What WannaCry Means for Windows

Bluelock

By: R. Scott Raynovich


Important details about the origins and propagation of the WannaCry ransomware virus remain unknown, but the damage done by the cyber attack highlights ongoing concerns about security the Windows operating system (OS) and leaves some key takeaways for security professionals.

WannaCry is "ransomware" that locks down a system and then asks the victim for a ransom payment to unlock the files. The virus exploits vulnerabilities in Windows, primarily Windows 7. Once it has infected a victim on a network, it can propagate itself using worm-like techniques of computer viruses, looking for similar exploitable systems where it copy itself. However, many security experts say they still don't know how WannaCry initially infects victims, though it is suspected to use phishing techniques.

Many security experts have concluded that WannaCry used the EternalBlue hacking tool developed by the National Security Agency (NSA) and leaked by Shadow Brokers, a global hacking organization. However, the WannaCry perpetrators appear to have borrowed the code from Shadowbrokers and have proven to be miserable businesspeople -- the ransomware techniques appear "amateurish," according to many experts, explaining why few people have paid the ransom.

Most estimates put WannaCry's impact at more than 150 countries and millions of systems. It is estimated to have caused billions of dollars in damage.

WannaCry is targeted at Windows operating systems (OSes) and primarily Windows 7, which has led to some criticism of Microsoft for slow updates and limited support for this older generation OS. Windows 7 accounts for 67 percent of infections, according to data from BitSight, as reported by Reuters. Older operating systems such as Windows XP appear to be playing a smaller role, and Windows 10, Microsoft's latest OS, accounts for only 15 percent of infections.

WannaCry appears to have struck organizations who have not been vigilant in updating patches and plugging known vulnerabilities in Windows.

"I think more than anything it was a wake up call about configuration governance and patching," said Anthony Cochenour, the Founder and President of Hoplite Industries, a security firm based on Bozeman, MT. "On March 7 Microsoft pushed out a patch [that would have stopped it]."

Cochenour says WannaCry has mostly affected organizations that were not updating Windows configurations and patches. The bulk of infections are focused on China and Russia, which combined represent more than half of all infections worldwide. Infection levels remained high as recently as Friday, according to many security reporting services.

The origins and methods of WannaCray propagation remain a mystery at this point. According to Kaspersky Lab, from the RSA website earlier this week:

“To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DoublePulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DoublePulsar backdoor which might have been installed in a previous attack."

The bottom line is that WannaCry shows how global connected systems are remarkably vulnerable to modern viruses -- but also that regular security hygiene can reduce many risks.

If you're running Windows and you haven't secured your computer, take a look. According to Bitdefender, you should follow these steps:

1. Disable your computer's Server Message Block service.
2. Install Microsoft's patch.
3. Back up your data on an offline hard drive.
4. Install all Windows updates.
5. Use security software to prevent attacks in the future.

Some more highlights on WannaCry:

Oddities in WannaCry ransomware puzzle cybersecurity researchers (Reuters)

Microsoft held back a free WannaCry patch, report says (CNET) https://www.cnet.com/news/micr...

The 'WannaCry' malware: A public service announcement indirectly from the NSA
(LA Times)