One Bitcoin Ransomware attack on a global scale has literally lived up to its name “WannaCry.” The ransomware which is said to have compromised systems in more than 78 countries, including few vital networks like the ones belonging to UK’s NHS has received worldwide coverage. Based on the available reports, the ransomware worm also known as WannaCrypt, WanaCrypt or WCry targeted vulnerable computers running on Microsoft Windows and the person(s) behind the attack are demanding anywhere between $300 to $600 in Bitcoin per computer to provide the decryption key.
While the demand for Bitcoin ransom has got the mainstream media’s attention, adding fuel to the anti-Bitcoin commentary of the individuals and organizations, WannaCry has a much darker past. Analysis of the ransomware has shown that WannaCry spread itself throughout the network of vulnerable machines by exploiting a bug labeled “MS17-010” which was supposedly exploited by the US Government agency, NSA as well. The spy agency also had a tool codenamed “Eternalblue” which was exposed by ShadowBrokers earlier this year along with a much larger data dump of “stolen” cyberarsenal belonging to the agency.
The modus operandi of WannaCrypt involves infecting the vulnerable computers through the SMB (Server Message Block), a message format used by DOS and Windows to share files, directories, and devices. Once infected, the worm encrypts almost all the files on the compromised computer and installs a Doublepulsar backdoor. The backdoor hands over remote control capabilities to the ransomware’s creator.
After detecting the bug, Microsoft had issued necessary software patches to the computers running currently supported OS versions. However, devices running on now obsolete Windows XP, Windows 8 and Windows Server 2003 missed out on these updates and became targets to WannaCry’s onslaught. Considering the severity of the situation, Microsoft in an unprecedented move pushed emergency updates to the operating systems which are no longer eligible for official support.
A 22-year-old security researcher who runs Malware Tech Blog dissected the code to discover a kill switch, by accident. He proceeded to register an unregistered domain which proved to be a sinkhole that prevented the ransomware from spreading further. The domain registration and subsequent successful connections to the domain triggered a hidden condition within the ransomware code which prevented its spread.
While the WannaCry ransomware has been contained, it still opens up a huge question about the irresponsible and virtually unprotected nature of IT infrastructure in the public sector. NHS and numerous other networks, vital to the functioning of a country are riddled with systems running outdated software, making them vulnerable to attacks.
It is time the governments, banks and financial institutions woke up to the reality and ensured their infrastructure is up to date before pointing fingers at cryptocurrency community or other actors.