Self-propagating ransomware: What the WannaCry ransomworm means for you

Many IT professionals were caught by surprise by last week's huge cyberattack largely because they didn't expect ransomware to spread across their networks on its own

What WannaCry ransomware means for you

The reports came swiftly on Friday morning, May 12—the first I saw were that dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed. Said the BBC:

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down "one by one".

NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.

Throughout the day other, mainly European countries, reported infections.

Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.

The infections spread quickly, reportedly hitting as many as 100 countries, with Russian systems affected apparently more than others. What was going on? The details came out quickly: This was a relatively unknown ransomware variant, dubbed WannaCry or WCry. WannaCry had been "discovered" by hackers who stole information from the U.S. National Security Agency (NSA); affected machines were Windows desktops, notebooks and servers that were not up to date on security patches.

Most alarming, WannaCry did not spread across networks in the usual way, through people clicking on email attachments. Rather, once one Windows system was affected on a Windows network, WannaCry managed to propagate itself and infect other unpatched machines without any human interaction. The industry term for this type of super-vigorous ransomware: Ransomworm.

Ransomworms spread quickly

Knowing this was a ransomworm, rather than a normal ransomware, I turned to one of the experts on malware that can spread across Windows networks, Roi Abutbul. A former cybersecurity researcher with the Israeli Air Force’s famous OFEK Unit, he is founder and CEO of Javelin Networks, a security company that uses artificial intelligence to fight against malware.

Abutbul told me, “The WannaCry/Wcry ransomware—the largest ransomware infection in history—is a next-gen ransomware. Opposed to the regular ransomware that encrypts just the local machine it lands on, this type spreads throughout the organization’s network from within, without having users open an email or malicious attachment. This is why they call it ransomworm.”

He continued, “This ransomworm moves laterally inside the network and encrypts every PC and server, including the organization's backup.”

The good news is that Javelin’s software was able to prevent the spread of WannaCry on their customers’ computers, right out of the gate, explained Abutbul.

“Javelin’s solution is specifically designed to automatically detect, respond and contain such spreading in a corporate network in real time," he said. "This ransomworm specifically used Microsoft SMB vulnerability MS17-010 to spread internally," which is the same vulnerability the NSA utilized for a couple years and was recently exposed via the January NSA tools leak.

WannaCry leverages a Windows vulnerability that the NSA knew about, and which was disclosed in January 2017. Microsoft, like other vendors whose vulnerabilities were in that NSA data dump, moved quickly to verify the defect and offer a patch. The problem is that not all customers installed the patch.

Microsoft Security Bulletin MS17-010, published on March 14, 2017, describes:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

The bulletin goes on to say,

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Affected Windows systems include everything from Windows Vista, Windows Server 2008, Windows 7, Windows 8.x, Windows Server 2012, Windows 10 and Windows Server 2016.

Safe for now, but maybe not for long

The good news is that by Monday morning, WannaCry was a known quantity and already no longer a serious threat, though China appears to be really messed up because so many copies of Windows there are allegedly pirated—and Microsoft’s patch won’t install systems without a valid Windows license. Still, beyond the piracy issue, we will no doubt hear for weeks about WannaCry infections because some organizations will be slow to install the patches.

However, other ransomworms like this are probably out there, and already we’re seeing variants on WannaCry that can evade signature-based detection systems, though it’s unclear if they can work on systems that are protected by Microsoft’s patch.

Roi Abutbul warned me, “This time, the attackers used an unpatched rare vulnerability, but there are many other ways to move laterally and spread inside the network. Javelin specifically focuses on the malicious lateral movement in its early phases and has the ability to stop every spread attempt regardless of methodology and help the organization recover automatically.”

My advice:

First, keep up to date on patches to Windows and all your other platforms. Too many organizations, particularly those in the public sector or with limited IT resource like hospitals, defer the installation of patches.

Second, use state-of-the-art tools to protect the network against known and unknown malware and attacks.

Third, don’t be complacent with the usual ways that malware spreads. As we’ve seen with WannaCry, ransomware (and other malicious software) can spread virally, without user interaction. That means you can’t train your way out of this.

If you’re not patching, if you’re not using tools like this, and if you’re not being somewhat paranoid, there is zero doubt: You are vulnerable.

Copyright © 2017 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022