My Take On WannaCry
Reading media coverage of the WannaCry, ransomware attack has been excruciatingly frustrating because little to no information was offered on how infection happens and how to protect yourself.
This issue has been a bit frustrating and unhelpful as an IT professional and user if I didn’t find the right answers there is something seriously wrong. I couldn’t find the important information in any of the mainstream articles so certainly a novice or amateur user would have no chance of protecting themselves.
How Did WannaCry Infect and Spread?
Long version here from Malwarebytes
One of the key ways is still the oldest “phishing” trick in the book, via e-mail which many users are tricked into opening infected attachments. This was not readily available in media coverage and this simple warning or announcement could have prevented a lot of new infections. I believe this is a key factor that has not been discussed since many networks will be behind NAT and external SMB services would be blocked, having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.
The more technical explanation there is an exploit called “ETERNALBLUE” which was a hacking tool leaked from the NSA which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block/filesharing protocol). This has been widely reported but the simple way to prevent automatic infection through this method has not.
Once infected the worm essentially scans your LAN and then the internet to spread the infection further which quickly multiplied the damage and scope of this attack.
How to protect yourself?
- First and foremost is to update your Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server) because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry
- Disable SMB/Filesharing in Windows and if that is not possible at least use firewall settings to block SMB/filesharing/CIFS.
- If the above is not possible you should physically unplug any impacted machines from the network (it could be a simple as disabling all ports on your network/switch or even unplugging entire switches if possible).
Who is to blame?
There is plenty of blame to go around but currently a lot of it is coming from Microsoft who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.
In all fairness Microsoft did issue patches for even unsupported OS’s like Vista and XP on March 14th, 2017.
Many have mused that the NSA should have at last notified Microsoft the moment they realized their hacking tools were leaked.
At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long? Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?
Some Can’t Patch
Some systems may be running on internal networks on their own LAN but were still infected so they wouldn’t be patched. To make matters worse the chances are these would more likely be critical data and infrastructure that are impacted in this case.
Other machines are not managed properly or remotely and are deployed with internet access making them sitting ducks for these types of attacks.
There are also some who just don’t patch because the risk to impacting existing services is too great. Although I would argue the risk is much higher to not patch and not upgrade or migrate your applications to a more secure platform if you get hit with ransomware like this.
These Issues Are Nothing New
With the Snowden revelations many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discovery the vulnerabilities or intentional backdoors on their own, or in this case when the tools and exploits were somehow leaked.
In the wider scope of things Microsoft has seen worms of this scale in the past, it’s nothing new. There are no worldwide protocols for notifying users or defending against such worms and this will certainly become an increasingly problem with more and more devices online especially with IoT and so many devices that are connected that we don’t think about, and that don’t get patched or may not have an easy or automatic way of updating.