WannaCryptor: What you need to know about the ransomware

A new and adverse form of malware

A new and adverse form of malware has taken the world by storm. Riding on the ubiquitous nature of the Windows OS in PCs, the WannaCry ransomware program (detected by ESET as Win32/Filecoder.WannaCryptor.D) has put most cybersecurity executives in tears as it has ploughed through various organisations on an unprecedented scale.

The African digital ecosystem has not been spared either. WannaCryptor has hit numerous institutions throughout the Continent. The nations which were adversely hit include: Kenya, Ethiopia, Tanzania, Mozambique, Sudan, South Sudan, Uganda, Algeria, South Africa and Nigeria.

On the 13^th of May 2017, the Communications Authority of Kenya in conjunction with the National Kenya Computer Incident Response Team Coordination Center (National KE-CIRT/CC) issued a press statement alerting members of the public of the presence of the WannaCrypt0r ransomware epidemic throughout the globe.

As predicted, cybercriminals are beginning to take notice of the numerous vulnerabilities present in Africa’s digital ecosystem and are innovatively exploiting the numerous loopholes within our digital technologies.

Understanding Wannacryptor

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows operating system.

On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.

The attack spreads by multiple methods, including phishing emails and on unpatched systems as a computer worm.

The attack has been described by Europol as unprecedented in scale.

WannaCrypt0r uses the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems.

Although a patch to remove the underlying vulnerability for supported systems (Windows Vista and later operating systems) had been issued on 14 March 2017, delays in applying security updates has left numerous users vulnerable.

Does your machine run on Windows?

The Windows Operating System remains the main operating system which runs on laptops and desktops in Africa.

With negligible usage over mobile phones in Africa, the Windows OS maintains a significant 35% usage statistic in our continent as over 80% of enterprise devices run on the Windows OS.

This essentially means that if you are a Kenyan reading this article on a Personal Computer or laptop, then there exists an over 80% chance that it is running on Windows.

This, coupled up by the immense chance that the Windows Operating System your device is running on is not updated, increases your vulnerability to the Wannacrypt0r ransomware even further.

What you need to do to stay safe

According to ESET’s Michael Aguilar, here are some tips which we strongly recommend:

Install Anti-malware Software – You may have heard this over and over, and it seems very repetitive mentioning it now. However, if we had not encountered multiple instances where I was told, “It is a server, and we have firewalls, so I will leave anti-malware off of this machine” or “I have too many problems to install antivirus on this server”, We would not mention it. But, that has happened. So, we are stating it. Please install reputable anti-malware and give yourself a fighting chance at stopping this before you are affected.
Update Your Windows Machines – Please! I know that patches can be very, very difficult to get deployed across the entire network. This one, you will want to install. It has been available since mid-April and stops the exploit from gaining a foothold in your environment. The patch listing for the entire listing of Equation Group files can be located here.
Be Intelligent! – As a person who researches infections, exploits and various other information security related items, knowing is half the battle. Especially when items are being leaked and created in this kind of rapid-fire fashion. Using Threat Intelligence, ESET was able to create the appropriate YARA rules that identified the droppers, files and characteristics pertaining to the Equation Groups leaked exploitation files. There has been plenty of detections of these object.. This kind of intel, and more importantly, the feeds that are provided, could help you to make better decisions on what to protect and how to protect it.

In Conclusion

It is important for institutions to invest in reputable malware protection products. As an example, ESET’s network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware was even created. ESET increased the protection level for this specific threat before the exploit was utilised.

Sometimes, investment in technology is not enough. Despite the immense investments in cybersecurity tech, employees remain the weakest link in an organisation’s cybersecurity environment. It costs little more than a cup of coffee to effect security awareness training for a single employee and saving the face of your organisation in the modern, digital world.

In many ways, the ubiquitous growth of Wannadecrypt0r in the modern digital age may serve as an unforgettable lesson for Kenyans; that cybersecurity is not a priority just for the Mzungu, but the Mwananchi as well.

