Before we can address the lessons learned from the WannaCry attack, we first need to understand what it was and how it spread so efficiently.
WannaCry was a ransomware attack that spread globally in May 2017. It affected machines running most versions of the Windows Operating System, encrypting user files and demanding a $300-$600 ransom paid in Bitcoin to unlock these files.
WannaCry infected 230,000 computers in over 150 countries on the first day. That speed came from its nature as a cryptoworm: it spread itself from machine to machine. WannaCry made use of several key parts that all worked together. First off, it used an attack vector called EternalBlue, which exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol. It also made use of a backdoor called DoublePulsar. Both of these tools were released in April of 2017 by The Shadow Brokers. Once WannaCry was on a system, it would use the EternalBlue attack to gain access to other systems, and the DoublePulsar backdoor to install and execute on the next system.
MalwareTech found a way to stop the attack in the worm’s code. The worm included a query to a domain that wasn’t registered. In effect, the worm would ask a website, “Hey, do you exist?” Since the domain was unregistered, it shouldn’t have. Anti-virus research systems are sandboxed rather than connected to the Internet, and the worm used this query to tell whether it was on the Internet or in a sandbox. Most sandbox systems fake a response to any query so that they look like they’re connected to the Internet (the sandbox wants the virus to think it’s on a live system). So when WannaCry asked whether this nonexistent server existed, the sandbox would fake some data saying yes; because that server shouldn’t exist, WannaCry concluded it was in a sandbox, and the worm would deactivate itself.
The solution was simply to register the domain that WannaCry was checking. Once the domain existed, every instance of WannaCry assumed it was in a sandbox and deactivated itself. Unfortunately, this was only a temporary fix, and soon a new version was spreading that didn’t have the sandbox check.
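The kill-switch behaviour described above, modelled as an added example (this is not the worm’s code and not from the original post). The decision logic takes a pluggable `resolve` function so the three environments the post describes can be compared side by side: the live Internet with the domain unregistered, a sandbox that answers every query, and the live Internet after the domain has been registered. The domain name, the DNS log lines and the client addresses are all constructed placeholders; the real kill-switch domain is not used here. The second half shows the defender’s view: once the domain is registered, every host that queries it is a machine on which the worm ran and then deactivated, so the registrar’s (or your own resolver’s) query log becomes an infection list.

```python
"""Model of the WannaCry kill-switch check and a DNS-log scan for hosts that hit it.

Added example, not code from the original post or from the worm itself.
KILL_SWITCH_DOMAIN is a constructed placeholder, not the real domain.
"""
import re

KILL_SWITCH_DOMAIN = "unregistered-killswitch-placeholder.example"  # constructed placeholder

# Set of domains that "exist" on our simulated Internet; empty until someone registers the domain.
REGISTERED = set()


def kill_switch_decision(resolve):
    """Return "deactivate" if the domain appears to exist, otherwise "continue".

    `resolve(domain)` stands in for the lookup the worm performed and returns
    True if the domain answered, False if it did not.
    """
    return "deactivate" if resolve(KILL_SWITCH_DOMAIN) else "continue"


# Environment 1: the live Internet while the domain is still unregistered (NXDOMAIN).
def live_internet_unregistered(domain):
    return False


# Environment 2: an analysis sandbox that fakes a positive answer for every query.
def sandbox_fakes_everything(domain):
    return True


# Environment 3: the live Internet after the domain has been registered.
def live_internet_after_registration(domain):
    return domain in REGISTERED


def register_domain(domain=KILL_SWITCH_DOMAIN):
    """Simulate MalwareTech's fix: register the domain so it now exists."""
    REGISTERED.add(domain)


# Constructed resolver log lines (not real data): one line per DNS query.
DNS_LOG = """\
2017-05-12T10:01:02Z client=10.0.3.14 query=updates.example. type=A
2017-05-12T10:01:05Z client=10.0.3.27 query=unregistered-killswitch-placeholder.example. type=A
2017-05-12T10:01:09Z client=10.0.3.14 query=mail.example. type=A
2017-05-12T10:02:41Z client=10.0.3.27 query=unregistered-killswitch-placeholder.example. type=A
2017-05-12T10:03:00Z client=10.0.5.8 query=unregistered-killswitch-placeholder.example. type=A
"""

# Captures the client address and the queried name (trailing dot stripped).
LINE_RE = re.compile(r"client=(\S+) query=(\S+?)\.? type=")


def hosts_querying_kill_switch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: query_count} for every client that looked up the kill-switch domain.

    After the domain is registered these are the hosts on which the worm
    executed and then shut itself down; they still need cleaning and patching.
    """
    hits = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        client, qname = match.groups()
        if qname.lower() == domain:
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    print("unregistered domain, live Internet:", kill_switch_decision(live_internet_unregistered))
    print("sandbox faking answers:            ", kill_switch_decision(sandbox_fakes_everything))
    register_domain()
    print("domain registered, live Internet:  ", kill_switch_decision(live_internet_after_registration))
    print("hosts that queried the kill switch:", hosts_querying_kill_switch(DNS_LOG))
```

The point the model makes clear is that the worm could not distinguish “a sandbox lied to me” from “the domain now really exists”, which is exactly why registering it worked, and also why a variant with the check removed was unaffected.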
Now that we’ve covered what WannaCry was and how it worked, let’s get on to the key lessons learned from this attack.
Microsoft discovered the vulnerability in March of 2017, two months before the attack. As soon as they discovered it, they released a security notice and patches for all Windows Operating Systems. In the two months between the patches being issued and the attack being launched, many users had not installed the security patch. After the attack launched, Microsoft pushed emergency patches, and within four more days most organizations finally applied them. It wasn’t just home users that didn’t apply patches; these were large organizations, such as FedEx, Hitachi, Renault, Saudi Telecom, and many, many more.
It’s easy to put off patch updates. It seems like we constantly get notifications of a new patch that needs to be installed in our Operating Systems or various web applications. Security patches are usually issued fairly quickly after a vulnerability is discovered, and the sooner the patch is applied, the sooner you’re protected against that vulnerability. WannaCry would have been a very different scenario if all of these systems had been patched when the advisory was first posted and the first round of patches issued. Home users should have their systems routinely checking for new security updates, and business network administrators and information security professionals should be aware of new threats and vulnerabilities, as well as current security patches. It is also important for these network administrators to regularly assess their business’ networks through vulnerability scans and penetration tests, which will be covered in a future post.
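The exposure-window argument above, turned into a small patch-compliance report as an added example (not code from the original post). It takes a constructed host inventory with the date each host applied the SMB patch (or `None` if it never did) and classifies every host relative to the advisory and the attack, reporting how many days each one stayed exposed after the fix was available. The exact day of the advisory and of the attack are assumptions here (the post gives only March and May 2017); the host names and dates are constructed.

```python
"""Patch exposure report: how long did each host stay unpatched after the advisory?

Added example, not from the original post. ADVISORY_DATE and ATTACK_DATE are
assumed days within the months the post names; the inventory is constructed.
"""
from datetime import date

ADVISORY_DATE = date(2017, 3, 14)  # assumption: day the advisory and first patches shipped
ATTACK_DATE = date(2017, 5, 12)    # assumption: day the attack began spreading

# Constructed inventory: when each host applied the patch (None = still unpatched).
INVENTORY = [
    {"host": "ws-01",   "patched_on": date(2017, 3, 20)},
    {"host": "ws-02",   "patched_on": date(2017, 5, 15)},
    {"host": "srv-db",  "patched_on": None},
    {"host": "srv-web", "patched_on": date(2017, 5, 11)},
]


def classify_host(patched_on, advisory=ADVISORY_DATE, attack=ATTACK_DATE, today=None):
    """Return (status, days_exposed) for one host.

    status is one of:
      "patched_before_attack" - fixed during the window the post says most orgs missed
      "patched_after_attack"  - fixed only once the emergency patches went out
      "unpatched"             - still exposed as of `today`
    days_exposed counts days from the advisory until the patch (or until today).
    """
    today = today or date.today()
    if patched_on is None:
        return "unpatched", (today - advisory).days
    days = max((patched_on - advisory).days, 0)
    if patched_on < attack:
        return "patched_before_attack", days
    return "patched_after_attack", days


def exposure_report(inventory=INVENTORY, today=None):
    """Classify every host; unpatched hosts come first, then longest exposure first."""
    rows = []
    for entry in inventory:
        status, days = classify_host(entry["patched_on"], today=today)
        rows.append({"host": entry["host"], "status": status, "days_exposed": days})
    rows.sort(key=lambda r: (r["status"] != "unpatched", -r["days_exposed"]))
    return rows


def hosts_needing_action(inventory=INVENTORY, today=None):
    """Hosts that still need the patch applied right now."""
    return [r["host"] for r in exposure_report(inventory, today) if r["status"] == "unpatched"]


if __name__ == "__main__":
    for row in exposure_report(today=date(2017, 5, 20)):
        print(f"{row['host']:8} {row['status']:22} exposed {row['days_exposed']:3} days")
```

Running it against the constructed inventory makes the post’s point concrete: the hosts that were still exposed in May had a full two months in which the fix was already available, and the report sorts them to the top so they are the ones an administrator acts on first.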
WannaCry was a devastating attack that affected systems in over one hundred countries, but it could have been avoided with timely application of security patches.