The WannaCry ransomware first spread across Europe and Asia on 12 May 2017, famously crippling the United Kingdom's National Health Service, several Renault factories, and Nissan's plant in Sunderland, UK.
Hospital and clinic computer systems were taken offline, some for weeks. Around 19,000 NHS appointments were cancelled, and losses across the roughly 150 countries affected were estimated at up to $4 billion. The car plants would not say whether production halted or speak to the true effects of the attack.
WannaCry’s Origin Story
WannaCry, in its original form, is ransomware bolted onto a network worm. Early reports blamed phishing emails with malicious links or attachments, but later analysis found no email vector: the worm component scans for Windows machines exposing SMBv1 on TCP port 445 and breaks in with EternalBlue, the NSA exploit for the MS17-010 vulnerability that the Shadow Brokers leaked in April 2017. Once running, it encrypts the user's documents and other data files within minutes and displays a pop-up demanding roughly $300 US in Bitcoin, rising to $600 after three days.
Before it encrypts or spreads, each new infection first makes an HTTP request to a single hard-coded domain. If the request gets no response, the malware carries on: it encrypts files and starts scanning the local network and random Internet addresses for further port-445 targets, which is the worm behaviour. If the request does get a response, the malware simply exits.
MalwareTech To The Rescue
This version of the attack had a short life-span thanks to a 22-year-old UK security researcher, Marcus Hutchins, who goes by the name MalwareTech. Looking into the code, he noticed that while the domain looked random, it never changed: every sample contacted the same name, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Again, a non-response was the signal for the malware to continue worming through the network.
MalwareTech checked the domain and found that nobody owned it. He registered it for $10.69 and pointed it at a sinkhole server so that it answered. That small step turned out to be the kill switch: every new infection that could reach the domain received an HTTP response and exited before encrypting or spreading. In effect, MalwareTech tricked the malware into shutting itself down by buying a domain.
Why was a kill switch this easy to activate? The most common explanation is sandbox evasion: many automated analysis sandboxes answer every DNS lookup and HTTP request with a fake response, so a sample that exits whenever an unregistered domain "responds" hides its real behaviour from analysts. Whatever the intent, it was a mistake on the authors' part: generating a different domain per sample, or at random on each run, would have made the check far harder to neutralise. Other theories hold that the worm was released accidentally or before it was finished.
The kill switch slowed WannaCry but did not stop it. Within days, variants appeared that used different kill-switch domains (which were registered just as quickly) and at least one in which the check had been patched out. Just as important, on a machine that is already infected the kill switch removes nothing: the malware stays installed and merely exits each time its check succeeds. It is dormant, not gone.
WannaCry Blame Game
Where did the exploit come from? EternalBlue was developed by the NSA, which kept the underlying SMB vulnerability to itself instead of reporting it to Microsoft; the exploit reached the public when the Shadow Brokers leaked it in April 2017. Microsoft had already shipped the fix, MS17-010, in March 2017, two months before the outbreak, and afterwards its president Brad Smith publicly criticised governments for stockpiling vulnerabilities rather than disclosing them. By the end of 2017, the United States had formally attributed WannaCry to the Lazarus Group, hackers working for the North Korean government.
Dangerous and Dormant
Besides the newer variants, a risk lies in the original dormant infections. The kill switch holds only for as long as the domain answers: each time the malware's service starts (after a reboot, for example) it repeats the HTTP check, and if it gets no response it encrypts and spreads exactly as originally intended. The check is a direct HTTP request that ignores the system's proxy settings, so a network that only allows Internet access through a proxy, an Internet outage, or a firewall rule that silently drops connections to the "malicious" domain all look the same to the malware. Blocking the kill-switch domain is therefore the wrong response: the domain must stay reachable, and the infection itself must be removed from the machine.
Jamie Hankins, Head of Security & Threat Intelligence at Kryptos Logic, which operates the sinkhole behind the domain, estimated in December 2018 that more than half a million PCs still carried WannaCry dormant in their systems. He urged the owners of exposed machines to clean them once and for all.
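To make the gate described above concrete, here is an added example (not the malware's own code, and not from the original article) that models WannaCry's kill-switch decision with the network replaced by constructed fetcher functions. The malware only ever tested whether it got any HTTP response back; the status code was never inspected. The scenario names and the first_activation helper are assumptions made for the demonstration.

```python
"""Model of WannaCry's kill-switch gate (added example, not the worm's code).

The real worm asked for the hard-coded domain over a direct HTTP
connection and tested one thing only: did *any* response come back?
A response means "exit quietly"; no response at all means "encrypt and
spread". Here the network is replaced by constructed fetcher functions
so the decision logic can be exercised offline.
"""

# The real kill-switch domain, registered by MalwareTech on 12 May 2017.
KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


class FetchFailed(Exception):
    """Stands in for the HTTP library returning no response at all."""


def killswitch_allows_execution(fetch, domain=KILLSWITCH_DOMAIN):
    """Return True if the malware would proceed to encrypt and spread.

    `fetch(url)` must return an HTTP status code whenever a response of
    any kind arrives (even an error page) and raise FetchFailed when
    none does. The status code is deliberately ignored, as the worm
    ignored it.
    """
    try:
        fetch("http://" + domain + "/")
    except FetchFailed:
        return True   # nobody answered: behave as if the domain is unregistered
    return False      # something answered: abort


# Constructed network conditions (assumptions for the demo, not measurements).
def sinkhole_reachable(url):
    return 200                      # Kryptos Logic's sinkhole answers


def firewall_block_page(url):
    return 403                      # an HTTP block page is still a response


def connection_dropped(url):
    raise FetchFailed("TCP 80 silently dropped by a 'block this domain' rule")


def dns_failure(url):
    raise FetchFailed("NXDOMAIN or Internet outage")


def proxy_only_egress(url):
    # The worm opened a DIRECT connection, so proxy-only networks refuse it.
    raise FetchFailed("direct connection refused; proxy settings ignored")


SCENARIOS = {
    "sinkhole reachable": sinkhole_reachable,
    "firewall block page": firewall_block_page,
    "connection dropped": connection_dropped,
    "dns failure / outage": dns_failure,
    "proxy-only egress": proxy_only_egress,
}


def evaluate_all():
    """Map each scenario name to whether the malware would activate."""
    return {name: killswitch_allows_execution(f) for name, f in SCENARIOS.items()}


def first_activation(network_states):
    """Given the network condition at each service start (e.g. each reboot)
    of an already infected host, return the index of the first start at
    which the dormant worm activates, or None if the sinkhole always answered."""
    for i, fetch in enumerate(network_states):
        if killswitch_allows_execution(fetch):
            return i
    return None


if __name__ == "__main__":
    for name, proceeds in evaluate_all().items():
        print(f"{name:22s} -> {'ENCRYPT + SPREAD' if proceeds else 'exit quietly'}")
    reboots = [sinkhole_reachable, sinkhole_reachable, connection_dropped]
    print("dormant host activates at service start #", first_activation(reboots))
```

The point of the five scenarios is the asymmetry: a block page from a web filter keeps the malware quiet, while a rule that drops the connection, an outage, or a proxy-only network all wake it up, which is why the domain must be allowed through rather than blocked.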
In the last 24 hours we saw:
2,713,752 beacons from 220,648 unique SrcIPs to the killswitch from 184 different countries
Over the course of a week we see:
17,088,121 beacons from 639,507 unique SrcIPs (DHCP churn obviously is a factor) across 194 countries
— Jamie Hankins (@2sec4u) December 21, 2018
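The beacon counts in the tweet are visible from the sinkhole's side; from inside a network, the same infections show up as DNS lookups of the kill-switch domain. The following added example (not Kryptos Logic's or SonicWall's code, and not from the original article) hunts for those lookups in resolver logs. The log format and the log lines are constructed for the demonstration; adapt LOG_RE to your own DNS or proxy log layout. It also lists the domain of the variant registered by Matt Suiche two days after the original, so that later samples are caught too.

```python
"""Hunt for dormant WannaCry infections by their kill-switch beacons.

Added example, not SonicWall's or Kryptos Logic's code. A host that keeps
asking for the kill-switch domain is a host that still has the worm
installed: the sinkhole is keeping it quiet, nothing more.
"""
import re
from collections import defaultdict

# Domains whose lookups betray a still-installed worm: the original,
# registered by MalwareTech, and the variant domain registered by
# Matt Suiche (Comae) on 14 May 2017. Extend from your own intel feed.
KILLSWITCH_DOMAINS = (
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)

# Constructed resolver-log format: "<ISO timestamp> <client ip> <queried name>".
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)$")


def is_killswitch_lookup(name):
    """True if the queried name is a kill-switch domain or a label under it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in KILLSWITCH_DOMAINS)


def find_beacons(lines):
    """Return {date: {client_ip: beacon_count}} for kill-switch lookups.

    Lines that do not parse are skipped rather than aborting the hunt.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        day, client, name = m.groups()
        if is_killswitch_lookup(name):
            per_day[day][client] += 1
    return {day: dict(hosts) for day, hosts in per_day.items()}


def summarise(lines):
    """Aggregate the way the sinkhole counts do (beacons, unique source IPs)
    and list hosts seen on more than one day: those are not DHCP churn,
    they are machines that still carry the worm and need cleaning."""
    per_day = find_beacons(lines)
    days_seen = defaultdict(set)
    for day, hosts in per_day.items():
        for ip in hosts:
            days_seen[ip].add(day)
    return {
        "beacons": sum(sum(h.values()) for h in per_day.values()),
        "unique_src_ips": len(days_seen),
        "persistent_hosts": sorted(ip for ip, d in days_seen.items() if len(d) > 1),
        "per_day": per_day,
    }


# Constructed sample log: two beaconing hosts, ordinary traffic, one bad line.
SAMPLE_LOG = """\
2018-12-20T08:03:11Z 10.20.3.44 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2018-12-20T08:03:40Z 10.20.3.44 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2018-12-20T08:05:02Z 10.20.7.9 update.example.com
2018-12-20T09:17:55Z 10.20.9.120 www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2018-12-20T13:44:10Z 10.20.3.44 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
2018-12-21T07:58:33Z 10.20.3.44 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2018-12-21T10:00:00Z 10.20.7.9 mail.example.com
this line is malformed and must not crash the hunt
""".splitlines()


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['beacons']} beacons from {report['unique_src_ips']} unique source IPs")
    for day in sorted(report["per_day"]):
        print(day, report["per_day"][day])
    print("clean these first:", report["persistent_hosts"])
```

In practice the source IP in a resolver log is often a NAT gateway or a forwarding DNS server; the useful pivot is the internal client behind it, so run the hunt on the innermost resolver's logs you have.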
The best protection against WannaCry's past, present and future versions is to remove what it exploits: apply MS17-010 and keep Windows patched, disable SMBv1, and block inbound TCP port 445 at the perimeter. On top of that, reliable firewall protection and endpoint security with up-to-date definitions catch the variants that keep appearing.
SonicWall stays on top of WannaCry to keep the worm from passing through the IT environments it protects, and recognises the different signatures the malware carries as it continues to evolve.
Its network security rejects or halts any download containing WannaCry through Capture Advanced Threat Protection and raises a Gateway Anti-Virus alert; it also keeps a log of the exploit attempts it blocked.
WannaCry has plagued the Internet for almost two years at the time of writing. Without patching affected machines, removing the dormant infection, and adding perimeter protection such as SonicWall's, it will continue to pose a threat to users and their colleagues across the network.