomware WannaCry,[2] which locks down all files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster. Hospitals in the UK were the first to feel its bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are being shut down. If someone dies because of this, we’ll be looking at murder by malware.[3] That will be a game-changer for security and compliance.
The malware is using MS17-010,[4] a.k.a. “EternalBlue” (a Shadow Brokers-released NSA exploit[5]), to punch through the network of anyone who hadn't patched the weeks-old vulnerability. This vulnerability hits Server Message Block (SMB) protocol file sharing, which is often wide open within organizational networks and thereby facilitates fast spreading of this attack.
Just as we saw with the Cerberus ransomware and Apache Struts, cyber-crooks waste no time upgrading the warheads on their malware to the latest exploits. When new holes are released, you should expect the same old evil to come repackaged with a new way to get in.
WannaCry is coming into networks in many different forms. The most dangerous is via Microsoft SMB (Server Message Block),[6] which is used for file sharing. Security researchers are reporting that a device listening on SMB placed on the open, unfiltered Internet is attacked within three minutes. However, traditional malware propagation methods are also in use, including malicious email attachments and phishing.
The most prevalent form of the WannaCry ransomware comes in as a loader carrying an AES-encrypted DLL, which it writes to a file called “t.wry”. The loader decrypts this file with a 128-bit key embedded in the malware, and the resulting DLL is what encrypts the victim's disk files. Because of this encrypted loading method, the malware is never written directly to disk in unencrypted form and remains invisible to traditional antivirus software.
While encrypting the victim's files, it also scans all the visible IPC$ and SMB file shares. It uses the Microsoft MS17-010 SMB vulnerability to gain access to the systems behind these shares and infects those systems as well. It is this behavior that has enabled WannaCry to infect whole networks in minutes.
The primary variant of WannaCry used an unregistered domain to control distribution, a.k.a. “the kill switch.” A security researcher who goes by the name of MalwareTech registered and sink-holed that domain,[7] which has stopped this version of WannaCry. Updated WannaCry ransomware variations have since been released, so the danger is still real.
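A defender-side detection for the fan-out behaviour described above, as an added example that is not part of the original article: it flags any internal host that opens TCP/445 (SMB) connections to an unusually large number of distinct peers within a short window, which is what a worm scanning for reachable shares looks like from a firewall or netflow log. The log format, hosts, timestamps and thresholds are constructed for illustration and do not match any particular product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (hypothetical, not a real product's): one
# connection per line with ISO timestamp, source, destination, dest port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Constructed sample: 10.0.0.5 talks to one file server (normal),
# 10.0.0.7 touches twelve distinct hosts on 445 within twelve seconds.
SAMPLE_LOG = [
    "2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.100 dport=445",
    "2017-05-12T10:00:05 src=10.0.0.5 dst=10.0.0.100 dport=445",
    "2017-05-12T10:00:09 src=10.0.0.5 dst=93.184.216.34 dport=443",
] + [
    f"2017-05-12T10:01:{i:02d} src=10.0.0.7 dst=10.0.0.{i + 1} dport=445"
    for i in range(12)
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def flag_smb_scanners(lines, window_seconds=60, min_distinct_dst=8):
    """Map each source that contacted >= min_distinct_dst distinct hosts on
    TCP/445 within any window_seconds span to the peak distinct-peer count."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop connections older than the sliding window
        distinct = len({d for _, d in q})
        if distinct >= min_distinct_dst:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


if __name__ == "__main__":
    print(flag_smb_scanners(SAMPLE_LOG))  # {'10.0.0.7': 12}
```

Tune the window and threshold to the normal SMB fan-out of your own environment (backup servers and domain controllers legitimately reach many peers), and pair the alert with host-level checks for the loader behaviour the article describes.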
MODIFIED: Jul 24, 2017