WannaCry was one of the most damaging ransomware attacks ever to hit computer systems. A look at Google Trends shows the same spike in the worldwide results. It is time to take a deep dive and understand the subject.
WannaCry can be defined as a worm that carries a ransomware payload. Let's break that technical description into its components and understand each term.
- Malware: In simple words, malicious code developed to disrupt, damage or intrude into a computer system. It attacks the CIA triad, i.e. Confidentiality, Integrity and Availability.
- Worm: One of the types of malware. A worm needs no user interaction to propagate; it spreads by itself from one vulnerable host to the next, which is why it is considered more dangerous than malware that relies on a user to open or run something.
- Ransomware: A class of malware that encrypts the victim's files (or, in some families, the whole disk) and demands a ransom for the decryption key.
- Encryption: A cryptographic function that encodes data with a key so that only holders of the matching key can read it. It protects confidentiality; detecting tampering (integrity) needs a separate mechanism such as a MAC or a digital signature. With a symmetric algorithm like AES the same key decrypts; with an asymmetric algorithm like RSA, data encrypted with the public key is decrypted with the corresponding private key.
So to summarize, WannaCry was self-propagating malware that encrypted the files on each infected machine and demanded a ransom.
To understand WannaCry, let's first understand the Cyber Kill Chain. Developed by Lockheed Martin, it breaks a targeted cyber attack into stages, and each stage is an opportunity to detect and react to the attack. The stages are:
- Reconnaissance: Attackers probe for weaknesses.
- Weaponization: A deliverable payload is built, pairing an exploit with a backdoor.
- Delivery: The payload is delivered through a malicious link, attachment, network service or another medium.
- Exploitation: The exploit runs on the victim's machine so the payload can execute.
- Installation: The malware installs itself on the target machine.
- Command & Control (C2): A channel is established that lets the attacker control the machine remotely.
- Actions on Objectives: The attacker carries out the intended actions.
We can break the WannaCry attack into the same stages.
- Reconnaissance: The worm looked for hosts with the weakness: TCP port 445 open and an SMBv1 server vulnerable to EternalBlue. Let's understand what port 445 and EternalBlue are.
- Port 445 is the port for SMB (Server Message Block) carried directly over TCP, registered as microsoft-ds. It is the port Windows uses for file and printer sharing, named pipes and related services.
- EternalBlue: An exploit for a buffer overflow in the Windows SMBv1 server (CVE-2017-0144), written by the NSA's Equation Group and leaked by the Shadow Brokers hacking group in April 2017. It is often described as a zero-day, but Microsoft had already fixed the bug in March 2017 in security bulletin MS17-010, which covered every supported Windows version from Vista to Windows 10 and Server 2016; emergency fixes for Windows XP and Server 2003 followed after the outbreak. Most WannaCry victims were unpatched Windows 7 machines. The exploit needs no credentials: SMB exposes the IPC$ interprocess communication share, and older Windows accepts a null session (anonymous login) to it, so any client that can reach port 445 can send the crafted requests that trigger the overflow. That is why the worm looked for systems with port 445 open and vulnerable to EternalBlue.
- Weaponization: A payload was built to be delivered through the SMB exploit, and a kill switch was put in place. Before doing anything else, the code tried to connect to the gibberish domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeded, it exited; only if the domain was unreachable did it go on to spread and encrypt. A malware reverse engineer spotted this, registered the domain and pointed it at a sinkhole, which stopped new infections from detonating.
- Delivery & Exploitation: The payload was delivered by exploiting the EternalBlue vulnerability over port 445; no user had to click anything.
- Installation: The DoublePulsar implant, dropped by EternalBlue, was used to inject the WannaCry DLL into a system process over SMB. The dropper then installed itself as a Windows service (mssecsvc2.0) and added a Run key in the Windows registry so it survived a reboot.
- DoublePulsar is a backdoor implant developed by the NSA's Equation Group and leaked together with EternalBlue. It runs in kernel mode and understands three commands: ping, kill and exec. Exec lets the attacker load a DLL or shellcode into a process, which is how the WannaCry payload was run. The implant hides inside the SMB server and answers a Trans2 SESSION_SETUP "ping" with a Multiplex ID of 0x51 instead of the normal 0x41, a quirk that scanners use to find infected hosts.
- Command & Control: WannaCry's worm component did not wait for instructions. Once installed, it scanned the local subnet and random internet addresses for more hosts with port 445 open and vulnerable to EternalBlue, and infected them in turn; the ransom component reached its operators over Tor.
- Actions: With system-level access it deleted the existing Volume Shadow Copies (vssadmin delete shadows /all /quiet), wiped the Windows Backup catalog and turned off recovery at boot (bcdedit /set {default} recoveryenabled no) so the user could not restore files, and hid the recycle bin. It killed database and mail server processes (MySQL, SQL Server, Exchange) so that their open files could be encrypted too. Each file was encrypted with a fresh AES-128 key; that key was encrypted with an RSA-2048 public key generated on the victim's machine, and the matching private key was in turn encrypted with the attackers' own RSA public key, so only they could unlock it. Encrypted files received the .WNCRY extension, and when encryption finished a pop-up (the WanaDecryptor window) appeared demanding the ransom.
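The DoublePulsar fingerprint mentioned above is simple enough to show in code. The following is an added example, not code from the original post or from the implant's authors: it decodes an SMBv1 response and flags the 0x51 Multiplex ID that the implant returns to a Trans2 SESSION_SETUP probe. Driving the probe itself (SMB negotiate, anonymous session setup, tree connect to IPC$) is left to tools such as the nmap smb-double-pulsar-backdoor script; the two responses below are constructed test vectors, not captured traffic, and the flags, TID and PID values in them are assumptions.

```python
"""
Fingerprint a DoublePulsar "ping" reply in an SMBv1 response.

A clean SMBv1 server echoes the client's Multiplex ID (MID) back; the
public scanners send a Trans2 SESSION_SETUP probe with MID 0x41, and a
host running the DoublePulsar kernel implant answers with MID 0x51.
This module only decodes and classifies such a response; it does not
speak SMB on the wire.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41         # probe MID echoed by a normal server
MID_DOUBLEPULSAR = 0x51  # MID returned by the implant

# SMBv1 header, 32 bytes, little-endian:
#   magic(4) command(1) status(4) flags(1) flags2(2) pid_high(2)
#   signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb1_header(packet: bytes) -> dict:
    """Decode the NetBIOS session header and the SMBv1 header that follows."""
    if len(packet) < 4 + SMB1_HEADER.size:
        raise ValueError("too short for NetBIOS + SMB header")
    if packet[0] != 0x00:  # 0x00 = NetBIOS session message
        raise ValueError("not a NetBIOS session message")
    nbss_len = int.from_bytes(packet[1:4], "big")
    (magic, command, status, flags, flags2, pid_high,
     signature, _reserved, tid, pid, uid, mid) = SMB1_HEADER.unpack_from(packet, 4)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    return {
        "nbss_length": nbss_len, "command": command, "status": status,
        "flags": flags, "flags2": flags2, "pid_high": pid_high,
        "signature": signature, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
    }


def doublepulsar_present(response: bytes) -> bool:
    """True when a Trans2 reply carries the implant's 0x51 multiplex ID."""
    hdr = parse_smb1_header(response)
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == MID_DOUBLEPULSAR


def build_trans2_response(mid: int, status: int = 0xC0000002) -> bytes:
    """Constructed test vector: a minimal Trans2 reply (WordCount=0, ByteCount=0).
    Defaults to STATUS_NOT_IMPLEMENTED, the usual answer to the probe."""
    header = SMB1_HEADER.pack(
        SMB1_MAGIC, SMB_COM_TRANSACTION2, status,
        0x98,    # flags: reply | canonicalized paths | case-insensitive (assumed)
        0xC807,  # flags2: unicode | NT status | extended security | misc (assumed)
        0, b"\x00" * 8, 0,
        0x0800,  # tid for the IPC$ tree the probe was sent on (assumed)
        0xFEFF, 0x0800, mid,
    )
    body = b"\x00" + b"\x00\x00"  # WordCount, ByteCount
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed samples, not captured traffic.
CLEAN_REPLY = build_trans2_response(MID_CLEAN)
IMPLANTED_REPLY = build_trans2_response(MID_DOUBLEPULSAR)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_REPLY), ("implanted", IMPLANTED_REPLY)):
        hdr = parse_smb1_header(pkt)
        print(f"{name}: mid=0x{hdr['mid']:02x} doublepulsar={doublepulsar_present(pkt)}")
```

The check deliberately keys on the command byte as well as the MID, so a stray 0x51 in some other SMB reply is not reported; feed it the raw bytes of the Trans2 response from a live probe and it returns True only for the implant's signature.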
The ransom was $300 in Bitcoin for decryption within the first 3 days. After 3 days the amount doubled to $600, and the note threatened to delete all files if nothing was paid within 7 days.
I hope this has put together enough information to clear your doubts and help you understand one of the most damaging ransomware attacks, which impacted approximately 150 countries. The straightforward defence was to keep systems updated with vendor patches (MS17-010 had been available for two months), disable SMBv1, and keep unneeded services such as SMB on port 445 stopped or firewalled from untrusted networks.
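The recovery-inhibition commands listed under Actions are rare in normal administration, which makes process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) a good place to catch them. The following is an added example, not code from the original post: it runs a handful of detection rules over process-creation records. The pipe-separated log format and the sample lines (including the hostname and timestamps) are constructed for the example; the command lines the rules match are the publicly documented ones WannaCry ran.

```python
"""
Detect the recovery-inhibition commands WannaCry ran before encrypting.

The worm deleted Volume Shadow Copies, wiped the Windows Backup catalog
and disabled Windows recovery at boot so victims could not roll back.
Each is a distinct command line that legitimate software almost never
issues, so matching them in process-creation telemetry is high signal.
"""
import re
from typing import Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    timestamp: str
    host: str
    rule: str
    command_line: str


# Rule names are our own; the command lines they match are the public ones.
RULES = {
    "vss_shadow_delete":       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadow_delete":      re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_catalog_delete":  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}


def parse_log_line(line: str) -> Optional[List[str]]:
    """Constructed log format: timestamp|host|image|command_line (4 fields).
    Returns None for lines that do not fit, so one bad record does not stop the run."""
    parts = line.rstrip("\n").split("|", 3)
    return parts if len(parts) == 4 else None


def detect_recovery_inhibition(lines: Iterable[str]) -> List[Finding]:
    """One Finding per (record, rule) match; a single WannaCry command line
    trips several rules because it chains all the commands with '&'."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        timestamp, host, _image, cmdline = parsed
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append(Finding(timestamp, host, rule, cmdline))
    return findings


# Constructed sample telemetry. Only the third record is malicious; the
# first two are ordinary admin activity that the rules must not flag.
SAMPLE_LOG = [
    "2017-05-12T09:30:41Z|ws-04|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2017-05-12T09:30:55Z|ws-04|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "2017-05-12T09:31:07Z|ws-04|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet"
    " & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "malformed line without separators",
]

if __name__ == "__main__":
    for f in detect_recovery_inhibition(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.rule}: {f.command_line[:60]}...")
```

Because the rules look at the full command line rather than the image name, they still fire when the commands are launched through cmd.exe, as WannaCry did; benign shadow-copy listing and enumeration commands do not match.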