Ransomware started around 2012 and is where your computer pops up a message saying that your files have been encrypted and you can only get them back if you pay a ransom.
Sometimes these messages are just what is called ‘scareware’ i.e. its an empty threat and if you don’t pay then nothing is lost. But the warning can also be real and you find your files have been encrypted and the chance of getting them unencrypted without paying the ransom is very slim.
Even if you do pay the ransom you may not get your files back.
Ransomware usually gets into your computer when you open an email attachment that contains the malicious code, disguised as a legitimate file. However, WannaCry can jump from one computer to another without the user doing anything.
The story of how WannaCry was so successful in propagating itself starts with the US government. The NSA discovered a vulnerability in Microsoft Windows but didn’t warn Microsoft. The company did later find the vulnerability and issued security patches to fix it. But not everyone keeps their Windows computers fully up to date with security patches.
The vulnerability was used in a piece of software called EternalBlue which was published on the Internet by a hacking group called Shadow Brokers. Many believe the software was created by the NSA for their own use.
The WannaCry ransomware attack started in May 2017, The ransomware demands users pay $300 worth of online currency Bitcoins to retrieve their files, but the price goes up if they don’t pay on time. Even paying the ransom does not ensure a decryption key will be made available.
A UK cybersecurity researcher (known by the Twitter handle @malwaretechblog) with the help of Darien Huss from security firm Proofpoint looked at the ransomware and discovered the name of a website which was being accessed by the ransomware. The website address hadn’t been registered by anyone so he bought the domain name. This was to track the progress of the Ransomware, but turned out to be a kill switch. Once there was a website at the domain name then Wannacry stopped spreading.
Back in March 2017, Microsoft issued security bulletin MS17-010, which explained the flaw in MS Windows and announced that patches had been released. Two months later when Wannacry hit, some organisations had not installed the security patches and hence their systems were vulnerable to the attack. The day after the attack started Microsoft issued emergency security patches for Windows 7 and Windows 8. Microsoft also later released patches for unsupported Windows XP and Windows Server 2003.
The way that Wannacry encrypted files meant that in some cases a decryption key could be generated. This method was posted on the Internet and a tool known as WannaKey was developed which could use this method on Windows XP computers.
WannaCry is estimated to have infected around 200,000 computers across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.
The strange thing about Wannacry is that it does not seem to have been designed to make money. It turned out later that the way Wannacry demands payment by Bitcoin does not give the fraudsters enough information to create decryption keys per organisation even if they wanted to.
Previously common ransomware such as J.Lockey made millions of dollars for its perpetrators. But Wannacry only collected around $140,000. Once victims knew they couldn’t get a decryption key – they stopped paying.
What was it all about?
3. The NHS
Wannacry was rapidly spread across Europe and Asia and happened to hit the NHS very hard for a series of reasons including that they had old Windows 95 machines on their network and because their network has a huge number of computers attached to it.
The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices – including computers, MRI scanners, operating theatre equipment and more were affected in some cases.
On 12 May, some NHS services had to turn away non-critical emergencies. This was life threatening for some.
4. Who Created Wannacry?
Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English.
Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea). This could also be either simple re-use of code by another group or an attempt to shift blame. North Korea denies being responsible for the cyberattack.
5. The Future of Ransomware
Wannacry seems to be about disruption rather than collecting money.
Plus it has the ability to jump from one computer to another – this makes ransomware much more dangerous than the versions that simply demand a few hundred dollars.
It can be expected that there are people working hard to create a new ransomware with that jumping capability but looking to make a lot of money.
The problems at the NHS showed that such ransomware can endanger life.
Hopefully many people will have been woken up by what happened and realise they have to put in the funds to keep their systems fully up to date with security patches and put more effort into maintaining the confidentiality of their customers and staff as the next generation of ransomware may be designed to capture confidential data as well.
As to the people who just want to cause disruption or deny us access to data – we can probably expect more such attacks and with a variety of reasons behind them.
Keep your online security fully up to date.
Do you have an opinion on this matter? Please comment in the box below.