In one of my more recent articles, I brought attention to the release, or rather the data dump, of exploits and hacking tools targeting Microsoft’s Windows OS, Linux, firewalls, and other products. One of the main purposes of that post was to highlight the grave dangers these exploits pose to the world. As such, I really hoped that there would be enough interest from individuals in the industry for them to get a copy of the exploits and contribute to the countermeasures needed to better protect and defend the companies and corporations we all represent. I was also absolutely sure that there would be many individuals around the world who would reverse engineer the exploits for more devious purposes. We have just experienced the first of what I believe will be multiple attacks unleashed across the globe.
Worthy of note is that less than thirty days passed between the Shadow Brokers’ release of the exploits and the “WannaCry” ransomware’s release into the wild. At the time of this writing, WannaCry had already infected over 200,000 computers across ninety-nine countries, and it had achieved this over the course of forty-eight hours. The average ransom demand was about the equivalent of $300 in the Bitcoin digital currency. Think about that for a second: $300 x 200,000 = $60,000,000, in forty-eight hours. Imagine what that would work out to be if the ransomware had continued on its rampage. Luckily for us, in this case, a kill switch for the ransomware was discovered in the form of an unregistered domain name. The ransomware would query it, and if the domain name came back as registered, the ransomware would stop. It appears the rampage has been halted, but we are not out of the woods yet by any means. Also at the time of this writing, WannaCry 2.0 has been released into the wild, and this variant appears to have removed the kill switch altogether.
In case you are not familiar with what ransomware is, the most basic definition is “malicious software that locks a device such as a computer, tablet, or smartphone and then demands a ransom to unlock it.” The locking mechanism generally consists of encrypting the data on the infected device. The only way to decrypt the data is to have the “key” that was used to encrypt it. Even if the ransom is paid, there is no guarantee that you will get access to all your files intact. Ransomware is not something new; the first documented case appeared in 2005 in the United States and quickly spread around the world. What is different this time is the method being used to spread the ransomware.
When you read different articles about this issue, the most common advice given is to upgrade and/or patch your systems to the latest version. For most home users, this is all the advice they need. However, once you move into the corporate world, upgrading the base operating system is not always as easy, or even as possible, as it may sound, for a variety of reasons. It appears that some very large companies have fallen victim, companies like Telefónica, FedEx, Deutsche Bahn, and the UK’s National Health Service (NHS), just to name a few. Now that the second generation has been released without the kill switch, look for this list to grow. I am willing to bet that this second generation will make its way to the United States and beyond.
The idea of ransomware and other digital extortion methods is not the most troubling part, in my opinion. What really worries me the most are the delivery methods being used. The exploits that were released were allegedly developed by the United States National Security Agency (NSA). That the NSA would have these kinds of tools is expected. However, if these tools were “acquired” from the NSA without their knowledge, there is a chance that the same could happen to other countries’ intelligence services as well. What does this mean for the future of the internet? If dumps like this continue, how do we protect ourselves, our data, and our privacy? This attack is the one seen around the world, but it is only the first shot in a bigger war.
A technical side note: The WannaCry ransomware is based on the EternalBlue exploit, supposedly developed by the NSA. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. That vulnerability had already been resolved by security update MS17-010, provided by Microsoft on March 14, 2017, so the attack only succeeded against systems that had not yet applied it.
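As an added example (not code from the original post), here is a read-only PowerShell posture check for the two things the side note above turns on: whether one of the MS17-010 packages is installed and whether SMBv1 is still enabled on the local host. The KB numbers are the ones Microsoft shipped MS17-010 under in March 2017; later cumulative updates supersede them, so an empty match is a prompt to check the update history, not proof of exposure.

```powershell
# Added example, not part of the original post: a read-only posture check for
# the SMB weakness WannaCry used. Run from an elevated PowerShell prompt on
# Windows 7 / Server 2008 R2 or newer.

# KB numbers under which MS17-010 shipped in March 2017, by Windows release.
# Later cumulative updates supersede these, so no match means "verify the
# update history", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

function Test-Ms17010Installed {
    $present = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $detail  = if ($present) { $present.HotFixID -join ', ' } else { 'none of the March 2017 KBs found' }
    [pscustomobject]@{ Check = 'MS17-010 package present'; Status = [bool]$present; Detail = $detail }
}

function Test-Smb1Disabled {
    $disabled = $false
    try {
        # Windows 8 / Server 2012 and later expose the server-side setting directly.
        $disabled = -not (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Older builds: the LanmanServer SMB1 DWORD governs it; an absent value means
        # SMBv1 is enabled (the default).
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $disabled = ($null -ne $reg) -and ($reg.SMB1 -eq 0)
    }
    $detail = if ($disabled) { 'SMBv1 server off' } else {
        'SMBv1 server on; disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false (or SMB1=0 in the registry on older builds)'
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Status = $disabled; Detail = $detail }
}

# Any row with Status = False needs attention.
& { Test-Ms17010Installed; Test-Smb1Disabled } | Format-Table -AutoSize
```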