UK Goverment Confirms WannaCry Speculation

Last week reports emerged of the UK government confirming their suspicions of WannaCry being a state sponsored attack involving North Korea.

Earlier this year, just after WannaCry came to prominence I wrote an article What is WannaCry.  In which I speculated due to the nature and style of attack, it did not appear to follow the traditional Ransomware style. What I mean by this is, from the outset WannaCry was targeting and effecting core infrastructure as well as the Public sector in the UK. Resulting in WannaCry becoming somewhat of a disruption, as a rule Ransomware attacker aim to make the process of decrypting the data as smooth and straight forward for the victims as possible. This is likely due to them being after one thing, money. Mozilla conducted an investigation as part of there Online Life is Real Life podcast series a from their investigation they rated Ransomaware customer services. This highlights how the process of ransomware cannot be to complicated as it will reduce and limited their overall ability to collect the ransom

But there are numerous article floating around the web that indicate WannaCry made between $20,000 – $100,000. For an attack of this level that impacted hundreds of thousand of people it was a very poor take.
But the level of chaos and “denial of service” that WannaCry caused indicated to myself that their was more to it than just the money. I am aware that the traditional sence a denial of service or DDoS is targeting web services and flooding them with packets. But in this case WannaCry effected ATM machine as well as computer within hospitals, effectively denying service to them.

Of course the North Koreans released a statement to the effect of them having no involvement and that these accusations are nothing but wild speculation. But it is important to consider that this “speculation” was floating around from the beginning of WannaCry and was stated by a number of security research teams that looked into WannaCry. As well as this, the UK government would not make these accusations without a substantial level of evidence.

The north Koreans have in te past been accused of other attacks, mainly the attack on Sony. This attack was alleged to have happened due to the upcoming release of movie The Interview.

Please let me know your views on the North Koreans involvment in WannaCry in the comments below.

 

 

What is WannaCry

Recently you might have read that a computer virus by the name of WannaCry has been extorting money from people and organizations all over the world. But what is WannaCry and should you be worried?

WannaCry  (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a computer worm that has been effecting Windows computers over the past week. It is rumored to have been enabled and aided by some of the recent Vault 7 vulnerabilitys including EternalBlue that the NSA (National Security Agency) had been collecting and storing over the past few years. This has lead to one of the most widespread and effective ransomware’s that has been seen to date. Not just targeting your average user but also going after large corporations and organization such as the NHS (National Health Services)

wannacry_05_1024x774-0
The WannaCry GUI that users have been met with

But what does it all mean, this ransomware could have sat dormant for month (It very likely has) just trying to spread the infection to as many vulnerable machines as possible. Until it is then activated by either the creator or by s spesific time and date. Once the infection is triggered the malicious package then encrypts the users PC and demands the user to pay the “Ransom” in this case the amount was $300 or £231.59. This is a rather large amount of money and on the scale of the attack would have made it a very profitable venture if all of the effected users pay the money to gain access back to there device.

In the case of WannaCry effecting the NHS it could have potentially cost human lives as well, because it was effecting hospitals and GP surgery’s. Without having access to the patient information the medical practitioner might have been unable to proceed with a user treatment or potential be unable to access the patients personal information.  But WannaCry made a few fatal error is the design and execution of the virus. Firstly the ransom payment was required in bitcoins (Bit coins are a digital currency with no central regulation making it hard to track) but because there what only 4 addresses to pay the bit coins too and because they where hard-coded into application it means that the possibility of tracking them is a whole lot easier. And then there is the built in “Kill Switch” that was again hard coded into the application. This meant that to deactivate the ransomware, a website address needed reached. Meaning that researchers were able to find the target URL and register it meaning they then had the ability to deactivate the program.

