Ransomware Virus – WannaCry and Petya – What’s Next

WannaCry Ransom Demand

Back in the 1980’s, Duran Duran and Tears for Fears videos played on MTV in high rotation.

Windows LAN Manager is also an 80s legacy: it enabled file sharing between a Windows host computer and any number of Windows clients. By the early 1990s, Windows NT LAN Manager had replaced Windows LAN Manager.

A typical modern file sharing network topology uses Windows 2013 Enterprise Server to manage the file repository, while an Active Directory server manages file access security details such as protecting your Office 365 eMail files.

A core component of Windows LAN Manager is the Server Message Block (SMB) server.

The SMB server handles client requests to create shared folders and to copy, rename, delete, print or execute remote files. SMB 1.0 was used up until Windows XP and was made obsolete by Windows Vista. Windows Server 2003 used SMB 1.0 as well; it was replaced in Windows Server 2008 and later.

SMB 3.0 is the latest version supported on Windows 8.1 and Windows Server 2012 or later. Note that any version of SMB can be enabled or disabled by setting the appropriate Windows Registry keys.
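As an added example (not code from the original post), here is what that registry-level control looks like in practice on a current Windows host: an audit of whether SMB 1.0 is on, followed by the server-side and client-side switches that turn it off. It assumes an elevated PowerShell session. Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; the registry value and the sc.exe commands are the ones Microsoft documents for older builds. One caveat the post does not spell out: Windows XP and Server 2003 speak only SMB 1.0, so there is nothing to disable on them without losing file sharing altogether; for those systems the answer is the MS17-010 patch and migration.

```powershell
# Added example (not from the original post): audit and disable SMB 1.0 on a Windows host.
# Run from an elevated PowerShell session. Cmdlets that do not exist on older builds are
# skipped, leaving the registry value, which is the control the post refers to.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Report object: EnableSMB1Protocol is $null when the SmbShare cmdlets are unavailable,
    # RegistrySMB1 is $null when the value has never been set (the default, i.e. enabled).
    $viaCmdlet = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $viaCmdlet = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $regValue = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        EnableSMB1Protocol = $viaCmdlet
        RegistrySMB1       = $regValue
    }
}

function Disable-Smb1 {
    # Server side: stop offering the SMB 1.0 dialect to clients.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry equivalent for builds without the cmdlet (0 = disabled).
    New-ItemProperty -Path $lanman -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null

    # Client side: stop this host from speaking SMB 1.0 to other servers.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Windows 8.1 / Server 2012 R2 and later can remove the component entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Warning 'Reboot required before the client-side change takes effect.'
}

Get-Smb1State | Format-List
# Uncomment to apply after checking the report:
# Disable-Smb1
```

Run Get-Smb1State on a sample of hosts first; anything that still depends on SMB 1.0 (old multifunction printers scanning to a share, NAS boxes, XP-era applications) will show up as breakage the moment Disable-Smb1 is applied, so the inventory is worth doing before the change rather than after.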

So why is this important?

The WannaCry malware exploited a flaw in SMB 1.0; the exploit was code-named EternalBlue. WannaCry searches for and encrypts 176 different file types and appends “.WCRY” to the end of each file name.

EternalBlue was discovered by the American National Security Agency (NSA). NSA researchers found that, in certain cases, SMB 1.0 messages omitted the security profile of a request to perform a network operation such as a copy or execute. This permitted a hacker to copy files from one computer to another with no security checks.

Since Windows XP typically had SMB1.0 enabled, it was thought to be a key viral attack vector.

Kryptos Research, however, reports that in some cases WannaCry failed to install on Windows XP computers; the installation attempt instead produced the infamous Windows Blue Screen of Death.

No definitive account of how the virus infected a computer and then spread so quickly to other computers is available.

The security technology provider Symantec reports that the code contained tools which enabled WannaCry to access all security profiles maintained in Active Directory. Symantec also reports that a bug in the payment system means WannaCry is unable to tell whether a user has paid the ransom, so all files whose names end in “wcry” are lost. Hence, if Symantec’s claim is true, there is no point in paying the ransom.

EternalBlue, along with six other stolen NSA exploits, was leaked by a group called the Shadow Brokers.

In the week of October 5, 2016, Harold T. Martin III was arrested. Martin was a contractor for Booz Allen Hamilton who worked at the NSA, the same contractor that employed Edward Snowden. Without Martin’s disclosure, WannaCry would not have been possible. Microsoft issued security update MS17-010 on March 17, 2017. Microsoft released patches for the Windows XP, Windows 8 and Windows Server 2003 operating systems on May 13, 2017, even though XP and Server 2003 were well past their end of life and Microsoft was no longer providing automated security updates for them.

Two years elapsed during which the NSA failed to notify Microsoft of the issue.

In the week of May 12, 2017, WannaCry ransomware went live with a demand, in 27 languages, for $300 to undo the encryption of a hapless user’s critical files. Major organizations such as the British National Health System and hundreds of thousands of users were affected.

The WannaCry virus is thought to be loaded from a phishing campaign in which an eMail contained an attachment which, if clicked, ran the WannaCry installer application. During the time of infection, I received two suspicious eMails claiming to be from FedEx stating that my packages could not be delivered. The standard FedEx procedure is to leave a notice at the door. They have my phone number but not my eMail address. I was not expecting any packages and immediately deleted both eMails. During this period, FedEx had been hacked twice. This was likely a fake ransomware demand.

The ransom demand was written in perfect Mandarin and translated using Google Translate, which points to China as the home of the perpetrators. A chart by Kryptos Research showing that the vast majority of affected computers were located in China gives further support to this claim.

Spread of WannaCry

Others claim that North Korea is the culprit.

Once installed, it also searched the local network for new hosts to infect. It could take several minutes to find files to encrypt, and during this time the encryption routine could run into disk errors, leaving a file only partially encrypted.
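A defender’s view of that behaviour, as an added example rather than anything from the original post: while the malware works through a share, the file server’s audit trail shows one client creating many “.WCRY” files in a short burst. The script below applies a simple sliding-window count to a constructed set of audit records; the record layout is an assumption standing in for Windows file-access auditing or a file-server product’s own log.

```powershell
# Added example (not from the original post): flag clients that create a burst of ".WCRY"
# files on a file share. The audit records below are constructed for the example; the
# column layout (Time, Client, User, Action, Path) is an assumption.

$records = @'
Time,Client,User,Action,Path
2017-05-12T10:01:02,PC-17,alice,Create,\\fs01\finance\q1.xlsx
2017-05-12T10:01:05,PC-17,alice,Create,\\fs01\finance\q1.xlsx.WCRY
2017-05-12T10:01:07,PC-17,alice,Create,\\fs01\finance\q2.xlsx.WCRY
2017-05-12T10:01:09,PC-17,alice,Create,\\fs01\finance\budget.docx.WCRY
2017-05-12T10:01:12,PC-17,alice,Create,\\fs01\finance\board.pptx.WCRY
2017-05-12T10:01:14,PC-17,alice,Create,\\fs01\finance\notes.txt.WCRY
2017-05-12T10:01:20,PC-22,bob,Create,\\fs01\sales\leads.xlsx
2017-05-12T10:03:40,PC-22,bob,Create,\\fs01\sales\old.xlsx.WCRY
2017-05-12T10:15:00,PC-22,bob,Create,\\fs01\sales\pricing.docx
'@ | ConvertFrom-Csv

function Find-WcryBursts {
    param(
        [object[]]$Records,
        [int]$Threshold     = 5,    # .WCRY creations ...
        [int]$WindowSeconds = 60    # ... within this many seconds triggers an alert
    )
    # Keep only creations of encrypted-marker files and parse the timestamp once.
    $hits = $Records |
        Where-Object { $_.Action -eq 'Create' -and $_.Path -like '*.WCRY' } |
        Select-Object *, @{ n = 'T'; e = { [datetime]$_.Time } }

    foreach ($group in ($hits | Group-Object Client)) {
        $times = @($group.Group.T | Sort-Object)
        # Sliding window: for each event, count events from it up to WindowSeconds later.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddSeconds($WindowSeconds)
            $n   = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($n -ge $Threshold) {
                [pscustomobject]@{
                    Client = $group.Name
                    User   = (@($group.Group.User | Select-Object -Unique) -join ',')
                    Start  = $times[$i]
                    Count  = $n
                }
                break   # one alert per client is enough; the response is the same
            }
        }
    }
}

# PC-17 (alice) is reported: five .WCRY files in twelve seconds. PC-22's single .WCRY is not.
Find-WcryBursts -Records $records | Format-Table
```

The response to a hit is to disable the client’s share access and isolate the host, not to wait for the rename count to climb; the same logic can be pointed at a share’s own directory listing (file creation times) when no audit log exists.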

The code contained a kill switch. It used a reference to an unregistered Internet domain to determine whether the virus should halt infecting hosts: if the domain was registered, the code stopped trying to infect host computers. The infection stopped after a British security researcher registered the domain, which had the effect of minimizing the infection in North America.

If the user’s PC has not been rebooted since the ransom attack, it may be possible to decrypt infected files here.

This much is known about what had to be true for WannaCry to succeed:

  1. SMB 1.0 was enabled on the infected machine prior to the infection, or WannaCry enabled the SMB 1.0 settings itself to facilitate the infection.
  2. It obtained permission to deploy the WannaCry application on the target computer if Security Essentials was enabled.
  3. The computers were no longer receiving security updates from Microsoft or from third parties such as Symantec. XP was released on August 24, 2001, reached its end of life on April 8, 2014, and should have been migrated to Windows 7.x or 8.x before that date.
  4. The eMail system let eMails with binary attachments through. This indicates that an eMail malware scanner was not running.
  5. Users had not enrolled in periodic security training, which stresses never opening eMail attachments from parties you do not know.

The choice is to either:
a) pay the $300 in the hope that payment will result in the recovery of your files; or
b) scrap the computer.

There is no viable upgrade option. If you decide to pay the $300 to decipher a personally owned computer, buy a USB drive from a computer store to hold a backup of your personal files, including MS Office mailbox files; scan both the original and the new USB drive for viruses; and scrap the computer. Buy a new computer and restore only the files you need.

Going forward:

  1. There is no guarantee that, after paying the ransom, WannaCry artifacts do not still remain on your servers and desktops, where they could enable the cretin to relaunch the virus. Treat them as nothing but burglars who could revisit the scene of the crime.
  2. Linux and Apple are not immune to malware. A consistent set of procedures for Windows, Apple and Linux systems should be in place to contain the activation and spread of malware.
  3. Enforce saving files to document repositories. A user could also save all personal files to a server that is synchronized with a backup server, e.g. drive H. If the hacker software encrypted files on the local C and D drives, the contents of drive H can be recovered after ensuring the removal of the virus. Make sure the drive is never permanently connected.
  4. For private users, consider using cloud storage such as Dropbox to exchange files between users.
  5. Any person or organization must replace these obsolete systems with the latest technology and plan to maintain a current technology environment.
  6. Always enable security updates from the system vendor.
  7. For internal corporate networks, publish documents to a document repository such as SharePoint and eMail a link to the document. This eliminates the need to add binary attachments to eMails and reduces the risk of infection.
  8. For private users, Gmail and Microsoft mail are scanned by antivirus software. Microsoft Office mailboxes can be scanned using Microsoft Security Essentials.
  9. Enterprises have two choices regarding risk: mitigate the risk, or assume liability for the risk, which means that the risk is always present.
    1. The risk of doing nothing has been shown to be real. No computer system lasts forever.
    2. The cost of compliance is an ongoing cost and must be factored into the operating budget. Never cut the cost of maintaining currency and security, and never assume unlimited risks.
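Item 3 in the list above is easy to get wrong in practice, so here is an added example (not the post’s own script) of a backup that maps drive H only for the duration of the copy and then disconnects it. The share path, source folders, account and retention count are assumptions. Two design points worth noting: each run lands in a fresh dated folder rather than mirroring, because a mirror would faithfully overwrite the last good copy with encrypted files; and the copy refuses to start if “.WCRY” files are already present in the source.

```powershell
# Added example (not from the original post): back up a user's working folders to the backup
# server, connecting drive H only for the duration of the copy. Share, folders, account and
# retention count are placeholders/assumptions.

$Share   = '\\backup01\users\jdoe'   # placeholder: the synchronized backup share for this user
$Sources = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop", 'D:\Projects')
$Keep    = 14                        # number of dated backup folders to retain

function Invoke-OfflineBackup {
    # Use a dedicated backup account: if the interactive user's own token had rights to the
    # share, malware running as that user could reach it the moment the drive was mapped.
    $cred = Get-Credential -Message 'Backup share account'
    # -Persist gives a real H: drive letter that external tools such as robocopy can see.
    New-PSDrive -Name H -PSProvider FileSystem -Root $Share -Credential $cred -Persist -ErrorAction Stop | Out-Null
    try {
        foreach ($src in $Sources) {
            if (-not (Test-Path $src)) { continue }
            # Refuse to run if encryption markers are already present: the copy would be poisoned.
            if (Get-ChildItem $src -Recurse -Filter '*.WCRY' -ErrorAction SilentlyContinue | Select-Object -First 1) {
                Write-Warning "Encrypted (.WCRY) files found under $src; aborting backup"
                return
            }
        }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
        $root  = "H:\$stamp"
        New-Item -ItemType Directory -Path $root -Force | Out-Null
        foreach ($src in $Sources) {
            if (-not (Test-Path $src)) { continue }
            $dst = Join-Path $root (Split-Path $src -Leaf)
            # No /MIR: a mirror would overwrite yesterday's good copy with today's encrypted files.
            # /E copies subfolders, /XJ skips junctions, /R:1 /W:1 keep retries short, /NP drops progress noise.
            robocopy $src $dst /E /XJ /R:1 /W:1 /NP /LOG+:"$root\backup.log" | Out-Null
            if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (exit $LASTEXITCODE)" }
        }
        # Prune the oldest dated folders beyond the retention count (names sort chronologically).
        Get-ChildItem 'H:\' -Directory | Sort-Object Name -Descending |
            Select-Object -Skip $Keep | Remove-Item -Recurse -Force
    }
    finally {
        # H: disappears as soon as the copy finishes, whether or not it succeeded.
        Remove-PSDrive -Name H -Force
    }
}

Invoke-OfflineBackup
```

Schedule it from a task running as the backup account rather than from the user’s session, and keep the share write-only for that account where the file server allows it; the point of the dated folders is that a run which copies encrypted files damages one day’s backup, not all of them.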

Expect more ransomware attacks.

There is a report of EternalRocks malware in the wild which has no kill switch.  If nothing was done to prevent further WannaCry attacks, the hackers could relaunch the attack.

Make it a habit to delete, without reading, any eMails with attachments that you receive from people you don’t know. Better yet, your eMail system should be configured to scan attachments for malware and to deliver only standard attachment types such as PDF, XLS, TXT and DOC files.
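As an added example (not from the original post) of that attachment policy, the function below applies the PDF/XLS/TXT/DOC allowlist to what an attachment actually contains rather than only to its name: the last extension decides, so “invoice.pdf.exe” is rejected; the first bytes must match the claimed type, so an EXE renamed to “.pdf” is rejected; and because DOC and XLS files can carry macros, they are routed to the malware scanner rather than delivered directly. The gateway hook that would call it is assumed, and the sample attachments are constructed.

```powershell
# Added example (not from the original post): decide whether an eMail attachment may be delivered
# under the post's allowlist (PDF, XLS, TXT, DOC), checking content as well as file name.
# Test-Attachment is a hypothetical gateway hook; the sample attachments are constructed.

$magic = @{
    '.pdf' = [byte[]](0x25,0x50,0x44,0x46)                            # "%PDF"
    '.doc' = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)        # OLE compound file
    '.xls' = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)        # OLE compound file
    '.txt' = $null                                                    # no magic; checked for printable text
}
$needsScan = @('.doc', '.xls')   # OLE documents can carry macros: scan, never deliver blind

function Test-Attachment {
    param([string]$Name, [byte[]]$Bytes)
    # Only the final extension counts, so "invoice.pdf.exe" is judged as ".exe".
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if (-not $magic.ContainsKey($ext)) { return "REJECT: '$Name' extension '$ext' not on allowlist" }

    $expected = $magic[$ext]
    if ($null -eq $expected) {
        # TXT: refuse anything containing control bytes other than tab/CR/LF (MZ headers, NULs, ...).
        $bad = @($Bytes | Where-Object { ($_ -lt 0x20) -and ($_ -notin @(9, 10, 13)) })
        if ($bad.Count -gt 0) { return "REJECT: '$Name' is not plain text" }
    } else {
        if ($Bytes.Length -lt $expected.Length) { return "REJECT: '$Name' too short to be $ext" }
        for ($i = 0; $i -lt $expected.Length; $i++) {
            if ($Bytes[$i] -ne $expected[$i]) { return "REJECT: '$Name' content does not match $ext" }
        }
    }
    if ($ext -in $needsScan) { return "SCAN: '$Name' is an OLE document; send to the macro/malware scanner" }
    return "DELIVER: '$Name'"
}

# Constructed samples (not real attachments): only the leading bytes matter for the check.
$samples = @(
    @{ Name = 'report.pdf';      Bytes = [byte[]](0x25,0x50,0x44,0x46,0x2D,0x31,0x2E,0x34) }   # genuine PDF header
    @{ Name = 'invoice.pdf.exe'; Bytes = [byte[]](0x4D,0x5A,0x90,0x00) }                       # double extension
    @{ Name = 'shipping.pdf';    Bytes = [byte[]](0x4D,0x5A,0x90,0x00) }                       # EXE renamed to .pdf
    @{ Name = 'budget.xls';      Bytes = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1,0x00) }
    @{ Name = 'notes.txt';       Bytes = [System.Text.Encoding]::ASCII.GetBytes("hello`r`nworld") }
)
foreach ($s in $samples) { Test-Attachment -Name $s.Name -Bytes $s.Bytes }
```

Expected decisions for the samples: report.pdf and notes.txt are delivered, invoice.pdf.exe and shipping.pdf are rejected, and budget.xls is held for scanning. Password-protected archives and links to externally hosted files are the two common ways around a filter like this, which is why the post’s advice to publish to a repository and mail a link remains the better default for internal traffic.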

And sure enough, on June 27, 2017 the BBC reported another ransomware attack, named Petya.

Petya Ransom Demand

Those who chose to accept, rather than mitigate, the risk of a further attack after the release of WannaCry are paying the price.

Instead of encrypting individual files, this one encrypts the Windows Master File Table, which keeps track of all files stored on the disk.

As long as the cost of spreading the malware is low and reward high, ransomware is likely to be a persistent phenomenon.

There is an obvious fault in the design of these schemes: installing application software such as the required Tor Browser on a corporate desktop typically needs an administrative account. End users are unlikely to be able to restore their files in this case.

It’s 2017. Duran Duran and Tears for Fears are on high rotation at my local Starbucks, which is a good thing!