The Crime Scene

A new strain of ransomware spread quickly around the world, reaching over 74 countries and holding hostage public and private organizations in telecommunications, healthcare, and logistics. The outbreak caused a crisis in National Health Service hospitals and facilities across England, and gained particular traction in Spain, where it hobbled the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola.

The Infiltration

WannaCry leverages a Windows operating system vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild as part of a cache of alleged NSA tools leaked by the Shadow Brokers hacking group. Microsoft released a patch for it, MS17-010, in March, but clearly many organizations haven’t caught up.

The software can also run in 27 languages, the type of development investment an attacker wouldn’t make if he were simply trying to target one hospital or one bank, or even one country.

The malware targets vulnerable desktops and servers, and after being installed on one machine propagates and spreads to others in the same network.

The Attack

Ransomware works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key ransom until the victim pays a fee, usually in bitcoin. In this case, the NHS experienced hobbled computer and phone systems, system failures, and widespread confusion after hospital computers started showing a ransom note.

The Motivation

Hospitals and critical agencies make for popular ransomware victims because they have an urgent need to restore service for their customers. They may therefore be more likely to pay criminals to reinstate systems. They also often make for relatively easy targets.

The NHS portion of the attack has rightly been drawing the most focus, because it puts human lives at risk. Victims have paid hackers to unlock systems following ransomware infections.

Lessons Learned

The infiltration in this case was made via network scan. The objective is clear: infect hosts and lock down their information for ransom. The organisations affected were mainly operating on legacy systems with weak gateway controls.

Possible Solution: Application Whitelisting, a method in which only applications on a list of trusted applications are permitted to execute on the host. Ransomware, whether a known variant or a zero-day type, is definitely not on that list, and so is prevented from executing.
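To make the default-deny idea concrete, here is an added example (not code from the original post) of a minimal hash-based application allowlist. It assumes a hypothetical enforcement point that calls `is_allowed(path)` before launching an executable; the "trusted" programs and the "dropped" file are constructed sample files, not real binaries. Both a never-seen file and a tampered copy of a trusted program are refused, because neither digest appears on the list.

```python
"""Minimal hash-based application allowlist (added example, not from the original post).

Assumption: a hypothetical enforcement point asks `is_allowed(path, allowlist)`
before an executable is launched. Only files whose SHA-256 digest is on the
allowlist may run; anything else, known ransomware or a never-before-seen
sample, is refused. The files written by demo() are constructed samples.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_paths):
    """Return the set of digests of the binaries an administrator has approved."""
    return {sha256_of_file(p) for p in trusted_paths}


def is_allowed(path: str, allowlist) -> bool:
    """Default-deny decision: True only if the file's digest is on the allowlist."""
    try:
        return sha256_of_file(path) in allowlist
    except OSError:
        # Unreadable or missing file: refuse rather than guess.
        return False


def demo():
    """Build a small sandbox with two approved programs and two files that must be blocked."""
    tmp = tempfile.mkdtemp()

    def write(name, data):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    # Constructed sample content standing in for real executables.
    trusted = [
        write("wordproc.exe", b"constructed trusted program A"),
        write("mail.exe", b"constructed trusted program B"),
    ]
    dropped = write("invoice.exe", b"constructed unknown payload")
    # A modified copy of a trusted binary: same name pattern, different digest.
    tampered = write("wordproc_patched.exe", b"constructed trusted program A" + b"!")

    allowlist = build_allowlist(trusted)
    decisions = {}
    for p in trusted + [dropped, tampered]:
        decisions[os.path.basename(p)] = is_allowed(p, allowlist)
    return decisions


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'BLOCK'}")
```

Because the decision keys on file content rather than file name or location, renaming or moving a trusted program does not break it, while patching a single byte of it does. Production deployments get the same effect from operating-system features such as AppLocker or Windows Defender Application Control rather than a script like this, but the policy logic is the one shown here.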

Learn about Application Whitelisting in an upcoming article.