The WannaCry ransomware burst into the spotlight over the weekend as reports of infections streamed in from around the globe. It was the stuff of a Hollywood techno-thriller, and we watched it unfold in real time. But how did WannaCry come to be? How did it infect so many computers so quickly? And, perhaps most importantly, how will organizations and individuals cope with the fallout?
What is MS17-010, and what does it have to do with WannaCry?
When Microsoft needs to alert its customers to a security concern, it creates bulletins and posts them to the TechNet site. They’re given a label and assigned a severity rating. MS17-010 is a bulletin Microsoft posted on March 14, 2017. It disclosed a set of Critical-rated vulnerabilities in SMBv1, the oldest version of the SMB file-sharing protocol; the one EternalBlue targets is tracked as CVE-2017-0144. That vulnerability is what WannaCry exploited to spread from computer to computer.
Who discovered the SMB vulnerability?
It wasn’t Microsoft, unfortunately. This nasty bug was discovered (and reportedly used) by the NSA, whose exploit for it was called EternalBlue. It went public in April 2017, roughly a month after Microsoft’s patch, when the Shadow Brokers group dumped a cache of NSA tools, EternalBlue among them, onto the Internet.
What is WannaCry / WCry / WDecryptor?
WannaCry is a strain of Windows ransomware that spreads using the EternalBlue exploit. It is a worm: malware that scans for vulnerable computers and propagates on its own, rather than relying on phishing emails or drive-by downloads.
How did WannaCry spread so quickly?
Several factors were involved. The biggest may be that large numbers of computers — potentially millions around the world — did not have Microsoft’s patch installed or ran versions of Windows for which there was no patch. That included legitimate Windows XP installs as well as pirated copies of Microsoft’s operating systems, which the company blocks from updating.
Tests by researchers showed that an unpatched computer that exposed SMB directly to the Internet could be infected in a matter of minutes.
Another contributing factor is that vulnerable systems tend to be concentrated, with some organizations having hundreds or thousands of unpatched computers deployed. Improperly configured firewalls were also to blame: inbound SMB connections from the Internet (TCP port 445) can be blocked with relative ease, but once a single machine on a flat internal network was infected, the worm could reach every other unpatched machine on it.
How did WannaCry become an international incident?
Those concentrated deployments of vulnerable computers? Many of them are found inside government agencies, banks, hospitals, telecom providers, manufacturers and universities. WannaCry didn’t discriminate.
It crippled Britain’s National Health Service and disrupted surgeries. It hit hospitals and health authorities in Canada, Colombia, Indonesia, and Slovakia. It infested government offices in Kerala, India, Russia’s Ministry of Internal Affairs and the Romanian Ministry of Foreign Affairs. Major corporations including FedEx, Hitachi, Nissan and Sandvik were hit.
With so many high-profile victims and remediation costs potentially climbing to billions of dollars, malware outbreaks don’t get much more serious than WannaCry.
Reactions to the outbreak
As the smoke began to clear, outrage around WannaCry shifted from the ransomware itself to the bug that made its spread possible. Many security experts have pointed to the WannaCry attacks as proof that the NSA shouldn’t “hoard” software vulnerabilities. There have also been accusations that Microsoft was complicit and the MS17-010 bug was actually a backdoor it allowed the NSA to utilize — though that has yet to be proven.
That certainly doesn’t seem to be the case. Microsoft president Brad Smith authored a post in which he blasted intelligence agencies for failing to disclose the vulnerabilities they discover. Smith said WannaCry “represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Can WannaCry or other malware based on EternalBlue infect my computer?
If your computers run Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 or Windows Server 2016 and you’ve installed all the recent updates (or at least those through March 2017, when MS17-010 shipped), you’re protected against this method of spreading. If your computers run Windows XP, Windows 8 or Windows Server 2003, which were already out of support, Microsoft released an emergency patch for them after the outbreak; download and install it immediately.
Another step you can take is disabling SMB version 1 on your computer. Microsoft has an easy-to-follow guide that will step you through the process. Most users won’t notice any difference after switching it off, but older devices such as NAS boxes, network printers and scanners, and any Windows XP machines on your network can speak only SMBv1, so check for those before you turn it off.
It’s also worth testing your router or firewall to see if port 445 — which is used by SMB — is blocked from the Internet. You Get Signal offers a free web-based tool. All you have to do to run it is click the number 445 next to SMB in the list of common ports. You should see a red flag icon and “Port 445 is closed.” Keep in mind that this only tells you whether the port is reachable from outside; WannaCry also spread between machines inside networks, so port 445 should be blocked between internal segments wherever file sharing isn’t actually needed.
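The following PowerShell script is an added example, not code from the original article or from Microsoft’s guide. It carries out the two steps above on a Windows host: report whether the SMBv1 server is enabled, switch it off, block inbound TCP 445 at the host firewall, and test whether port 445 on a given address answers. It assumes an elevated PowerShell session; the Get-SmbServerConfiguration, New-NetFirewallRule and Test-NetConnection cmdlets exist on Windows 8.1 / Server 2012 R2 and later, and the registry branch is the documented method for Windows 7 / Server 2008 R2. The target address 192.0.2.10 is a placeholder.

```powershell
# Added example: check and harden a Windows host against the MS17-010 / EternalBlue
# spread vector. Run from an elevated PowerShell prompt. Not the article's own code.

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the SMB1 server component enabled?
function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: no SMB1 value in the registry means the default (enabled).
    $val = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return [bool]$val.SMB1
}

# 2. Disable the SMB1 server (the side EternalBlue attacks). Windows 7 needs a reboot.
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 8.1 / 10: the SMB1 feature can be removed entirely (reboot required).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

# 3. Block inbound TCP 445 on every firewall profile (domain, private, public).
function Block-InboundSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 4. Does port 445 on $Target accept connections from this machine?
#    Run it from outside your network for the same answer the web tool gives,
#    and from inside to check lateral exposure between segments.
function Test-SmbExposed {
    param([string]$Target)
    $r = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

"SMB1 enabled before hardening: $(Get-Smb1State)"
Disable-Smb1
Block-InboundSmb
"SMB1 enabled after hardening:  $(Get-Smb1State)"
"Port 445 reachable on 192.0.2.10 (placeholder address): $(Test-SmbExposed -Target '192.0.2.10')"
```

Disabling the SMB1 server does not install the MS17-010 fix; it only removes the protocol the exploit needs, so apply the patch as well. Check for devices that still need SMBv1 before running Disable-Smb1 on a file server.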
What happens next?
In the short term, organizations and individuals alike need to pay more attention to security than ever before. Windows updates need to be installed as quickly as possible, particularly when Microsoft rates them Critical. Installing the MS17-010 update, for example, prevents not just WannaCry infections but any copycat malware that uses the same method to spread.
Highly sensitive systems — like industrial machines and medical equipment — need to be segmented from the rest of the network to prevent malware from spreading to places where it can cause actual physical harm to humans.
Looking ahead, Smith says “we need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.” He adds that governments need to “treat this attack as a wake-up call,” and points to a request made in February for world leaders to enact a sort of “Digital Geneva Convention” to govern the use of cyberweapons.