Global Weekly Executive Summary, May 24, 2017

By MDL on May 29, 2017

All About WannaCry

What is WannaCry?
WannaCry is a global ransomware attack that began spreading quickly on Friday, May 12th, eventually affecting at least 300,000 computers in 150 countries around the world.
WannaCry, also called WanaCryptOr, attempts to gain access to a computer remotely, encrypts the files on the computer to prevent users from accessing their own files, then demands that a $300 ransom be paid to unlock those files. Once a host is infected, WannaCry also works to spread itself to other hosts.

WannaCry is also significant because it was made up of exploits allegedly created by the National Security Agency and later stolen and leaked by the Shadow Brokers hacking group.


How does it work?
WannaCry is crypto-ransomware with a worm component that exploits a Windows SMB vulnerability that can cause some versions of Windows to “allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” (Microsoft Security Bulletin MS17-010 – Critical).

WannaCry combines an exploit tool with a backdoor tool to gain access and then load the ransomware package onto an exploited system. EternalBlue, an exploit tool allegedly created by the NSA and later stolen and leaked by the Shadow Brokers hacking group, is used to gain access and execute code remotely. DoublePulsar, purportedly another leaked NSA tool, is a backdoor tool that is used to load the ransomware package onto the exploited system.
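The worm component described above spreads by contacting many SMB peers in quick succession, which is visible in network logs as one source fanning out to many distinct destinations on TCP 445 (the SMB-over-TCP port). The following Python script is an added example, not code from this summary or the CSCC reports: it runs a fan-out check over constructed firewall log lines, and the log format and alert threshold are assumptions.

```python
"""Flag hosts whose outbound connection pattern matches SMB worm propagation."""
from collections import defaultdict

# Constructed sample of firewall connection logs (not from any real incident):
# "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2017-05-12T10:01:02 10.0.0.5 10.0.0.17 445 ALLOW
2017-05-12T10:01:02 10.0.0.5 10.0.0.18 445 ALLOW
2017-05-12T10:01:03 10.0.0.5 10.0.0.19 445 DENY
2017-05-12T10:01:03 10.0.0.5 10.0.0.20 445 DENY
2017-05-12T10:01:04 10.0.0.5 10.0.0.21 445 DENY
2017-05-12T10:01:04 10.0.0.5 10.0.0.22 445 DENY
2017-05-12T10:01:05 10.0.0.5 198.51.100.7 445 DENY
2017-05-12T10:01:05 10.0.0.5 198.51.100.8 445 DENY
2017-05-12T10:02:00 10.0.0.9 10.0.0.2 445 ALLOW
2017-05-12T10:02:10 10.0.0.9 10.0.0.2 445 ALLOW
2017-05-12T10:02:30 10.0.0.9 10.0.0.3 443 ALLOW
"""

SMB_PORT = 445          # TCP port used by SMB over TCP (SMBv1 included)
FANOUT_THRESHOLD = 5    # distinct SMB targets per source before alerting (assumed tuning value)


def parse_log(text):
    """Yield (src, dst, port) tuples from whitespace-separated log lines; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, dst, port, _action = fields
        if port.isdigit():
            yield src, dst, int(port)


def smb_fanout(text):
    """Map each source IP to the set of distinct destinations it tried to reach on SMB_PORT."""
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port == SMB_PORT:
            targets[src].add(dst)
    return targets


def suspected_scanners(text, threshold=FANOUT_THRESHOLD):
    """Return (source, target_count) pairs at or above the threshold, busiest first.

    A normal workstation talks SMB to a handful of file servers; a worm-infected host
    tries many distinct peers (including addresses outside the LAN) in a short time.
    """
    fanout = smb_fanout(text)
    flagged = [(src, len(dsts)) for src, dsts in fanout.items() if len(dsts) >= threshold]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for src, count in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: {count} distinct SMB targets (possible worm propagation)")
```

Blocked (DENY) attempts count the same as allowed ones, since the attempt itself is the signal; tune the threshold against your own baseline of legitimate SMB clients.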

For more detailed technical information, read our CSCC reports.

WannaCry Vulnerabilities Report

WannaCry Forensics Report

Why is WannaCry important?

WannaCry is significant because of: 1) who was affected, 2) how many were affected, 3) how quickly it was able to spread even when working security patches were available, and 4) what this incident tells us about our preparation for the next global cybersecurity threat.

Who was affected?

At least 300,000 computers were infected worldwide, with the largest percentage of infected machines used in telecommunications. A Dark Reading article reports that over 15% of the victims worldwide were in the telecom sector.

Countries

The countries most affected were Russia, China, Taiwan, Ukraine, and the US, but Russia and China made up the bulk of infections. China had four times the number of infected machines as the US. Russia had five times the number of infections as the US. The UK, India, Brazil, and Japan were also significantly affected.

Organizations

Notable organizations affected include: FedEx (US), Russian Interior Ministry, National Health Service (NHS) (UK), Sberbank (state-owned banking and finance company) (Russia), PetroChina (state-owned oil and gas company), four State Governments in India, Hitachi, Nissan Manufacturing (UK), Saudi Telecom Company.

Sectors

The ransomware attack hit critical infrastructure sectors hard, affecting government, telecommunications, finance and banking, healthcare, manufacturing, transportation, law enforcement, and educational organizations across the globe. A partial list of affected countries and organizations is given below.
Government: Ministry of Internal Affairs of the Russian Federation, Ministry of Foreign Affairs (Romania), State Governments of Kerala, Gujarat, Maharashtra, and West Bengal (India), Chinese Public Security Bureau, Timrå Municipality (Sweden).
Telecommunications: Telefónica Europe, Saudi Telecom Company, telecom companies in Portugal, Hungary, and South Africa.
Financial: Sberbank (Russia)
Healthcare systems/ Hospitals: National Health Service (England), NHS Scotland, hospitals in Indonesia, Slovakia, and Canada
Manufacturing: Nissan Motor Manufacturing UK, Renault (France), Hitachi, Automobile Dacia (Romania)
Transportation: Deutsche Bahn (Germany), LATAM Airlines Group (throughout S. America), Russian Railways
Education: Universities and educational organizations in the Netherlands, Greece, China, Canada, Colombia, Indonesia, Italy
Law enforcement/ Justice: India, Brazil

Operating Systems

Machines running Windows 7 operating systems made up 98% of computers affected by WannaCry. Despite early fears that XP would be most susceptible to infection, an error in WannaCry’s code resulted in reduced infection rates on XP machines, leading cybersecurity provider Kaspersky to describe XP infections as “negligible.” Windows Server 2008 R2 clients were also affected but made up just 1% of total infections (The Verge).

The fact that WannaCry was most effective against the Windows 7 OS is significant because Windows 7 is still the most commonly used desktop operating system in the world. According to web analytics firm NetMarketShare, 48.5% of desktop computers worldwide are running Windows 7 (NetMarketShare). An attack that targets the most used version of the most common operating system in the world can cause global disruption even if, as in the case of WannaCry, tech and infosec organizations work quickly to contain the damage and keep WannaCry from spreading.

Microsoft patched the SMB vulnerability a month before the flood of infections began and made patches freely available for even unsupported operating systems just a day after news of the infections began to spread.
Security researchers around the world worked both independently and collaboratively across organizations and borders to contain the effects of the ransomware by finding and activating a kill switch and crafting fixes that allowed some affected users to recover their locked data.


Lessons learned:

The ultimate lesson learned is this: if we view WannaCry as a test, a practice run for a big, crippling global cyberattack that could come someday, then the world may not be ready. But while not everyone is ready, we now know that there are IT and infosec workers in place around the world who are ready to spring into action to defend and fix security problems that arise quickly, competently, cooperatively, tirelessly, altruistically. Everyone else should do what they can to help. Upgrade, patch, back up, pay attention, catch up.

For more best practices and tips on dealing with WannaCry, read our WannaCry Best Practices report.