Red Sift Blog

Red Sift Blog
  • redsift.com
  • Featured
  • Who are we?
  • Get in touch
You are here: Home / Cybersecurity / WannaCry attack: what happens next?

WannaCry attack: what happens next?

by Rahul Powar
May 15, 2017 (updated August 16, 2022)
Filed under:
  • Cybersecurity

By now, even people who’ve not heard of computer worms or ransomware have heard about #WannaCry. In this blog, we’ll explore what just happened and how we can use these learnings to help us better prepare our organizations for the next generation of attacks.

Better localization than most commercial software

WannaCry is the largest ransomware infection in history with over 70 countries hit with an infection that encrypts the contents of Windows machines and demands bitcoin payment with the promise to unlock the file system and restore access to said files.

How did this happen?

On April 14th, 2017, a group called Shadowbrokers dumped a bunch of internal software tools from the NSA. These are tools nation-states create or purchase to exploit weaknesses in the software you know and use as part of an ongoing digital arms race.

Somehow, Shadowbrokers managed to get hold of some of these bits and released them to the world: think of it as someone making off with weapons-grade plutonium and just giving it away.

The April 2017 dump included three groups of exploits and related material: one related to data from the SWIFT payment network, a collection of documents and top-secret PowerPoint presentations, and, most interestingly, a care package of exploits for Windows machines. Some of these exploits had not been seen before, and researchers fully expected to start seeing new attacks built on this now-public knowledge. Unfortunately, this has now happened.

WannaCry uses an exploit from this trove, codenamed ETERNALBLUE, together with the DoublePulsar backdoor to rapidly infect Windows machines on a network. Microsoft actually released MS17-010, a security update that fixes this, in March. That was a good month before these NSA hacking tools were released to the public. However, at the time, these updates were released only for Microsoft's currently supported operating systems, as is normal commercial practice. We will come back to this.

What’s happening now?

Luckily, as the infection broke, a ‘kill switch’ was discovered. A kill switch is often used to ensure that the creator has some control after the infection is out in the wild. At the very least, they typically want to ensure they can control it while they are actively creating or testing the malware so they don’t demolish their own computers. In this instance, the kill switch was discovered to be a website that the software would check before it went about its business.

Security researchers quickly purchased the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and for computers that could reach it over the internet, that halted the infection.
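A defender's view of the same mechanism, as an added example that is not part of the original post: because the worm looks up the kill-switch domain before doing anything else, any host that queried that name has run the worm, whether or not the lookup succeeded. The log lines below are constructed samples in an assumed BIND-style query-log format; the parser would need adjusting for another resolver.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in DNS query logs.
Example code, not Red Sift's; the log format is an assumption."""
import re
from collections import defaultdict

# Domain named in the post; a query for it is an indicator that the worm ran.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = """\
15-May-2017 09:12:01.123 client 10.0.4.17#53211: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
15-May-2017 09:12:03.456 client 10.0.4.17#53212: query: update.microsoft.com IN A + (10.0.0.2)
15-May-2017 09:13:10.789 client 10.0.9.44#41002: query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.2)
15-May-2017 09:14:00.000 client 10.0.2.8#40001: query: mail.example.org IN MX + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return {ts, ip, qname, qtype} for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing dot; normalise both.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_kill_switch_queries(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch domain to its query timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == domain.lower():
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for ip, times in find_kill_switch_queries(SAMPLE_LOG).items():
        print(f"{ip} queried the kill-switch domain {len(times)} time(s): {times}")
```

Hosts on the list should be isolated and checked for the infection even if the domain resolved for them, since the kill switch only stops the worm from continuing, it does not remove it.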

This webpage stops the spread in a few cases

Microsoft has since released patches for these older operating systems to stem the tide. However, new versions of the worm are out with new kill switches including versions that have NO kill switch. It is clear that this isn’t over yet.

Why did this go so wrong?

To actually get across the organization’s firewall and start spreading, WannaCry needed a way into the network. The innovation for this worm was the use of phishing emails to get it onto patient zero inside a network. This is the oldest trick in the book, and it worked spectacularly well. Most organizations have such a poor posture with regard to their email security that, for a hacker, this is an obvious and relatively easy route to achieving their objective.

At the onset of the infection, the NHS in the UK was one of the most significant and public of the organizations affected as real people were put at risk.

We can check the relative health of an organization’s email infrastructure from the outside by measuring the adoption of DMARC, an email cyber security standard. We did a review of domains belonging to around 200 NHS Authorities and Trusts and what we found shocked us.

DMARC is a bellwether for the cyber health of an organization

Our hospitals are not only running unpatched, unsupported installations of the Windows operating system, as evidenced by the scale of this infection, but they also have practically no protection against other email-borne threats, as they’ve failed to implement DMARC, something the NCSC describes as fundamental for cybersecurity protection. The one organization listed that has DMARC is in the initial ‘reporting’ mode and currently receives no active protection from it.
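What an outside-in DMARC review like the one above actually measures, as an added example that is not Red Sift's code: the published `_dmarc.<domain>` TXT record is parsed and graded, with a `p=none` record counted as reporting-only and therefore giving no active protection, exactly the situation of the one NHS organization mentioned. The records below are constructed samples, not real NHS data; a live check would fetch each domain's `_dmarc` TXT record with a DNS library (assumed here, not shown) and feed it to `classify`.

```python
"""Grade DMARC posture from _dmarc TXT records. Example code, not Red Sift's.
Sample records are constructed; the domains do not exist."""

# Constructed sample records keyed by domain. None means no _dmarc TXT record.
SAMPLE_RECORDS = {
    "trust-a.example": None,
    "trust-b.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@trust-b.example",
    "trust-c.example": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@trust-c.example",
    "trust-d.example": "v=DMARC1; p=quarantine; pct=20",
    "trust-e.example": "v=spf1 include:_spf.example -all",  # SPF record published at _dmarc
}


def parse_dmarc(record):
    """Return a tag->value dict for a DMARC record, or None if it is not a DMARC record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The record must start with the DMARC1 version tag to be valid.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record):
    """Map a record to: missing, invalid, reporting-only, partial or enforcing."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if policy == "none":
        return "reporting-only"  # reports are sent, but no failing mail is acted on
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct >= 100 else "partial"
    return "invalid"


def survey(records):
    """Count domains per posture, the summary an outside-in review produces."""
    counts = {}
    for record in records.values():
        grade = classify(record)
        counts[grade] = counts.get(grade, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(record)}")
    print(survey(SAMPLE_RECORDS))
```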

What next?

WannaCry and its newly forming variants are still spreading, and organizations need to clean up. Some variants appear to be dormant but replicating, so it’s safe to say there’s a lot of underreporting of the true extent of the problem. Some of these new variants are not created by the hackers behind the initial WannaCry ransomware, so expect to see more takes on this type of attack in the near future. WannaCry isn’t even the only game in town right now: another ransomware, dubbed Jaff, was being spread at the rate of 5 million emails per hour when WannaCry broke out.

US-CERT, the United States Computer Emergency Readiness Team, has been updating an alert on WannaCry and providing a section on Solutions and Recommended Steps for Prevention.

  1. The first thing they recommend you do is patch your system with the Microsoft patches to stop the spread.
  2. The second thing they recommend is using technology such as DMARC to prevent email spoofing and start reducing exposure to phishing.

Traditionally, DMARC has been complicated and expensive to deploy but we are working to change that. OnDMARC can test your email infrastructure and help you start your DMARC deployment in minutes.

Of course, the list of actions from US-CERT, including DMARC, isn’t a magic bullet. The reality is that this is one part of a system of tools and processes that need to be in play inside an organization to ensure we don’t fall victim to an increasingly sophisticated and hostile cyber landscape. However, we should all be clear that the time for action is now.

Cybersecurity is now part of the cost of doing business, not just a procedure you invoke when things go wrong. It’s the difference between treatment and vaccination — when possible, prevention is far preferable to cleaning up after the epidemic. This should be a wake-up call for businesses, governments, regulators, and ordinary citizens.

Technology is a companion whose health and safety matter to the way we work, play, and live our lives, and we need to treat it as such.

To check your domain health and current security setup, you can use our free Investigate tool and get your results in seconds.
