Ransomware continues to escalate globally targeting essential services. The NHS WannaCry ransomware attack has been particular devastating for the UK, knocking out patient records and rendering hospitals at its mercy forcing a diversion of patients and ambulance routes across the UK. With no ability to access patient records and essential data, patients are being turned away on a large scale. Hospitals have become an increasingly larger target in recent times due to the large number of vulnerable systems in these institutions. They also pay the ransom, as in the case of Hollywood Presbyterian Medical Center last year.
What is particularly interesting about this attack is that it exploited a vulnerability that was discovered and developed by the National Security Agency which was recently leaked by a group called the shadow brokers. They leaked a number of important techniques and methods used by the NSA to take over or eavesdrop on a computer or mobile device. The weaker security protocols and systems in place at many of these hospitals allowed the ransomware spread quickly, in this case via an encrypted email attachment.
New Variants discovered
New variants of the WannaCry ransomware started emerging on Sunday (2 days after the original attack). One of the variants was stopped by registering a kill switch domain, the same way the ransomware was stopped on Friday. A second variant is not encrypting infected machines due to an error in programming, but it is spreading. More variants are expected in the coming week many if which we expect will not contain a kill switch.
How does it work?
Once the ransomware has been installed on a computer it executes on the local machine and then contacts a third party server to download other payloads (applications) and activate the application. It then starts encrypting all the files on your drive. After it has completed it will popup a paywall requesting payment to have your files decrypted. If you don’t pay the ransom then the files can be deleted by the hackers.
The NHS attack has been particularly severe and rapid and took only 4 hours to spread to the NHS, originally infecting systems at Telefonica in Spain. The ransomware itself is known as WannaCrypt or WannaCry and is a variant of WeCry which was discovered in February 2017 and infects any Windows based operating system (no known Mac variants have been found yet). It appears from several reports as though this software was initially infected via email and then spread through the internal NHS network using SMB shared drives across the organization. Microsoft has been aware of the vulnerability since March of 2017 and have posted a security update to address this.
Early indicators seem to point to the attack originating in China, but more evidence is needed.
We have confirmed that this ransomware has affected Windows computers on shared networks in at least 150 countries worldwide, with 300,000 reported individual cases and more than 10,000 companies being affected.
Analysis of the Attack
After the initial payload is on your computer the application will download the anonymous network client “tor.exe” along with its dependencies. Once this has been downloaded the main executable will be able to communicate to its command and control servers anonymously.
Once started it then tries to change the access rights of all its files to obtain total access to your machine. According to Kaspersky the sequence is as follows:
- attrib +h .
- icacls . /grant Everyone:F /T /C /Q
- @WanaDecryptor@.exe fi
Then, as is typical with a lot of ransomware, it will then try to disable Volume Shadow Service so that you cannot recover from the decryption by running a command line sequence. This will trigger a UAC popup, which should be a clue that it should not be allowed.
It will then contact the anonymous servers and begin encrypting all your files.
A more detailed analysis can be found at Microsoft and also Kaspersky Lab’s.
The NSA has now linked WannaCry directly to North Korea. Apparently developed to raise money for the regime. In total it generated $140,000 in revenue, although the funds have not been cashed in because of an operational flaw, which means the money could be traced.
The US has Government has now officially blamed the North Koreans for this attack.
Can BlackFog Help?
Users running BlackFog are already protected from this ransomware. BlackFog has been designed to target a range of ransomware just like this and prevent the activation and spread across your internal network by preventing outbound traffic to foreign networks and through execution prevention on your local machine.