Ever since the massive attack in 2017, WannaCry ransomware is very much still active and has been found infecting hundreds of thousands of computer in different organizations worldwide. The ransomware is so much in demand that the percentage of infection attempts in 2018 is actually higher than in previous years.
Figures from Kaspersky Lab threat report for Q3 2018 cite WannaCry as the number 1 in the list of the most widespread cryptor families. The report highlighted that the ransomware infected around 74,621 computers between July and September 2018. This accounts 29 percent of all ransomware attacks conducted during the Q3 2018.
WannaCry is a worm that distributes a ransomware payload. It composes two part: a worm module and a ransomware module. The worm module uses the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0144) and Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0145) to spread.
The vulnerabilities impact all the versions of Windows system running SMBv1. On the other hand, the ransomware module relies on the companion worm module to spread. The worm module of WannaCry is used for self-propagation, whereas the ransomware module is used for handling the ransom-related activities.
WannaCry primarily affects Windows operating system. Once installed, the ransomware encrypts files and demands a ransom to decrypt them. Security researchers have linked the ransomware to the Lazarus group, a cybercrime organization that is connected to the North Korean government.
When the worm module of WannaCry is executed, it attempts to connect with one of the following remote locations: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. These are non-registered domains which means that the worm can launch its activity silently. As soon as it connects with one of these domains, the worm registers itself as a service for further propagation.
The ransomware module comes embedded within the worm itself. After a successful launch of worm module, it attempts to drop the ransomware module by replacing the existing tasksche.exe with %Windir%\tasksche.exe.
Later, the worm module is used to download and install TOR which is used to connect the Tor domains. These domains are intended to provide unique Bitcoin payment address and decryption keys to a victim in case of an infection.
The massive WannaCry ransomware attack started on May 12, 2017, affecting companies and individuals in over 150 countries. This includes government agencies and multiple large organizations. It propagated through Eternal Blue, an exploit which was stolen by the Shadow Brokers threat group from the National Security Agency (NSA) a few months prior to the attack.
The attack had affected more than 200,000 computers across the 150 countries. Among the companies impacted by the ransomware includes Nissan Motors, FedEx, China National Petroleum, Renault SA, Deutsche Bahn, Hitachi, Sberbank of Russia, Yancheng police department in China, and the Russian Interior Ministry.
The attack was stopped within a few days after the discovery of the kill switch. An emergency patch - MS17-010 - to address the security flaw in SMBv1 was released by Microsoft in order to mitigate the attack.
Taiwan Semiconductor Manufacturing Company (TSMC) said it has shut down its factories after it was attacked by a variant of WannaCry. TMSC was running unpatched Windows 7 on systems being used for critical processes. The attack occurred when a supplier connected an unpatched software to TSMC’s network without a virus scan, This caused the virus to spread swiftly and hit the facilities in Tainan, Hsinchu and Taichung.
It is advised to apply the security patch MS-17-010 on all available Windows Operating Systems including Windows Server 2008, Windows Server 2012, and Windows Server 2016 to stay safe. In addition, users all users and administrators should adhere to other best practices such as:
Despite the damage done by WannaCry, there are still a large number of users who still have not applied the update, thus making the systems vulnerable. Attackers are aware of the power of EternalBlue and can deploy it in future attacks, that could be probably bigger and massive than the one occurred in 2017.