By Michael Hall, Chief Information Security Officer
Last month, the ransomware known as WannaCry spread through the world at an astonishing rate, attacking hundreds of thousands of computers literally overnight and holding their data for ransom.
In 2016, ransomware cost its victims approximately $1 billion. That’s $1 billion for all victims of all ransomware programs over the entirety of 2016.
WannaCry cost victims that same amount in only twenty-four hours.
So how did it spread so quickly and do so much damage in only one night?
Weakness—Computer or User?
Previously, ransomware had to be delivered to the target computer and launched by someone actively using that computer. Once running, it encrypted the victim's important files with an encryption key; the matching decryption key was held by the criminals who control the malware and was generally handed over only after a ransom was paid, hence the term ransomware.
Why would anyone download ransomware to their own computer? They wouldn't, at least not knowingly. Ransomware has historically arrived through innocent-looking emails, attachments or links, sometimes appearing to come from someone the user knows. This is known as phishing, and it continues to be a growing problem.
Once the victim opened the bait, the attack ran automatically and their data became inaccessible, just as if somebody had slapped combination locks on their files and then demanded payment for the combination.
The WannaCry ransomware that disrupted businesses around the world last month, however, did not depend on the usual tricks such as phishing. Instead, it took a more direct route that bypassed users altogether: it spread on its own from one vulnerable computer to the next over the network, like a worm, with nobody having to click anything.
The criminals responsible for WannaCry used a leaked exploit known as EternalBlue, developed by the U.S. National Security Agency (NSA) for intelligence operations and published online in April 2017 by a group calling itself the Shadow Brokers. An exploit is a program designed to take advantage of a weakness (a vulnerability) in commonly used software or operating systems. When the exploit targets a weakness that is otherwise unknown to the software's maker, it is called a zero day exploit because, without knowledge of the weakness, the maker has had zero days to protect against it. EternalBlue was a zero day only for as long as the NSA alone knew about it: Microsoft fixed the underlying flaw in its March 2017 security bulletin MS17-010, a month before the leak, so by the time WannaCry appeared the exploit worked only against computers that had not installed that update.
Zero days are valuable for espionage because they can be used to enter systems without detection. As WannaCry made abundantly clear, such an exploit is just as valuable for theft, ransomware and other criminal activity. Less than a month after EternalBlue was released online in April 2017, criminals used it to enter computer systems through a flaw in the SMBv1 file-sharing service of Windows and launch their WannaCry ransomware attack. Because the exploit needs nothing more than a network connection to the vulnerable service (TCP port 445), every unpatched Windows computer reachable on the network was a target.
For WannaCry, only Windows computers are vulnerable. Microsoft's patch for the EternalBlue loophole (MS17-010) is available through Windows Update. Windows 10 users who have been applying updates should already be protected; users of previous versions of the operating system must install that update to bring their protection up to par. Windows XP, which Microsoft no longer supports, is especially vulnerable. Microsoft took the unusual step of releasing an emergency MS17-010 fix for XP after WannaCry struck, but XP users should still upgrade to a supported version of the OS, because future security fixes will not be provided. Disabling the obsolete SMBv1 protocol where it is not needed and blocking inbound port 445 at the firewall also remove the route WannaCry used, whether or not the patch is in place.
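The following PowerShell script is an added example, not code from the original article or from DriveSavers. It audits a single Windows host for the two things WannaCry needed, a missing MS17-010 update and a reachable SMBv1 server, and can disable SMBv1 on request. The KB numbers in `$Ms17010Kbs` are the ones I believe MS17-010 shipped under for Windows 7/2008 R2, 8.1/2012 R2, 2012 and the XP/2003/Vista/2008 fix; they are my assumption, and later cumulative rollups supersede them without carrying these IDs, so treat "not found" as "confirm against Microsoft's MS17-010 bulletin" rather than proof the host is unpatched.

```powershell
<#
  Added example (not part of the original article). Audits one Windows host for
  WannaCry exposure: MS17-010 present? SMBv1 server enabled? TCP 445 listening?
  Run from an elevated PowerShell prompt. Assumes Windows 7 / Server 2008 R2 or
  newer. The KB list is an assumption; verify it against Microsoft's MS17-010
  bulletin for your exact OS build.
#>
param([switch]$Remediate)

$Ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012598'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID is the KB name.
    $hits = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Installed = [bool]$hits
        Kbs       = ($hits.HotFixID -join ', ')
    }
}

function Test-Smb1Enabled {
    # Windows 8 / 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2 only have the registry value; absent means enabled.
    $v = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where the optional feature exists, removing it drops the SMBv1 driver entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$patch     = Test-Ms17010Installed
$smb1      = Test-Smb1Enabled
$listening = [bool](netstat -an | Select-String ':445\s+\S+\s+LISTENING')

Write-Host ("MS17-010 KB found : {0} {1}" -f $patch.Installed, $patch.Kbs)
Write-Host ("SMBv1 server on   : {0}" -f $smb1)
Write-Host ("TCP 445 listening : {0}" -f $listening)

if ($smb1 -and $Remediate) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot for the change to take full effect.'
} elseif ($smb1) {
    Write-Host 'Exposed: re-run with -Remediate to disable SMBv1, and apply MS17-010 or a later rollup.'
}
```

Run it as `.\Check-WannaCryExposure.ps1` to audit and `.\Check-WannaCryExposure.ps1 -Remediate` to also turn SMBv1 off. Disabling SMBv1 breaks file sharing with very old clients and some printers and NAS devices, so check what still depends on it before rolling the change out fleet-wide; the patch, not the protocol switch, is the fix Microsoft intends everyone to apply.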
Don’t Let Your Guard Down
The Microsoft patch doesn't mean the end of this type of attack. Criminals continue to use similar exploits and security vulnerabilities to take control of users' systems for a variety of malicious purposes. In fact, the sale of exploits is a thriving trade in the criminal world.
As always, it is critical that all computer users, not just Windows users, check for new patches for their systems and update to the latest software and operating system versions on a regular basis. You can be certain that more exploits like EternalBlue, whether leaked or newly discovered, will be used for criminal endeavors like WannaCry ransomware in the near future.
Professional Ransomware Data Recovery
If you have been infected by WannaCry or any other type of ransomware, there is hope! Call DriveSavers at 800.440.1904 to find out more.