For such an effective and wide spread virus it looks as if corners where cut, for example if the URL that was required for the “Kill Switch” had been coded to be random it would have made the pressure of finding the target URL much greater as there would not have been a clear target. And the next blunder was in the form of having only used 4 Bitcoin payment addresses, because of this it will make the authority’s job of tracking the Bitcoins slightly easier as they will just have to monitor bitcoins public transaction ledger know as the blockchain. It has also been found by Cisco researchers that the “Check payment” button did not actually do anything other than display one of 4 possible out come, meaning that the decryption of the devices was most likely done manually. But there is also speculation that the creator may just have send out a random handful of decryption keys to make it appear as if the payment has gained the user access to there machine again. If that is the cases then this virus should not really be called ransomware at all, as there is a strong possibility that even after the ransom has been paid the user will not just be given access back to their files, making this more Theftware.

hacking

But there has been further speculation from other security researches that this attack might have been made to look as if it was ransomware. This could mean that the creators had alternate motives. This could have been for a number of things, but when you consider the sort of things that where effected and completely parallelized (Hospital equipment, Trains and ATM’s) could it be possible that the ransomware side of this attack was merely a cover up? And when you consider that researchers at Kaspersky Lab have been finding evidence linking WannaCry to North Korea. This was in the form of similar code that had been used in a previous attack this year. A number of other big names in cyber security have also backed up these claims as they too have noticed drastic similarity within the code that has been used in both attacks. And when you look at the raising tensions between the USA and North Korea and acknowledge the fact that “cyber space” is the new battle field this could have just been a test run for bigger things to come, but of course this is all merely speculation.

But what do you do if your computer if effected by Ransomware and are there any procotions that you can take to make it less damaging.

Precautions to take


  • Always keep regular backups of any documentation and files that you need or do not wish to lose. You could back them up to an external devices such as a USB stick or an external HDD. The other option would be to back up your files and documents to one of the many cloud services such as GoogleDrive or Microsoft’s OneDrive.

 

  • Make sure you download and install regular updates on your operating system, this should hopeful help to prevent the vulnerability being present on your computer.

 

  • If you machine does get infected by ransomware the first thing you should do is disconnect your devices from the internet, this could possibility prevent the virus from encrypting all of your data.

 

 

 

 

McAfee 2017 Threat Predictions: Are they right?

At the beginning of the year McAfee release a document laying out there predictions for cyber security. And with it being almost half way through the year I feel it would be appropriate to write a review on how there predictions are coming on and if they are coming true.

The initial part of the document I am going to cover is the prediction that “Ransomware subsides in the second half of 2017” For those that don’t know ransomware is a type of malware essentially take control of the users data until the demands or ransom are met. and it is becoming a much greater issues, there have even been cases of not just PC’s but also mobile devices being effected by ransomware. And although the measures to stop these types of attacks are improving the methods for delivering these attacks is also becoming an issue. This could be in the form of using multiple vulnerability to achieve the final goal.  These current point of Internets to the Ransomware attacks are:

  • Adobe Flash
  • Microsoft Internet Explorer and Edge browser
  • Java, PDS and Microsoft office
  • Windows Kernel
  • Infrastructure software
  • Virtualization software
  • Security Products

But McAfee’s prediction of ransomware reducing by the second half of the year could look to be incorrect, this is because of a recent attack that has effected the NHS (British National Health Services) There where a number of services effected including a number of Hospitals, Pharmacy’s and GP Surgery’s. The attack was encrypting data and then demanding £230 to decrypt the files. This could have had a massive effect on the health and live of real people. Usually when you see a large scale cyber attack it is on large organization and companies that do not literally have peoples lives in there hands. This attack could have lead people dying.

The attack is called WannaCry worm and how was it so effective. Well it is rumored to have used some exploits that where found when a large number of NSA documents where leaked earlier this year. These leaks where called Vault 7 that detailed a number of exploits that the NSA had been finding and collecting .

How the WanaCry worm works, is when it finds a vulnerability machine on a network  it will infect that machine and sit and wait until it can find more vulnerable machines on the network and then it will keep the processes going until as many machines as it can infect are infected. From there there could be a trigger for the attack to start or it could open up the infected machines to more complicated attacks, this could be in the form of allowing malicious files to be download to the machine or it could simply be that the worm will in fact deploy the ransomware attack.

There have been reports all over the world in the past few days about large scale attack of this nature, so is this the end or is it only going to get worse?