WannaCry Ransomware Cyber Attack: A D+10 Report
The WannaCry ransomware cyber attack began on 12 May 2017. It hit hundreds of PCs and servers running outdated and unpatched versions of the Microsoft Windows OS. Users who had not installed the Microsoft update MS17-010 were the ones most vulnerable to this attack. After gaining access to a system, WannaCry encrypted the user's files and displayed the ransom message. Users were required to pay either $300 or $600 worth of Bitcoin within 3 or 7 days, and were threatened that after the deadlines expired their files would be lost forever. It is now the 10th day since the cyber attack began. Let us summarize the latest developments.
Spread of infection
What was initially believed to be an unstoppable cyber attack slowed down for the following reasons.
- A kill switch mechanism was discovered by Marcus Hutchins within hours of the attack being launched on 12 May 2017. He registered a domain name hard-coded in the kill switch. According to the code, WannaCry checked for that particular domain before doing anything else; if the connection succeeded, the infection did not encrypt the files on that computer.
- Network administrators went into overdrive and quickly installed patches, which further slowed down the spread.
- Some tools were released and used that disabled the SMBv1 protocol. Other tools provided a limited way to decrypt files.
Decryption options: was payment ever made?
The payment mechanism for the ransom consisted of three Bitcoin wallet addresses. Bitcoin addresses are public, and so is the number of coins received by each address, but the identity of the owner of an address cannot be found. To date, a little over USD 100k worth of Bitcoin has been deposited in the three addresses, which means that some people have paid the ransom. The nature of the payment system was such that the hackers would never have come to know who paid the ransom amount, so it was a very rudimentary payment system.
The ransom screen has two buttons labelled "Check Payment" and "Contact Us". On clicking the Check Payment button, a message was displayed: "You did not pay" or "We did not confirm your payment". This message continued to be displayed even for users who had paid the ransom. The Contact Us button was not of much help either.
After the payment deadline expired, users who clicked the Check Payment button received a new message: "Your payment was received, start decrypting now". This was followed by another popup window which started decrypting the files. Many users never made any payment, and the rest did not provide any payment details; yet all of them received the new message and their files were decrypted.
Many affected users had their files backed up in the cloud. They simply formatted their systems and work was back to normal.
Takeaways and lessons learnt from WannaCry
- Cloud-based backup systems proved their mettle once again, despite the privacy concerns and hacking incidents of the past.
- Windows operating systems are vulnerable, but Microsoft provides patches. Paying for the latest operating system now makes sense, and the same goes for all software you are ever going to use.
- Always back up your files, either to local storage or to remote storage. A RAID system adds resilience against disk failure, but it is not a substitute for a backup, since ransomware encrypts every disk in the array alike.
- Do not pay the ransom, even in real-life scenarios. If something is important, plan ahead.
- If you are running an enterprise or organisation, do not compromise on patches and upgrades just because it saves the government exchequer some money.
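The two host-side mitigations the article describes, installing MS17-010 and disabling SMBv1, can be audited from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows 8 / Server 2012 or later, and the KB identifiers for MS17-010 (which differ per Windows build) are placeholders you must replace from the bulletin for your OS.

```powershell
# Added example (not from the article): audit a Windows host for the
# WannaCry mitigations discussed above, the MS17-010 patch and SMBv1.
# Requires an elevated session; Get-SmbServerConfiguration needs Win8/2012+.
param(
    # Placeholder: replace with the MS17-010 KB identifiers for this OS build.
    [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER_1', 'KB_PLACEHOLDER_2'),
    [switch]$DisableSmb1
)

function Get-Smb1State {
    # Server-side SMB1 switch from the SMB server configuration.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # SMB1 as an optional Windows feature (absent on some editions).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnabled = $server
        FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists KBs as "KB1234567"; on builds that only ship cumulative
    # updates the specific KB may be superseded, so treat False as "verify".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Kbs | Where-Object { $installed -contains $_ })
}

$smb     = Get-Smb1State
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

Write-Host "MS17-010 present : $patched"
Write-Host "SMB1 server on   : $($smb.ServerEnabled)"
Write-Host "SMB1 feature     : $($smb.FeatureState)"

if (-not $patched) {
    Write-Warning "MS17-010 not found; patch before reconnecting this host to the network."
}

if ($DisableSmb1 -and $smb.ServerEnabled) {
    # Turn off SMB1 on the server side; -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMB1 disabled. Clients that only speak SMB1 (very old devices) will lose access."
}
```

Run it without `-DisableSmb1` first to see the host's state; on a domain, the same check can be applied fleet-wide through `Invoke-Command` against a list of hosts.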