Your Data Has Been Kidnapped! - A Ransomware Attack Story
Jul 23, 2018
The Crime Scene
New strains of ransomware spread quickly all over the world, reaching over 74 countries and holding public and private organizations in logistics hostage. The outbreak caused a crisis in National Health Service hospitals and facilities around England, and gained particular traction in Spain, where it hobbled the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola.
WannaCry leverages a Windows operating system vulnerability through an exploit known as EternalBlue, which allegedly originated with the NSA. The exploit was dumped into the wild as part of a cache of alleged NSA tools released by the Shadow Brokers hacking group. Microsoft released a patch for the vulnerability, known as MS17-010, in March, but clearly many organizations haven’t caught up.
The software can also run in 27 languages - the type of development investment an attacker wouldn’t make if he were simply trying to target one hospital or one bank, or even one country.
The malware targets vulnerable desktops and servers, and after being installed on one machine it propagates and spreads to others on the same network.
Ransomware works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key to ransom until the victim pays a fee, usually in bitcoin. In this case, the NHS experienced hobbled computer and phone systems, system failures, and widespread confusion after hospital computers started showing a ransom note.
Hospitals and critical agencies make popular ransomware victims because they have an urgent need to restore service for their customers, and may therefore be more likely to pay criminals to reinstate systems. They also often make relatively easy targets.
The NHS portion of the attack has rightly been drawing the most focus, because it puts human lives at risk. Victims have paid hackers to unlock systems following ransomware infections.
The infiltration in this case was made via a network scan. The objective is clear: infect hosts and lock down their information for ransom. The organisations affected were mainly operating on legacy systems with weak gateway controls.
Possible solution: application whitelisting, a method in which only applications on a list of trusted software are allowed to execute on the host. Ransomware, whether a known or a zero-day strain, is by definition not on that list and so is prevented from executing.
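As an added example (not code from the original article), here is how such an allowlist could be built on Windows with AppLocker, the platform's built-in application whitelisting feature: rules generated from a clean reference machine, run in audit mode first, and tested against an unknown binary. The service name, cmdlets and parameters are AppLocker's own; the directory and file paths are placeholders.

```powershell
# Added example, not from the original article: an AppLocker allowlist built from
# the binaries on a known-clean reference machine. Anything not matched by a rule
# (for example a freshly dropped ransomware binary) is denied by default, which is
# the whitelisting behaviour the article describes. Requires an elevated PowerShell
# session on a Windows edition that supports AppLocker; file paths are placeholders.

# AppLocker rules are only enforced while the Application Identity service runs.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 1. Inventory executables and scripts in a trusted install location and turn them
#    into rules: publisher rules for signed files, hash rules for the rest.
#    -Optimize collapses rules that share a publisher; -Xml returns the policy text.
#    Repeat for other trusted locations (e.g. Program Files) and merge as needed.
$policy = Get-AppLockerFileInformation -Directory 'C:\Windows\System32' -Recurse -FileType Exe, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Start in audit mode so blocked-but-needed applications show up in the event
#    log instead of breaking clinical or business workflows on day one.
$policy = $policy -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policy | Out-File -FilePath 'C:\Policies\allowlist.xml' -Encoding utf8

# 3. Dry-run the policy against sample files before applying it. A file that no
#    rule matches reports DeniedByDefault, which is exactly what happens to a
#    binary that ransomware drops into a user-writable directory.
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\allowlist.xml' `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Users\Public\unknown-dropper.exe' `
    -User Everyone

# 4. Apply the policy to the local machine (use Group Policy for fleet-wide rollout).
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\allowlist.xml'

# 5. After the audit period, review what would have been blocked, then change the
#    RuleCollection EnforcementMode to "Enabled" in the XML and re-apply it.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

The audit period is what separates a workable allowlist from one that gets switched off in the first week: every legitimate application that appears in the audited events needs a rule before enforcement is turned on.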
Learn about application whitelisting in an upcoming article.