
Mobile App Security Insights

10 Things You Need To Know About The 'Biggest Ransomware Attack in History'

Jun 15, 2017 12:45:06 PM / by Sung Cho


It seems like another massive security breach occurs every time we blink. From Yahoo to Nintendo, it appears that no one is safe from the persistence of attackers determined to worm their way into existing systems and exploit them for their own ends. Security has never been more important than it is today, especially considering how much of our everyday lives now runs on technology. So much of our sensitive data is kept on our computers and mobile devices as well as in the cloud. Users simply cannot afford to leave that data unguarded.

Case in point, ransomware attacks are the latest topic of concern for the security community. In a typical ransomware attack the victim runs malicious code by accident (an email attachment, a booby-trapped download) and the so-called "ransomware" encrypts files on the victim's own disks and any network shares it can reach. Once the code has taken hold, it demands a ransom, after receipt of which it claims it will decrypt those files. The trend has only become more common, and the recent WannaCry attack, which needed no user action at all to spread, is cited as the biggest of its kind in history.

Brushing Up on WannaCry

On Friday, May 12, 2017, the ransomware attack commonly known as "WannaCry" began spreading, and within days it had affected more than 200,000 computers in over 150 countries. The name comes from the malware itself, which identifies itself as WannaCry, WannaCrypt or WanaCrypt0r 2.0 in its ransom screen. It is a cryptoworm: it spreads on its own, encrypts the victim's files and then demands a ransom in Bitcoin (initially $300, rising to $600 after three days, according to the ransom note). Since the event occurred, the world has been grappling with the sheer scope of the attack as well as actively devising ways to contain the damage. While there is still much to learn, here are a few of the key things we know about WannaCry so far.

  • We still don't know the exact initial infection vector: Although much of what WannaCry does once it is inside a network has been unpicked, no confirmed first point of entry has been identified, and in particular no phishing email carrying it has been found. Some leads suggest that compromised websites were used to reach victims. The most widely accepted explanation so far is simpler: the worm found machines whose SMB service (TCP port 445) was exposed directly to the internet, and because the EternalBlue exploit it carries needs no user interaction whatsoever, that was enough to seed it and to explain its reach. 
  • The killswitch only works in certain cases: Before it spreads or encrypts anything, the worm tries to connect to a hardcoded, previously unregistered domain, and if the connection succeeds it simply exits. A UK researcher (known online as MalwareTech) noticed this and registered the domain, which turned the check into a global killswitch, though not a complete one. On a corporate network whose firewall blocks outbound internet access (or, reportedly, one that reaches the internet only through a proxy the worm does not use), the check fails and the worm keeps spreading within the local network. And it only works until the attackers, or copycats, release a build with a different domain or no check at all. 
  • The worm specifically targets Windows machines: Rest easy, Apple users. The worm only attacks Windows hosts that have not installed the MS17-010 update Microsoft released on March 14, 2017. Inside a network it scans for hosts with TCP port 445 open and fires the EternalBlue exploit, one of the tools leaked by the Shadow Brokers group in April 2017. Microsoft even issued an out-of-band patch for unsupported versions such as Windows XP and Server 2003 once the outbreak began. 
  • Both SMBv1 and SMBv2 are involved, but only SMBv1 needs to go: Reports have muddled which version of Server Message Block is at fault. The vulnerability EternalBlue exploits (CVE-2017-0144, fixed by MS17-010) is in Windows' SMBv1 server implementation; published analyses of the exploit show it also sends SMBv2 packets while setting up the attack, which is where the confusion comes from. The fix is to disable SMBv1 only. That removes the exploitable code path, whereas disabling SMBv2 would break ordinary file sharing and gain nothing. 
  • Most detections are in Russia, with a caveat: Nothing in the worm targets a region; it scans randomly chosen IP addresses and whatever networks it lands on. Yet roughly 66 percent of the infections in Kaspersky Lab's telemetry were in Russia. Part of that is sampling bias: Kaspersky, a Russian vendor, has an unusually large install base there, so its figures over-represent Russia. Part of it is real: a large share of Russian systems remain unpatched. 
  • We still don't know for certain who is behind it: As of this writing there is no confirmed attribution. Several leads are reportedly being pursued, with anti-virus companies and law enforcement collaborating to get to the bottom of it. A few vendors have pointed to code shared with earlier tools of the Lazarus Group, but code reuse alone is weak evidence and no group has been conclusively linked; this may change as the investigation moves forward.
  • Victims have paid nearly $55,000 USD to the attackers: According to trackers watching the three Bitcoin addresses hard-coded into the ransom screen, the attackers had received roughly $55,000 at the time of writing. Because every Bitcoin transaction is public on the blockchain, those wallets are under constant watch, and cashing out without being traced will be difficult. Paying is also a poor bet for victims: the payment screen has no automatic way to tie a payment to a specific infected machine, so any decryption depends on the attackers acting by hand, and criminals aren't exactly known for honouring their promises.
  • An international digital convention is currently being discussed: Microsoft is spearheading a proposed Digital Geneva Convention to stop governments from stockpiling cyberweapons, and Kaspersky Lab supports the initiative for governments and industry alike to move toward a stronger digital future, one in which offensive cyber activity is effectively combated and users are protected. 
  • You can protect your systems from attack: Though ransomware is rightfully intimidating, there are several concrete ways to minimize your risk. First, install MS17-010 (via Windows Update) on every Windows host, including those on versions that are out of support. Disable SMBv1 and block TCP port 445 at the network perimeter. Back up your data regularly to offline storage that a worm on the network cannot reach. Limit user and network privileges and segment the network so that one infected machine cannot reach every other. Anything you can do to keep software and systems updated, especially embedded systems, which are the hardest to patch, will be a tremendous boost as well. 
  • The situation appears to be under control, at least for now: Tracking began soon after the attack hit, and all indications are that the original variant of WannaCry has been contained. However, this doesn't mean it has entirely run its course. New variants have since emerged, some with different killswitch domains, perhaps created by others hoping to capitalize on WannaCry. In other words, protect your systems now.
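The SMBv1 and protection points above amount to a checklist that can be run on a host. The following PowerShell script is an added example, not code from the original post or from SEWORKS: it audits a Windows machine for the three conditions the worm needs (SMBv1 server enabled, MS17-010 not installed, TCP 445 listening) and, with -Remediate, disables SMBv1 and blocks inbound 445 from Internet-classified addresses. It assumes Windows 8/Server 2012 or newer for the SmbShare and NetSecurity cmdlets; the KB list is a partial set of the identifiers MS17-010 shipped under and is superseded by later cumulative updates, so "not found" means "verify by hand", not "vulnerable". Patching itself is left to Windows Update.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post). Audits a Windows host for the
  conditions WannaCry needs and optionally hardens it.
  Assumptions: Windows 8 / Server 2012 or newer; $Ms17010Kbs is a partial
  list taken from the MS17-010 bulletin and later cumulative updates replace
  these KBs, so a miss here is "verify manually", not proof of exposure.
#>
param([switch]$Remediate)

# KB numbers that delivered MS17-010 for specific OS versions (partial list).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP, Vista, Server 2003 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1ServerEnabled {
    # EternalBlue exploits the SMBv1 server (srv.sys); SMBv2/3 are left alone.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Ms17010Installed {
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates appear
    # under their own KB, which is why a miss is not conclusive.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Port445Listening {
    # A 445 listener is normal for file sharing; the question is who can reach it.
    $conn = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return ($null -ne $conn)
}

function Get-WannaCryExposure {
    $smb1    = Test-Smb1ServerEnabled
    $patched = Test-Ms17010Installed
    $listen  = Test-Port445Listening
    [pscustomobject]@{
        Smb1ServerEnabled = $smb1
        Ms17010Found      = $patched
        Port445Listening  = $listen
        # Remotely exploitable only if all three conditions hold.
        LikelyExposed     = ($smb1 -and -not $patched -and $listen)
    }
}

function Invoke-WannaCryHardening {
    # 1. Turn off the SMBv1 server now; this takes effect without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Remove the SMBv1 feature so it cannot be re-enabled by negotiation
    #    (Windows 8.1 / Server 2012 R2 and newer; ignored where absent).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
    # 3. Block inbound 445 from Internet-classified addresses. LAN-to-LAN spread
    #    still needs network segmentation, which a host firewall cannot provide.
    $ruleName = 'Block inbound SMB from Internet'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

$report = Get-WannaCryExposure
$report | Format-List
if ($Remediate) {
    Invoke-WannaCryHardening
    Write-Host 'After hardening:'
    Get-WannaCryExposure | Format-List
}
```

Run it once without -Remediate to see the state of a host (for example `.\Check-WannaCry.ps1`), and again with `-Remediate` after confirming that nothing on the machine still depends on SMBv1, such as old printers or NAS appliances, which is the one legitimate reason the page's advice to disable only SMBv1 sometimes meets resistance.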

Looking Ahead

To be certain, we find ourselves in a new age of security. Keeping up with the latest security practices and taking extra steps to guard against attackers is no longer a luxury but a necessity. With each passing year, criminals find more inventive ways to infiltrate our systems, on a scale that few had previously imagined possible. Ransomware adds a disturbing new layer to it all, and WannaCry is perhaps the most startling example of just how much havoc a single ransomware campaign can wreak. After all, ransomware makes these crimes far easier to monetize, letting attackers extort money from hundreds of thousands of users in one fell swoop.

Of course, that's all under the assumption that the attacker will release the stranglehold on your data once you've paid up, which is often not the case. That's a terrifying prospect, and it should prompt anyone to upgrade their security measures, especially since this is only the beginning. Expect ransomware to keep threatening your devices throughout 2017, with authorities expecting connected devices such as smart TVs and fitness trackers to be next on the list. Make sure you're ready for the next wave of ransomware attacks before it's too late.


Topics: Security Breach, Ransomware Attack

Written by Sung Cho

Head of Marketing at SEWORKS Co., Ltd.