NSA tools behind worldwide WanaCryptOr ransomware attack

A ransomware attack leveraging alleged NSA hacking tools that began hitting the U.K. National Health System earlier today, has spread globally, impacting FedEx and Spanish telecom Telefonica, and locking up tens of thousands of computers in 74 countries.

Early analysis has found that the attackers dropped WanaCryptOr 2.0 ransomware using an exploit tool released last month by the Shadow Brokers hacking group. The ransomware, also known as WannaCry, displays a ransom note demanding $300 in Bitcoin that must be paid within three days. The most widely hit countries so far are the Russian Federation, Ukraine, India and Taiwan, according to Kaspersky Labs. About 60,000 computers in total are infected.

The attacker has not yet been named. However, a 22-year-old independent cybersecurity researcher who tweets at @MalwareTechBlog and blogs at MalwareTech is being credited with helping mitigate the attack on Friday. He discovered that the malware, once on a target computer, attempted to contact a command and control website, the Telegraph reported. If the target computer was unable to connect to that website, the ransomware activated and took the computer hostage. If the connection succeeded, the malware simply terminated itself and did not install the ransomware.

The researcher used this to his advantage. The remote website's domain was for sale, so he bought it for a small sum; once the purchase went live, the domain began answering connections from all the infected computers, effectively turning off the attack.

"A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB host, which I provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all," he wrote.
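As an added defender-side example, not code from the article or from the researcher, the script below flags hosts in constructed DNS and firewall logs that either queried the kill-switch domain (which the article says infected machines contact before deciding whether to run) or fan out on TCP/445 like the SMB-scanning sample mentioned above. The domain name and the fan-out threshold are placeholders, since the article gives neither.

```python
"""Flag likely WannaCry activity in DNS and firewall logs (added example).
Two signals: a query for the kill-switch domain, and many distinct 445/tcp
destinations from one source. Domain and threshold are assumed placeholders."""
from collections import defaultdict

# Placeholder: substitute the real sinkhole domain from your threat intel.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"
SMB_FANOUT_THRESHOLD = 5  # distinct 445/tcp destinations per source (assumed tuning)

# Constructed sample logs. DNS format: "<src_ip> <rtype> <name>".
DNS_LOG = """\
10.0.0.5 A killswitch-domain.example
10.0.0.7 A update.example.org
10.0.0.9 A killswitch-domain.example
"""
# Constructed firewall log. Format: "<src_ip> <dst_ip> <dst_port>".
FW_LOG = """\
10.0.0.5 10.0.0.20 445
10.0.0.5 10.0.0.21 445
10.0.0.5 10.0.0.22 445
10.0.0.5 10.0.0.23 445
10.0.0.5 10.0.0.24 445
10.0.0.7 10.0.0.30 443
10.0.0.9 10.0.0.40 445
"""

def hosts_querying_killswitch(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Return the set of source IPs that resolved the kill-switch domain."""
    hits = set()
    for line in dns_log.splitlines():
        src, _rtype, name = line.split()
        if name.lower().rstrip(".") == domain:
            hits.add(src)
    return hits

def hosts_scanning_smb(fw_log, threshold=SMB_FANOUT_THRESHOLD):
    """Return source IPs that contacted >= threshold distinct hosts on 445/tcp."""
    dests = defaultdict(set)
    for line in fw_log.splitlines():
        src, dst, port = line.split()
        if port == "445":
            dests[src].add(dst)
    return {src for src, d in dests.items() if len(d) >= threshold}

def triage(dns_log, fw_log):
    """Combine both signals; a host showing both is the strongest candidate."""
    ks, smb = hosts_querying_killswitch(dns_log), hosts_scanning_smb(fw_log)
    return {"killswitch_query": ks, "smb_fanout": smb, "both": ks & smb}
```

A host in the "both" set has tried the kill-switch check and is spreading over SMB, so it should be isolated from the network before backups are reconnected.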

However, before the researcher was able to enact his plan the ransomware had spread globally.

“The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven't found yet,” wrote Malwarebytes researcher Pieter Arntz.


The vulnerability covered by MS17-010, which Microsoft patched in March, is exploited by the tool known as ETERNALBLUE and is used to inject the backdoor malware DoublePulsar, according to Cyberscoop. The malicious actors then use the backdoor to infect the target machine with WanaCryptOr.

The initial entry into a company is most likely through a phishing attack.

“It would be shocking if the NSA knew about this vulnerability, but failed to disclose it to Microsoft until after it was stolen. It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone's digital life safer," said Patrick Toomey, a staff attorney with the American Civil Liberties Union's National Security Project.

“The speed with which it's spreading is frightening. Ransomware becomes a significant nuisance if full backups of the systems weren't taken, dramatically increasing the recovery time if the ransom isn't paid,” said Gavin Millard, Tenable EMEA technical director.

The scattershot nature of the attack has also raised eyebrows with it hitting a variety of industries and countries.

“This kind of attack is indiscriminate in its nature, it will attack any machine that is not patched for the particular vulnerability, in this case MS17-010, that it is exploiting. This appears to be financially motivated, however that doesn't mean that there aren't other potential scenarios,” Owen Connelly, VP services at IOActive, told SC Media.

Phil Richards, CISO with Ivanti, called the persistence of this attack strong: infected systems – at least those whose owners do not pay the ransom – have to be powered down and rebuilt from scratch. All backups also have to be pulled off the network so they do not become ensnared.

“It isn't surprising that NHS haven't gotten to root cause yet. Since 90% of this type of ransomware comes in through phishing, my assumption went with the numbers. This ransomware enumerates accounts and systems when it infects a machine, so spreading to servers is also expected. Servers are more consistently available on the network than workstations. So far, this appears to be a Windows only ransomware, not affecting Linux or Mac.”

Because the attack is taking advantage of an already patched vulnerability some experts are calling it a failure on behalf of the victims to have left their systems unpatched.

“This is an example of the systemic failure of government and commercial firms to implement security, resiliency and appropriate privacy policies,” said Philip Lieberman, president of Lieberman Software.

John Bambenek, threat research manager at Fidelis Cybersecurity, said that the WannaCry attack demonstrates the serious consequences that can occur when a nation-state's zero-day exploit is leaked into the wild, even after a patch is developed. “This is the first time that a worm-like tool has been used in conjunction with ransomware that has created devastating impact against entire organizations," said Bambenek. "Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don't want to hold individual machines ransom but to take entire organizations hostage and surely we will see much more of this in the coming weeks.”