The WannaCry ransomware swept through Europe and Asia in mid-May, locking critical systems at the National Health Service in the U.K., Telefonica in Spain and many other organizations around the world, and demanding a ransom in Bitcoin to release them. However, WannaCry infections were quickly brought under control as malware researchers identified several preventive measures and mitigation techniques that stopped the ransomware from spreading:
- A kill switch was identified that shuts down WannaCry before it can encrypt any files.
- Microsoft released patches for older unsupported versions of Windows.
- Experimental techniques were revealed that could potentially reverse WannaCry’s particular form of encryption.
Kill switch identified
When malware researchers from MalwareTech reverse-engineered WannaCry, they discovered a kill switch that the original programmers had implemented: before doing anything else, the malware checked whether a specific URL was live, and if it was, WannaCry would not execute. The researchers paid $10.95 to register the listed domain, and as a result prevented millions of new systems from being hijacked by WannaCry.
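As an added defender-side example (not code from the original article), the following Python triages constructed web-proxy log lines for hosts that attempted the kill-switch lookup. The kill-switch domain is a placeholder, since the article does not name it, and the log layout is an assumption.

```python
import re

# Placeholder: the article does not name the kill-switch domain. Replace it
# with the indicator published by your threat-intel source.
KILL_SWITCH_DOMAIN = "kill-switch-domain-placeholder.example"

# Assumed proxy log layout: "<ts> <client_ip> <method> <url> <status>", where
# status is an HTTP code, or BLOCKED / DNS_FAIL when the request never completed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\S+)$"
)

def host_of(url: str) -> str:
    # Extract the lower-cased host part of "scheme://host[:port]/..."
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def triage_kill_switch(lines):
    """Return {client_ip: verdict}. Any request for the kill-switch domain means
    the worm ran on that host. A 2xx/3xx answer means the check succeeded and the
    worm should have exited; anything else (blocked by proxy, DNS failure) means
    the check failed and the host likely went on to encrypt and spread."""
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or host_of(m["url"]) != KILL_SWITCH_DOMAIN:
            continue
        status = m["status"]
        if status.isdigit() and 200 <= int(status) < 400:
            verdict = "ran-but-aborted"
        else:
            verdict = "ran-check-failed"
        # One failed check outweighs any successful one for the same host.
        if verdicts.get(m["client"]) != "ran-check-failed":
            verdicts[m["client"]] = verdict
    return verdicts

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2017-05-12T10:01:03Z 10.0.5.17 GET http://kill-switch-domain-placeholder.example/ 200",
    "2017-05-12T10:01:09Z 10.0.5.42 GET http://kill-switch-domain-placeholder.example/ BLOCKED",
    "2017-05-12T10:02:11Z 10.0.5.17 GET http://updates.example.net/x 200",
    "2017-05-12T10:02:40Z 10.0.9.8 GET http://kill-switch-domain-placeholder.example/ DNS_FAIL",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage_kill_switch(SAMPLE_LOG).items()):
        print(host, verdict)
```

Hosts reported as "ran-but-aborted" still need cleanup and patching: the kill switch stops the running process, not the infection, and a host whose proxy blocks the lookup gets no protection from it at all.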
Microsoft patches released
Even though Microsoft had released a patch in March 2017 to fix the Windows vulnerability that WannaCry exploited, it was not available for older and less popular versions of the OS, namely XP, Vista and 8, which are still used in millions of embedded devices in hospitals, telecom infrastructure and manufacturing plants. In a rare move, Microsoft released an emergency patch to shield these aging platforms from WannaCry.
Encryption reversal techniques revealed
Finally, WannaCry’s encryption and file-handling traits were not as robust as they could have been. Some researchers have used experimental “file carving” techniques to recover data from files encrypted by WannaCry. In other words, its particular implementation of encryption did not spell doom for the affected files.
Why ransomware is so effective and profitable
By encrypting a victim’s data and holding the key hostage, properly designed ransomware can credibly threaten to destroy important files, unless a ransom is paid in time. Modern ransomware has been strengthened by several intersecting trends in software, including:
- The rise of cryptocurrencies: Bitcoin in particular has facilitated easier ransom payments that are also more difficult to track than older methods.
- Advances in encryption: Long encryption keys have made brute-force attacks against ransomware (i.e., attempts to decrypt the hostage data without the key) increasingly impractical.
- More efficient distribution mechanisms: Exploitation of network protocols such as Microsoft’s Server Message Block (SMB), which WannaCry took advantage of, has accelerated the spread of ransomware far beyond its roots in distribution via physical media.
Bracing for more powerful ransomware
Security teams can be grateful for now that WannaCry was not as damaging as it could have been. At the same time, they should consider the possibility of ransomware that exceeds the capabilities of WannaCry, both by closing its particular loopholes and widening its target range to devices in the Internet of Things.
For example, imagine ransomware that could infect a car, thermostat or any other “smart” device with an IP network connection. The threat would be similar to WannaCry – encryption of data and a demand for payment – but traditional workarounds such as restoring from a backup would be impractical.
To stay safe in the years ahead, implement a security operations center (SOC) to bolster defense against ransomware threats in the mold of WannaCry. Read this white paper to learn more about best practices to protect against ransomware.