
Wannacry Ransomware: What It Is and Why Everyone is Worried

So the most popular question I got asked in the past week was “what on earth is ransomware?” Let me put it this way. Imagine you wake up in the morning and turn on the mobile data on your phone so you can see the WhatsApp messages that came in while you were asleep. Instead you are greeted by a message written across the whole screen: “Your phone has been encrypted. To regain access to it, send 10 BTC to Bitcoin address XYZ”. You are puzzled, because not only have you never seen this message before, you don’t even know what “encrypted” means or what BTC or a Bitcoin is. Assuming this is a typical “gadget” error, you restart the phone (like you would any PC) and the same message pops up again. You think of Googling the problem on your phone, but you can’t open the Google app either. Then realization slowly sets in that you can no longer reach your WhatsApp, your contacts list, your music or even the Date/Time app itself. That is ransomware at work.

By definition, ransomware is malware that encrypts the files on your computer and promises to give you the key to unlock them only after you pay the attacker. Payment is usually demanded in Bitcoin, not because Bitcoin is anonymous (every transaction is public on the blockchain) but because addresses are pseudonymous and can be created without any identity check, which makes the money far harder to trace to a person than a regular bank account. Ransomware may sound like a first-world problem, but the WannaCry ransomware currently running amok on the internet does not discriminate at all. Media outlets in the UK ran headlines about large parts of the National Health Service being brought to a grinding halt, and the infection has reached well over a hundred countries to date.

WannaCry affects Windows operating systems (Windows XP, Windows 7 and Windows Server 2012 among others) that have not been patched against a particular flaw. The flaw, or vulnerability in technical terms, is in the Windows implementation of the Server Message Block (SMB) file-sharing protocol, specifically the old SMBv1 version of it. Microsoft fixed it in March 2017 in security bulletin MS17-010, two months before the outbreak; the exploit WannaCry carries for it is the one published under the name EternalBlue. Because the bug is in Microsoft's SMB code, Linux and Mac machines are not infected by this particular exploit, although any unpatched Windows box sharing their network still is.

Adding more flesh to WannaCry, it is not your typical run-of-the-mill ransomware as described earlier. It comes fitted with extra functionality: it spreads like a worm. In information security, a worm and a virus can both wreak havoc on your computer and network. The defining difference is how they spread. A virus attaches itself to a file or program and needs the victim to do something, such as click an attachment or run a download, before it executes. A worm needs no such help: it scans for other reachable machines with the same vulnerability and infects them directly over the network. WannaCry's worm component does exactly this, probing TCP port 445 (the SMB port) on every address in the local subnet and on random internet addresses, and exploiting any unpatched Windows host it finds.

What this means is that if any computer on your network is infected with WannaCry, the infection will spread to every other unpatched Windows computer it can reach over port 445, with nobody clicking anything. The impact was severe enough that Microsoft released patches for operating systems it no longer supports, such as Windows XP and Windows Server 2003.
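The fan-out behaviour just described is also what gives a worm away in network logs. The PowerShell below is an added example, not code from the original post: it runs over a constructed firewall-style connection log and flags any source that tries TCP port 445 against many distinct destinations within a short window, which is how a WannaCry-infected machine looks from the network before a single file is encrypted. The column names, the thresholds and the sample addresses are assumptions; adapt them to your own log export.

```powershell
# Added example (not from the original post): flag hosts that behave like an
# SMB worm, i.e. one source reaching for TCP/445 on many distinct destinations
# within a short window. The log below is constructed sample data in a generic
# firewall / flow-log CSV shape; the column names (timestamp, src_ip, dst_ip,
# dst_port, action) are assumptions to adapt to your own export.

$sampleLog = @'
timestamp,src_ip,dst_ip,dst_port,action
2017-05-12T08:01:02Z,10.0.5.23,10.0.5.1,445,ALLOW
2017-05-12T08:01:02Z,10.0.5.23,10.0.5.2,445,ALLOW
2017-05-12T08:01:03Z,10.0.5.23,10.0.5.3,445,DENY
2017-05-12T08:01:03Z,10.0.5.23,10.0.5.4,445,DENY
2017-05-12T08:01:03Z,10.0.5.23,10.0.5.5,445,DENY
2017-05-12T08:01:04Z,10.0.5.23,10.0.5.6,445,DENY
2017-05-12T08:01:04Z,10.0.5.23,198.51.100.77,445,DENY
2017-05-12T08:01:04Z,10.0.5.23,203.0.113.9,445,DENY
2017-05-12T08:01:05Z,10.0.5.23,10.0.5.7,445,DENY
2017-05-12T08:01:05Z,10.0.5.23,10.0.5.8,445,DENY
2017-05-12T08:01:05Z,10.0.5.23,10.0.5.9,445,DENY
2017-05-12T08:01:06Z,10.0.5.23,10.0.5.10,445,DENY
2017-05-12T08:02:10Z,10.0.5.40,10.0.5.200,445,ALLOW
2017-05-12T08:02:11Z,10.0.5.40,10.0.5.200,445,ALLOW
2017-05-12T08:03:00Z,10.0.5.41,10.0.5.250,443,ALLOW
'@

function Test-IsRfc1918 {
    # True for the private ranges 10/8, 172.16/12 and 192.168/16.
    param([Parameter(Mandatory)][string] $Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][object[]] $Records,
        [int] $MinDistinctTargets = 10,  # a normal client talks to a few servers;
        [int] $WindowSeconds = 60        # a worm fans out to dozens in seconds
    )
    $smb = $Records | Where-Object { [int]$_.dst_port -eq 445 }

    foreach ($group in ($smb | Group-Object src_ip)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.timestamp })
        # Slide a window over this source's SMB attempts, oldest first.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = [datetime]$events[$i].timestamp
            $inWindow = @($events | Where-Object {
                $t = [datetime]$_.timestamp
                $t -ge $start -and $t -lt $start.AddSeconds($WindowSeconds)
            })
            $targets = @($inWindow | Select-Object -ExpandProperty dst_ip -Unique)
            if ($targets.Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    SourceIp        = $group.Name
                    WindowStart     = $start
                    DistinctTargets = $targets.Count
                    # Internal hosts have no business speaking SMB to the internet.
                    ExternalTargets = @($targets | Where-Object { -not (Test-IsRfc1918 $_) }).Count
                    # Many refused 445 attempts in a row is the scan signature.
                    DeniedRatio     = [math]::Round((@($inWindow | Where-Object action -eq 'DENY').Count / $inWindow.Count), 2)
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

$records = $sampleLog | ConvertFrom-Csv
Find-SmbScanners -Records $records | Format-Table -AutoSize
```

On the constructed data only 10.0.5.23 trips the rule: twelve distinct port-445 targets in four seconds, two of them outside RFC 1918 space, most of them denied. The host 10.0.5.40 talking repeatedly to one file server is what legitimate SMB traffic looks like and stays quiet. Tune `MinDistinctTargets` against a day of your own baseline traffic before alerting on it.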

Now that the severity of such an attack may have sunk in a bit, it is only appropriate to share a few incident preparation and response activities you or your organization's Computer Emergency Response Team (CERT) can implement. First, keep your operating systems patched and up to date; for WannaCry specifically that means MS17-010 installed on every Windows host. If you don't have a patch management system or framework, now is the time to put one in place. Second, disable SMBv1 wherever nothing still needs it and block TCP port 445 at the network edge, so that a single infected laptop cannot reach the rest of your machines. Third, back up your data frequently and keep at least one copy offline or otherwise unreachable from the infected machine, because a backup sitting on a mapped network drive will simply be encrypted along with everything else. Backups are what let you restore rather than negotiate.
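For the patching point above, here is what the check looks like on a single Windows host. This is an added example and not code from the original post: it reports whether one of the MS17-010 updates is present and whether the SMBv1 server is enabled, and provides a function to switch SMBv1 off. The KB numbers are the March 2017 MS17-010 updates as published per Windows release (confirm them against the bulletin for your exact build); the function names are my own.

```powershell
# Added example (not from the original post): triage of one Windows host for
# the exposure WannaCry used. Run from an elevated PowerShell session.
# KB numbers are the March 2017 MS17-010 updates per Windows release; confirm
# them against the bulletin for your exact build. Function names are my own.

$ms17010Kbs = @(
    'KB4012598',              # Vista / Server 2008; also the May 2017 out-of-band release for XP, Server 2003, Windows 8
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Later cumulative updates supersede these KBs, so on Windows 10 a host can
    # be patched without any of them appearing. Treat "not found" as "check the
    # installed cumulative update", not as "vulnerable".
    $hits = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID })
    [pscustomobject]@{
        Ms17010HotfixFound = ($hits.Count -gt 0)
        HotfixIds          = ($hits | Select-Object -ExpandProperty HotFixID) -join ','
    }
}

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerStatus {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on Windows 7 / Server 2008 R2 the SMB1 registry value Microsoft documents
    # is the switch. An absent value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $val = (Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $val) -or ($val -ne 0)
    }
    [pscustomobject]@{ Smb1ServerEnabled = [bool]$enabled }
}

function Disable-Smb1Server {
    # Stops the host accepting SMBv1, the protocol version the worm exploits.
    # Patching fixes the bug; this removes the attack surface. First make sure
    # nothing still relies on SMBv1 (old NAS boxes, scanners, legacy apps).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'SMB1 registry value set; a reboot is required for it to take effect.'
    }
}

Get-Ms17010Status
Get-Smb1ServerStatus
# Disable-Smb1Server   # uncomment once you have confirmed nothing needs SMBv1
```

Run it across a fleet with `Invoke-Command` against your computer list and you have a quick map of which hosts still need the update or still have SMBv1 switched on. Disabling SMBv1 is worth doing even on patched machines: the patch closes this one bug, while turning the protocol off removes the whole attack surface the worm depends on.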

As a final point, it is never a good idea to pay the ransom, for two main reasons. One is that the criminals may not send you the key even after you pay; in WannaCry's case the payment flow gave the operators no reliable way to tell which victim had paid into which of their three hard-coded Bitcoin addresses. Secondly, paying does nothing about the malware or the unpatched flaw on your machine, so it can be encrypted all over again, and the money simply funds the next campaign. Remember, they are criminals after all.
