How would you feel if your important doctor’s appointment had to be canceled due to a computer lockdown? That’s what happened when many state-run medical facilities in the United Kingdom came to a halt after a ransomware attack encrypted files on their networked computers. Thousands of operations and medical appointments were called off as the attack hit the National Health Service (NHS), making it one of the biggest victims of WannaCry.
But, as we know, WannaCry didn’t just affect the UK. Infecting over 200,000 computers in more than 150 countries and earning its operators around $51,000, the WannaCry outbreak is now the biggest cyberattack the world has seen in recent years. Since this attack made such a large impact, a few questions come to mind: What allowed the attack to proliferate across the globe? How did so many organizations fall victim to this ransomware? How do we contain it, and how do we assess its impact?
The Origin and Propagation Methods
For any large-scale attack, the intrusion and propagation stages are crucial. While intrusion happens mostly through email phishing, the propagation method determines how far the attack reaches. The main challenge for most hackers is choosing which vulnerability to pursue, since how quickly an attack spreads depends directly on the vulnerability or security loophole they exploit.
WannaCry is no exception, topping the list of the most impactful attacks this year. WannaCry used phishing for network intrusion, sending potential victims emails that slipped past spam filters. The malware arrives as an attachment to an email that appears to come from a legitimate sender and reads like a genuine message.
Once WannaCry is on a computer, it exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol, using the EternalBlue exploit, to propagate itself across the network. Microsoft identified this vulnerability well before WannaCry appeared, and it is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2017-0144. And Microsoft didn’t stop at reporting the vulnerability in its operating system: it rated the flaw critical and published a security update addressing it on its TechNet site. Because WannaCry relies on this exploit, unpatched Windows systems carried WannaCry around the world.
WannaCry consists of a backdoor installer, or “dropper”, that executes and propagates the ransomware through the MS SMBv1.0 exploit, plus two other malicious files containing the encryption plug-ins. These plug-ins are responsible for encrypting the files on the victim’s system.
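The propagation behaviour described above, one infected host reaching out to many other hosts on TCP port 445 in a short time, is something a defender can look for in firewall or flow logs. The following is an added example, not code from the original article or from any vendor: it parses a constructed connection-log format (timestamp, source, destination, destination port, protocol) and flags any source that contacts an unusually large number of distinct hosts on port 445 within a sliding time window. The log format, the sample lines, the 60-second window and the threshold of five distinct targets are all assumptions chosen for illustration; a real deployment would tune them to the site's normal SMB traffic.

```python
"""Flag SMB fan-out (one host contacting many peers on TCP/445) in connection logs.

Added defender-side example; the log format and sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample log (not real traffic). Each line:
#   <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
#  - 10.0.0.15 contacts eight different hosts on 445 within ten seconds (worm-like)
#  - 10.0.0.40 talks to the same file server five times (normal use, one target)
#  - 10.0.0.41 makes one SMB connection and one HTTPS connection (not SMB)
#  - 10.0.0.42 reaches six hosts on 445 but spread over ten minutes (slow scan)
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.15 10.0.0.20 445 tcp
2017-05-12T10:00:02 10.0.0.15 10.0.0.21 445 tcp
2017-05-12T10:00:03 10.0.0.15 10.0.0.22 445 tcp
2017-05-12T10:00:04 10.0.0.15 10.0.0.23 445 tcp
2017-05-12T10:00:05 10.0.0.15 10.0.0.24 445 tcp
2017-05-12T10:00:06 10.0.0.15 10.0.0.25 445 tcp
2017-05-12T10:00:07 10.0.0.15 10.0.0.26 445 tcp
2017-05-12T10:00:08 10.0.0.15 10.0.0.27 445 tcp
2017-05-12T10:00:10 10.0.0.40 10.0.0.5 445 tcp
2017-05-12T10:01:10 10.0.0.40 10.0.0.5 445 tcp
2017-05-12T10:02:10 10.0.0.40 10.0.0.5 445 tcp
2017-05-12T10:03:10 10.0.0.40 10.0.0.5 445 tcp
2017-05-12T10:04:10 10.0.0.40 10.0.0.5 445 tcp
2017-05-12T10:00:30 10.0.0.41 10.0.0.5 445 tcp
2017-05-12T10:00:31 10.0.0.41 10.0.0.6 443 tcp
2017-05-12T10:00:00 10.0.0.42 10.0.0.30 445 tcp
2017-05-12T10:02:00 10.0.0.42 10.0.0.31 445 tcp
2017-05-12T10:04:00 10.0.0.42 10.0.0.32 445 tcp
2017-05-12T10:06:00 10.0.0.42 10.0.0.33 445 tcp
2017-05-12T10:08:00 10.0.0.42 10.0.0.34 445 tcp
2017-05-12T10:10:00 10.0.0.42 10.0.0.35 445 tcp
"""


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed-format log line into a Conn record."""
    ts, src, dst, dport, _proto = line.split()
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport))


def detect_smb_fanout(lines: Iterable[str], window_seconds: int = 60,
                      min_distinct_targets: int = 5, port: int = 445) -> Dict[str, int]:
    """Return {src_ip: max distinct port-445 targets seen in any window} for sources
    whose fan-out meets the threshold. Window and threshold values are assumptions."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        conn = parse_line(raw)
        if conn.dport == port:          # only SMB-port traffic is of interest here
            by_src[conn.src].append(conn)

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, int] = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        worst = 0
        # Slide a window starting at each connection; count distinct destinations
        # inside it. Repeated connections to one server count once, so ordinary
        # file-server use does not trip the rule.
        for i, start in enumerate(conns):
            targets = {c.dst for c in conns[i:] if c.ts - start.ts < window}
            worst = max(worst, len(targets))
        if worst >= min_distinct_targets:
            alerts[src] = worst
    return alerts


if __name__ == "__main__":
    for host, count in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {host} contacted {count} distinct hosts on TCP/445 within 60s")
```

With the default settings only 10.0.0.15 is reported; the slow scanner 10.0.0.42 only appears if the window is widened to ten minutes, which illustrates the trade-off between catching fast worm-style spread and the false positives a long window brings on a busy file-sharing segment.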