SecureMac, Inc.

Checklist 38: 5 Things to Know About WannaCrypt

May 25, 2017

The world saw one of the largest ransomware attacks conducted so far just a couple of weeks ago. The story has captured public attention for longer than most digital security stories, and for good reason. From its shadowy origins to its very visible effects, the ransomware known as ‘WannaCrypt’ or ‘WannaCry’ is the topic for today’s edition of The Checklist.


  • How did the WannaCrypt ransomware attack start?
  • Why did it spread so fast?
  • What kind of an impact did it have?
  • How was the initial attack stopped?
  • What comes next for WannaCrypt?

If you’ve been watching the headlines recently, you already know that the world has now seen one of the largest ransomware attacks ever conducted. The story has held attention for longer than most digital security stories, and for good reason. Not only did this attack strike more than a hundred countries and affect critical institutions worldwide, it also showcased the efforts of the security community. From its shadowy origins to its very visible effects, the ransomware known as ‘WannaCrypt’, ‘WannaCry’, and other names is our topic for today’s edition of The Checklist. What do you need to know about this attack, and how could it have had such an immense, global impact?

How did the WannaCrypt ransomware attack start?

We’ve briefly touched on the concept of state-sponsored malware in a couple of previous episodes. One example that’s always easy to return to is the Stuxnet worm that attacked and damaged Iranian industrial facilities. Russia-linked malware efforts have also received widespread attention, particularly in the last couple of years. For a nation-state to deploy malware, it must do security research of its own, and that research includes finding (or buying) vulnerabilities to exploit.

Why do we bring up this subject? At the root of the entire WannaCrypt fiasco is an exploit that was originally developed (or purchased on the grey market) by the US National Security Agency, or NSA. This story began almost a year ago and sparked a chain of events that finally led to the unleashing of this ransomware attack.

So, let’s build a quick timeline, beginning with last summer. A group calling itself the Shadow Brokers appeared in August 2016, claiming to have in its possession a large cache of “cyber weapons” and tools for exploiting vulnerabilities. Their source, they said, was a hack they conducted on another collective known as the Equation Group, which has technical links back to the Stuxnet worm. Several researchers, including Kaspersky Lab, have speculated that the Equation Group is, in fact, the National Security Agency, citing the high level of sophistication seen throughout the group’s activities. Recent events seem to corroborate this and point to it being more than likely true.

To demonstrate that there was some truth behind these claims, the Shadow Brokers began releasing a slow stream of information on the web. Their goal, of course, was to extract payment in exchange for these tools. Unfortunately for them, potential buyers were skeptical, so they found few takers. What they posted seemed to be real: at the very least, some of the file names and other material matched what we know from the Edward Snowden leaks.

Several Shadow Brokers leaks contained screenshots of folders and files that seemed to be Equation Group tools. The group even released working exploits against Cisco ASA and other vendors’ firewall appliances, plus one that works only against a particular Unix system. Despite these leaks, no significant damage or attacks followed.

During this time, the Shadow Brokers kept trying to sell the entire data set. Their first demand was an outrageous 1 million bitcoins, a sum no one was ever going to pay. Later they revised the price to 10,000 bitcoins, and they even tried an auction format. Despite subsequent postings showing off more data to back their claims of an enormous cache of tools, no one paid.

Where did the Shadow Brokers get all this information? Were they able to penetrate the NSA and steal files? That seems unlikely. In October of 2016, news broke that an NSA contractor was suspected of a massive data theft. In total, the man, Harold Martin, was alleged to have hoarded some 50 terabytes of data, reportedly including highly sensitive hacking tools and NSA-developed exploits.

Naturally, there is speculation that the Shadow Brokers hacked or stole the data from Martin. While some think Martin himself is behind the leaks, there is no concrete evidence to that effect; he was in custody while the Brokers continued to release information on Twitter. For now, the identity of the person or persons behind the group remains a mystery.

Then, on April 14, 2017, came the leak dubbed “Lost in Translation”.

The Shadow Brokers tweeted a link, which led to another site, which hosted an encrypted archive. The password was supplied alongside it. Researchers immediately realized that the Shadow Brokers had finally released something with true potential to cause damage. Inside were a number of tools and exploits for severe vulnerabilities in Windows, among them the ETERNALBLUE exploit against Windows file sharing and the DOUBLEPULSAR kernel implant, the two components that led directly to WannaCrypt.

Whoever the authors of WannaCrypt are, they quickly jumped on the opportunity this leak presented. We’ll discuss what EternalBlue does in a moment. For now, what matters is that it lets an attacker with no credentials run code on almost any unpatched Windows machine that exposes its file-sharing service to the network. The WannaCrypt authors built malware that uses this exploit to plant a backdoor on a machine and then drops the payload that encrypts your files.

An interesting point to note: the vulnerability exploited by EternalBlue had actually been patched in supported versions of Windows, such as 7 and 10, back in March, in Microsoft’s bulletin MS17-010. How could Microsoft know to patch this obscure and secretive exploit before it was revealed to the world? The Washington Post reports that the NSA tipped off the Redmond giant in advance of the leak, recognizing the potential damage it could cause. Unfortunately, Microsoft did not release a patch at that time for the systems that would turn out to be the most exposed: the untold number of legacy machines still running Windows XP and Windows Server 2003, which had reached the end of their service life.

Why did it spread so fast?

So now, with EternalBlue out in the wild, it was only a matter of time before someone weaponized it. In fact, other attackers were using these same exploits for weeks before WannaCrypt appeared. The difference was that instead of holding data for ransom, they silently installed mining software for Monero, a cryptocurrency similar in style to Bitcoin; infected machines joined a botnet that quietly generated the currency for them.

On Friday, May 12th, the ramifications of the Shadow Brokers leaks became a harsh reality. Around 4 AM Eastern time, the first WannaCrypt infections appeared in the wild. Using the EternalBlue exploit to get in and the DoublePulsar implant to stay in, the malware could compromise a machine in seconds and then start jumping to more PCs. Let’s break down how it did that, starting with the question: “What exactly is EternalBlue and how does it work?” That is the key to understanding why WannaCrypt was so virulent and hard to stop.

EternalBlue exploits a vulnerability in Windows’ implementation of SMB, the Server Message Block protocol. SMB is what Windows uses to share files and printers across a network; a client with the right permissions can read and write files on the remote share. The protocol has been revised several times: SMB version 1 dates to the 1980s and is obsolete, but many Windows systems still accept it for compatibility, while SMB 2 and 3 are the modern versions. EternalBlue targets only the SMB 1 code, which is why turning SMB 1 off is a defense in its own right, patched or not.

EternalBlue works by sending a sequence of specially crafted SMB 1 packets that corrupt memory inside the Windows kernel driver handling the protocol, then running the attacker’s code there. Think of it as figuring out a password to a very exclusive club: once you say it to the doorman, you’re in, except this password makes everyone think you own the place. No login, no user interaction, and no existing foothold on the target are required. WannaCrypt uses EternalBlue to get onto the machine, at which point it installs the NSA-developed DoublePulsar backdoor.

DoublePulsar runs with kernel-level permissions, which means the attacker controls the entire machine remotely with more authority than the logged-in user has. At this point, the actual WannaCrypt ransomware installs itself and begins encrypting your files. Early reports suggested some initial infections arrived as a malicious attachment, though that was never substantiated; what is certain is that once a machine was infected, the malware’s worm capabilities took over.

WannaCry includes a scanning module that probes for machines it can reach on TCP port 445, the SMB port, across the public Internet. This aggressive scanning let the malware find and infect unpatched computers in as little as three minutes. One machine set up as a “honeypot” trap recorded six infections over an hour and a half! Worse still, the worm also sweeps the local network, trying every address it can. As soon as it finds another machine listening on port 445, it sends a copy over and infects that machine, too. This is what allowed WannaCry to run virtually unchecked through corporate and medical networks built on older, unpatched Windows machines.
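The scanning behaviour above is also the easiest thing to spot from the network side. The following is an added example, not from the original episode or from any vendor product: a small detector that reads constructed firewall or flow records of the form “timestamp src dst dport” and flags any source that opens TCP/445 to many distinct hosts inside a short window, which is how the worm’s sweep looks next to a workstation that only ever talks to its file server. The threshold and window are assumptions to be tuned for the environment, and the sample records are constructed.

```python
"""Spot WannaCry-style SMB sweeps in connection logs.

Added example, not from the page or the malware. Flags any source that
reaches SCAN_THRESHOLD distinct TCP/445 destinations inside SCAN_WINDOW.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
SCAN_THRESHOLD = 20            # distinct 445 targets per source (assumed)
SCAN_WINDOW = timedelta(minutes=3)


def parse_record(line):
    """"<ISO timestamp> <src> <dst> <dport>" -> (datetime, src, dst, int)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_scanners(lines, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return {src: {"distinct_targets": n, "at": timestamp}} for sources
    whose distinct TCP/445 destinations inside `window` reach `threshold`.
    Each source is reported once, at the moment it crosses the line."""
    events = sorted(parse_record(l) for l in lines if l.strip())
    recent = defaultdict(list)          # src -> [(ts, dst)] still in window
    alerts = {}
    for ts, src, dst, dport in events:
        if dport != SMB_PORT:
            continue                    # only SMB attempts matter here
        cutoff = ts - window
        bucket = [(t, d) for t, d in recent[src] if t >= cutoff]
        bucket.append((ts, dst))
        recent[src] = bucket
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"distinct_targets": len(distinct), "at": ts}
    return alerts


def constructed_log():
    """Constructed sample: one workstation talking to its file server,
    one host browsing the web, and one infected host sweeping a /24."""
    base = datetime(2017, 5, 12, 7, 44, 0)
    lines = []
    for i in range(40):                       # benign: same server, many times
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.0.5.40 10.0.5.200 445")
    for i in range(30):                       # benign: HTTPS, not SMB at all
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} 10.0.5.41 93.184.216.{i % 4} 443")
    for i in range(1, 60):                    # worm: a new host every second
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.5.17 10.0.5.{i} 445")
    return lines


if __name__ == "__main__":
    for src, info in find_smb_scanners(constructed_log()).items():
        print(f"{info['at'].isoformat()} {src} reached "
              f"{info['distinct_targets']} distinct hosts on 445 "
              f"inside {SCAN_WINDOW}")
```

Feed it real flow or firewall logs after adapting parse_record to their format. Inbound 445 from the Internet should simply be blocked at the border; this check is for the inside, where the worm’s local sweep is the signal worth alerting on.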

What kind of an impact did it have?

As you might expect, any malware able to grant itself unfettered access to a vulnerable machine is going to spread like wildfire. Some of the first infections occurred in Spain. From there, it moved on to infect scores of machines in Russia; in fact, that’s where the lion’s share of infections took place over the duration of the attack. Other countries, like the UK, suffered more visible effects.

Overall, this event is a case study in what happens when malware rises to the level of a major threat. What it does is simple enough, but the consequences of that “simple” action were far-reaching and damaging. Let’s spend a minute on the ramifications beyond individual users.

If you watched the headlines, you probably saw the story as it first broke: the UK’s National Health Service was being hit by a ransomware attack. As it happens, the NHS, partly because of inadequate technology funding, ran a great deal of old and unpatched Windows, including many machines still on Windows XP. As a result, many doctors and nurses soon found themselves staring at a ransom demand of roughly $300 in Bitcoin before their lunch break.

Because of the worm, it quickly leapt from computer to computer in hospitals and doctors’ offices around the UK. In all, at least 16 separate NHS organizations suffered disruption. Thankfully, no one was hurt as a result: there were no sudden failures of life-support machines or anything of that sort. Instead, patient files became inaccessible and wait times skyrocketed as teams tried to figure out what to do.

Elsewhere in the world, WannaCry was spreading like wildfire, infecting tens of thousands of machines and ultimately spanning the globe, with problems reported in more than 100 countries. In the US, FedEx confirmed to the media that “some” of its Windows systems had been compromised. Major telecom providers in Russia and Portugal saw infections. In Germany, riders waiting for their trains saw giant display boards showing the ransom message. The same happened in China, where one of the nation’s largest banks, the Bank of China, saw ATMs infected. Social media quickly filled with images of ATMs and other kiosks obviously affected.

In the midst of this, Microsoft quickly released additional patches covering products all the way back to Windows XP. Many saw this as an extraordinary move that signaled the gravity of the vulnerability and the attack. Now users and businesses had a way to protect older systems from WannaCrypt. It wouldn’t help those already infected, but it was a good step toward slowing the malware’s advance.

Even systems that were not infected went offline for the weekend. Why? Many companies judged the risk too great. Applying updates immediately was not always an option because of the perceived risk to their other applications, so the prudent choice was to turn the computers off and wait out the attack. As it turned out, the worst of it was over sooner rather than later.

How was the initial attack stopped?

Throughout the chaos of the first day, security researchers and anti-malware vendors worked around the clock to stem the tide of new infections. For those already hit, the question of the day was “How recent are our backups?” With businesses shutting down machines through the weekend to keep WannaCrypt from spreading across their networks, many fell back on pen and paper. Yet the attack could have been much worse than what we’ve described.

By early afternoon, new infections had slowed dramatically. Why? A lone security researcher, digging through WannaCrypt’s code, had uncovered a hidden “kill switch” that stopped the malware’s spread in its tracks. How exactly does that work, and why would malware have an “off” switch built in at all? The switch was found by a researcher known only as “MalwareTech”, and it’s more straightforward than you might expect.

While analyzing a sample of WannaCrypt provided by another researcher, MalwareTech noticed that before doing anything else, the malware made an HTTP request to a web domain. The domain name was a long, nonsense string of letters and digits, and it was unregistered. Why would malware query an unregistered domain? That’s the question MalwareTech asked himself, so he did the next logical thing: he registered the domain, then pointed it at “sinkhole” servers.

What’s a sinkhole? It’s a server researchers stand up to capture and analyze malicious traffic while keeping it from going anywhere else. As MalwareTech and others looked through the data arriving at it, they found they were now having trouble reproducing some of the ransomware’s behavior. It didn’t take long to realize they had flipped a “kill switch”: WannaCrypt’s code told it to quit if, and only if, the request to that domain succeeded. Why?

MalwareTech and others speculate this may have been an anti-analysis trick. Many anti-malware teams examine samples inside virtual environments so the malware can’t infect their real machines, and to keep the malware from noticing, those sandboxes often fake network connectivity, answering any request for any domain, including one that shouldn’t be registered at all. If the malware gets an answer from a domain that can’t exist on the real Internet, it concludes it is being watched and terminates itself before a researcher can pull it apart. The irony is that the same logic shut it down on the real Internet the moment the domain went live.

Others think it may have been a way to stop the spread if it got out of control. For now, there is no way to know, but what is certain is that it dramatically slowed the pace of new infections over the weekend of the attack. The original version of WannaCrypt, at least, had been tamed after hours of chaos and distress.
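To make the kill switch concrete, here is an added example (not the malware’s code and not from the original episode). The first part re-creates the decision the ransomware made, with the web request injected as a function so the three situations just discussed (domain unregistered, sandbox answering everything, sinkhole live) run offline. The second part hunts constructed resolver log lines for queries to the domain, separating hosts that got NXDOMAIN (they ran the sample before the sinkhole existed) from hosts whose query resolved (the switch could trip). The domain constant is the publicly reported first kill-switch domain, assumed here rather than taken from the page; the log format is a simplified stand-in for whatever your resolver writes.

```python
"""The WannaCry kill switch, re-created, plus a DNS-log hunt for it.

Added example; neither the malware's code nor anything from the page.
"""

# Assumption: the first kill-switch domain as reported publicly. Later
# variants changed it; the logic below does not depend on the value.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


class NoRoute(Exception):
    """Stand-in for the connection error an unregistered domain produces."""


def sample_would_run(fetch):
    """Mirror of the malware's check: continue only when the fetch FAILS."""
    try:
        fetch("http://" + KILL_SWITCH_DOMAIN + "/")
    except NoRoute:
        return True          # no answer: proceed to encrypt and spread
    return False             # any answer at all: exit quietly


# Three environments from the text, expressed as fetch functions.
def open_internet_before_registration(url):
    raise NoRoute(url)                      # domain did not exist yet


def sandbox_that_answers_everything(url):
    return b"<html>simulated</html>"        # analysis VM fakes every host


def open_internet_after_sinkhole(url):
    return b"sinkhole"                      # the registered domain answers


def hunt_kill_switch_queries(log_lines, domain=KILL_SWITCH_DOMAIN):
    """Split clients that queried the domain by the answer they received.

    Lines are "<ISO timestamp> <client> <qname> <rcode>" (constructed
    format). NXDOMAIN means the host ran the sample before the sinkhole
    existed; any other rcode means the switch had a chance to trip.
    """
    ran_unchecked, stopped_by_switch = [], []
    for line in log_lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") != domain:
            continue
        target = ran_unchecked if rcode == "NXDOMAIN" else stopped_by_switch
        target.append((ts, client))
    return {"ran_unchecked": ran_unchecked, "stopped_by_switch": stopped_by_switch}


# Constructed resolver log: two hosts before the sinkhole, one after, plus noise.
CONSTRUCTED_DNS_LOG = [
    f"2017-05-12T07:44:02 10.0.5.17 {KILL_SWITCH_DOMAIN}. NXDOMAIN",
    "2017-05-12T07:44:05 10.0.5.40 www.example.com. NOERROR",
    f"2017-05-12T07:51:38 10.0.5.22 {KILL_SWITCH_DOMAIN}. NXDOMAIN",
    f"2017-05-12T16:10:09 10.0.5.91 {KILL_SWITCH_DOMAIN}. NOERROR",
]


if __name__ == "__main__":
    for name, fetch in [("unregistered", open_internet_before_registration),
                        ("sandbox", sandbox_that_answers_everything),
                        ("sinkholed", open_internet_after_sinkhole)]:
        print(f"{name:12s} -> sample runs: {sample_would_run(fetch)}")
    print(hunt_kill_switch_queries(CONSTRUCTED_DNS_LOG))
```

One caveat worth carrying into the hunt: the switch keyed on the HTTP request succeeding, not on DNS alone, and the sample was widely reported not to honour the system proxy settings. On networks with no direct Internet path, the request failed even after the domain was registered and the sample ran anyway, so a resolved answer in the DNS log means the switch could have tripped, not that it did.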

Unfortunately, it wasn’t long before new variants began to appear. Some changed the domain name in the code; others lacked the kill switch altogether and so could spread unchecked on unpatched systems. So far, though, that hasn’t happened en masse the way the original version did. Different Bitcoin wallets suggest these versions aren’t the work of the original authors but of opportunists looking to cash in on the back of a successful attack.

Many worried these new versions would cause problems of their own when systems came back online Monday morning. However, the rollout of updates and the kill switch seemed to prevent further major outbreaks. The attack continues at a low level, but its peak has passed. We think it’s important to note, though, that many machines are still vulnerable to EternalBlue and DoublePulsar, and the chances that we will see more malware using these attack vectors against Windows machines are quite high.

What comes next for WannaCrypt?

So, between the MalwareTech kill switch and the spread of Microsoft’s patch, the main brunt of this attack seems mostly over for now. Even though there are new versions out there that lack the original kill switch, it’s unlikely we’ll see another similarly widespread attack using the same exploits, with one caveat: the patch must actually be installed. Windows machines that don’t install it remain vulnerable.

As much global disruption as the software caused, it generated a comparatively small return for its creators. By the end of the initial weekend, only about $25,000 had been paid in ransom. As of today’s podcast, the Bitcoin wallets attached to WannaCrypt still show less than $100,000 in total. One might imagine the attackers expected something more substantial. Also worth noting: with so much visibility, those wallets will be watched closely for any sign of movement.

Overall, this attack could have been much worse. What if it had been targeted rather than a “shotgun” approach? Deployment of malware like this on infrastructure even more critical than hospitals could have resulted in far more than inconvenience. It will be interesting to see in the coming months whether similar attacks leveraging these exploits arise, or whether the Shadow Brokers expose new ones.

The good news, obviously, is that Mac users were spared from this attack. EternalBlue targets Microsoft’s own SMB code, which macOS does not run. If you use Boot Camp to run an older, unpatched version of Windows on your Mac, however, that Windows installation is just as exposed as any other PC! This is no time to be smug or relaxed; we should all take this for the eye-opening lesson it is: major malware attacks can and will happen, and with increasing frequency, it seems.

In the face of that, we need to choose not to respond with fear or anxiety. Vigilance and a determination to practice good security is the better choice. Just because Mac users were safe from WannaCrypt doesn’t mean we won’t face other threats in the future. Regular listeners might remember that last year we saw the KeRanger ransomware, which infected Macs through a tampered copy of the Transmission BitTorrent client. While its impact was limited, it proved there are malware authors looking for ways to attack Mac users. That’s why making a proactive effort to defend yourself matters, and it also demonstrates the importance of staying current on security patches!

Think about it: if everyone took the time and energy necessary to keep crucial software up to date, malware authors would have a much harder time reaching our data. WannaCrypt preyed on the tendency to rely on old operating systems, yet a patch for supported systems had been available for two months. If everyone stayed on top of system updates, a great many Windows users would never have seen the WannaCrypt screen at all. Though the introduction of NSA hacking tools into the equation certainly complicated matters, out-of-date systems remained a root cause of the attack.

Apple’s commitment to hardening its software remains apparent, at least. Coincidentally, Apple dropped a round of patches for many of its products the Monday after WannaCrypt was unleashed on the world. These included updates for everything from macOS and iOS all the way to more niche products like watchOS and Apple TV. If you haven’t grabbed these updates yet, we suggest you do so soon!

In total, Apple corrected almost 70 flaws, each of them a potentially potent vulnerability in its own right. Many would have allowed an attacker using the right methodology to gain privileges on your system and execute arbitrary code. In other words, they could also have been leveraged to deploy all manner of nasty software, including ransomware.

This is a topic we come back to a lot, both here and elsewhere: update your devices! When your iPhone pops up the update window, do you find that you’re always pressing “remind me later”? It’s a habit that’s easy to get into — updates take time, and when do we have the time to be away from our devices on a busy day?

Take a step back and weigh the reality of the situation. It might take time, but the result is a secure device protected from the latest threats. Safeguarding your data is worth the ten or fifteen minutes it might take to update. Since Apple is also often quick to issue patches as soon as it becomes aware of a threat (or even a potential threat), it can help prevent being swept up in a sudden wave of malware — like the way WannaCrypt wreaked havoc across the globe.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email!