Online cryptocurrency website MyEtherWallet.com has confirmed that some visitors could have been temporarily redirected to a phishing site designed to steal users’ credentials and – ultimately – empty their cryptocurrency wallets.

According to reports, whoever was behind the attack may have successfully stolen approximately US $152,000 worth of Ethereum-based cryptocurrency.

However, MyEtherWallet may not have been at fault, as the website explained in its statement:

“This is not due to a lack of security on the [MyEtherWallet] platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

British security researcher Kevin Beaumont confirms in a blog post that some of MyEtherWallet’s traffic had been redirected to a server based in Russia after traffic intended for Amazon’s DNS resolvers was pointed to a server hosted in Chicago by Equinix.

For the scheme to succeed, someone pulled off a hijack of a crucial component of the internet known as Border Gateway Protocol (BGP), to reroute traffic intended for Amazon’s Route 53 DNS service to the server in Chicago. As a consequence, for some users, entering myetherwallet.com into their browser did not take them to the genuine site but instead to a server at an IP address chosen by the hackers.

The only obvious clue that a typical user might have spotted was that when they visited the fake MyEtherWallet site they would have seen an error message telling them that the site was using an untrustworthy SSL certificate.

It seems that the attackers made a mistake in not obtaining a valid SSL certificate.

Despite the error with their SSL certificate, the hackers haven’t done badly for themselves – both in this attack and in the past. Fascinatingly, the bogus MyEtherWallet website set up by the criminals was moving stolen cryptocurrency into a wallet which already contained some US $27 million worth of assets. Inevitably that raises questions of its own – have the hackers already made a substantial fortune through other attacks, or might their activities be supported by a nation state?

In a statement Equinix confirmed that a customer’s equipment at its Chicago data center was used in the hackers’ hijacking of Amazon’s Route 53 DNS service:

“The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers… We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment.”

Amazon however, do not find the blame to lie on themselves, communicating the following statement:

“Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”

Some advice from award winning security blogger, researcher and speaker, Graham Cluley – avoid putting your cryptocurrency wallet online, keep them off your smartphone or computer and perhaps instead invest in a hardware wallet.

Ransomware Revolution – Ransomware of Things

Technological advances and their accelerated use have led to a number of scenarios considered unlikely just few years prior, are now within the realm of possibility. The advice going into 2018 from ESET researchers is to back up everything that matters to you, often, by keeping at least some backups offline – to media that aren’t routinely exposed to corruption by ransomware and other malware – in a physically secure location. As the Internet of Unnecessarily Networked Things becomes less avoidable, the attack surface increases, with networked devices and sensors embedded into unexpected items and contexts: from routers to fridges to smart meters, from TVs to toys, from power stations to petrol stations and pacemakers. As everything gets ‘smarter’, the number of services that might be disrupted by malware becomes greater.

Criminals following the money

With data being the most valuable asset, ransomware is set to remain in great demand among cybercriminals. It is important to note that many ransomware attacks are not sophisticated enough or never intended to recover the victim’s data once the ransom has been paid. For these reasons we suggest not only backing up of data online and offline but also implementing proper security measures such as proactively training staff on what phishing emails entail and how to avoid clicking on them and entering any credentials.

Critical infrastructure attacks on the rise

Cyber attacks on the Ukrainian power companies resulted in electricity service being turned off in hundreds of thousands of homes. The implications of this for future attacks of this kind include more than just the power grid but also includes critical manufacturing and food production, water and transport and the defence and healthcare sectors.

Safer for all

This year has seen ESET’s malware analysts continue to help law enforcement crack down on malicious campaigns and, by extension, the criminals spewing them. We are confident that 2018 will bring further successful investigations as we will continue to lend a hand to authorities so that, ultimately, the internet can become a safer place for everyone – except cybercriminals.

Download the full Security Trends 2018 report here