WannaCry Ransomware Case Study
Does It Still Exist?
WannaCry is a ransomware worm that targets the Windows platform. It first appeared on 12 May 2017. It encrypted files and demanded a ransom of $300 to $600 in Bitcoin. After installation WannaCry also planted a backdoor on the compromised machine. It spread through a known weakness in unpatched Windows machines using the EternalBlue exploit, which the group calling itself The Shadow Brokers had leaked a couple of months before the outbreak. Although the underlying SMB vulnerability had already been fixed (Microsoft's MS17-010 update of March 2017), much of WannaCry's effectiveness came from enterprises that had not applied the update or were still running unsupported versions of Windows.
WannaCry is distinctive in its form and distribution. Typical ransomware attacks are isolated: they infect machines that come into contact with a delivery mechanism such as a malicious attachment, a compromised web page or a link. WannaCry, however, was a worm, so it could use each compromised PC as a delivery mechanism for other machines. Worms are self-replicating: like biological viruses, they use their host's resources to make copies of themselves and then infect every reachable device on the network. This made WannaCry extremely widespread and greatly increased its rate of infection. The malware also used DoublePulsar, another NSA-developed backdoor from the same leak, as an infection channel: if a host already had DoublePulsar installed, WannaCry loaded its payload through it instead of re-exploiting the machine. Most of the machines attacked ran unpatched Windows 7, with some infections on Windows XP. The initial infections appear to have arrived through exposed SMB ports on machines in Asia and then spread to other machines on the same networks.
Rapid patching and the discovery of the kill-switch domain stopped WannaCry from spreading further. Europol estimated that more than 200,000 machines in 150 countries were infected, with losses running to hundreds of millions or even billions of euros. Security officials in the USA, UK, Canada, Australia, New Zealand and Japan publicly attributed the attack to North Korea.
In August 2018 a WannaCry variant forced the chip manufacturer Taiwan Semiconductor Manufacturing Company (TSMC) to shut down several of its fabrication plants after infecting about 10,000 machines, including some in its most advanced facilities.
WannaCry replicates by exploiting a bug in Microsoft's implementation of the Server Message Block (SMB) protocol, which Windows machines use to share files and printers over a network. Specially crafted SMBv1 packets can trick the service into executing attacker-supplied code.
WannaCry ransomware has three stages, as follows:
1. Infection
Unlike many earlier ransomware families, WannaCry spreads on its own rather than through spam email or malicious droppers. By using the EternalBlue exploit against a vulnerability in Windows' SMBv1 implementation, WannaCry behaves as a worm. Microsoft fixed the bug in the MS17-010 security update of March 2017, about two months before the first WannaCry outbreak, but many organisations had not applied the patch and remained exposed. An infected machine scans the network for systems exposing SMB; when it finds one, it uses EternalBlue to deliver and execute WannaCry on the victim. Before encrypting anything, however, the malware first checks whether a certain web domain is reachable. If the domain responds, the malware stops and does nothing. It is speculated that this "kill switch" was included either to limit the spread of WannaCry or to frustrate analysis in sandboxes, which commonly answer every DNS lookup. If the domain is not found, WannaCry proceeds to the encryption stage. Every infected computer scans both its local subnet and random Internet addresses for devices accepting connections on TCP port 445 (SMB directly over TCP) and port 139 (SMB over NetBIOS), which indicates that the machine speaks SMB.
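To make the propagation stage concrete, here is an added example written for this case study; it is not code from the original post and not WannaCry's own code. It is the defender's version of the worm's target discovery: enumerate a subnet and report which hosts accept a TCP connection on 445, which is exactly the condition an infected machine looks for before firing EternalBlue. The prefix 192.0.2.0/28, the timeouts and the worker count are assumptions; run it only against a subnet you are authorised to scan.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"sync"
	"time"
)

// Assumed values for the example: 192.0.2.0/28 is documentation address
// space (RFC 5737), so nothing will answer; substitute a subnet you own.
const (
	smbPort     = 445
	examplePfx  = "192.0.2.0/28"
	dialTimeout = 300 * time.Millisecond
	workers     = 32
)

// hostsInPrefix expands a CIDR prefix into its host addresses, dropping the
// network and broadcast addresses for IPv4 prefixes shorter than /31.
func hostsInPrefix(cidr string) ([]string, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	p = p.Masked()
	var hosts []string
	for a := p.Addr(); a.IsValid() && p.Contains(a); a = a.Next() {
		hosts = append(hosts, a.String())
	}
	if p.Addr().Is4() && p.Bits() < 31 && len(hosts) > 2 {
		hosts = hosts[1 : len(hosts)-1]
	}
	return hosts, nil
}

// smbReachable reports whether host accepts a TCP connection on 445. A
// completed handshake is all the worm needs: it then speaks SMBv1 on it.
func smbReachable(host string, timeout time.Duration) bool {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(smbPort)), timeout)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// scanPrefix probes every host in cidr concurrently (bounded by workers)
// and returns, in address order, those that accepted a connection on 445.
func scanPrefix(cidr string, timeout time.Duration) ([]string, error) {
	hosts, err := hostsInPrefix(cidr)
	if err != nil {
		return nil, err
	}
	open := make([]bool, len(hosts)) // each goroutine writes its own index
	sem := make(chan struct{}, workers)
	var wg sync.WaitGroup
	for i, h := range hosts {
		wg.Add(1)
		sem <- struct{}{}
		go func(i int, h string) {
			defer wg.Done()
			defer func() { <-sem }()
			open[i] = smbReachable(h, timeout)
		}(i, h)
	}
	wg.Wait()
	var found []string
	for i, h := range hosts {
		if open[i] {
			found = append(found, h)
		}
	}
	return found, nil
}

func main() {
	found, err := scanPrefix(examplePfx, dialTimeout)
	if err != nil {
		fmt.Println("bad prefix:", err)
		return
	}
	fmt.Printf("%d host(s) exposing TCP/445 in %s: %v\n", len(found), examplePfx, found)
}
```

Any host this reports from an untrusted network segment is a host WannaCry could have reached; the fix is to block 445 at the firewall or disable SMBv1 on the host, not to hide the port.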
2. Encryption
Like any ransomware, WannaCry is meant to deny the user access to the data on a machine until a ransom is paid. It does this with encryption: the malware transforms the data in a way that can only be reversed with knowledge of the encryption key. Because the key needed to decrypt is held only by the ransomware operator, the user has to pay to unlock the files. WannaCry looks for and encrypts a specific list of file types (documents, images, archives, databases and so on) rather than everything on the disk. This limits the malware's impact on the system's ability to run: if the wrong files were encrypted the machine might not boot at all, making it hard for the user to pay the ransom or recover the data.
3. Ransom
WannaCry demands $300 from its victims, payable in Bitcoin rather than conventional currency. As a digital currency, Bitcoin is harder to tie to a person than traditional payment methods, which suits ransomware operators: they can include a deposit address in the ransom note without directly revealing their identity to the police. Once a victim pays, a decryption key for their machine is supposed to be delivered, allowing the decryptor supplied by the attackers to reverse the changes to the files and restore the original contents.
Methodology
The ransomware used an exploit called EternalBlue, which the NSA developed after finding a flaw in older Windows software. The flaw is in Windows SMB, which crafted packets can trick into executing code remotely.
The malware first delivered a small program, the dropper, to the target over SMB, where it was executed. Unusually, the dropper then tried to connect to an unregistered domain consisting of an apparently random string of letters and digits, abandoning the attack if the connection succeeded and continuing if it failed. Security specialists believe this was meant to serve as a kill switch, so that the operators could stop an attack remotely, or as an anti-analysis trick.
When the connection failed, the dropper extracted and ran the encryption component, which contained the program that encrypted the victim's data, the decryptor that would later be offered to the victim, and a set of poorly translated ransom notes in many languages.
Once the files were encrypted, the malware displayed a note with two timers demanding that $300 in Bitcoin be sent to an address controlled by the attackers. The note gave two deadlines: a three-day countdown after which the fee doubled, and a seven-day deadline after which, it claimed, the encrypted files would be deleted for good.
The malware used a combination of RSA and AES: each file was encrypted with its own AES key, and the AES keys were encrypted with an RSA public key whose private half only the attackers held, so the data could not be decrypted by hand before the deadline. Even though the decryptor was included in the payload, there was no assurance that victims who paid would get their data back: the malware used a few hard-coded Bitcoin addresses shared by all victims, so the operators had no reliable way to tell which victim a given payment came from. The ransomware did include a 'demo' option that would decrypt ten files using an RSA private key stored locally with the decryptor, to convince victims that recovery was technically feasible.
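The encryption stage above and this RSA/AES paragraph describe the same key hierarchy, so one added example serves both. It is written in Go for this case study and is not WannaCry's code: it models a per-file AES key wrapped under a per-victim RSA key, a 'demo' key pair whose private half stays on the host, and a 'main' key pair whose private half exists only wrapped under the operator's public key. AES-GCM and the record layout are the example's own choices (WannaCry used AES-CBC and its own file format); the type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// encFile is one encrypted file: its AES key wrapped under an RSA public key,
// plus the AES-GCM nonce and ciphertext. Layout is the example's own.
type encFile struct {
	wrappedKey, nonce, ct []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile draws a fresh 128-bit AES key for this file, encrypts the
// content with it and wraps that key under pub. Only the holder of the
// matching RSA private key can ever unwrap it again.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*encFile, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &encFile{wrappedKey: wrapped, nonce: nonce, ct: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptFile reverses encryptFile; it fails if priv is not the key the
// file's AES key was wrapped under.
func decryptFile(priv *rsa.PrivateKey, f *encFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.nonce, f.ct, nil)
}

// victimKeys models the hierarchy on one infected host: a demo pair whose
// private half stays on disk so a few files decrypt for free, and a main pair
// whose private half survives only wrapped for the operator. The clear-text
// main private key is discarded after newVictimKeys returns.
type victimKeys struct {
	demoPriv    *rsa.PrivateKey
	mainPub     *rsa.PublicKey
	mainPrivEnc *encFile // PKCS#1 DER of the main private key, wrapped for the operator
}

func newVictimKeys(operatorPub *rsa.PublicKey) (*victimKeys, error) {
	demo, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	mainKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	wrapped, err := encryptFile(operatorPub, x509.MarshalPKCS1PrivateKey(mainKey))
	if err != nil {
		return nil, err
	}
	return &victimKeys{demoPriv: demo, mainPub: &mainKey.PublicKey, mainPrivEnc: wrapped}, nil
}

// operatorRecover is what a ransom payment buys: the operator unwraps the
// victim's main private key with their own private key and returns it.
func operatorRecover(operatorPriv *rsa.PrivateKey, v *victimKeys) (*rsa.PrivateKey, error) {
	der, err := decryptFile(operatorPriv, v.mainPrivEnc)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	op, _ := rsa.GenerateKey(rand.Reader, 2048) // operator key, never on the victim
	v, _ := newVictimKeys(&op.PublicKey)
	demoFile, _ := encryptFile(&v.demoPriv.PublicKey, []byte("demo.txt contents"))
	realFile, _ := encryptFile(v.mainPub, []byte("quarterly-report contents"))
	pt, _ := decryptFile(v.demoPriv, demoFile)
	fmt.Printf("demo file, local key: %q\n", pt)
	_, err := decryptFile(v.demoPriv, realFile)
	fmt.Println("main file, local key:", err) // wrong key: unwrap fails
	mainPriv, _ := operatorRecover(op, v)
	pt, _ = decryptFile(mainPriv, realFile)
	fmt.Printf("main file, operator key: %q\n", pt)
}
```

The design choice the example makes visible is that the main private key is generated on the victim and only then thrown away. That is the weak point Adrien Guinet's recovery relied on: if the key material (or the primes it was built from) is still in the process's memory, the whole hierarchy collapses without the operator.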
Aftermath
Within a day of the outbreak Microsoft issued emergency updates for unsupported versions of Windows (XP, Server 2003 and 8) to close the SMB vulnerability; this did nothing for machines that were already infected. On the first day of the attack a security researcher discovered that registering the kill-switch domain stopped the encryption component from running. Later variants tried to get around this by using other kill-switch domains, which were quickly registered too.
When a version of WannaCry without a kill switch appeared, the French researcher Adrien Guinet found a technique to recover the RSA private key from the memory of an infected machine (the prime factors were left behind in the process's memory on Windows XP as long as the machine had not been rebooted), so some victims could decrypt their files without paying. Together with the Windows fixes and the kill switch, this halted the spread of WannaCry within days of its appearance.
How impactful was the vulnerability and exploitation including the financial losses?
WannaCry hit many countries and many sectors around the world, including health services, supply chains, education, telecommunications, the automotive industry and security companies.
The WannaCry attack unfolded over about five days, but its impact was significant. Infected machines in more than 150 countries produced a total of only about $100,000 in ransom payments for the attackers, but lost productivity and destroyed data are estimated to have cost billions.
Businesses lost thousands of documents, and hospitals cancelled surgeries because they could not access patient records. More worrying still, ambulances were diverted away from affected hospitals that could no longer accept patients, raising the possibility that people were harmed as a result.
Many countries were affected by the WannaCry attack, including the USA, the UK, Canada, Australia, New Zealand and Japan. All of these governments have attributed the attack to North Korea and its government.
The pop-up message shown by WannaCry tells affected users to pay $300 in Bitcoin within three days. If they do not, the price rises to $600, and after seven days the note threatens that the files and all the data on the computer will be lost permanently. All payments must be made in Bitcoin to the address given in the note, so the victim cannot tell who is behind the attack. Bitcoin's blockchain secures the payments cryptographically, but what hides the attackers' identity is that nobody has to identify themselves to hold or receive funds; the ledger itself is public, so anyone could watch the payments arriving at the WannaCry addresses.
What were the solutions found and proposed for WannaCry ransomware?
- Regularly update software and operating system.
- If the operating system is Windows, the monthly updates that Microsoft distributes should be pushed to every system. All system software should be kept up to date: vendors find and fix vulnerabilities and bugs and ship the fixes through updates. Most WannaCry victims were running Windows and were vulnerable only because they had not installed the update that closed the hole two months earlier. Where a machine cannot be patched, disabling SMBv1 (the only SMB dialect EternalBlue affects) removes the exposure.
- Avoid clicking on suspicious links
- If you receive an unusual email or visit an untrustworthy website, do not click any links in it. Clicking an unverified link can download malware. Most malware is sent by attackers through email as a PDF, a document or an executable, and opening it infects the machine if the workstation has no protection. Once one machine in an organisation is infected, a worm such as WannaCry can spread across the organisational network on its own, so be aware of these kinds of suspicious links.
- Avoid opening emails with unknown attachments
- Open email attachments only if you are certain where they come from and why. Do you recognise the sender? Is the purpose of the attachment clear? Were you expecting it? If an attachment asks you to enable macros to view it, do not. This is a common way for ransomware and other malware to spread, so keep macros disabled and do not open such files.
- Avoid downloading from unreliable websites.
- If you want to download software, visit the vendor's official website; do not download from third-party sites. If you need software on an organisational computer, consult a system administrator first. Most organisations have ICT policies for every user, so use only approved files and software rather than untrusted ones; an infected download can harm organisational data and reputation. The risk of picking up ransomware rises when files are downloaded from unfamiliar websites, so download only from reputable sources.
- Avoid unfamiliar USB drives
- Do not plug untrusted USB drives into organisational assets: malicious scripts and malware on them can damage the workstation and organisational data. If you do not know where a USB stick or other removable device came from, do not insert it into your workstation; it may already carry ransomware.
- Use a VPN on public Wi-Fi
- When accessing the Internet over public Wi-Fi, use a trusted VPN; a private VPN server you control is best. An organisational laptop on public Wi-Fi should use the organisation's VPN client (Cisco AnyConnect, Fortinet) to reach file servers and internal systems. On a public network your computer is exposed to every other device on it, so the VPN must be combined with a host firewall that blocks inbound SMB (TCP 445) from the local network. A VPN alone does not stop an SMB worm: it protects traffic to the VPN endpoint, not a service listening on the laptop.
- Install security software and antivirus software
- Installing internet security software helps protect your PC against ransomware. Choose a product that covers a wide range of threats. Organisational workstations should all run antivirus software and keep it updated, and security compliance should be checked regularly to identify which systems are vulnerable.
- Update the antivirus software and internet security software
- Viruses and ransomware evolve quickly. Keeping internet security software up to date with the newest updates gives the best protection it can offer. If an intruder exploits a zero-day vulnerability the workstation can still be affected, so antivirus engines and signatures must be kept current as vendors release detections for newly identified threats.
- Security Awareness Training for employees.
- Employees must be trained regularly in proper email handling, particularly now that more people work online. Employees must not open links or attachments from unknown senders.
- Back up your data
- Ensure that you back up your data frequently to external or online storage. If you fall victim to ransomware, the backed-up data will still be available. Remember to unplug the external storage device after the backup: a drive that stays connected can be encrypted by ransomware too (WannaCry encrypted reachable network shares and attached drives as well as local disks). For organisational data there are several backup types to choose from according to the requirements:
- Full backup - a full backup copies all selected files. Every time it runs, a complete new copy is created. Restoring from a full backup is fast, but each backup session is slower and needs more storage than the other kinds. It is sometimes called a complete copy.
- Incremental backup - starts from one full backup and then stores only the data that has changed since the previous backup, whether full or incremental. Its main advantages are speed and low storage use; the trade-off is that a restore must replay the full backup plus every incremental in order, which is slower.
- Differential backup - copies all changes made since the previous full backup. It is faster and needs less storage than a full backup, but more than an incremental. Restores take longer than from a full backup but are quicker than from an incremental chain, since only the full backup and the latest differential are needed.
- Mirror backup - a mirror backup resembles a full backup with one important difference: because it is an exact replica of the source, a file deleted from the source is also deleted from the mirror. It therefore gives no protection against deletion or encryption by ransomware and must be used with care.
- Synthetic backup - a synthetic full backup recreates a full backup by merging an earlier full backup with the incremental or differential backups taken since. It can be kept on tape at a remote site, and it shortens restores because no chain has to be replayed.
- Reverse incremental backup - keeps the newest state as a full mirror and stores the differences between successive mirror versions, so the latest state restores immediately and older versions are reconstructed backwards.
How many WannaCry variants are there?
That depends on how a variant is defined. Since the initial outbreak there have been many versions, but they share the same functions and features. At the last count there were almost 700 modifications, ranging from minor changes to the file to evade signature-based detection, to changes of the kill-switch domain.
Is WannaCry as huge as reported by the media?
Measured by the number of infected machines, there is no evidence that it was a global attack on the scale of earlier worms such as SQL Slammer and Blaster; WannaCry did not reach the same level. Most home users today have Windows Update enabled by default, so they were already protected. But the harm inflicted by its payload is far higher than that of those earlier worms, because the ransomware encrypts all important data on the machine and on reachable network shares. In this respect it became one of the most damaging attacks on record.
According to recent estimates there are still around 300,000 infected targets. The real number is likely higher: many infected systems sit inside enterprise networks with no link to the outside world, so millions of PCs may actually be infected.
Can standard antivirus software eliminate an infection such as WannaCry?
The short answer is that antivirus software can remove the infection, but whether that helps depends. If your security controls do not protect the machine from the EternalBlue flaw itself, it will be re-infected with ransomware again and again. And as soon as the product fails to detect a new strain of ransomware, or another malware family that uses the same attack pattern, the machine will be hit again.
happen?
One distinguishing property of WannaCry is that it tries to connect to a particular URL. If the connection succeeds it stops: it will not spread further and will not carry out its ransomware function. Over the attack's first weekend a security researcher registered that domain. Despite this, the worm kept spreading around the world. Two explanations are possible. First, organisations whose computers reach the Internet only through a proxy: WannaCry makes its request directly, without using the proxy settings, so it cannot reach the URL and continues to cause havoc on the local network. Second, organisations that disconnected from the Internet entirely to bring things under control, with the same effect. In addition, there are variants of the malware with a different domain, so the kill switch only works against a subset of infections.
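The two explanations above, proxy-only and disconnected networks, can be reproduced in a few lines. The following is an added example written for this case study; it is not part of the original post and not WannaCry's code. It makes the same kind of bare HTTP GET the worm made, with a local test server standing in for the registered kill-switch domain, and shows that the switch trips over a direct path but not from behind a proxy the request never uses, nor on an isolated network. The placeholder server, the dead proxy address and the timeouts are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// killSwitchTripped mirrors the worm's test: an HTTP GET that reaches any
// server at all halts the payload; any failure (NXDOMAIN, timeout, refused
// connection, unreachable proxy) lets it run. The status code is ignored.
func killSwitchTripped(ctx context.Context, client *http.Client, target string) bool {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, nil)
	if err != nil {
		return false
	}
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// directClient ignores any proxy configuration, matching the worm's request,
// which did not go through the system proxy.
func directClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout, Transport: &http.Transport{Proxy: nil}}
}

// proxyOnlyClient models a network whose only way out is proxyAddr. If that
// path is not usable for the request, the GET fails and the switch never
// trips even though the sinkhole domain is registered.
func proxyOnlyClient(proxyAddr string, timeout time.Duration) *http.Client {
	u := &url.URL{Scheme: "http", Host: proxyAddr}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{Proxy: http.ProxyURL(u)}}
}

// isolatedClient models a network cut off from the Internet entirely: every
// dial fails, so again the switch never trips.
func isolatedClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(context.Context, string, string) (net.Conn, error) {
			return nil, errors.New("network isolated")
		},
	}}
}

// deadProxyAddr returns a loopback address with nothing listening on it,
// standing in for a proxy that the worm's direct request never reaches.
func deadProxyAddr() string {
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "127.0.0.1:9"
	}
	addr := l.Addr().String()
	l.Close()
	return addr
}

// sinkhole stands in for the registered kill-switch domain: it answers every
// request. The caller closes it.
func sinkhole() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := sinkhole()
	defer srv.Close()
	ctx := context.Background()
	fmt.Println("direct path, domain registered:", killSwitchTripped(ctx, directClient(2*time.Second), srv.URL))
	fmt.Println("proxy-only network:            ", killSwitchTripped(ctx, proxyOnlyClient(deadProxyAddr(), 2*time.Second), srv.URL))
	fmt.Println("air-gapped network:            ", killSwitchTripped(ctx, isolatedClient(), srv.URL))
}
```

The practical lesson for defenders is the inverse of the worm's logic: a kill switch that depends on an outbound connection only protects hosts that can make that connection, so an internal DNS sinkhole answering for the domain, reachable without a proxy, does more than the public registration did for proxied networks.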
Overall lessons learned
Finally, I can conclude that cybersecurity is essential for individuals as well as organisations to protect against cybercriminals. In an organisation, the IT administrators, cybersecurity engineers and system engineers should design the security infrastructure properly to prevent damaging attacks. They need to configure proper firewall rules and implement intrusion detection and prevention systems to identify and block malicious activity.
My case study, WannaCry, is an older attack, but it is still active because ransomware developers keep improving their malware to work on newer operating systems. We therefore need to be aware of these kinds of vulnerabilities. Security engineers found the kill switch through reverse engineering and honeypots and used it to stop further WannaCry executions, and French researchers produced a tool to decrypt files on some WannaCry-infected systems.
WannaCry exploited older versions of Windows that exposed the SMB protocol on TCP ports 139 and 445. On organisational computers we should close every unnecessary port at the firewall, and in particular never expose 445 to the Internet. We can also monitor the network with tools such as OpManager, PRTG or a NetFlow collector to spot malicious network behaviour, for example a single host opening SMB connections to many different addresses in a short time, which is what a worm scanning for targets looks like. We need to secure client systems both physically and logically. For physical security, server rooms and workstations should be monitored in real time, and server rooms protected with biometric access so that only authorised individuals can enter; that lets us identify who performed an action and how. For logical security, administrators should give clients role-based access to ensure confidentiality, integrity and accountability: each user gets only the access they need, which limits what an attacker can reach through that user.
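The network-monitoring point above, an infected host fanning out to many SMB peers, can be turned into a concrete detection. The following is an added example written for this case study, not a tool mentioned in the post: it reads constructed flow records (timestamp, source, destination, destination port) and flags any source that reaches at least N distinct destinations on TCP 445 inside a short window. The record format, the sample flows, the window and the threshold are assumptions; a real NetFlow or firewall export would be reduced to the same four fields first.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// flow is one summarised connection record.
type flow struct {
	ts       time.Time
	src, dst string
	dport    int
}

// parseFlows reads whitespace-separated "RFC3339-ts src dst dport" lines;
// blank lines and '#' comments are skipped, anything else malformed is an error.
func parseFlows(text string) ([]flow, error) {
	var out []flow
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		port, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, err
		}
		out = append(out, flow{ts: ts, src: f[1], dst: f[2], dport: port})
	}
	return out, sc.Err()
}

// smbScanners returns, sorted, every source that reached at least minTargets
// distinct destinations on port 445 within some window of length w. A normal
// client talks to a few shares repeatedly; a worm fans out to many hosts.
func smbScanners(flows []flow, w time.Duration, minTargets int) []string {
	bySrc := map[string][]flow{}
	for _, f := range flows {
		if f.dport == 445 {
			bySrc[f.src] = append(bySrc[f.src], f)
		}
	}
	var hits []string
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].ts.Before(fs[j].ts) })
		seen := map[string]int{} // distinct destinations inside the window
		lo := 0
		for hi := range fs {
			seen[fs[hi].dst]++
			for fs[hi].ts.Sub(fs[lo].ts) > w { // slide the window forward
				seen[fs[lo].dst]--
				if seen[fs[lo].dst] == 0 {
					delete(seen, fs[lo].dst)
				}
				lo++
			}
			if len(seen) >= minTargets {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleFlows is constructed for the example: 10.0.1.7 is a normal client
// using two file servers, 10.0.1.5 sweeps the subnet like an infected host.
const sampleFlows = `
2017-05-12T10:00:00Z 10.0.1.7 10.0.1.10 445
2017-05-12T10:00:05Z 10.0.1.7 10.0.1.11 445
2017-05-12T10:00:09Z 10.0.1.7 10.0.1.10 445
2017-05-12T10:01:00Z 10.0.1.5 10.0.1.20 445
2017-05-12T10:01:01Z 10.0.1.5 10.0.1.21 445
2017-05-12T10:01:01Z 10.0.1.5 10.0.1.22 445
2017-05-12T10:01:02Z 10.0.1.5 10.0.1.23 445
2017-05-12T10:01:02Z 10.0.1.5 10.0.1.24 445
2017-05-12T10:01:03Z 10.0.1.5 10.0.1.25 445
2017-05-12T10:01:03Z 10.0.1.5 10.0.1.26 445
2017-05-12T10:01:04Z 10.0.1.5 10.0.1.27 445
2017-05-12T10:01:04Z 10.0.1.5 10.0.1.28 80
`

func main() {
	flows, err := parseFlows(sampleFlows)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("SMB scanners:", smbScanners(flows, 30*time.Second, 8))
}
```

The threshold has to be tuned per network: backup servers, vulnerability scanners and domain controllers legitimately touch many hosts on 445, so allow-list those sources rather than raising the threshold until the worm hides under it.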
We need to keep system software and operating systems updated to close vulnerabilities, and give employees regular cybersecurity awareness training to mitigate these kinds of attacks. We need to run proper antivirus software and keep it updated. We need to keep backups in the cloud or on external drives so that data can be restored after an attack, and every organisation should take daily full or incremental backups to limit the financial impact. If the organisation is compromised it must have a disaster recovery plan to continue operating; this could use an off-site or hot-site backup. Users should enable two-factor authentication on their systems and applications to mitigate unauthorised access.
Not only WannaCry but all ransomware, trojan horses, worms and viruses are very harmful to individuals and organisations; they can actively or passively carry out their underlying purpose. Not all malware behaves the same way: some encrypts data, some reads databases, some steals usernames and passwords or other sensitive information. If a company loses sensitive information to a cyberattack, its reputation suffers and clients will no longer work with it because of the lack of security.