WannaCryptor aka WannaCry: Key questions answered

WannaCryptor, aka WannaCry, is one of the biggest cybersecurity stories of 2017. In fact, you could go as far as to suggest one of the biggest in years. Since news first broke on Friday, broadcasters, journalists, bloggers, commentators, experts and security vendors, to name but a few, have reported on, discussed and analysed this global threat with a level of attention unseen before.

While this all welcome, it can sometimes feel like information overload. Aware of this, we’ve put together this Q&A, bringing together some of the key points. There’s enough information to know all the salient points without getting too lost, but also plenty of links if you want more detail on certain areas related to the story.

What is WannaCryptor?

WannaCryptor, and its variants, is a type of malicious software known as ransomware, an increasingly popular attack method deployed by cybercriminals that involves the illegal encryption of files and devices. A ransom is demanded for the ‘safe recovery’ of said files and devices.

According to Michael Aguilar, a business security specialist at ESET, WannaCryptor, also known as WannaCry and Wcrypt, is “unlike most encrypting-type malware: this one has wormlike capabilities, allowing it to spread by itself”. He also offers some sage advice in his post on how to protect yourself. ESET clients were already protected by ESET’s network protection module.

The English version of the ransomware message, which can be displayed in several languages based on geolocation, appeared on infected computer screens, read: “Ooops, your files have been encrypted!” The authors of the malware added that it was futile to look for a way to access the files, without their assistance. Which, of course, comes with at a cost – $300 in bitcoin per infected computer.

What happened?

In the UK, news outlets in the country reporting that multiple NHS sites had been hit with a massive cyberattack. Services were disrupted, with doctors, GPs and healthcare professionals unable to access computers or files – in effect, bringing parts of the NHS to a standstill.

However, it’s unclear how much of the disruption was due to the precautionary shutting down or isolation of systems rather than direct breaches.

NHS Digital, which is the information technology arm of the Department of Health, was quick to issue a statement.

It stated: “This attack … is affecting organizations from across a range of sectors. At this stage we do not have any evidence that patient data has been accessed.”

Soon enough it became clear that the cyberattack was, in fact, global in scale, affecting close to 150 countries (including, to name but a few, Spain, the US, India, Russia and China) and impacting all sorts of organizations and government agencies.

For example, In Spain, the telecommunications giant Telefónica was hit; In Russia, the interior ministry reported infections; and in the US, FedEx confirmed that it also had fallen victim to the ransomware attack.

Over the weekend, internal and external security specialists responded swiftly to the attack, including NHS Digital, ESET, Microsoft and the UK’s National Cyber Security Centre, all of which has gone a long way to limiting the damage and reach of WannaCryptor.

Further, ‘luck’ has also played a part in at least slowing down the malware. An individual, based in the UK, who goes by the moniker MalwareTech, accidentally activated what was later discovered to be a kill switch in the malware.

As he tweeted on May 13th: “I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.” For more detail on this, please check out his subsequent blog, titled How to Accidentally Stop a Global Cyber Attacks.

This is, by no means, the end. The story is still unfolding, with new infections still being reported across the world, though seemingly with ‘less energy’ than the initial outbreak. Still, many are calling for vigilance, as, due to the complexity of this ransomware, aftershocks are likely.

How did this happen?

It’s currently unclear what the original source is for this malware, but it’s likely that WannaCryptor was either delivered by email – hidden in an attachment – or via a backdoor (suggesting that a system had already been compromised).

In this particular instance, the malware has exploited a vulnerability in older (Windows XP, Windows 8.0, Windows Server 2003) and/or still-supported versions of Microsoft’s Windows operating system where the MS17-010  update wasn’t applied. Computers that have been infected have, for whatever reason, not updated the operating system with the latest version. The MS17-010 update has been available for supported systems since March 2017, and was made available for Windows XP/Windows 8.0/Windows Server 2003 on May 12.

The case has highlighted many flaws within some organizations, security agencies and governments, including poor and untimely information sharing; inefficient and slow to react cybersecurity efforts and financial underinvestment, all of which have created a perfect hailstorm of opportunities for cybercriminals to exploit.

What are experts, decision makers and organizations saying?

Rob Wainwright, executive director of Europol, said in an interview with British broadcaster Robert Peston: “We’ve seen the rise of ransomware becoming the principal cyber threat, but this is something we’ve never seen before – the global reach is unprecedented.”

In an official company blog, Brad Smith, president and chief legal officer of Microsoft, described the WannaCryptor as a “wake-up call for all”. He added: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”

Mark Porter, council chair of the British Medical Association, noted: ‘We need to quickly establish what went wrong to prevent this happening again and questions must also asked about whether inadequate investment in NHS information systems has left it vulnerable to such an attack.”

MalwareTech, the so-called accidental hero, concluded in his blog: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”

The UK’s health secretary, Jeremy Hunt, who has been criticized for his silence on the attack, said three days after news broke: “According to our latest intelligence, we have not seen a second wave of attacks. And the level of criminal activity is at the lower end of the range that we had anticipated and so I think that is encouraging.”

David Harley, a senior research fellow at ESET, said: “If you didn’t take advantage of the patch for supported versions of Windows (Vista, 7, 8.1 and later) at the time, now would be a good time to do so (a couple of days earlier would have been even better). If you’re running one of the unsupported Windows versions mentioned above (and yes, we appreciate that some people have to because of hardware or software compatibility issues), we strongly recommend that you either upgrade or take advantage of the new update.”

(Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here. This content originally appeared on ESET’s We Live Security blog.)