The first global ransomware campaign that disrupted several organizations including hospitals across the world sees the Department of Homeland Security’s cybersecurity arm issue a threat alert over the weekend.
The sweeping ransomware menace known as WannaCry has impacted tens of thousands of computers in as many as 100 countries around the world, including the likes of the United States, Spain, Russia, France and Japan. Discovered on the morning of May 12, 2017 by an independent security researcher, the ransomware spread rapidly, demanding a ransom of $300 in bitcoin.
“Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability,” read an alert issued by the DHS US-CERT, the United States Computer Emergency Readiness Team.
Microsoft has previously released a security update for the exploit on March 14, 2017. The software giant has also released patches for now-unsupported operating systems including Windows XP, Windows 8 and Windows Server 2003 on May 13, 2017.
Phishing emails remain a possible infection vector, according to the official advisory.
Official Initial Analysis
Initial analysis of the ransomware conducted by US-CERT points to an AES-encrypted DLL, which during runtime sees the loader write a file to disk titled “t.wry”. From here on in, the malware uses an embedded 128-bit key to decrypt this file. When loaded into the parent process, the DLL is revealed as the ransomware that encrypts user’s files. Notably, the WannaCry DLL is never noticed by antivirus software scans nor does it appear exposed on the disk due to its cryptographic loading technique.
When loaded, the DLL begins encrypting files on the victim’s system with 128-bit AES encryption. Every file sees a random key generated.
The malware then access the resources that the victim’s machine has access to, allowing it to spread itself on a compromised network.
“This malware is designed to spread laterally on a network by gaining unauthorized access IPC$ share on network resources on the network on which it is operating,” the notice stated.
The ransomware does not discriminate, in that, it targets both home users and businesses.
Notably, the advisory recommended victims not to pay the ransom.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
The advisory, which can be read in full here, also details steps toward applying Microsoft’s patch.
Remediation steps include contacting law enforcement, specifically a local FBI field office, to request assistance.
Other tips for safeguarding against future ransomware attacks include up-to-date antivirus software, close scrutiny to email links and automated data backups.
Image credit: Wikimedia.