What is the WannaCry ransomware, and why should organizations be concerned?

There’s a new ransomware attack that has affected several organizations globally, and although it’s slow-moving, security experts are urging companies to keep their antivirus programs up-to-date, as well as their software.

The ransomware — dubbed WannaCry (WanaCrypt0r 2.0/WCry) — has hit Britain’s National Health Service, some of Spain’s big companies, and has spread across Russia, the Ukraine, and Taiwan. Additionally, the malware has infected over 200,000 Windows-based machines in more than 150 countries, according to Synopsys.

According to Cisco’s Talos Intelligence Group, the “malware has the capacity to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin.” The group also notes that this is not a threat that just scans internal ranges to identify where to spread, the threat is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the Internet.

The best thing for organizations to do right now, according to Cisco’s Talos Intelligence Group, is to ensure that devices running Windows are fully patched and deployed with best practices. Also, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts, the group wrote.

Rushing patches for Windows
Microsoft rushed out a patch for Windows XP, Server 2003, and Windows 8 on Friday, since these were versions of Windows that had not previously been patched against SMB vulnerabilities, according to Robert Vamosi, a security writer for Synopsys.

Brad Smith, president and chief legal officer for Microsoft, said this attack was an eye opener that the web needs to take better action  when it comes to keeping people safe online. “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part,” he wrote.

Vamosi suggested companies and users turn off any Windows features that their machines do not use. Microsoft even published a how-to for turning off SMBv1 if it’s not business-critical, he wrote.

As WannaCry continues to shake things up around the world, Flexera is offering a warning to individuals and companies — and that is, people are getting lazier when it comes to protecting themselves against serious vulnerabilities.

Earlier this year, Flexera’s annual Vulnerability Review found that in 2016, 17,147 vulnerabilities were recorded in 2,136 products from 246 vendors. A total of 81 percent of vulnerabilities in all products had patches available on the day of disclosure in 2016, according to Flexera.

But, despite the availability of all these patches, including the Microsoft patch, there were plenty of companies and individuals that just simply did not apply them.

“Frankly, if you wait two months to apply a critical Microsoft patch, you’re doing something wrong,” said Kasper Lindgaard, senior director of Secunia Research at Flexera Software. “This time, we even had a warning in April that this could very likely happen, so businesses need to wake up and start taking these types of threats and risks seriously. There is simply no excuse.”

Andreas Kuehlmann, senior vice president and general manager of the Software Integrity Group at Synopsys echoed the sentiment that this ransomware outbreak is a “wakeup call” for the world. Not only does it highlight the “world’s interconnectedness and deep-seated dependence on technology,” it also highlights the big challenge of how to secure the ecosystem of software and systems that we depend on.

“Software is not just eating the world—it is the world we live in today,” said Kuehlmann. “That is why the security and quality of software is so important in the current operating landscape. Forward-thinking organizations know that they must be able to account for the integrity of every piece of software that is exposed to the Internet.”

WannaCry’s ransom and “the kill switch”
The really unique part about this ransomware is in fact, the ransom itself, according Synopsys’ Vamosi. The ransom payment for WannaCry is bitcoin, and the amount requested is $300 in local currency. For some parts of the world, that’s a lot of money, he wrote.

“As of Saturday, the amount earned by the authors of WannaCry was $26,000, and by Sunday morning $30,000. As of Sunday night, the amount collected by the bad actors appears to be about $35,000. This is not nearly the millions that some first expected. While there is still time for people to pay up, they only have a few more days to pay before their data is permanently locked up. It appears that people are either walking away from their data or restoring from backups,” wrote Vamosi.

Security experts, however, advise individuals against paying the ransom, since it not only could fail to release the blocked data, but it could expose the victims to additional risk.

“Reports indicate that many of the victims who have paid the ransom have had their data restored, however there is no guarantee,” said Synopsys’ Kuehlmann. “Experts are working to develop a decryption tool, but that could take weeks, so victims are facing a tough choice. As a preventative measure, everyone should update to the latest version of Windows, install the patch MS17-010 and back up their data. For an extra layer of protection, disable SMBv1 if it is not necessary.”

Cylance, a software security company, has a research team looking into not only the ransom aspect of this malware, but the kill switch component, too. According to chief scientist and cofounder at Cylance, Ryan Permeh, “the kill switch is a contingency in malware to keep it from going wild once it gets out. It’s a holdover from the worm wars of the early 2000s, developed as a way for original coders or owners to dismantle a botnet when it achieved their goals. However, this also means that other threat actors can appropriate the code and alter the kill switch for their own ends.”

That means attackers can alter the code so the bitcoin instructions go to their paypoints; but if the kill switch is removed altogether, the downside is malicious actors will lose control over the worm once it goes out into the wild, according to Permeh.