WannaCry Ransomware May 2017
Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology (the field that studies how cryptography can be used to design powerful malicious software): it blocks access to data until a ransom is paid and displays a message requesting payment to unlock it. Simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer’s Master File Table (MFT) or the entire hard drive. Ransomware is therefore a denial-of-access attack that prevents computer users from accessing their files, since it is extremely difficult to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan whose payload is disguised as a legitimate file.
The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. Ransomware usually infects a computer when a user opens a phishing email; in this case, although such emails have been alleged to be the infection vector, that method of attack has not been confirmed. Once installed, it uses a backdoor developed by the U.S. National Security Agency (NSA) to spread through local networks and to any remote hosts that have not been updated with the most recent security updates, directly infecting any exposed systems.
The latest ransomware: WannaCry
The WannaCry ransomware attack is an ongoing cyber attack by the WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware cryptoworm, which targets the Microsoft Windows operating system, encrypts data and demands ransom payments in the cryptocurrency bitcoin. The attack started on Friday, 12 May 2017 and has been described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries. The worst-hit countries are reported to be Russia, Ukraine, India and Taiwan, but parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx, Deutsche Bahn and LATAM Airlines were also hit, along with many others worldwide.
With the increased popularity of ransomware on PC platforms, ransomware targeting mobile operating systems has also proliferated. Mobile ransomware payloads are blockers. Mobile ransomware typically targets the Android platform, as it allows applications to be installed from third-party sources. The payload is distributed as an APK file installed by an unsuspecting user; it may attempt to display a blocking message on top of all other applications, or to get the user to grant it “device administrator” privileges to achieve deeper access to the system.
- Reveton – 2012
- CryptoLocker – 2013
- F and TorrentLocker – September 2014
- CryptoWall – 2014
- Fusob – April 2014
Security software might not detect a ransomware payload at all or, especially in the case of encrypting payloads, might detect it only after encryption is underway or complete. Because encryption takes some time, if an attack is suspected or detected in its early stages, immediate removal of the malware (a relatively simple process) before it has finished stops further damage to data, although it does not salvage anything already lost.
Alternatively, new categories of security software, specifically deception technology, can detect ransomware. Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. Keeping “offline” backups of data in locations inaccessible to the infected computer, such as external storage drives, prevents them from being reached by the ransomware and so speeds up data restoration.
There are a number of tools intended specifically to decrypt files locked by ransomware, although successful recovery may not be possible. If the same encryption key is used for all files, decryption tools can work from files for which both an uncorrupted backup and an encrypted copy exist. Recovery of the key, if it is possible at all, may take several days.
Those still running exposed older, unsupported operating systems such as Windows XP and Windows Server 2003 were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.
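The two detection ideas above (catching encryption while it is still underway, and deception technology) can be illustrated with a small monitor. The following is an added example, not code from the original article or from any product it mentions: it compares a before/after snapshot of files and raises an alert when a low-entropy document suddenly becomes high-entropy (a sign of encryption in progress), and when a planted decoy "canary" file is modified or disappears. All file contents are constructed in the script, and `simulate_encryption` is a stand-in that produces pseudo-random bytes, not any real ransomware routine.

```python
import hashlib
import math
from dataclasses import dataclass

# Constructed sample data standing in for a user's documents (not real files).
SAMPLE_FILES = {
    "report.docx": b"Quarterly report: revenue up 4%, costs flat. " * 40,
    "notes.txt": b"meeting notes, todo list, call supplier\n" * 30,
}

# Decoy file content: the canary should never change under normal use.
CANARY_NAME = "_do_not_touch_canary.txt"
CANARY_CONTENT = b"decoy file planted by the monitor; any change is an alert\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Plain text sits far below 8; ciphertext is close to it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: treat anything above the threshold as encrypted or compressed."""
    return shannon_entropy(data) >= threshold


def simulate_encryption(data: bytes, label: str) -> bytes:
    """Deterministic pseudo-random bytes of the same length, used only to model ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(label.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[: len(data)])


@dataclass
class Canary:
    name: str
    digest: str  # SHA-256 of the decoy content at deployment time


def deploy_canary(name: str, content: bytes) -> Canary:
    return Canary(name, hashlib.sha256(content).hexdigest())


def scan(files_before: dict, files_after: dict, canaries: list) -> list:
    """Return human-readable alerts for entropy jumps and canary tampering."""
    alerts = []
    for name, new in files_after.items():
        old = files_before.get(name)
        if old is not None and not looks_encrypted(old) and looks_encrypted(new):
            alerts.append(
                f"entropy jump: {name} {shannon_entropy(old):.2f} -> {shannon_entropy(new):.2f}"
            )
    for canary in canaries:
        current = files_after.get(canary.name)
        if current is None:
            alerts.append(f"canary missing: {canary.name}")
        elif hashlib.sha256(current).hexdigest() != canary.digest:
            alerts.append(f"canary modified: {canary.name}")
    return alerts


def demo() -> list:
    """Snapshot, then model an in-progress attack that has reached two files and the decoy."""
    canary = deploy_canary(CANARY_NAME, CANARY_CONTENT)
    before = dict(SAMPLE_FILES, **{CANARY_NAME: CANARY_CONTENT})
    after = {name: simulate_encryption(data, name) for name, data in before.items()}
    return scan(before, after, [canary])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A real monitor would watch the filesystem continuously and act on the first alert (isolate the host, kill the offending process), since the text's point is that stopping encryption early limits the loss. The entropy threshold is a heuristic: legitimately compressed or already-encrypted files score high too, so the check compares against the previous state of the same file rather than judging a file in isolation.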
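Why a backup/encrypted pair helps when one key was reused, and why it does not help otherwise, can be shown with a toy stream cipher. This is an added example and not the code of any real decryption tool or of WannaCry: `keystream` is a stand-in (SHA-256 in counter mode) for whatever cipher the malware used, and the files are constructed. When every file is encrypted under the same key and keystream, XORing an uncorrupted backup with its encrypted copy recovers the keystream, which then decrypts any other file up to that length. With a unique key per file the same recovery yields garbage, which is the case the text describes as "recovery may not be possible".

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256 in counter mode. Stand-in only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_same_key(files: dict, key: bytes) -> dict:
    """Models the weak design: one key (and one keystream) reused for every file."""
    return {name: xor_bytes(data, keystream(key, len(data))) for name, data in files.items()}


def encrypt_per_file_key(files: dict, master: bytes) -> dict:
    """Models the sound design: each file gets its own derived key, so keystreams never repeat."""
    return {
        name: xor_bytes(data, keystream(hashlib.sha256(master + name.encode()).digest(), len(data)))
        for name, data in files.items()
    }


def recover_keystream(backup: bytes, encrypted: bytes) -> bytes:
    """Known plaintext: backup XOR ciphertext gives the keystream that was applied."""
    if len(backup) != len(encrypted):
        raise ValueError("backup and encrypted copy must be the same length")
    return xor_bytes(backup, encrypted)


def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> bytes:
    """Only as many bytes as we have keystream for can be recovered."""
    if len(encrypted) > len(ks):
        raise ValueError("recovered keystream is shorter than the file; full recovery impossible")
    return xor_bytes(encrypted, ks[: len(encrypted)])


# Constructed victim files; 'report.txt' also exists as an offline backup.
FILES = {
    "report.txt": b"Q1 figures: revenue 120, costs 95, headcount 40. " * 8,
    "photo_note.txt": b"holiday photos are in the shared folder\n" * 4,
}
BACKUPS = {"report.txt": FILES["report.txt"]}
KEY = hashlib.sha256(b"constructed-demo-key").digest()


def recover_all(encrypted: dict, backups: dict) -> dict:
    """Try to decrypt every file using the longest keystream recoverable from backup pairs."""
    best = b""
    for name, backup in backups.items():
        if name in encrypted:
            ks = recover_keystream(backup, encrypted[name])
            if len(ks) > len(best):
                best = ks
    recovered = {}
    for name, data in encrypted.items():
        if len(data) <= len(best):
            recovered[name] = decrypt_with_keystream(data, best)
    return recovered


if __name__ == "__main__":
    weak = encrypt_same_key(FILES, KEY)
    print("same key:", recover_all(weak, BACKUPS) == FILES)
    strong = encrypt_per_file_key(FILES, KEY)
    print("per-file key:", recover_all(strong, BACKUPS)["photo_note.txt"] == FILES["photo_note.txt"])
```

The recovery works on the file that had no backup only because the keystream was shared; the check `len(data) <= len(best)` is the practical limit a decryption tool hits when the only known pair is shorter than the file it wants to recover.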
Shortly after the attack began, a web security researcher who blogs as “MalwareTech” unknowingly flipped an effective kill switch by registering a domain name he found in the code of the ransomware. This slowed the spread of infection, but new versions have now been detected that lack the kill switch.
A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, but many organizations had not yet applied it.
At the time of this writing the attack of WannaCry is still ongoing, so beware!
Pic Credit: Kaspersky