What is WannaCry

Recently you might have read that a computer virus by the name of WannaCry has been extorting money from people and organizations all over the world. But what is WannaCry and should you be worried?

WannaCry  (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a computer worm that has been effecting Windows computers over the past week. It is rumored to have been enabled and aided by some of the recent Vault 7 vulnerabilitys including EternalBlue that the NSA (National Security Agency) had been collecting and storing over the past few years. This has lead to one of the most widespread and effective ransomware’s that has been seen to date. Not just targeting your average user but also going after large corporations and organization such as the NHS (National Health Services)

wannacry_05_1024x774-0
The WannaCry GUI that users have been met with

But what does it all mean, this ransomware could have sat dormant for month (It very likely has) just trying to spread the infection to as many vulnerable machines as possible. Until it is then activated by either the creator or by s spesific time and date. Once the infection is triggered the malicious package then encrypts the users PC and demands the user to pay the “Ransom” in this case the amount was $300 or £231.59. This is a rather large amount of money and on the scale of the attack would have made it a very profitable venture if all of the effected users pay the money to gain access back to there device.

In the case of WannaCry effecting the NHS it could have potentially cost human lives as well, because it was effecting hospitals and GP surgery’s. Without having access to the patient information the medical practitioner might have been unable to proceed with a user treatment or potential be unable to access the patients personal information.  But WannaCry made a few fatal error is the design and execution of the virus. Firstly the ransom payment was required in bitcoins (Bit coins are a digital currency with no central regulation making it hard to track) but because there what only 4 addresses to pay the bit coins too and because they where hard-coded into application it means that the possibility of tracking them is a whole lot easier. And then there is the built in “Kill Switch” that was again hard coded into the application. This meant that to deactivate the ransomware, a website address needed reached. Meaning that researchers were able to find the target URL and register it meaning they then had the ability to deactivate the program.

For such an effective and wide spread virus it looks as if corners where cut, for example if the URL that was required for the “Kill Switch” had been coded to be random it would have made the pressure of finding the target URL much greater as there would not have been a clear target. And the next blunder was in the form of having only used 4 Bitcoin payment addresses, because of this it will make the authority’s job of tracking the Bitcoins slightly easier as they will just have to monitor bitcoins public transaction ledger know as the blockchain. It has also been found by Cisco researchers that the “Check payment” button did not actually do anything other than display one of 4 possible out come, meaning that the decryption of the devices was most likely done manually. But there is also speculation that the creator may just have send out a random handful of decryption keys to make it appear as if the payment has gained the user access to there machine again. If that is the cases then this virus should not really be called ransomware at all, as there is a strong possibility that even after the ransom has been paid the user will not just be given access back to their files, making this more Theftware.

hacking

But there has been further speculation from other security researches that this attack might have been made to look as if it was ransomware. This could mean that the creators had alternate motives. This could have been for a number of things, but when you consider the sort of things that where effected and completely parallelized (Hospital equipment, Trains and ATM’s) could it be possible that the ransomware side of this attack was merely a cover up? And when you consider that researchers at Kaspersky Lab have been finding evidence linking WannaCry to North Korea. This was in the form of similar code that had been used in a previous attack this year. A number of other big names in cyber security have also backed up these claims as they too have noticed drastic similarity within the code that has been used in both attacks. And when you look at the raising tensions between the USA and North Korea and acknowledge the fact that “cyber space” is the new battle field this could have just been a test run for bigger things to come, but of course this is all merely speculation.

But what do you do if your computer if effected by Ransomware and are there any procotions that you can take to make it less damaging.

Precautions to take


  • Always keep regular backups of any documentation and files that you need or do not wish to lose. You could back them up to an external devices such as a USB stick or an external HDD. The other option would be to back up your files and documents to one of the many cloud services such as GoogleDrive or Microsoft’s OneDrive.

 

  • Make sure you download and install regular updates on your operating system, this should hopeful help to prevent the vulnerability being present on your computer.

 

  • If you machine does get infected by ransomware the first thing you should do is disconnect your devices from the internet, this could possibility prevent the virus from encrypting all of your data.

 

 

 

 

Google Cracks SHA-1

A couple of weeks ago a report by Google came out stating they had managed to crack the SHA-1 (Secure Hash Algorithm 1) This Hash function was original developed by the NSA in 1993. And it is still used by a lot of websites today, although there are much newer versions that offers a lot more security as the maths and computing power to crack it is even greater it has not been as widely adopted.

These issue with the Hash Collision is that the idea behind SHA-1 was essentially each file would be given a unique header and in 1993 when this was first developed the for-site that there could potentially be a collision would have seemed impossible due to the amount of computing power required to even entertain this and the fact that PC and computer use was no where near as common as it is today. But although Google has managed to force a collision between 2 items having the same SHA-1 hash it did however take them 2 year with support from the university of Amsterdam. Combine the resources and computing power both a university and Google have and given it took them 2 years to achieve this means as an out-and-out security vulnerability it is not all that feasible that a hacker would be able to force a collision and potentially cause damage.

GoogleCollisionCrackImae
Source: Google Security Blog

Another reason this isn’t to much of a concern to the integrity of cyber security in my option is that SHA-2 is readily available, and already deployed meaning that even if the collision is able to be simulated again in much less time there is a very accessible upgrade path that will offer much greater security and also not lead to a time between SHA-1 is vulnerable and SHA-2 is being developed.

The Creator of both Linux and Git was warned about the possible vulnerability with SHA-1 in 2005 and proceed to continue using it for Git. This is because he felt it would be far to expensive and Git has layered security meaning that one layer might be compromised but that isn’t the end game.

In my opinion although it has been cracked in an experimental setting it would not be as accessable to do for malicious purposes unless it was a state sponsored attack because the resources and time required are not anywhere close to where hackers would feel it a useful tool. And furthermore companies such as Google and Microsoft already use SHA-256 so your average joe who uses YouTube and Gmail will have nothing to worry about in regards to their online privacy and security.

 

If you enjoyed that check out some other posts below

McAfee Cyber Threat Predictions 2017

Paid vs Free Anti-Virus Software