If you’ve been keeping up with any technology news, you’ve more than likely heard of the WannaCry ransomware attack that started on May 12th. The attack started off with news of a cyber-attack against NHS hospitals in England. Shortly after that, news broke that the attacks were a global attack and that they leveraged NSA tools that were leaked back in March. With all the information out there, we decided to do a brief write up and timeline of all that happened.
March 2017 – The Patch
On March 14th, Microsoft released a patch for a critical vulnerability in SMB (Server Message Block) v1. SMB is the protocol used for file sharing between computers and servers, and v1 is considered out of date and deprecated. Rumors were that Microsoft heard about this exploit from a third party, but there was not much to go on. This seemed to be a normal security update to fix a vulnerability in Windows. Since this was a routine patch, unsupported versions of Windows like XP and Server 2003 did not get the patch. This critical vulnerability is what allowed the WannaCry ransomware to spread so rapidly and do so much damage in such a short period of time.
April 2017 – The Leak
On April 14th, 2017, a hacker group known as “The Shadow Brokers” released EternalBlue (the exploit/tool used in WannaCry) along with other tools leaked from the Equation Group. The Equation Group is well known in the security sector as a sophisticated threat actor with suspected ties to the NSA. When these tools were analyzed, it raised suspicions that Microsoft may have been tipped off by the NSA about the leak of its tools. In other words, the NSA let Microsoft know of the vulnerabilities it was aware of, but it did not disclose them to Microsoft until March 2017.
In April 2017, the DoublePulsar backdoor started to be seen in the wild. DoublePulsar was used to infect computers, which were later used to deliver the WannaCry ransomware.
May 2017 – The Attack
On May 12th, 2017, WannaCry began infecting computers globally. These attacks targeted highly vulnerable systems: organizations without the March 2017 patch or running XP/Server 2003. The attack was a typical ransomware attack that encrypted files and demanded payment. However, this variant was able to spread using the SMB exploit found in the NSA’s EternalBlue hacking tool. This means the payload was able to spread to other vulnerable machines instead of being confined to a single computer.
The attack was quick and spread globally within hours. Large companies and government agencies such as Telefonica, the NHS, FedEx, Deutsche Bank, and LATAM Airlines were hit. In total over 150 countries were affected by the attack.
A Glimmer of Hope
Hours after the initial attack, a security researcher for MalwareTech found a kill-switch in the WannaCry ransomware. The researcher registered a specific domain name found in the ransomware code. The domain was used as a command and control center for the attack. Without communication to its command and control center, the ransomware stopped encrypting files. This gave countries that were hit later (like the US) time to patch systems.
By Monday, May 15th, the attacks had subsided, and by May 16th they appeared to have almost completely stopped. According to researchers, the attackers made around $66,000 in ransom payments.
EDC’s Take on The Attack
While we were concerned about the attack, clients who follow best practices did not have to worry as much. Our managed service clients were patched for this vulnerability back in April, and we follow Microsoft’s best practice for operating system retirement. In the majority of the cases we have read about, the organizations hit the hardest were either behind on patches or had unsupported Microsoft operating systems on their network. We advise clients to always have the following in place:
1.) Backup systems that are tested regularly
2.) Security software such as endpoint security, spam/virus filtering, and anti-malware
3.) Patch management (including third-party software such as Adobe and Java)
4.) Using software and systems still supported by the manufacturer
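As an added example (not part of the original post or EDC's own tooling), the following PowerShell script audits a single Windows host for the three exposure conditions discussed above: SMBv1 still enabled, an operating system that may be out of support, and the March 2017 (MS17-010) update missing. The two KB numbers in the default list are assumed to be the Windows 7 / Server 2008 R2 March 2017 updates; the list should be completed from the MS17-010 bulletin for other Windows versions.

```powershell
# Added example: audit this host for WannaCry-style exposure.
# Run from an elevated PowerShell prompt.
# Assumption: the KB list below covers Windows 7 / Server 2008 R2 only; extend
# it from the MS17-010 bulletin for other versions. On Windows 10 the fix is
# part of the cumulative update, so a missing KB there is not proof of exposure.
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$report = [ordered]@{}

# 1. Is the SMBv1 server component still on? Get-SmbServerConfiguration exists
#    on Windows 8.1 / Server 2012 R2 and later; on older hosts fall back to the
#    LanmanServer registry value, where an absent value means SMBv1 is enabled.
$smb1 = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
}
$report['SMB1Enabled'] = $smb1

# 2. Record the OS version so support status can be checked against the
#    vendor lifecycle (XP and Server 2003 were out of support in May 2017).
$os = Get-WmiObject -Class Win32_OperatingSystem
$report['OS'] = "$($os.Caption) build $($os.BuildNumber)"

# 3. Is any of the expected MS17-010 updates installed? Get-HotFix reads the
#    same data as "View installed updates" in Control Panel.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$report['MS17010Present'] = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

[pscustomobject]$report | Format-List

# Flag the combination that let WannaCry spread: SMBv1 on and the patch missing.
if ($smb1 -and -not $report['MS17010Present']) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 update was found: patch this host or disable SMBv1.'
}
```

Disabling SMBv1 outright (via Set-SmbServerConfiguration -EnableSMB1Protocol $false on supported versions) removes the exposure regardless of patch state, but confirm no legacy devices on the network still depend on it first.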
As always, if you have questions or concerns regarding your network security, please feel free to contact us.