Do you WannaCry? I didn’t think so.

Do you WannaCry?I delayed this week’s blog, just to let some of the dust settle on the whole WannaCry (also known as WCry or WannaCrypt) furore and see if we can learn anything from it that will help protect my readers going forward. I’ll start with some easy background on Ransomware and them explain what was special with WannaCry. Then we’ll get to protecting you.

This story is going to disappear from the news headlines fairly quickly, as there is nothing massively new or worrying coming out for the moment, so we’ll probably be back to normal by next week.

What is Ransomware?

Ransomware has been around for a good few years. Earlier versions were fairly rudimentary, as they only prevented the victim from using their PC and were easily mitigated. The term itself comes from the techie habit to combining words and in this case it is a combination of Ransom Software.

It normally spreads by e-mail attachment/link or a poisoned web page/online ad. If you open the attachment or click on a poisoned ad, a little piece of computer code executes, which downloads the actual  ransom software from the internet. This software then generates an extremely complicated “key”, which is used to scramble the data contained in your files (documents, spreadsheets, photos, videos, databases, etc.). It will carry out the scrambling on any drive that the PC running it can see (so hard drives, network drives, external drives, USB sticks, cloud drives, etc.).

A screen is popped up advising the victim about what has happened and provides instructions for how they can pay the ransom in order to get the “key” to unlock and recover their scrambled files. In some cases the “key” is stored on the evil doers servers, so if the victim does pay, they will be given the key and will be able to get their files back. There may even be a helpdesk telephone number which you can call to get assistance on how you can pay. This is usually because not everyone knows how to go through the cumbersome process of acquiring BitCoin … “Ah here! WTF is BitCoin?” I hear you cry! ? Basically BitCoin is a virtual currency, which is untraceable and that’s why the bad guys like it.

If the victim does get their files back, there is a good chance that the crooks will leave behind a “present”, which will wait a few weeks, then execute on it’s own and scramble the files again. The victim paid once, so there is a good chance they will do it again. However there is also a high probability that paying the ransom won’t mean you get your data back, as you might never get the key from the bad guys.

So that’s a very brief outline of what Ransomware is. In the last 2 years, it has become extremely prevalent. Over 50% of evil email contains some form of Ransomware.

What was special about WannaCry?

What made WannaCry special was the fact that it spread all by itself. It did not require anybody to click on a link or open an attachment. This is what technical types call a “worm”. What it does is it finds a machine on the internet that has a specific vulnerability which it exploits and loads itself into that machine, scrambles the data and then looks for more machines to infect on the local network, as well as on the internet.

My most avid readers ? will remember back in a March post, I discussed the Microsoft Patch Tuesday was a double month, because there had been none in February. Then in an April post, we found out why there was secrecy around the previous month’s patching. The US’ National Security Agency (NSA) had their hacking toolkit released to the internet and Microsoft had spent February urgently patching vulnerabilities that the NSA toolkit exploited.

Which brings us neatly to WannaCry. The evil doers used one of the NSA tools to have their ransomware scan for machines that are vulnerable to a specific exploit and then infect any such machines it finds. Microsoft has issued the patch for this vulnerability in March however it was only issued for the versions of Windows that they still support (Windows Vista, 7, 8.1 and 10 as well as a bunch of server operating systems). Anybody running a Windows XP or 8.0 machine would be vulnerable. The British NHS still has a lot of Windows XP machines and these were the ones that got all of the attention when thousands of them became infected causing surgeries, diagnostic procedures and clinics to be cancelled as a result. In fairness to Microsoft they did subsequently release the patch for the unsupported versions of Windows, which will prevent this attack vector being used in future.

It started circulating on Friday 12th May, and by Saturday it was very widespread, so much so that it grabbed a lot of media attention. This is where it get my first problem – advice from newspaper “Tech” journalists. I’ll possibly get stick for this, but most of them are nothing more than shiny gadget reviewers. They don’t actually truly understand the underlying technology and just parrot “don’t click links”, “patch your software”, etc. While that is good advice, I then see them giving inaccurate reportage like “this was spread by somebody clicking on a link”. No it wasn’t! That’s not how a worm works!!! ? … On a related matter, which I think is hilarious … the shiny gadget reviewer on Ireland AM on TV3 gave better advice than any “Tech” journalist I’ve read this week. ?

My second problem was advice from “Experts” from larger cyber security firms. In the last few days I’ve heard two such experts (from different unnamed companies) say the same thing as the “Tech” journalists, except they made it worse by saying “this worm was spread by somebody opening an attachment.” THAT IS NOT HOW A WORM WORKS FFS!!! ?

My third problem is with technology vendors that try to capitalise on the fear, uncertainty and doubt (FUD) that was present in businesses across the globe on Monday morning. Coming out with nonsense like, “Our Whizz-Bang product will fully protect you from WannaCry.” as Mrs. Brown is known to say “That’s nice.” See below for some simple steps on how you can protect yourself, that is available for free and for nothing.

There are a lot of small to medium-sized, independent security consultancy firms out there that have been giving excellent, accurate and timely advice. These are the ones you should be listening too. They are staffed by people who actually truly know what is happening. I’d like to think I’m also in that category as I don’t state something unless I know it to be a fact. If I don’t know something, I will say so and will go and educate myself.

The spread of WannaCry was stanched by a Cyber Security blogger in the UK (@MalwareTechBlog) who discovered that if a certain internet domain name was registered and active, the worm would not carry out it’s scrambling and scanning function. This was a great help to the world, which has led the young man to be hounded by tabloid newspapers. There you go – no good deed goes unpunished. ?

There is one aspect about this, that I’ve only seen mentioned once. What if the culprits behind this didn’t use Ransomware as the payload? They used the NSA tools to scan the internet for the vulnerability that allowed them execute something on hundreds of thousands of PCs. They chose Ransomware, which kinda gets in your face when it has done it’s dirty deed. What if they chose keyloggers (software that logs all key presses – used for stealing passwords) or other surreptitious, stealthy, spying software? We might never have realised there was something afoot. ?

There’s talk that it was the North Korean’s what did it! Is that interesting? … Maybe. I would have thought they might have preferred the stealth route, but their leader might have had other ideas.

How do I protect myself?

This is the insanely easy bit, believe it or not. All you have to do is follow 4 of my 10 commandments:

  • Commandment 1 Keep all software up-to-date with automatic patching/updating
  • Commandment 2 Use and keep up-to-date Anti-Virus software
  • Commandment 4 Take regular backups of all your data and test that you can restore.
  • Commandment 5 Ignore email from strangers and be careful of email from friends, family, co-workers.

Do those few things and you shouldn’t have to pay any ransom to anybody, because if 1, 2 and 5 fail you (for whatever reason), then 4 will recover you. ?

Let’s be careful out there!