Security researchers acted quickly to halt the attack, but experts fear that a new work week could see thousands more systems hacked as employees log on to less-than-secure PCs.
The malware – going by the name WannaCry, with variants also known as WannaCrypt and Wanna Decryptor – was unleashed on the world Friday, in what is being called the largest malware attack of all time. The ransomware hit vulnerabilities in the old Windows XP operating system, infecting thousands of insecure PCs in organizations across the globe.
Ransomware is a form of malware in which affected users are asked to pay a fee – a ransom – in order to regain control of their PCs. In this case, WannaCry locks the PC, encrypts its files and says they will be deleted unless users pony up $300 USD in Bitcoin.
Ransomware is nothing new, but the WannaCry variant spread very fast and is being called unprecedented in scope, hitting everyone from users in the USA to the UK National Health Service.
Security experts are still rushing to find out more about how WannaCry operates, but so far it has become clear that WannaCry uses an exploit against older Windows OS versions, including XP, Windows 8 and Windows Server 2003.
The exploit was supposedly patched for all supported Windows OS versions in March of this year, but after WannaCry went global on Friday, Microsoft took the very unusual step of issuing security fixes for its older systems – which you can grab here.
That’s the bare-bones version of the story, but the background on WannaCry is a lot more interesting. The ransomware is the first to use a security exploit developed by the National Security Agency.
The exploit, known as EternalBlue, was leaked to the public by a hacker group known as the Shadow Brokers back in April. Microsoft issued a patch for the exploit in March, but WannaCry compromised the hundreds of thousands of PCs and systems that currently run older OS versions, such as Windows XP, that never received a patch because Microsoft had not supported them for years.
Shortly after WannaCry began making the rounds on Friday, a UK security researcher who goes by the name MalwareTech happened across some data in the malware’s code, leading to our understanding of how WannaCry spread as voraciously as it did, and a clue about how to halt it.
Once a PC is infected with the ransomware, the worm checks other systems on the local area network that might be vulnerable to compromise. It then attempts to make connections to random IP addresses on the internet in search of other vulnerable systems.
MalwareTech discovered a domain hidden in WannaCry’s code – suspected to be a failsafe URL embedded by the ransomware’s designer to control their own worm. MalwareTech suspected it could be used to control the worm to some degree.
By registering the URL – creating what is known as a sinkhole – the researcher was able to fool the code into thinking it was being run inside a virtual environment, leading the malware to exit the system.
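The sinkhole mechanism described above has a useful side effect for defenders: a host that looks up the kill-switch domain has already executed the worm, whether or not the sinkhole answered. The following script is an added example and is not code from the article or from MalwareTech; it scans constructed DNS query log lines for a placeholder kill-switch domain (the real domain is not given here) and reports, per client, whether the sinkhole answered the lookup. The log format, the domain name and the sample lines are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Placeholder for the kill-switch domain; the real domain is intentionally
# not included. Replace with the domains your resolver sinkholes.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample resolver log: "<timestamp> <client> query <type> <qname> <rcode>".
# This format is an assumption; adapt LINE_RE to your resolver's logs.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.0.15 query A update.example.com NOERROR
2017-05-12T10:01:05Z 10.0.0.23 query A killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:09Z 10.0.0.23 query A killswitch-placeholder.example NOERROR
2017-05-12T10:02:11Z 10.0.0.42 query A mail.example.com NOERROR
2017-05-12T10:02:30Z 10.0.0.77 query A killswitch-placeholder.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [(ts, qname, rcode), ...]} for every query to a watched domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] in domains:
            hits[rec["client"]].append((rec["ts"], rec["qname"], rec["rcode"]))
    return dict(hits)


def triage(hits):
    """Summarise each client: how many kill-switch lookups it made and whether any
    lookup was answered (NOERROR). An answered lookup means the sinkhole stopped
    the worm on that run; an unanswered one (NXDOMAIN) means it did not. Either way
    the host ran the worm and should be isolated and patched."""
    summary = {}
    for client, events in hits.items():
        summary[client] = {
            "queries": len(events),
            "sinkhole_answered": any(rcode == "NOERROR" for _, _, rcode in events),
        }
    return summary


if __name__ == "__main__":
    for client, info in sorted(triage(find_kill_switch_lookups(SAMPLE_LOG)).items()):
        state = "halted by sinkhole" if info["sinkhole_answered"] else "NOT halted"
        print(f"{client}: {info['queries']} kill-switch lookup(s), {state}")
```

Run against real resolver logs, the list of clients is a starting point for isolation and patching rather than a clean bill of health: as the article notes below, later variants drop the sinkhole check, so a host that never queried the domain may still be infected.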
“Cyber attacks have already become a kind of industry…I don’t think it’s ethical to pay ransom to get data back because we really need to have strong mechanisms to defend against attackers… If you keep paying ransom it’s actually helping attackers to grow the industry.”
– Cyber Security Researcher Yang Xiang
It’s unknown how many hundreds of thousands of PCs this move may have ended up saving from WannaCry, but since then several variant strains of WannaCry have been detected by researchers – ones that do not have the same vulnerability to a sinkhole.
All this means it’s essential that any user of a Windows PC makes sure they are running an updated and patched version of their OS that can’t be infected by WannaCry or its variants, and where possible updates to a more modern, continually supported OS. Furthermore, it is imperative to run antivirus or other security software on a regular basis, and always keep a backup of all your important data.
While this particular hack was perhaps the most brazen, it seems that WannaCry hasn’t had the intended effect of making its designers wealthy. Figures show that the largest ransomware hack of all time earned just over US$26,000 at the time of writing. It has also sparked an international manhunt to find the unknown perpetrators.
All these numbers could change very quickly this week if users return to work Monday without updating or patching their Windows PCs. Even in the case of infection, experts say the last thing you should do is pay the ransom, lest it only encourage the hackers further.