Eternally Crying – Shadow Brokers’ release of EternalBlue, WannaCry and Adylkuzz Exploits

Redport Information Assurance
In recent weeks the cybersecurity research community has been occupied with detecting, halting, and recovering files from attacks built on a Microsoft vulnerability (CVE-2017-0144) in Microsoft’s Server Message Block (SMB) protocol. The vulnerability spawned the EternalBlue exploit and the WannaCry ransomware. WannaCry was first reported to have launched on May 12, 2017, starting with the UK hospital system and then spreading rapidly across the globe. It was first reported when it wreaked havoc on the United Kingdom’s (UK) public hospital system, shutting down many of the UK’s hospital computer operations. EternalBlue and WannaCry affected many unpatched Microsoft Windows systems; the most commonly affected operating systems were Windows XP and Windows 7. Because the exploit targets popular unpatched Windows operating systems, many security researchers assess that the WannaCry ransomware alone has affected millions of devices as it continues to spread. Unfortunately, a majority of ransomware victims are likely to be consumers. Ransomware does not affect critical infrastructure owners and operators. However, the WannaCry ransomware has the capability to restrict users’ access to their computer files and demands a ransom to unlock them. The U.S. Department of Justice (DOJ) defines ransomware as a type of malicious software (malware) that cyber threat actors can use to deny access to systems or data until the ransom they demand has been paid; the payment is usually in the form of a cryptocurrency such as Bitcoin. After the initial WannaCry infection, the ransomware can spread through victims’ enterprise systems and networks. The WannaCry ransomware was initially delivered by phishing emails containing a link.
The WannaCry ransomware could therefore spread quickly to other systems, exploiting the security vulnerability to move remotely between unpatched computers. While WannaCry was going global, a young high school teenager examining a sample of the malware discovered a URL embedded in the malicious code. The teenager simply bought the domain, which essentially killed the spread of the malware that had been moving like a worm through unpatched computer systems. By this time Microsoft was aware of the WannaCry ransomware epidemic and quickly developed a patch for the latest Microsoft Windows operating systems, including Microsoft Windows operating systems that were by then considered out of cycle for software updates. The Microsoft patch (MS17-010) was available for distribution on May 14, 2017. Everyone was worried about the new WannaCry ransomware; little did users know that another exploit was spreading, though not as fast as WannaCry. The other exploit, named Adylkuzz, was delivered in the same manner as EternalBlue but spread much more slowly. Adylkuzz was discovered and observed by security researchers on May 2, 2017 and was the first exploit to use the zero-day vulnerabilities stolen from the U.S. Government agency by the Shadow Brokers. It should be apparent after reading this blog that users should immediately download the released Microsoft WannaCry patch (MS17-010) to prevent infection of their computer systems. If your system has already been compromised by WannaCry ransomware, first attempt to use the available decryptor to retrieve your files before paying any ransom demand. Users should always keep up-to-date backups and constantly update their systems to be prepared for future ransomware attacks.
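As an added example (not part of the original post, and not Redport’s or Microsoft’s code), here is a PowerShell audit an administrator could run to see whether a Windows host is still exposed to the SMB issue described above: it reports whether the SMBv1 server protocol is enabled and whether any of the MS17-010 hotfix IDs the administrator supplies is installed. The KB numbers are not given on this page; take the ones for each OS from Microsoft’s MS17-010 bulletin and pass them in as `$Ms17010Kbs` (an assumed parameter name).

```powershell
<#
  Added example: audit a Windows host for exposure to the SMB vulnerability
  (CVE-2017-0144) that EternalBlue and WannaCry used. Run in an elevated
  PowerShell session. The MS17-010 KB numbers differ per Windows version and
  are not listed in this post; supply the ones for your OS from the bulletin.
#>
param(
    # Assumed input: KB IDs for this host's OS, taken from the MS17-010 bulletin.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN'),
    # Set this switch to disable SMBv1 instead of only reporting.
    [switch]$Remediate
)

$result = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    Smb1Enabled  = $null
    Ms17010Found = @()
    Exposed      = $null
}

# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
$cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($cfg) {
    $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
} else {
    # Older hosts (e.g. Windows 7): the LanmanServer SMB1 value controls SMBv1;
    # an absent value means SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $result.Smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}

# Any one of the bulletin's KB IDs present means the SMB fix is installed.
# Caveat: a later cumulative update may supersede these KBs, so treat a miss
# as "verify against Windows Update history", not as proof of exposure.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$result.Ms17010Found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

# Exposed = SMBv1 still on and no MS17-010 fix found. Patching is the real fix;
# disabling SMBv1 removes the network surface WannaCry's worm component used.
$result.Exposed = $result.Smb1Enabled -and ($result.Ms17010Found.Count -eq 0)

if ($Remediate -and $result.Smb1Enabled -and $cfg) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $result.Smb1Enabled = $false
}

[pscustomobject]$result
```

Run it across a fleet with `Invoke-Command` to get one row per host; any row with `Exposed = True` is a host to patch first and to take off SMBv1 regardless.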

References:
http://www.foxnews.com/tech/2017/05/15/what-is-wannacry-ransomware.html
http://thehill.com/business-a-lobbying/334205-tool-decrypts-wanna-cry-files-some-operating-systems-some-times

By Randall Sylvertooth, D.Sc.



For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA