Ransomware is a type of malware that encrypts the files on a victim’s computer and holds them hostage until someone pays the hacker who released it. Despite a possible fix that stopped the virus from spreading, things still hang in the balance in the cyber world, and in the inimitable words of Yogi Berra, “It’s not over till it’s over.” Here’s the scoop:
Last Friday, a British cyber-security researcher named Marcus Hutchins, who runs the MalwareTech blog, returned from lunch to find news on the net that the British National Health Service (NHS) was being ravaged nationwide by nearly simultaneous explosions of ransomware.
Marcus got to work immediately. He secured a sample of the ransomware, which has come to be known as “Wannacry” or “WannaCrypt0r”, from a friend. He then infected a specially protected system so he could study the results. After installing the malware and letting it run, Marcus noticed that the code was searching the Internet, looking for an unregistered domain. A domain is a unique human-friendly name which points to a computer or network, like LibertyNation.com. Because this behavior is not unusual for malware, Marcus registered that domain for about eleven dollars, hoping it would help him learn more about the malware’s behavior. Because it takes a while for Internet Domain Name System (DNS) servers to spread newly registered information across the Internet, Marcus returned to his electronic petri dish and kept digging.
This time when Marcus ran the sample, he noticed that the malware was attempting to communicate with other computers using the protocol behind Microsoft’s file and printer sharing services, Server Message Block (SMB). He knew that the hacking group “Shadowbrokers” had recently released U.S. National Security Agency (NSA) tools designed to exploit SMB, so he tweeted out to the information security community seeking confirmation.
A colleague then asked him to share his sample but could not reproduce the behavior Marcus had first observed. So Marcus had an employee check the malware again to see whether the domain it was reaching out to had changed. The employee mistakenly reported that the domain registration had triggered the ransomware, causing it to encrypt all files. There was much panic until other researchers said that exactly the opposite was true: registering the domain had stopped the malware from executing.
Further investigation revealed that the malware authors had included the domain check as a “kill switch.” If the writers wanted the malware stopped, they could do what Marcus did, and no new malevolent action would occur. Because Marcus had now stolen the authors’ kill switch, he had inadvertently brought a halt to new activation of the malware on any device with access to the Internet. The Internet cheered, and Marcus documented his findings and took a well-deserved nap. Overnight, the press began calling Marcus an accidental hero. His Twitter following has jumped from twenty thousand to almost sixty thousand as of today.
But this story isn’t over because, despite Marcus’ victory, he only slowed Wannacry down. By Saturday, Wannacry had infected over one hundred thousand systems worldwide. It now affects over two hundred thousand. It is still spreading via email at a minimum.
Additionally, several different efforts have been made to disable the kill switch. Someone in China attempted to transfer the kill switch domain away from Marcus, and another person tried to overwhelm the MalwareTech server to turn off the kill switch.
Complicating things further, new versions of Wannacry are in the wild now. McAfee Labs reports that Wannacry can spread itself across the Internet if the random Internet addresses it targets are accessible and vulnerable, and it now checks two distinct domains before attempting to encrypt data or spread itself via the network. To make matters worse, Hackernews reports that Kaspersky Labs has seen incomplete Wannacry samples with no kill switch at all. The existence of the no-kill-switch versions is independently confirmed, and researchers believe that these new releases are the work of a different group. Lawrence Abrams of BleepingComputer has discovered four different Wannacry variants in various stages of development. And with the Financial Times reporting that more than 1.3 million systems are still vulnerable to Wannacry, it is just a matter of time before someone releases a fully functioning version with no kill switch. When that happens, only fully patched systems are safe.
The good news is that patching is easy. Microsoft, which had previously released a patch for current versions of Windows, has taken the exceptional step of providing a patch for unsupported versions such as Windows XP as well. Take Marcus’ advice via Twitter:
MalwareTech (@MalwareTechBlog), 12 hours ago:
Warning for Monday: If you turn on a system without the MS17-010 patch and TCP port 445 open, your system can be ransomwared.
There are other steps you can take, but patching is by far the easiest fix. Do it now if you haven’t already.
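The two behaviors described above, a lookup of a kill-switch domain followed by a burst of outbound SMB connections to many random addresses on TCP port 445, are something a defender can look for in DNS and connection logs. The script below is an added example, not code from the original article or from MalwareTech; the log format, host names, domain name and threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry, not real logs. Each line is either
# "<time> <host> dns <domain> <rcode>" or "<time> <host> conn <dst_ip> <dst_port>".
# ws-17: kill-switch lookup failed (NXDOMAIN), then fans out on TCP/445 -> worm-like.
# ws-22: kill-switch domain resolved, one SMB connection -> halted, as the article describes.
# ws-31: repeated connections to a single internal file server -> normal SMB use.
SAMPLE_LOGS = (
    ["09:00:01 ws-17 dns unregistered-check.example NXDOMAIN"]
    + [f"09:00:{2 + i:02d} ws-17 conn 203.0.113.{i} 445" for i in range(1, 13)]
    + [
        "09:00:20 ws-22 dns unregistered-check.example NOERROR",
        "09:00:21 ws-22 conn 203.0.113.50 445",
        "09:00:30 ws-31 conn 10.0.0.7 445",
        "09:00:31 ws-31 conn 10.0.0.7 445",
    ]
)


def parse(line):
    """Split one log line into (host, event kind, remaining fields)."""
    _time, host, kind, *rest = line.split()
    return host, kind, rest


def analyze(lines, min_targets=8):
    """Return {host: {"targets": n, "killswitch_resolved": bool | None}} for every
    host that opened TCP/445 connections to at least min_targets distinct addresses.
    killswitch_resolved is None when the host never queried the kill-switch domain;
    a scanning host whose lookup resolved is worth a closer look, since the original
    sample stops when the domain resolves (a variant without the check would not)."""
    targets = defaultdict(set)   # host -> distinct destination IPs on port 445
    dns_result = {}              # host -> True if the kill-switch lookup resolved
    for line in lines:
        host, kind, rest = parse(line)
        if kind == "conn" and rest[1] == "445":
            targets[host].add(rest[0])
        elif kind == "dns":
            dns_result[host] = rest[1] == "NOERROR"
    return {
        host: {"targets": len(ips), "killswitch_resolved": dns_result.get(host)}
        for host, ips in targets.items()
        if len(ips) >= min_targets
    }


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOGS).items():
        print(f"{host}: {info['targets']} SMB targets, kill switch resolved: {info['killswitch_resolved']}")
```

The threshold of eight distinct targets is arbitrary; on a real network it should sit well above what legitimate clients reach when talking to file and print servers.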
And make sure you have an offsite backup of your files. If Wannacry compromises you, you might as well wipe your hard drive and start over. Check Point Software Technologies reports that even though the Bitcoin accounts associated with Wannacry have received more than $33,000, no one has had their files decrypted. What is worse is that there does not appear to be a way for the hackers who authored Wannacry to know who has paid them, and researchers are unsure whether the hackers even have the means to decrypt the files at all.
Update your computers. Make sure you have a current virus scanner. Back up your data. Don’t open email attachments or web links. Tattoo that to the inside of your eyelids.
After all, Marcus won’t always be there to save you.