WannaCry Ransomware – Update
Four days after one of the biggest cybersecurity attacks in recent memory, the WannaCry crisis has begun to slow down. The initial malware is being sinkholed and IT professionals are installing vital patches to their machines to protect them from any future attacks that may use the NSA-created Eternal Blue tool.
As the dust begins to settle the severity of the damage begins to become apparent, with Europol confirming that over 200,000 computers had been infected within at least 150 different countries.
The ransomware had infected businesses across all sectors including, car factories, hospitals, shops, schools, banks, airlines, and government institutions. Deutsche Bahn, the national rail operator for Germany along with Singaporean digital signage company, MediaOnline, also announced that a few of their electronic signs had been infected with the ransomware.
Businesses were able to breathe a sigh of relief on Monday, as the news that a 22 Year-Old British researcher was able to identify a kill switch to the fast spreading ransomware. The researcher known as @MalwareTech on Twitter, realized that there was an unregistered domain within WannaCry’s coding that the malware would try and connect to before releasing its payload.
“All this code is doing is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits.” –MalwareTech
While the initial strain of WannaCry is now unable to spread its ransomware, companies quickly patched their systems and backed up their data as they prepared for a second wave of attacks on Monday.
Businesses warned of a Second Wave
Cyber security officials around the world warned businesses that the now defunct WannaCry was still a threat as the code could be easily altered to be more effective than it was the first attack. The internet began to be flooded with news that the second wave of attacks were coming, though fortunately only two other variations were found on Monday.
The first of which was considered to be a near exact copy of WannaCry’s code, except with the kill switch domain now pointing to a different, at the time unregistered domain, allowing the ransomware to infect computers again. This variant was quickly stopped by another security researcher purchasing the new domain and again sink-holing it.
The second variant’s code had been altered to completely remove the kill switch domain, though was eventually deemed corrupted as the ransomware was unable to actually encrypt any files from the infected computer.
The threat of another wave of attacks is still a possibility as companies around the globe race against time to ensure their systems are secure from this type of attack.
Luckily for businesses running on the vulnerable out of date Windows operating systems, Microsoft released a patch for their now-unsupported operating systems like Windows XP.
The President of the world’s largest software maker, Microsoft, also released a very critical statement of the NSA’s apparent incidental assistance in this major attack;
“This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world”
-Microsoft President Brad Smith
The United States NSA has been credited with identifying the Windows vulnerability and creating the Eternal Blue tool that allowed the ransomware to infect so many computers at such a rapid pace.
Identifying the Authors
While the US may take the blame for creating the destructive malware, it has been reported that North Korea may also have been involved in this massive attack.
Researchers have poured over the WannaCry code since its release, trying to find clues that could identify the authors of the worldwide attack, and as of Tuesday morning, they may have an idea. Google security researcher, Neel Metha, has announced that he has found similarities to the WannaCry code to code written by the notorious Lazarus Group.
The Lazarus Group is most known for their previous attack on Sony Pictures in 2014 and on a Bangladeshi bank in 2016. They are believed to be residing in China but working for North Korea, which is where the first clue comes in.
The WannaCry ransom notes were inscribed in over 28 languages, most which seemed to be translated by a computer or machine; However, the Chinese version of the note appeared to be written by a native speaker, such as the Lazarus Group. The code also revealed that it had been set to UTC +9 (North Korea’s time zone), and contained similarities to code written by the Lazarus Group.
If the Lazarus Group was behind this monumental attack, they haven’t received the payment they have been expecting. As of 9:30 am GMT on Tuesday morning, the three bitcoin wallets tied to the WannaCry accounts had only received about 230 payments, totaling a mere $62,000 USD (37 BTC). Considering over 200,000 computers had been infected this amount remains relatively low, though today marks the fourth day of infection for many users, raising the ransom up to $600 USD.
Cyber Security Best Practices
As the world continues to recover from such a massive global cyber security attack, it is important to remember cyber security best practices.
- Always update your antivirus and software to ensure all vulnerabilities are patched
- As a cloud service, updates to The Email Laundry services are automatic, allowing customers to rest assured they are always completely covered.
- Back-up data in multiple locations
- In order to make sure our services never go down; The Email Laundry has servers placed across the globe in geographically diverse locations to keep uptime at 99.99%
- Avoid opening unknown email attachments or clicking on links in emails
- At The Email Laundry, we are proud to be an industry-leading email security provider who helps to keep companies safe from vicious attacks like WannaCry by ensuring those malicious emails don’t make it into your user’s inboxes (none of our customers were affected by the recent worldwide attack).
We also provide Phishing Awareness Training so businesses can efficiently train their employees how to detect phishing emails such as spear phishing, CEO Fraud, and other types of attacks, to keep their business safe.