WannaCry: A Stark Wake-up Call

16 May 2017
Posted in: 

Ransomware in the Headlines

On Friday the world witnessed once more the global effect of malware and ransomware. By the end of Friday, over 200,000 computers from over 100 countries were infected by ransomware’s latest incarnation WannaCry. The creators of WannaCry managed to extract of 25,000 USD worth of Bitcoin in the few hours it was active. Ransomware is simply a form of malware which once executed encrypts files on your computer, you will then receive a ransom note informing that your files have been encrypted and in order to have access once more to your files you need to pay a ransom often within a certain timeframe.


An Unsophisticated Wildfire

Many cyber security experts and analysts agree that WannaCry is by far not the most advanced ransomware code encountered. What then enabled it to spread so quickly? Although the code itself was unsophisticated it leveraged an SMB exploit which was recently sent into the wild called EternalBlue dumped by the hacking group “The Shadow Brokers”. This SMB exploit had been patched but despite this, it is obvious that numerous computers and systems had not downloaded the patch making the computer vulnerable to attack. WannaCry is not new, it had been detected in March and a subsequent ineffective campaign in April as WCry. This version was not leveraged with EternalBlue, explaining why it was so ineffective.

Even the attack vectors used by the creators of WannaCry was ineffective. It relied on the traditional method of scam emails and malware droppers to execute the code. Another facet which shows how unsophisticated the attack was, there were only three Bitcoin accounts for payments. Normally more sophisticated attacks have an account for each infection. One should never pay the ransom, however, in this instance, it is most certainly not advised as with only three accounts it would be hard to trace payments. This would mean there would be even less of a guarantee in getting files decrypted despite paying the ransom.

Eventually, on Friday a security analyst going by the name of MalwareTech discovered a killswitch. The code was dependent on a single fake domain been accessed, once the domain was deemed fake by the system and couldn’t connect the code would execute. All MalwareTech did was purchase the domain, effectively prevented many further infections.


How 24/7 Monitoring Protects from Further Attacks

While this attack was unsophisticated it still caused millions of dollars’ worth of damage. Vijilan is uniquely positioned to combat such attacks and even far more sophisticated attacks. By offering 24/7 monitoring combined with highly trained security experts and advanced correlation rules any malicious code would be detected and could be dealt with speedily.

Even if the vulnerable system, like in this instance, was not patched the malicious code would have been detected by the advanced automatic detection system. Then the alert would be escalated to the Security Operations Center then the Incident Response Team. While much can be done to prevent such attacks the service offered by Vijilan serves as a further layer of protection to protect your data and fundamentally your livelihood.

Contact Us

Contact Us