It has been ten days since the WannaCry ransomware attack was unleashed. It has infected nearly 300,000 devices in 150 countries. During that time, many large organizations—including hospitals, banks, and telecom companies—were brought to a halt when their data was encrypted. The yet-to-be-identified attackers had received just under $110,000 in ransom at the time this article was published. Despite the initial chaos, details have emerged about how the attack happened, who may be behind it, and other malicious attacks using comparable techniques.
WannaCry: What We Know So Far
It is now believed that Windows 7 users were the hardest hit by WannaCry, which counters initial reports that stated Windows XP users were the most widely affected. In fact, the version of Windows 7 that suffered the brunt of the attack is the x64 Edition, an operating system widely deployed by large organizations. It is unclear whether enterprises are less likely to keep up with their security patches, or whether other factors explain this pattern of infections.
Another rumor states that most systems became infected following the distribution of spam emails. However, it has been proven more recently that the malware began by scanning the internet for devices with open Server Message Block (SMB) ports. It then used a modified version of “EternalBlue”, an exploit initially developed by the National Security Agency, to install WannaCry on vulnerable machines. Once installed, WannaCry propagated across networks, infecting connected devices and encrypting more and more user data as it spread.
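The propagation pattern described above, a host sweeping many peers for open SMB listeners in a short time, is something defenders can spot in ordinary connection logs. The script below is an added example, not code from the original article or from NetWize: it parses constructed connection-log lines (the format, IP addresses and thresholds are assumptions), counts distinct port-445 destinations per source inside a sliding time window, and flags sources whose fan-out looks like worm scanning rather than normal file-share use.

```python
"""
Detect worm-like SMB scanning from connection logs.

A host spreading through an SMB flaw first has to find reachable SMB
listeners, so it opens TCP connections to port 445 against many distinct
peers in a short time. Ordinary clients talk to a handful of file servers.
Counting distinct port-445 destinations per source inside a sliding window
separates the two behaviours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
SMB_PORT = 445


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout(lines, window_seconds=60):
    """Return {src: max distinct port-445 destinations seen in any window}."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) events still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])  # logs may be collected out of order
    for ts, src, dst, port in events:
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that have slid out of the window
        distinct = len({d for _, d in q})
        if distinct > peak[src]:
            peak[src] = distinct
    return dict(peak)


def flag_scanners(lines, threshold=20, window_seconds=60):
    """Sources that reached at least `threshold` distinct SMB peers within one window."""
    fanout = smb_fanout(lines, window_seconds)
    return sorted(src for src, n in fanout.items() if n >= threshold)


def build_sample_log():
    """Constructed traffic (not real data): one sweeping host, two behaving normally."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.0.5 probes 60 distinct hosts on 445 within three seconds: worm-like.
    for i in range(60):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 10.0.0.{101 + i}:{SMB_PORT}")
    # 10.0.0.7 alternates between two file servers and browses the web: benign.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 10.0.0.{20 + i % 2}:{SMB_PORT}")
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 192.0.2.10:443")
    # 10.0.0.9 reaches 25 peers on 445, but spread over more than an hour: slow, not flagged.
    for i in range(25):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> 10.0.0.{200 + i}:{SMB_PORT}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, n in sorted(smb_fanout(log).items()):
        print(f"{src}: peak {n} distinct SMB peers per 60 s")
    print("flagged:", flag_scanners(log))
```

The slow host (10.0.0.9) is deliberately left unflagged: a rate-based rule catches the fast sweep WannaCry performed, while a patient scanner needs a longer window or a separate cumulative count, so tune `window_seconds` and `threshold` to the baseline SMB fan-out actually seen on the network being monitored.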
Who is Behind the WannaCry Attack?
EternalBlue was initially developed by the NSA, only to be leaked by the hacker group known as The Shadow Brokers, along with a number of other weaponized software exploits on April 14, 2017. The connection between The Shadow Brokers and the group that created WannaCry remains unclear.
Cybersecurity company Kaspersky Lab has pointed out similarities between the code used for WannaCry, and code that was used for attacks carried out by hackers known as the Lazarus Group. The Lazarus Group, which has ties to North Korea, is believed to have carried out the cyberattack against Sony Pictures in 2014, as well as a bank heist in Bangladesh in 2016. North Korea is denying involvement in those attacks, as well as WannaCry.
Source: tweet by Costin Raiu (@craiu), May 15, 2017.
New Malware on the Prowl
All of the recent attention on WannaCry has brought to light new threats that are doing damage via the same security exploits that were originally developed by the NSA. One in particular, “EternalRocks”, is malware that makes use of seven of the weaponized exploits The Shadow Brokers have leaked, which is five more than WannaCry used.
Another malware, “Adylkuzz”, has also been spreading using similar security exploits as WannaCry. Although it hasn’t received the same amount of attention that WannaCry generated, it is thought to have been at work longer, and to have done even more damage in the time since its release. Similar to WannaCry’s reliance on the cryptocurrency Bitcoin, Adylkuzz profits from its use of a digital currency called Monero.
Trust the Experts
In March 2017, Microsoft announced the security patch that fixes the SMB vulnerability behind the latest wave of attacks. At that time, NetWize made sure its customers were protected by implementing the requisite security update. We are also available for consultation regarding user best practices for optimal security. We always make sure our customers are protected with up-to-date anti-virus protection, and a reliable data backup and disaster recovery process. Ask us about Sophos Intercept-X, and its capabilities for protecting against any type of ransomware attack.
If you have any questions or concerns regarding recent malware attacks, or cybersecurity in general, please call NetWize at (801) 747-3200, option 1.