WannaCry
WannaCry is the largest ransomware attack. The attack started at 07:44 UTC on 12 May 2017 and was halted a few hours later at 15:03 UTC. In that time, it had spread to over 230,000 computers in 150 different countries. Companies/Agencies such as the NHS and Nissan Motor Manufacturing UK where massively crippled in this attack as they had tens of thousands of devices infected.
The widespread chaos caused by WannaCry was only possible due to a computer exploit, known as Eternal Blue, which had leaked onto the clear web a month ago.
EternalBlue
EternalBlue was a computer exploit developed by the NSA.
EternalBlue was created around 2012 when the NSA discovered an exploit in Microsoft’s SMB software. They decided to not alert Microsoft of this exploit for 5 years until learning about EternalBlue’s possible theft. On April 14, 2017, a hacking group known as the Shadow Brokers leaked it one month after Microsoft had released patches. Unfortunately, people were slow to update their software, leaving millions of devices vulnerable.
The Exploit
The Exploit attacks the Server Message Block(SMB) protocol. SMB was originally created in 1983 and is intended to provide shared access to files and printers across networks.
In 1996, Microsoft published an implementation of SMB 1.0. It was included in all Windows Machines and would be used for accessing shared resources on other computers.
A malicious attacker could craft a packet which would be miss-handled by the operating system due to the specific implementation of SMB 1.0. This would result in arbitrary code being executed on the victims computer.
Using this, a bad actor could run malicious commands on a victims computer from another device.
WannaCry
One month after the EternalBlue leaks, a ransomware worm was released in Asia.
The worm was released via a vulnerable SMB port and propagated on its own throughout the web. Once an infected machine was on a network, the worm would start looking for an open SMB port. It would then copy itself over to the victims machine using the EternalBlue exploit. Finally, it would encrypt all the data and demand payment in Bitcoin.
Stopping the attack
Marcus Hutchins is a computer science researcher from the UK. After becoming aware of the attack while on vacation, he began to reverse engineer the worm from his bedroom. He launched the worm in a virtual sandbox and monitored all the requests that the worm was performing.
The worm would make a request to an odd looking domain name which suggested that it was trying to contact a command and control server. After checking online, it was discovered that the domain wasn’t registered and Hutchins registered the domain at Kryptos Logic (his employer). He set up a server acting as a Honey pot so that he could monitor the rate of infected machines. However, once he had set setup the server, the worm would stop spreading, essentially becoming the killswitch for the worm. While the server and domain where online, WannaCry did not execute any further. Hutchins, and Kryptos Logic along side UK’s National Cyber Security Centre spent the next week defending the server from a variety of DDoS attacks which where trying to bring down the server and cause the worm to keep spreading.
Finally, french researchers discovered that WannaCry hadn’t cleared the prime numbers, used to generate the encryption keys, from the cache and a tool to retrieve this data and regenerate the keys was created and distributed.
Within 4 days of the outbreak, the rate of new infections had slowed to a trickle.
Two Years later
Two years after WannaCry, Hackers working for North Korea were accused for the cyberattack.
All seamed well until June 24, 2019. A worldwide outage caused by BGP routing leaks in verizon’s systems.
The killswitch did not go down during this outage. However, there were 220,000 attempted WannaCry executions during this time, showing that WannaCry is still active and dormant around the world. There are still millions of unpatched devices world wide.
Conclusion
I find this to be one of the most interesting topics in CS. I loved researching this and hope you find it just as interesting as I did.