Wanna Crypt: Not the first and definitely not the Last

In the last week, world news has been filled with words like ransomware, virus attack and ‘Wanna Cry’. Beyond the buzzwords, however, it is hard to tell what has actually been going on: how it works, who was behind the attack and what is likely to happen next. Here we briefly try to answer those questions. In the near term, we expect attacks to target smartphones and IoT devices as well as PCs.

What is Wanna Crypt?

Wanna Crypt (also written WannaCry or WannaCrypt0r) is designed to spread quickly as a worm: once it lands on one machine it scans for other hosts reachable on TCP port 445, both on the local network and at random internet addresses, and infects them through a Windows SMBv1 vulnerability without any user interaction. It encrypts files using strong encryption (a fresh AES-128 key per file, wrapped with an RSA-2048 public key so that only the attackers’ private key can unwrap it) and demands a relatively small ransom in Bitcoin ($300 per affected computer, rising to $600 after three days) to decrypt them.

Creation of Wanna Crypt: Conspiracy Theories

NSA’s Plot:

  • On 14th April 2017, a hacking group called the Shadow Brokers released a trove of alleged NSA tooling, detailing exploits and vulnerabilities in a range of technologies. It included an exploitation framework called Fuzzbunch, used to launch those exploits and load payload binaries onto target systems. Of the many exploits disclosed, Wanna Crypt uses only two:
    • ETERNALBLUE for the initial compromise: it exploits MS17-010, a vulnerability in the Windows SMBv1 (Server Message Block) server that Microsoft had patched on 14th March 2017, a month before the leak.
    • DOUBLEPULSAR, the kernel-mode backdoor that ETERNALBLUE installs on a compromised machine. Wanna Crypt uses it to load its payload DLL into the victim and checks for an existing DOUBLEPULSAR implant on a target before exploiting it; the implant also leaves hackers a “backdoor” through which further access can be gained later.
  • Back in 2013-2014, there was a similar controversy about alleged NSA attempts to plant a backdoor in TrueCrypt, a widely used tool for strongly encrypting and decrypting entire drives. However, an independent audit commissioned by the Open Crypto Audit Project and carried out by iSEC Partners (later NCC Group) found no evidence of a backdoor.
  • Brad Smith, President and Chief Legal Officer at Microsoft, stated, “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” The same post described the vulnerability as one stolen from the NSA, so Microsoft clearly regarded the leaked NSA tooling as the direct enabler of the attack.

Lazarus group theory:

  • Lazarus Group is a cybercrime group rumoured to have links to North Korea.
  • An early Wanna Crypt sample shares code with Lazarus tools: a routine that produces a fake SSL/TLS handshake advertising a specific sequence of 75 cipher suites, a sequence that had previously been seen only in Lazarus malware.
  • Cybersecurity firm Kaspersky Lab says Lazarus has a sub-group called Bluenoroff that specialises in financial crime. Kaspersky Lab found multiple attacks worldwide with direct links (an IP address) between Bluenoroff and North Korea.

Wanna Crypt Timeline

Wanna Crypt’s Effect in first 7 days:

  • It infected more than 130,000 organizations in 150 countries.
  • Energy companies such as WBSEDC in India, Iberdrola in Spain and Petrobras in Brazil.
  • Telecom companies such as Telefonica, Portugal Telecom, MegaFon and Telenor Hungary.
  • Banks such as Sberbank, Bank of China and the Central Bank of Russia.
  • The United States Department of Defense was already moving roughly 4 million computers to Windows 10; the Pentagon had reportedly still been running Windows 95 and 98 on some systems, including missile control computers.
  • On 12th May 2017, at least 16 NHS organisations in the United Kingdom were hit, and hospitals were forced to divert emergency patients as core equipment was compromised.

[Figure: IPs infected in May 2017]

Ransom in Bitcoin: why?

  • Bitcoin operates as a decentralised currency, without a middleman such as a bank or credit card company that could freeze or reverse the payment.
  • It is pseudonymous, which makes laundering easier: wallet addresses are not tied to real identities, and funds can be moved through mixers and exchanges. It is not untraceable, though: every transaction is public on the blockchain, and the three hard-coded Wanna Crypt ransom wallets were watched in real time by researchers.
  • Unlike cash, Bitcoin has tended to appreciate over time, somewhat like gold but far more steeply, so a ransom held in Bitcoin can be worth considerably more later than on the day it is paid.

New and Upcoming Versions:

  • UIWIX (dubbed “Wanna Crypt 2.0” in some reports): its only real similarity to Wanna Crypt is that it is delivered by exploiting EternalBlue and then executes in memory. Otherwise it differs in many ways:
    • It has no kill switch domain, unlike Wanna Crypt.
    • It is a DLL rather than an EXE, and is fileless: nothing is written to disk.
    • It terminates itself if it finds the machine is in Russia, Kazakhstan or Belarus.
  • EternalRocks: of the tools released by the Shadow Brokers it uses seven (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH), whereas Wanna Crypt uses only two.
    • It has no kill switch domain.
    • Rather than being a self-contained worm like Wanna Crypt, it phones home to a command and control (C2) server over Tor and only downloads the SMB exploit package after a delay of about 24 hours, which frustrates sandbox analysis.
  • Athena: not a Wanna Crypt variant but a CIA implant described in documents WikiLeaks published on 19th May 2017 (the “Vault 7” series). It is documented as working on every Windows version from Windows XP to Windows 10.
    • It allows total control of the system, letting an operator send, retrieve and delete data from a remote location.

Future of Cyber Security:

As we predicted in our blog Road block for IoT Revolution: IoT Privacy and Security, threats are moving the way we expected. Wanna Crypt is a textbook example of what happens when a vulnerability in a widely deployed, unpatched operating system can be exploited remotely without any user interaction. First came Distributed Denial of Service (DDoS) attacks powered by compromised IoT devices; now come worm-driven ransomware attacks that encrypt PCs.

Wanna Crypt is a wake-up call to the industry and to users that many of the most vulnerable devices are the ones we use every day: smartphones. While almost 95% of PCs have endpoint security of some sort, around 90% of smartphones have none, despite carrying sensitive data. A smartphone today is as powerful as a PC but has little or no security software on it.

There is already a lot of spyware for Android and iOS and it is getting more aggressive. If the trend continues we will see more synchronised and well-equipped attacks on smartphones, and the outcome will be severe. Awareness will be one of the most important defences against this coming problem.

During the Wanna Crypt crisis we saw Microsoft and most security companies come forward with their respective fixes: Microsoft shipped patches, including an unusual out-of-band update for the no longer supported Windows XP and Server 2003, and anti-virus vendors pushed signature updates. These only reduce the aftermath. Similar or even more serious attacks are likely in future. To face them, security companies need to deliver stronger defences, starting with firewalls that keep SMB (TCP port 445) off the internet. Nevertheless, unless users adopt appropriate measures of their own, above all installing patches promptly, they will remain vulnerable to attack.