WannaCry Ransomware: What We Know So Far

Posted by RSAC Editorial Team

Late in the day on Friday, May 12, a massive ransomware attack hit 200K organizations in 150 countries. The ransomware, which has been named “WannaCry,” took advantage of Windows systems that had not yet been updated with Microsoft’s March security patch. Per the ransomware playbook, this attack locked people out of their computers, encrypted files and demanded those impacted pay up to $300 in bitcoin, a price that doubles after three days. What's worse, the malware also behaves like a worm, potentially infecting computers and servers on the same network.

As an industry, security professionals from both the public and private sectors have been moving quickly to resolve the issue. However, those following the news via social media also know it’s a who’s who of finger pointing, aimed at everyone from the criminals responsible to government bodies, Microsoft, and the victims themselves.

Rather than get caught up in this blame game, we want to share the facts as we see them today and start discussing how we can avoid such attacks in the future.

Is it as simple as just keeping an eye on patch updates?

Maybe not. As recently reported in The Verge, “the underlying problem is a weakness in the patching process itself. Some bugs are more patchable than others, and often a quick patch will only paper over a more profound weakness in how a system is built. The result is a profound tension between robust patching and building systems that are secure in the first place. A major bug like Stagefright or Heartbleed can be exploited dozens of different ways, making it nearly impossible to block all of them at once. You can protect against one exploit, but it’s only a matter of time before someone finds another one — and they may not tell you when they do. From a coder’s perspective, the best fix is to tear the whole system down and build it back stronger, letting everyone know to stop doing things the old way as soon as possible.”

Did the attack start via email or a phishing link?

According to Kaspersky Lab: “To date, we could not find an e-mail attack vector for Wannacry. We are still investigating leads that suggest compromised sites were used to target some customers. So far, we can confirm that our users are getting attacked using an implementation of the famous EternalBlue exploit leaked by the Shadowbrokers in April. The exploit installs the DoublePulsar backdoor, which is further leveraged to infect a system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DoublePulsar backdoor which might have been installed in a previous attack.

Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening. The uptick in Port 445 traffic is also confirmed by the SANS DShield project’s graphics.”

Is your organization still at risk? If so, here is how to stop it.

Any Windows machine that has not undergone the recent security updates from March is at risk. That said, there are a few steps you can take to lower that risk. As Bitdefender told CNN, follow these five steps:

1. Disable your computer's Server Message Block service.
2. Install Microsoft's patch.
3. Back up your data on an offline hard drive. 
4. Install all Windows updates. 
5. Use a reputable security software to prevent attacks in the future.
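
An added example, not from the original post or from Bitdefender: a PowerShell audit of a single Windows host against steps 1, 2 and 4, which also counts outbound TCP 445 peers, the fan-out pattern that worm-style spreading over SMB produces. It assumes step 1 means turning off the SMBv1 server component; the `-DisableSmb1` switch and the `-PeerThreshold` value are names and numbers chosen for this example.

```powershell
# Added example: audit one Windows host against the steps above.
# Needs Windows 8 / Server 2012 or later and an elevated PowerShell session.
[CmdletBinding()]
param(
    # Opt-in: turn off the SMBv1 server instead of only reporting on it.
    [switch]$DisableSmb1,
    # Assumed threshold: distinct TCP 445 peers that counts as worm-like fan-out.
    [int]$PeerThreshold = 20
)

$smb = Get-SmbServerConfiguration

# Is this host accepting SMB connections on TCP 445?
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Outbound SMB connections: a workstation talking to many distinct peers on
# port 445 matches the lateral-spread behaviour of an SMB worm.
$peers = @(Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique)

# Most recent installed update, to compare by hand against the March patch date.
$lastUpdate = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Smb1Enabled      = $smb.EnableSMB1Protocol
    ListeningOn445   = $listening
    Outbound445Peers = $peers.Count
    FanOutSuspicious = $peers.Count -ge $PeerThreshold
    LastUpdateId     = $lastUpdate.HotFixID
    LastUpdateOn     = $lastUpdate.InstalledOn
}

if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
    # Step 1 of the list, narrowed to the SMBv1 server component (assumption).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Warning 'SMBv1 server disabled; clients that only speak SMBv1 will lose access to shares on this host.'
}
```

Run it without switches first to get the report; a file server legitimately shows many inbound sessions, so the fan-out flag is meaningful mainly on workstations.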

We know that last step will mean something different to a variety of vendors and service providers. We’ll leave you – our community – to discuss what options you think are best to help prevent future outbreaks. With upcoming events in London, Singapore and Abu Dhabi, we know many of you will be walking our show floors and discussing this attack's impact. An interesting resource for RSA Conference APJ attendees may be the Ransomware seminar, which looks at the technical, policy, compliance, and economic aspects of the issue; attendees will gain a better understanding of the ransomware ecosystem. Specific ransomware sessions will discuss innovative research, examine case studies, look at current defenses, and debate the key question: should you pay the ransom?

For those looking to learn more about this attack, here are some additional resources from around the Web:

CNN: Global cyberattack: A super-simple explanation of what's going on

NPR: WannaCry Ransomware: What We Know Monday

IDG News: WannaCry attacks are only the beginning

CNET: How to protect yourself from WannaCry ransomware

CSO: Ransomware makes healthcare wannacry


RSAC Editorial Team

Editorial, RSA Conference

