WannaCry Ransomware: A Brief Q&A with a CyberArk Labs Researcher
August 7, 2017 | Security and Risk | Amy Burnis
In May, we offered a 30 minute webcast focused on deconstructing the WannaCry ransomware attack. Led by CyberArk Labs Researcher Shaked Reiner, the webcast delved into specifics of the attack, as well as proven methods organizations can implement to prevent WannaCry’s ability to spread through networks and encrypt system data. We’ve compiled some of the questions attendees asked Shaked during the session, and the highlights are shared here:
Q: Can you describe the propagation technique used by WannaCry?
A: The WannaCry ransomware’s technique is based upon code originally developed by the NSA and leaked by the hacker group known as Shadow Brokers. It uses a variant of the Shadow Brokers’ leaked exploit and utilizes strong encryption on files such as documents, images and videos. The ransomware was able to spread at an unprecedented rate via a sophisticated, built-in “worm” capability. Additionally, it specifically targets the MS17-010 SMB vulnerability in Microsoft systems that many people had left unpatched, and therefore, exposed.
Q: Which account does WannaCry use to install itself, and if the user does not have administrative privileges, shouldn’t it disallow WannaCry to install itself?
A: This specific strain of ransomware is special in that aspect. Administrative privileges are not required to execute the initial infection. However, in order to propagate throughout the organization’s network, it needs to escalate privileges through the Microsoft vulnerability described above. After successfully exploiting this vulnerability, the ransomware has access to the highest tier of privileged credentials, enabling it run code in SYSTEM user context. WannaCry is then able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in Bitcoin to decrypt the files.
Q: Why can’t Bitcoin payments be tracked?
A: Bitcoin is often described as an anonymous currency because it is possible to send and receive Bitcoins without sharing any personally identifying information. It works by leveraging digital wallets untethered to a central management or processing system. This allows each digital wallet to operate independently, and it makes tracking and identification of the wallet holder incredibly difficult.
Q: How is it possible to detect and block such an attack?
A: Our CyberArk Labs team conducts ransomware testing daily to help organizations better prepare for such attacks. Based upon tests of more than 600,000 ransomware samples (including WannaCry), the team has found that the combination of enforcing least privilege on endpoints and application greylisting control is 100 percent effective in preventing ransomware in general, and WannaCry specifically, from encrypting files.
CyberArk Endpoint Privilege Manager helps organizations remove common barriers to enforcing least privilege, such as user productivity loss and increased burden on IT teams. It also allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security and application control reduces the risk of malware infection. Unknown applications can run in a restricted mode to contain threats while maintaining productivity, and behavioral analysis identifies and blocks credential theft attempts. These critical prevention and protection technologies are deployed as a single agent to strengthen existing endpoint security.
Q: How difficult is it to create malware such as WannaCry?
A. It’s important to separate the two components of this malware to answer this question. In the case of WannaCry, the ransomware component itself was very ordinary – there are a few open-source ransomwares widely available on the internet and one does not need advanced programming knowledge to figure out how to compile one. What makes WannaCry unique and viral in nature is the highly sophisticated worm component that allows it to spread as quickly as possible to as many machines as possible. It’s likely two malware authors were involved in the creation of WannaCry, as the infection component is so advanced, while the ransomware itself is not overly sophisticated.
Q: Are there any additional tools from the NSA leak that could lead to another attack of this magnitude and scale?
A: Yes. The Shadow Brokers group offer a monthly subscription program that promises more data will be released from the NSA leak. It’s important to note that the previous leak did not contain any exploits’ source code, so WannaCry was constructed by fully reverse-engineering the software that was released. This indicates that the attacker responsible for the WannaCry worm component was extremely sophisticated, as noted previously. The NSA leak most certainly contained more tools that savvy hackers may leverage to wreak additional, future havoc and harm.