DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. From 21 April 2017 onward, security researchers reported tens of thousands of computers with the DoublePulsar backdoor installed; by 25 April, estimates put the number of infected computers at up to several hundred thousand, with the count rising daily. WannaCry uses an existing DoublePulsar infection where one is present, and otherwise installs the backdoor itself. On 9 May 2017, the private cybersecurity company RiskSense released code on GitHub with the stated purpose of letting authorized (white-hat) penetration testers test the CVE-2017-0144 exploit against unpatched systems.
Experts quickly advised affected users not to pay the ransom, because there were no reports of victims getting their data back after paying and because high revenues would encourage further campaigns of this kind. As of 14 June 2017, after the attack had subsided, a total of 327 payments totalling US$130,634.77 (51.62396539 BTC) had been made.
Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies". In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security". Arne Schönbohm, president of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".
The attack also had political consequences. In the United Kingdom the impact on the National Health Service quickly became a political issue, with claims that the effects were exacerbated by government underfunding of the NHS; in particular, the NHS had ended its paid Custom Support arrangement with Microsoft, under which it continued to receive support for software that was otherwise out of support, including Windows XP. Home Secretary Amber Rudd declined to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of failing to act on a critical notice from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months earlier.
WannaCry spread across networks by exploiting a vulnerability in Microsoft's implementation of the old SMBv1 protocol (CVE-2017-0144, patched in MS17-010) and then encrypting the files on each host it reached. Victims, including institutions such as the UK's National Health Service, were told to pay a ransom to get their files back or lose them.
Five years since the infamous WannaCry ransomware strain swept corporate networks globally, we look back on its impact with fresh eyes. In the second of a two-part series, we explore why WannaCry is still so prevalent in certain corners of the world and how we might be able to finally defeat it.
One only has to go back to 2003 and the MS Blaster worm (also known as Lovsan or Lovesan), which first appeared in August of that year. After Chinese researchers reverse-engineered the Microsoft patch for Windows XP and Server 2003, others created variants that travelled laterally inside computer networks, easily bypassing perimeter protection.
Decrypting the encrypted files is not currently possible, but Symantec researchers continue to investigate the possibility. If you have backup copies of affected files, you may be able to restore them. Symantec does not recommend paying the ransom.
In some cases files can be recovered without backups. Files on the Desktop, in My Documents, or on a removable drive are encrypted and their originals are overwritten (wiped); these cannot be recovered. Files stored elsewhere on the computer are encrypted and their originals are simply deleted, so they may be recoverable with an undelete tool, provided the disk space they occupied has not since been overwritten. Power the machine down or image the disk before attempting recovery rather than keep using it.
Two weeks into the WannaCry aftermath, response teams are getting back to normal, organizations are re-evaluating their infrastructures, and even the bitcoin payments the fraudsters were collecting have almost stopped trickling in.
Having analyzed the malware and seen that it generated random IP addresses to scan, X-Force researchers went back to the data to look for those ingredients, on the theory that WannaCry was indeed that sort of worm.
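The "ingredients" mentioned above, a burst of connections to TCP/445 aimed at destinations scattered across the address space, are what a responder can look for in flow or firewall logs. The following is an added example for this page, not X-Force's tooling: it parses constructed flow records and flags any source that contacts many distinct hosts on port 445 within a short window, reporting how scattered those targets are. The record format, the window length and the threshold are assumptions.

```python
"""Flag hosts that probe TCP/445 the way a WannaCry-style worm does.

Added example for this page; not X-Force's code. The flow records are
constructed, and the window and threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>".
# 10.0.5.23 is an ordinary client using a few file servers; 10.0.5.77 sweeps
# its own /24 and then a spread of unrelated public addresses on port 445.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.5.23 10.0.5.10 445
2017-05-12T10:00:02 10.0.5.23 10.0.5.10 445
2017-05-12T10:00:05 10.0.5.23 10.0.5.11 445
2017-05-12T10:00:09 10.0.5.23 10.0.5.10 139
2017-05-12T10:00:30 10.0.5.23 10.0.5.12 445
2017-05-12T10:01:00 10.0.5.77 10.0.5.1 445
2017-05-12T10:01:00 10.0.5.77 10.0.5.2 445
2017-05-12T10:01:01 10.0.5.77 10.0.5.3 445
2017-05-12T10:01:01 10.0.5.77 10.0.5.4 445
2017-05-12T10:01:02 10.0.5.77 45.33.32.156 445
2017-05-12T10:01:03 10.0.5.77 91.121.8.14 445
2017-05-12T10:01:04 10.0.5.77 178.62.100.5 445
2017-05-12T10:01:05 10.0.5.77 104.16.2.2 445
2017-05-12T10:01:06 10.0.5.77 13.57.8.9 445
2017-05-12T10:01:07 10.0.5.77 185.199.108.1 445
2017-05-12T10:01:08 10.0.5.77 66.249.66.1 445
2017-05-12T10:01:09 10.0.5.77 151.101.1.69 445
2017-05-12T10:01:10 10.0.5.77 199.232.44.1 445
2017-05-12T10:01:11 10.0.5.77 23.45.67.89 445
2017-05-12T10:01:12 10.0.5.77 52.8.9.10 445
2017-05-12T10:01:13 10.0.5.77 34.200.1.2 445
2017-05-12T10:01:14 10.0.5.77 77.88.55.66 445
2017-05-12T10:01:15 10.0.5.77 200.100.50.25 445
2017-05-12T10:01:16 10.0.5.77 142.250.72.14 445
2017-05-12T10:01:17 10.0.5.77 8.8.4.4 445
2017-05-12T10:01:18 10.0.5.77 1.1.1.1 445
2017-05-12T10:01:19 10.0.5.77 157.240.1.35 445
2017-05-12T10:01:20 10.0.5.77 95.100.200.1 445
2017-05-12T10:01:21 10.0.5.77 41.79.101.1 445
"""


def parse_flows(text):
    """Parse whitespace-separated records into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: stats} for sources that reached >= min_targets distinct
    hosts on TCP/445 inside any window of the given length.

    stats holds: targets (distinct hosts), slash8s (distinct first octets,
    a crude measure of how scattered the targets are) and public (targets
    outside private/reserved space). A worm picking random addresses scores
    high on all three; a client talking to a few file servers does not.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        busiest = set()
        lo = 0
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] > window:   # slide the window start forward
                lo += 1
            seen = {dst for _, dst in events[lo:hi + 1]}
            if len(seen) > len(busiest):
                busiest = seen
        if len(busiest) >= min_targets:
            hits[src] = {
                "targets": len(busiest),
                "slash8s": len({d.split(".")[0] for d in busiest}),
                "public": sum(1 for d in busiest if ipaddress.ip_address(d).is_global),
            }
    return hits


if __name__ == "__main__":
    for src, stats in smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {stats}")
```

Tune `min_targets` and `window` to your environment: vulnerability scanners and backup servers legitimately touch many hosts on 445, but they stay inside known ranges, which is why the scattered-target counters matter more than the raw count.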
Computer worms, rapidly self-replicating programs, are as old as the internet itself. As far back as 1949, John von Neumann worked out the theory of self-reproducing automata that would later lead to the first computer worm, that is, self-replicating code. Two decades later, in 1971, the first actual worm, Creeper, moved between hosts on the ARPANET. Worms have not stopped appearing since.
As long as that domain, and one other discovered and sinkholed by a different researcher, remain registered and reachable, the ransomware will not spread. Which brings us back to our lulz-pirates.
Segment the network: The reality is, you are going to be breached. When that happens, you want to limit the impact of that event as much as possible. The best defense is to segment the network. Without proper segmentation, ransomworms like WannaCry can easily propagate to backup stores, making other parts of your incident response (IR) plan much more difficult to implement. Segmentation strategies, including microsegmentation in virtual environments, and macro-segmentation between physical and virtual networks, allow you to proactively and/or dynamically isolate an attack, thereby limiting its ability to spread.
The good news is that, even at the time WannaCry burst onto the internet, a patch closing the hole that ETERNALBLUE exploits was already available: Microsoft had issued it two months earlier, as MS17-010 in the March 2017 Patch Tuesday update.
The way it works is that once it infects a computer, it encrypts (scrambles) the user's data and then displays a screen demanding payment to get access back. Typically the demanded price increases over time, and the note threatens to destroy the files when a countdown expires.
According to MalwareTech, the ransomware kept infecting users because the domain it checked was unregistered; the kill switch had been hard-coded into the malware, presumably so the author could stop it spreading. Before spreading, the malware makes an HTTP request to a very long, meaningless domain name, as if it were looking up any website. If the request succeeds, showing the domain is live, the kill switch engages and the malware stops spreading.
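The check described above is simple, but its failure modes decide whether a given network is protected by the sinkhole. The block below is an added example for this page, not the malware's code: it models the kill-switch request with an injected network stand-in so it runs offline, and walks through the unregistered, sinkholed and proxy-only cases. It goes beyond the paragraph in one respect: the request WannaCry made did not use the system proxy settings, so hosts on networks that only reach the internet through an explicit proxy never see the domain as live even after the sinkhole, and one mitigation that follows is answering the domain from internal DNS. The domain name in the code is a placeholder, not the real kill-switch domain.

```python
"""Model of the WannaCry kill-switch check and the cases in which it fails.

Added example for this page; it is not the malware's code. The domain name
is a placeholder (the real one is not reproduced here) and Network is a
constructed stand-in for the host's view of the internet.
"""
from dataclasses import dataclass

KILL_SWITCH_DOMAIN = "placeholder-killswitch-domain.invalid"  # assumption, not the real domain


@dataclass
class Network:
    """What a direct, proxy-less HTTP request from an infected host sees."""
    domain_registered: bool          # public DNS resolves the domain (registered/sinkholed)
    proxy_only: bool = False         # internet HTTP only works via an explicit proxy
    internal_sinkhole: bool = False  # defender answers the domain from an internal DNS zone

    def get_direct(self, host):
        """Emulate a direct HTTP GET to `host`, ignoring any configured proxy,
        which is how WannaCry issued the request. Raises OSError on failure."""
        if self.internal_sinkhole:
            return 200                      # resolves to a LAN host; reachable directly
        if not self.domain_registered:
            raise OSError("NXDOMAIN")       # nobody has registered the domain yet
        if self.proxy_only:
            raise OSError("no direct route to the internet")
        return 200


def kill_switch_tripped(net, domain=KILL_SWITCH_DOMAIN):
    """True when the request succeeds, i.e. the worm sees the domain as live."""
    try:
        net.get_direct(domain)
        return True
    except OSError:
        return False


def worm_will_spread(net):
    """The worm only continues to its scanning routine when the check fails."""
    return not kill_switch_tripped(net)


def scenarios():
    """Whether the worm spreads in four network situations (True = spreads)."""
    return {
        "unregistered": worm_will_spread(Network(domain_registered=False)),
        "sinkholed": worm_will_spread(Network(domain_registered=True)),
        "sinkholed_behind_proxy": worm_will_spread(Network(domain_registered=True, proxy_only=True)),
        "internal_sinkhole_behind_proxy": worm_will_spread(
            Network(domain_registered=True, proxy_only=True, internal_sinkhole=True)),
    }


if __name__ == "__main__":
    for name, spreads in scenarios().items():
        print(f"{name}: {'SPREADS' if spreads else 'halts'}")
```

The third scenario is the one that caught organisations out after the sinkhole went up: a proxy-only or isolated network behaves exactly like the internet before the domain was registered. Whatever the kill switch does, it stops new infections only on that host; files already encrypted stay encrypted, and the fix remains patching MS17-010 and blocking SMB where it is not needed.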
The malware also installed the DoublePulsar backdoor (part of the Shadow Brokers leak) after infection. It was also reported that the malicious code would use an existing DoublePulsar backdoor, possibly planted in an earlier attack, even where the EternalBlue exploit failed. The backdoor gives the intruder remote access to the compromised device, which can be used to deliver additional malware or to exfiltrate data.
Following the WannaCry outbreak, several pressing cybersecurity matters came to the fore: the importance of secure and regular backups, of proactive security software, of keeping up with the latest security patches, and of isolating sensitive systems.
To better ensure that attack entry points are covered, organizations need to follow a multi-layered defense approach. This should entail not only periodically patching software flaws and ensuring the backup of sensitive systems, but also the use of interconnected protection technologies. These solutions include essential threat prevention and remediation mechanisms, such as Next-Gen Antivirus & Firewall, DNS Filtering at the endpoint and perimeter level, Email Security, and Privileged Access Management (PAM).
There are many lessons to learn from the spread of the WannaCry ransomware attacks across the globe. One lesson that needs more attention is the danger that exists when a government attempts to create mandatory backdoors into computer software and systems.
Most importantly, however, it teaches us that a backdoor required in one nation opens up the data and devices of users everywhere in the world. Over 150 countries suffered the effects of the WannaCry ransomware. Over 150 countries will also have their systems exposed if any one country succeeds in mandating a backdoor in the devices and software upon which we all rely.
Yesterday, Sophos CTO Joe Levy dissected the outbreak. He showed how it spread on the back of an NSA exploit for Microsoft Windows SMB, which was leaked last month by the Shadow Brokers hacking group. Levy gave the technical perspective on what happened, how the attack worked, the timeline of events, how this latest attack can be prevented, and what to do now.
Experts are advising anyone running a device with a Windows operating system to update Windows and any anti-virus products as soon as possible. If you have already fallen victim to a WannaCry attack, experts say it is highly unlikely that paying the ransom will get your files back.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR, a persistent backdoor generally used to access and execute code on previously compromised systems, which allows additional software such as malware to be installed and run. The backdoor is typically installed after successful exploitation of the SMB vulnerabilities addressed in Microsoft Security Bulletin MS17-010, and it belongs to the offensive exploitation framework released as part of the Shadow Brokers cache that was recently made public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.