A picture of a London newsstand on Saturday, May 13, 2017, the day after the WannaCry ransomware cyberattack struck. (Picture by Jason Steer, Menlo Security, Inc.)
The title is a quote from American Major League Baseball Hall of Fame catcher of the New York Yankees, the late, great Yogi Berra, known maybe as much for his malapropisms as his baseball talent.
But that quote is appropriate when discussing the worldwide ransomware attack, known by the multiple names given to the ransomware at the heart of it – WCry, WannaCrypt0r, WannaCryptor, WannaDecryptor, WannaCrypt. Let’s just call it WannaCry for short.
If you’ve gone native and have turned off your phone, the Internet, gone on radio silence, unplugged, been incommunicado, or simply been residing in a cave since Thursday night (May 11, 2017) or early Friday morning (May 12, 2017), here’s a quick recap:
Around 8:00 AM CET on Friday, May 12, 2017, reports of a ransomware attack on businesses in Spain started circulating around the web, and then all technological Hell broke loose. At last count, according to Director of Europol Rob Wainwright, the WannaCry ransomware attack has affected over 200,000 victims in over 150 nations around the world.
It spread quickly around the globe because it was leveraging a known vulnerability in Microsoft Windows operating systems, stretching from the legacy Windows XP to Windows Server 2012. The security exploit is dubbed EternalBlue. The EternalBlue exploit was developed by the U.S. National Security Agency (NSA), but was stolen and released into the wild by the hacking group, The Shadow Brokers, during the summer of 2016. The security exploit could enable a remote code execution (RCE) attack on servers running the Microsoft Server Message Block version 1.0 (SMBv1) protocol via specially crafted messages. Microsoft released a critical security update, MS17-010, on March 14, 2017, to address the exploit.
However, the update was apparently not adopted by many organizations, leaving their systems unpatched and vulnerable to this exploit. In addition, the original Microsoft security update/patch did not address systems running the legacy Windows XP operating system, which Microsoft had ended public support for in 2014. And, according to reports published from over a year ago, upwards of 180 million computers worldwide were still using Windows XP, and about 95 percent of all automatic teller machines around the globe are still running Windows XP as their OS.
This, unfortunately, left many organizations defenseless for the next step in this cyberattack, the WannaCry ransomware. The WannaCry ransomware sought out systems and servers that had not been patched against the EternalBlue exploit, and deposited its malicious payload. It’s still unknown how the WannaCry ransomware attack was initiated. Some experts speculate it could have been a phishing or surgical spear-phishing attack delivered via email with a web link that, once clicked, downloaded the ransomware. Or, it may have been a phishing or spear-phishing attack with malicious, ransomware-laden attachments. Still other pundits speculate it could have been a drive-by download or even a targeted watering hole attack. It’s not known at this time who Patient Zero is, what the catalyst was, or how they became infected. (But one thing is for sure: if Patient Zero did click on a web link in a phishing or spear-phishing email, or did go to a malicious website accidentally, or was driven to it in a watering hole attack, and their organization had deployed isolation, then the WannaCry ransomware attack could have been prevented.)
As of Saturday, May 13, 2017, though, it appeared that the reign of WannaCry ransomware terror had abated thanks to a security researcher known simply as MalwareTech, who determined that a previously unregistered web domain in the ransomware code might hold the key to stopping the attack. He simply registered the web domain, and the ridiculously fast spread of the WannaCry ransomware was stopped. For now. Because the sinkhole that MalwareTech created doesn’t prevent the ransomware developers from removing the domain check that served as an inadvertent kill-switch and relaunching their cyberattack. So, updating Windows devices via MS17-010 needs to happen as soon as possible.
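The two behaviours described above, the worm sweeping TCP/445 for unpatched SMBv1 hosts and the lookup of the kill-switch domain, are both visible in ordinary firewall and DNS logs. The following triage script is an added example, not code from the original post or from Menlo Security; the log format, the host addresses and the kill-switch domain name are constructed placeholders (the real domain is not named in this post).

```python
# Added example: flag hosts showing WannaCry-style behaviour in constructed firewall/DNS logs.
from collections import defaultdict

KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}  # placeholder; the real domain is not in this post
SMB_FANOUT_THRESHOLD = 20  # distinct TCP/445 peers inside the window before a host is flagged
WINDOW_SECONDS = 60

def parse_line(line):
    """Parse one constructed record: 'ts CONN src dst dport' or 'ts DNS src qname'."""
    parts = line.split()
    if len(parts) == 5 and parts[1] == "CONN":
        return {"ts": int(parts[0]), "kind": "conn", "src": parts[2],
                "dst": parts[3], "dport": int(parts[4])}
    if len(parts) == 4 and parts[1] == "DNS":
        return {"ts": int(parts[0]), "kind": "dns", "src": parts[2],
                "qname": parts[3].lower().rstrip(".")}
    return None  # unknown record shape is ignored, not treated as a finding

def detect(lines):
    """Return {host: set(findings)} for hosts that look like a WannaCry spreader."""
    findings = defaultdict(set)
    smb_peers = defaultdict(list)  # src -> [(ts, dst)] for recent TCP/445 connections
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "dns" and rec["qname"] in KILL_SWITCH_DOMAINS:
            # The sample checks this domain before deciding whether to run; an
            # internal host resolving it is an infection indicator.
            findings[rec["src"]].add("kill-switch domain lookup")
        elif rec["kind"] == "conn" and rec["dport"] == 445:
            hist = smb_peers[rec["src"]]
            hist.append((rec["ts"], rec["dst"]))
            while hist and hist[0][0] < rec["ts"] - WINDOW_SECONDS:
                hist.pop(0)  # drop connections that fell out of the sliding window
            if len({dst for _, dst in hist}) >= SMB_FANOUT_THRESHOLD:
                findings[rec["src"]].add("smb445 fan-out")
    return dict(findings)

# Constructed sample: 10.0.0.9 repeatedly talks to three file servers (benign),
# 10.0.0.5 sweeps a /24 on port 445 and resolves the kill-switch domain (worm-like).
SAMPLE_LOG = ["1494576000 DNS 10.0.0.5 killswitch-domain.example"]
SAMPLE_LOG += [f"1494576{i:03d} CONN 10.0.0.5 10.0.0.{100 + i} 445" for i in range(25)]
SAMPLE_LOG += [f"1494576{i:03d} CONN 10.0.0.9 10.0.0.{50 + (i % 3)} 445" for i in range(25)]

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_LOG).items():
        print(host, sorted(hits))
```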
As the MS17-010 critical security update did not address the EternalBlue security vulnerability in Windows XP and several other legacy Windows operating systems, Microsoft, in an unprecedented move, released a public patch on Saturday, May 13, 2017, to address the EternalBlue exploit in Windows XP, Windows 8 and Windows Server 2003 devices, all operating systems that have only been eligible for custom or special support lifecycle options for a number of years. Microsoft also released customer guidance to address the WannaCry ransomware.
But some security researchers report that they are already seeing copycat variants of the WannaCry ransomware, this time without a kill-switch.
Now we are facing the Monday 9:00 AM security issue; that is, when the workday begins in Sydney, then Tokyo, then Hong Kong and Singapore, and onward across the globe. Will there be a residual effect from Friday’s WannaCry attack? Remember: The WannaCry attack started around 8:00 AM CET and spread rapidly. However, businesses in Australia and Asia were just closing for the weekend. So, what happens when users turn on their systems first thing Monday morning? Will the WannaCry ransomware have already locked them out and held their data ransom?
Yogi Berra was right: It really ain’t over til it’s over.
One way to ensure that you, your users, and your organization are protected from ransomware attacks spread by phishing, spear-phishing, drive-by download, and watering hole attacks is to isolate in the cloud any web or document link clicked on. Menlo Security can help.