WannaCry For Dummies
This is a follow on from my earlier two videos about WannaCry, see those here.
Ransomware is a type of computer virus that, once it is running on your system (which can be achieved in many ways), encrypts all your document files and ask you to pay a ransom. If you pay, and if the authors of the ransomware are both honest and made no mistakes, your files can be unlocked.
In general the files stay on your computer but they’re encoded so securely that nobody can decode them for you without a special key which only the hackers have. That key is unique to your computer. The hackers have to keep track of all the keys for all the computers they infect (which is why they usually have a time limit for you to pay them).
Sometimes ransomware is written so badly that if fails in the decryption phase. Some ransomware contains mistakes in the encryption that means smart people have figured way to decode and people have survived and recovered their files. In general, however, this stuff has been around so long now that mistakes in ransomware are getting rare.
WannaCry (also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r) is a combination of a relatively unsophisticated piece of readymade ransomware and a mistake that Microsoft made years ago in Windows and which they never knew about. That mistake was first widely revealed to the public by a hacking group called Shadow Brokers last month. Shadow Brokers had stolen knowledge of this flaw in Microsoft Windows from the NSA who have been sitting on it for a long time.
You need both parts to make a successful virus: the distribution system and the payload. In this case the payload is mundane but part of the distribution system comes from code stolen from the NSA.
Once this Windows mistake and the way to use it (given the name “EXTERNALBLUE” in the NSA documents) was made public, Microsoft rushed to fix it which they did in March with a patch called MS17-010. Unfortunately not everybody runs automatic updates and older Windows XP, Server 2003 and Windows 8 machines are no longer supposed to receive patches.
Because of this extremely dangerous flaw in Windows, WannaCry was able to spread from computer to computer within local networks (for example inside a big corporation or a hospital) very, very quickly. It still, probably, took one person to click on or run something they shouldn’t, but once one attack inside a corporation succeeds, if the Windows computers weren’t updated in March, the entire corporation would be infected very quickly.
The activity was (probably temporarily) halted by a researcher discovering a hidden “kill switch” which the writers and distributors of WannaCry had left inside it. They’ll probably be working to remove that. It is still spreading, but not encrypting things. That can change.
The final detail to mention is that Israel, as a country and with cooperation between large telecoms and private cybersecurity companies and Israel’s National Cyber Bureau took action block the spread of this in Israel. Sloppy language in the Times of Israel seems to say this attack was targeted at countries: it wasn’t. It will infect any computer it can get on anywhere. Israel seems to have been able to put up a wall against it getting in and stop it spreading within Israel. I can’t tell you more details about how they did this as I don’t get the impression that these have been revealed or that the tech journalists in Israel would have enough understanding to explain how they did this.
For much more detail, read this on BleepingComputer: Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage and this With the Success of WannaCry, Imitations are Quickly In Development. For a proper description on how the damage was halted, read the post of the guy who did it, MalwareTech. He also has an amazing live map which shows this thing still spreading along with other malware (press connect and turn on Norse Mode for the sounds!).
So what did the legacy media get wrong?
The main problem was giving the false impression that the NSA actually wrote the complete ransomware virus. They didn’t. From the New York Times:
The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe.
That’s just plain wrong. NSA code is in the virus but it’s wrong to call the NSA code on its own a “cyberweapon”.
The WSJ said something similar, apparently quoting Microsoft:
Microsoft on Sunday said that the software tool used in the attack came from code stolen from the National Security Agency. The NSA has declined to comment on the matter.
Microsoft didn’t say that and both the NSA and Microsoft should be angry at WSJ for this. Microsoft did scold the NSA and other government agencies all over the world for finding bugs in Microsoft products and not telling anyone. This lack of disclosure, while being handy for NSA spies to get into target computers, means the rest of us are left unprotected if the NSA gets hacked or suffers an unauthorised leak as it did in this case!
This is what Microsoft did say and the comparison to letting terrorists steal some Tomahawk missiles is a very good one:
[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.
In late 2015, the NSA officially admitted it only discloses 91% of the vulnerabilities it finds, keeping the rest for the creation of cyber-weapons. I guess we should be happy about the 91% right?
The Times of Israel’s piece, as I mentioned before, focused on why Israel hasn’t been hit hard. Unfortunately I think the headline and lede give a slightly misleading view:
In Israel, cyber experts joined forces to help foil massive attack
Private and government professionals set up virtual war room to stave off WannaCry cyberattack, which affected over 150 countries
The mention of how many countries affected, combined with an article which correctly points at that defensive measures in Israel have prevented spread here, may give an impression that this ransomware was targeted at countries and Israel wasn’t targeted.
As expected, the first comment on the Times of Israel piece makes exactly this assumption:
“interesting how israel is the only nation not affected by this. And bitcoin is a currency completley started and run by jews” – oh well, Jew haters always going to find any excuse to hate Jews.
The reality is WannaCry doesn’t see national borders at all. Unless those borders are defended. It would appear Israel has built a proper, national cyber defence wall and it acted fast enough to make it work to block this.
As best I can tell there are some infections in Israel but probably far, far fewer than we should have given the disproportionate number of computers we have.
I also mentioned above that WannaCry is relatively unsophisticated, BleepingComputer explains:
WannaCry is mundane, nothing special
In a very simplistic explanation, under the hood, the WannaCry ransomware is made up of two main parts: the ransomware itself — which encrypts users’ files — and the SMB worm — the component that spreads the ransomware to random computers that have an exposed SMB port (port 445).
The SMB worm is top-shelf code, mainly because it’s a modified version of the ETERNALBLUE exploit, an alleged hacking tool created by the NSA, stolen and leaked online by an anonymous group known as The Shadow Brokers.
On the other hand, the ransomware module is quite mundane —your run-of-the-mill ransomware. It’s not as bad as other ransomware variants Bleeping Computer has analyzed in our ransomware write-ups in the past 3-4 years, but it’s nowhere near as sophisticated as top ransomware threats such as Locky, Cerber, or TeslaCrypt (now defunct).
This lack of sophistication extends to the payment system: only 3 bitcoin addresses. More sophisticated ransomware would give every new infection a new bitcoin address making it possible to figure out which computer owner had paid and making tracking of the recipients of the bitcoin much harder.
Legacy media have got all the various stories of who was hit and what effect it’s having, that’s what mainstream legacy media seems to be good at doing these days. For the tech stuff you’ve got to stick to the blogs.
I hope this helps explain this, if I’ve done a better job than the legacy media, share this, like it or comment below and if you can point me to new information I’m happy to include more details.