On May 12, 2017, everyone heard the cry that echoed around cyberspace. More specifically, they heard the WannaCry.
The true story has three elements.
The first story surrounds one of the vulnerabilities included in MS17-010. The most severe of these vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. This part of the story was often dwarfed by the next part of the story, but it is ultimately more important.
This matters because Microsoft released the MS17-010 patch on March 14, 2017, almost two months before the SMB vulnerability was exploited in a very public way by WannaCry. If the SMB vulnerability had not existed, or had been patched before May 12, the global impact of WannaCry would most likely have been prevented.
The second part of the story is that the WannaCry ransomware took advantage of the SMB vulnerability using ETERNALBLUE, one of the exploits disclosed by the Shadow Brokers when they leaked several NSA tools. By using the ETERNALBLUE exploit, the WannaCry ransomware spread like wildfire, making big news around the world.
WannaCry soon hit as many as 200,000 workstations, and even more by some estimates. WannaCry demanded payment in bitcoin to decrypt the affected systems. NTT Security analysts evaluated the process of buying bitcoin for payment, and determined that unless the organization already had the bitcoin, some organizations would likely not be able to buy the required bitcoin in the allotted time. And on top of that, it appears a significant amount of ransom payments did not actually unlock the victim’s data.
WannaCry is ultimately just another piece of ransomware. Unfortunately, the best defense against ransomware is to plan ahead and make sure your organization is ready for it before it strikes.
The third part of the story is that WannaCry was not the only attack to take advantage of the SMB vulnerability. Adylkuzz was designed to mine cryptocurrency, and hit the world three weeks earlier. EternalRocks was a worm which spread in the same manner as WannaCry, but has since been removed from the web by its author.
Still, WannaCry was the most obvious symptom of the three components. For this reason, NTT Security researchers and analysts took a long, hard look at WannaCry in the NTT Security Monthly Threat Report for May 2017, published on June 5. The report takes a detailed look at statistics from the ransomware, including the industries being attacked, a detection calendar, and the ports and protocols used. The report also details a variety of indicators verified against monitoring data, such as IP addresses, command and control IP addresses, Snort signatures, Palo Alto signatures, domains, killswitch domains, file hashes and affected file names. All this information can be used to enhance detection of WannaCry-related activity, as well as activity associated with related attacks.
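As an added illustration of how indicators of the kinds listed above feed detection (this is example code written for this page, not material from the NTT Security report or NTT Security tooling), the script below matches DNS, firewall and AV log lines against a small indicator set. Every indicator value, log format and log line in it is a constructed placeholder: the killswitch domain, the SHA-256 hash and the IP addresses are not real WannaCry indicators, and the log formats are invented for the example. It flags three things a defender would want to see during an outbreak like this one: a client looking up a killswitch domain (which means the malware ran on that host, whether or not the lookup succeeded), SMB on port 445 being reachable from outside the internal address space (the exposure that made the MS17-010 exploit matter), and a single internal host fanning out over SMB to many peers (the worm-like spread described above).

```python
"""Indicator matching over constructed log lines (added example, not from the report).

All indicators and log lines below are placeholders constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators: NOT real WannaCry IoCs. A real deployment would load the
# domains, hashes and signatures from the report or a threat-intelligence feed.
KILLSWITCH_DOMAINS = {"killswitch-placeholder.example"}
KNOWN_BAD_SHA256 = {"0" * 64}          # placeholder hash
SMB_PORT = 445
SMB_FANOUT_THRESHOLD = 3               # distinct internal hosts reached on 445 before alerting

# RFC 1918 ranges treated as "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed single-line log formats; real DNS/firewall/AV sources will differ.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
AV_RE = re.compile(r"^(?P<ts>\S+) av host=(?P<host>\S+) file=(?P<file>\S+) "
                   r"sha256=(?P<sha>[0-9a-fA-F]{64})$")


def domain_matches(qname, indicators):
    """True if qname equals an indicator domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in indicators)


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return (alert_type, subject, detail) tuples for the given log lines."""
    alerts = []
    smb_targets = defaultdict(set)  # internal src -> internal dsts reached on 445
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            # A killswitch lookup means the malware executed on the client, even if
            # the domain resolved and the payload then exited without encrypting.
            if domain_matches(m["qname"], KILLSWITCH_DOMAINS):
                alerts.append(("killswitch_lookup", m["client"], m["qname"]))
            continue
        m = FW_RE.match(line)
        if m:
            if int(m["dport"]) != SMB_PORT or m["action"] != "allow":
                continue
            src, dst = m["src"], m["dst"]
            if not is_internal(src):
                # SMB reachable from outside: the exposure MS17-010 exploitation relied on.
                alerts.append(("external_smb_allowed", src, dst))
            elif is_internal(dst):
                smb_targets[src].add(dst)
                if len(smb_targets[src]) == SMB_FANOUT_THRESHOLD:
                    # One host fanning out over SMB to many peers: worm-like lateral spread.
                    alerts.append(("smb_fanout", src, sorted(smb_targets[src])))
            continue
        m = AV_RE.match(line)
        if m and m["sha"].lower() in KNOWN_BAD_SHA256:
            alerts.append(("known_hash", m["host"], m["file"]))
    return alerts


# Constructed sample events (placeholders, not captured data).
SAMPLE_LOGS = [
    "2017-05-12T08:01:02Z dns client=10.0.0.5 query=killswitch-placeholder.example.",
    "2017-05-12T08:01:03Z fw src=203.0.113.9 dst=10.0.0.7 dport=445 action=allow",
    "2017-05-12T08:01:04Z fw src=10.0.0.5 dst=10.0.0.7 dport=445 action=allow",
    "2017-05-12T08:01:05Z fw src=10.0.0.5 dst=10.0.0.8 dport=445 action=allow",
    "2017-05-12T08:01:06Z fw src=10.0.0.5 dst=10.0.0.9 dport=445 action=allow",
    "2017-05-12T08:01:07Z fw src=10.0.0.6 dst=10.0.0.7 dport=443 action=allow",
    "2017-05-12T08:01:08Z dns client=10.0.0.6 query=www.example.com",
    "2017-05-12T08:01:09Z av host=ws-17 file=C:\\Users\\user\\placeholder.exe sha256=" + "0" * 64,
    "2017-05-12T08:01:10Z fw src=198.51.100.4 dst=10.0.0.7 dport=445 action=deny",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(*alert)
```

Running the block on the constructed sample produces four alerts: the killswitch lookup from 10.0.0.5, the allowed external SMB connection from 203.0.113.9, the SMB fan-out from 10.0.0.5 once it reaches three peers, and the known-hash hit on ws-17. The denied connection and the port 443 traffic are ignored. The fan-out threshold is deliberately low for the sample; in production it would be tuned against the normal SMB behaviour of file servers and administrative hosts.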
The monthly report also includes recommendations to reduce the chances that organizations are exposed to the original SMB vulnerabilities, as well as recommendations to reduce potential exposure to any ransomware, including WannaCry.
WannaCry was, and is, big news. The NTT Security Monthly Report for May 2017 focuses on providing practical details relating to the attack and the underlying SMB vulnerabilities. If you want a detailed description of what WannaCry really means, read the report.