WannaCry Ransomware Post-Mortem: Where Did We Go Wrong?

It's impossible to read the tech news these days without seeing a report of a new ransomware attack. The recent spread of a new form of ransomware called WannaCry, though, has captured the public's imagination -- perhaps because of how rapidly it infected computers within the first few days of its release. At the time of writing, WannaCry has encrypted the files on hundreds of thousands of computers and illicitly raised more than $123,000 in Bitcoin.

WannaCry spreads by exploiting a Windows vulnerability that, according to press reports, was first discovered and weaponized by the United States government. The more uncomfortable truth is that the hole had been closed before the outbreak began: Microsoft shipped the fix in March 2017 (security bulletin MS17-010), and any supported Windows machine that had installed it through Windows Update, the single most important security tool Windows has, could not have been infected. Only unsupported systems such as Windows XP and Windows Server 2003 had no patch available until Microsoft issued emergency updates during the outbreak.

What Is WannaCry?

WannaCry spreads across local networks and over the Internet by exploiting a flaw in Microsoft's implementation of version 1 of the Server Message Block protocol (SMBv1) on unpatched Windows systems from Windows XP onward. Once it is running on a host, it scans the local subnet and randomly chosen Internet addresses for other machines exposing SMB on TCP port 445 and attempts to exploit each one, while in parallel running its encryption payload on the host it has already infected.

The ransomware encrypts documents and other important files on the computer -- rendering them unreadable without a decryption key -- and displays a notification on the screen.

The notification demands a payment of $300 in Bitcoin in exchange for the key necessary to unlock the encrypted files. The notification further warns the victim that the fee will double after three days -- and that the encrypted files will become unrecoverable after one week.

How Does WannaCry Work?

WannaCry uses the EternalBlue exploit to gain code execution on vulnerable machines. Reports attribute EternalBlue to the United States National Security Agency, from which it was stolen. A group calling itself the ShadowBrokers obtained the tool and published it, together with other NSA tooling, in April 2017. WannaCry also installs DoublePulsar, another leaked NSA tool: a kernel-mode backdoor that EternalBlue plants on the victim and that WannaCry then uses to load its payload into a running process and start the ransomware.

The important detail is the timing. Microsoft had already patched the vulnerability in every supported version of Windows on 14 March 2017 (bulletin MS17-010), a month before the ShadowBrokers leak and two months before WannaCry appeared. Anyone running a supported version of Windows who had enabled automatic updates, or applied the update manually, before 12 May 2017 was not vulnerable to it.

Microsoft also released emergency patches for three unsupported versions of Windows -- Windows XP, Windows Server 2003 and Windows 8.0 -- after WannaCry began to infect systems.

Has WannaCry Infected Many Computers?

Media reports put the count at more than 230,000 infected computers in over 150 countries, including critical business, government and healthcare systems. Affected organizations include:

  • FedEx in the United States
  • The National Health Service in the United Kingdom
  • The automaker Renault in France
  • The interior ministry of Russia

Is WannaCry Still Infecting Computers?

WannaCry is still a threat. Using the search engine Shodan, writer Dave Lewis found more than 891,000 Windows systems exposing SMB directly to the Internet and therefore still reachable by the EternalBlue exploit. Two caveats apply to that number: Shodan can see that port 445 answers, not whether the host has been patched, so it is an upper bound on Internet-facing targets rather than a count of confirmed-vulnerable machines; and it says nothing about the far larger population of machines reachable only from inside a corporate network, which is where WannaCry did most of its damage.

Shortly after WannaCry began to spread, security researcher MalwareTech noticed that the original sample contained a kill switch. Before doing anything else, the malware sent an HTTP request to a long, nonsensical domain that nobody had registered. If the request failed, as it would on any normal Internet connection, the malware went on to spread and encrypt; if the request succeeded, it exited without doing either. The most common explanation is sandbox evasion: analysis sandboxes often answer every DNS query and HTTP request so that malware will reveal its behaviour, and a reply from a domain that should not exist is a sign the sample is being watched.

MalwareTech registered the domain, which immediately halted the spread of that build, but it bought time rather than a cure. Variants with different kill-switch domains, and later ones with the check patched out, surfaced within days. The kill switch also never helped machines that cannot make direct outbound web requests, such as hosts behind a proxy that the malware did not know how to use, because for them the request always failed.

How Do I Protect My Business From WannaCry and Attacks Like It?

In May 2017, security firm ESET released a free tool that checks whether a Windows computer is vulnerable to the EternalBlue exploit that WannaCry uses. If the vulnerability is present, the tool opens the download page for the appropriate Microsoft patch in a browser window. You can make the same check without third-party software: confirm that the MS17-010 update (or a later cumulative update that includes it) is installed, and check whether SMBv1 is enabled at all.

Until every computer in your organization is patched, your company is vulnerable to WannaCry and similar malware. Patching is the fix; two further controls shrink the blast radius while you get there: disable SMBv1 wherever nothing still depends on it, and block inbound TCP port 445 at the perimeter and between workstations so that a single infected host cannot reach every other one.
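The following script is an added example for this article; it is not ESET's checker or Microsoft code. It reports whether a host shows the MS17-010 fix, whether SMBv1 is enabled and whether SMB is listening, and with -Harden it disables SMBv1 and blocks inbound port 445 on the host firewall. It assumes an elevated PowerShell prompt on Windows 7 / Server 2008 R2 or later; the Smb* cmdlets exist only from Windows 8 / Server 2012, so older systems fall back to the registry and netsh. The KB numbers are the ones Microsoft's MS17-010 bulletin lists; the PossiblyVulnerable field is a heuristic, not a proof, and the srv.sys version is printed so it can be compared with the bulletin by hand.

```powershell
# Added example for this article; not ESET's tool or Microsoft code.
# Usage (elevated PowerShell):  .\Check-MS17010.ps1          # report only
#                               .\Check-MS17010.ps1 -Harden  # also disable SMBv1, block inbound 445
param([switch]$Harden)

# KB numbers from Microsoft's MS17-010 bulletin, per OS. Later cumulative
# updates contain the same fix without listing these IDs, so a missing KB is
# only conclusive on a machine that has installed nothing since March 2017.
$ms17010Kbs = @(
    'KB4012598',                            # XP, Vista, Server 2003/2008, Windows 8.0
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$hotfixes   = Get-HotFix
$installed  = $hotfixes | Select-Object -ExpandProperty HotFixID
$matchedKbs = @($ms17010Kbs | Where-Object { $installed -contains $_ })
$newestFix  = ($hotfixes | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$updatedSinceFix = ($null -ne $newestFix) -and ($newestFix -ge [datetime]'2017-03-14')

# The SMB server driver that MS17-010 replaced; compare this version with the
# bulletin's file table for a definitive answer on a given OS build.
$srvVersion = (Get-Item "$env:WINDIR\System32\drivers\srv.sys" -ErrorAction SilentlyContinue).VersionInfo.ProductVersion

# SMBv1 status: the protocol the exploit needs. Turning it off removes the
# attack surface even on a host you cannot patch yet.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # On Windows 7 / 2008 R2 an absent SMB1 value means enabled; 0 means disabled.
    $smb1Value   = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
}

# Is anything listening on 445 locally? Internet exposure must be checked from outside.
$smbListening = [bool](netstat -ano | Select-String ':445\s+\S+\s+LISTENING')

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    MS17010KbPresent    = ($matchedKbs -join ',')
    UpdatedSinceMar2017 = $updatedSinceFix
    SrvSysVersion       = $srvVersion
    SMB1Enabled         = $smb1Enabled
    SMBListening        = $smbListening
    # Heuristic: SMBv1 on, and no sign of the fix or of any later update.
    PossiblyVulnerable  = $smb1Enabled -and -not ($matchedKbs.Count -gt 0 -or $updatedSinceFix)
}

if ($Harden) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 disabled in the registry; this OS needs a reboot for it to take effect.'
    }
    # Block inbound SMB on the host firewall. Workstations rarely need to serve
    # files; on a file server replace this with an allow rule scoped to its clients.
    $ruleName = 'Block inbound SMB (TCP 445)'
    netsh advfirewall firewall add rule "name=$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
}
```

Run it read-only across the fleet first (for example through Invoke-Command on a list of hosts) and fix the PossiblyVulnerable ones by patching; reserve -Harden for machines that cannot be patched immediately, and remember that disabling SMBv1 breaks clients and devices that only speak that version, such as some old printers and NAS appliances.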

WannaCry is particularly insidious, but it is only one threat. Enabling automatic updates in Windows is the simplest way to close the hole it uses, and before long some other threat will begin winding its way around the Internet.

What will you do then? What cyber security policy can your company adopt to ensure that it never has to pay a ransom to access its own files?

The simplest countermeasure for malware like WannaCry is to keep several backups of your most important data. Ransomware only works because it encrypts files that the victim can't afford to lose. The backups must sit where an infected machine cannot write to them, on offline media or on storage the workstation holds no credentials for, because ransomware encrypts every local drive and mapped share it can reach, backups included. Test a restore regularly; a backup that has never been restored is a hope, not a plan. With good backups, an infected computer can simply be wiped and reimaged.

It is also wise to consider adopting an application whitelisting policy in which your company's IT department approves every application your computers may run, ideally by publisher certificate or file hash rather than by folder path.

When a whitelisting policy is in effect, a computer refuses to run any executable that isn't on the list, including malware that arrives as a new file. This stops most commodity malware before its payload runs, but not all of it: code injected into a process that is already running, as WannaCry's exploit stage is, is never checked, and the default rules that allow everything under the Windows folder would let a dropper that runs as SYSTEM and writes there execute anyway. Whitelisting limits what malware can do after a foothold; it does not replace patching.
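As an added example for this article (not code from its author or from Microsoft), the script below builds a starting AppLocker policy from the software already installed, applies it in audit mode, and dry-runs it against a constructed unsigned file placed in a user-writable temp folder. It assumes an elevated prompt on a Windows edition that enforces AppLocker (Enterprise/Education, or Server 2012 and later). It deliberately generates publisher and hash rules rather than path rules, so that a file dropped into C:\Windows by a SYSTEM-level process is still outside the allow list.

```powershell
# Added example for this article; not the article author's or Microsoft's code.
# Run from an elevated PowerShell prompt. The recursive scan of the Windows
# folder takes several minutes on a typical machine.
Import-Module AppLocker

# Inventory executables in the directories standard users cannot write to.
# Publisher rules are generated for signed files and hash rules for unsigned
# ones; no path rules, so location alone never makes a file trusted.
$inventory = @()
foreach ($dir in @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($dir -and (Test-Path $dir)) {
        $inventory += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}
$policyXml = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Audit mode first: AppLocker logs what it would have blocked but blocks
# nothing, so you discover what the inventory missed before enforcing.
$policy = [xml]$policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policy.Save($policyPath)

# AppLocker does nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Apply as the local policy. Add -Merge to combine with an existing policy
# instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry run: a constructed, unsigned file with an .exe name in a user-writable
# folder stands in for a dropped executable; notepad.exe is the control.
$dropped = Join-Path $env:TEMP 'dropped.exe'
Set-Content -Path $dropped -Value 'constructed test file, not a real program' -Encoding ASCII
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe", $dropped -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $dropped

# While auditing, event 8003 in the AppLocker log means "would have been
# blocked". Review these for a few weeks, then change EnforcementMode to
# "Enabled" in the XML and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Two design notes. Hash rules for unsigned binaries break on every software update, so prefer vendors that sign their code and regenerate the hash rules as part of patch deployment. This policy covers only the Exe collection; DLL and script collections close further gaps (WannaCry's first stage is a DLL) but carry a performance cost and need their own audit period before enforcement.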