WannaCryptor, aka WannaCry, is one of the biggest cybersecurity stories of 2017. In fact, you could go as far as to suggest one of the biggest in years. Since news first broke on Friday, broadcasters, journalists, bloggers, commentators, experts and security vendors, to name but a few, have reported on, discussed and analysed this global threat with a level of attention unseen before. 

While this is all welcome, it can sometimes feel like information overload. Aware of this, we’ve put together this Q&A, bringing together some of the key points. There’s enough information to know all the salient points without getting too lost, but also plenty of links if you want more detail on certain areas related to the story.

 

What is WannaCryptor?

WannaCryptor, and its variants, is a type of malicious software known as ransomware, an increasingly popular attack method deployed by cybercriminals that involves the illegal encryption of files and devices. A ransom is demanded for the ‘safe recovery’ of said files and devices.

According to Carey van Vlaanderen, CEO at ESET South Africa, WannaCryptor, also known as WannaCry and Wcrypt, is “unlike most encrypting-type malware: this one has wormlike capabilities, allowing it to spread by itself”. ESET clients were already protected by ESET’s network protection module.

The English version of the ransomware message, which can be displayed in several languages based on geolocation and which appeared on infected computer screens, read: “Ooops, your files have been encrypted!” The authors of the malware added that it was futile to look for a way to access the files without their assistance, which, of course, comes at a cost – about R4,000 in bitcoin per infected computer.

 

What happened?

In the UK, news outlets reported that multiple NHS sites had been hit with a massive cyberattack. Services were disrupted, with doctors, GPs and healthcare professionals unable to access computers or files. However, it’s unclear how much of the disruption was due to the precautionary shutting down or isolation of systems rather than direct breaches.

Soon enough it became clear that the cyberattack was, in fact, global in scale, affecting close to 150 countries (including, to name but a few, Spain, the US, India, Russia and China) and impacting all sorts of organisations and government agencies. In South Africa, 386 ESET clients were the targets of WannaCryptor; luckily, however, they were unscathed, as the attacks were unsuccessful.

Over the weekend, internal and external security specialists responded swiftly to the attack, including NHS Digital, ESET, Microsoft and the UK’s National Cyber Security Centre, all of which has gone a long way to limiting the damage and reach of WannaCryptor.

Further, ‘luck’ has also played a part in at least slowing down the malware. An individual, based in the UK, who goes by the moniker MalwareTech, accidentally activated what was later discovered to be a kill switch in the malware. As he tweeted on May 13th: “I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”

This is, by no means, the end. The story is still unfolding, with new infections still being reported across the world, though seemingly with ‘less energy’ than the initial outbreak. Still, many are calling for vigilance, as, due to the complexity of this ransomware, aftershocks are likely.

 

How did this happen?

It’s currently unclear what the original source is for this malware, but it’s likely that WannaCryptor was either delivered by email – hidden in an attachment – or via a backdoor (suggesting that a system had already been compromised).

In this particular instance, the malware has exploited a vulnerability in older (Windows XP, Windows 8.0, Windows Server 2003) and/or still-supported versions of Microsoft’s Windows operating system where the MS17-010 update wasn’t applied. Computers that have been infected are those whose operating system had, for whatever reason, not been updated with the latest version. The MS17-010 update has been available for supported systems since March 2017, and was made available for Windows XP/Windows 8.0/Windows Server 2003 on May 12th.

The case has highlighted many flaws within some organizations, security agencies and governments, including poor and untimely information sharing; inefficient and slow-to-react cybersecurity efforts; and financial underinvestment, all of which have created a perfect hailstorm of opportunities for cybercriminals to exploit.

 

What are experts, decision makers and organizations saying?

Rob Wainwright, executive director of Europol, said in an interview with British broadcaster Robert Peston: “We’ve seen the rise of ransomware becoming the principal cyber threat, but this is something we’ve never seen before – the global reach is unprecedented.”

In an official company blog, Brad Smith, president and chief legal officer of Microsoft, described WannaCryptor as a “wake-up call for all”. He added: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”

Mark Porter, council chair of the British Medical Association, noted: “We need to quickly establish what went wrong to prevent this happening again and questions must also be asked about whether inadequate investment in NHS information systems has left it vulnerable to such an attack.”

David Harley, a senior research fellow at ESET, said: “If you didn’t take advantage of the patch for supported versions of Windows (Vista, 7, 8.1 and later) at the time, now would be a good time to do so (a couple of days earlier would have been even better). If you’re running one of the unsupported Windows versions mentioned above (and yes, we appreciate that some people have to because of hardware or software compatibility issues), we strongly recommend that you either upgrade or take advantage of the new update.”