Australia spared the worst of WannaCry

Australia has so far been spared the worst of what is being called the worst ransomware outbreak to date, but the threat from the attack is far from over.

The WannaCry — also known as WannaCrypt — ransomware attack over the weekend hit around 200,000 victims across 150 countries. But as of early this morning there had only been three Australian companies confirmed as being affected, according to the Prime Minister’s top cybersecurity advisor, Alastair MacGibbon.

Overseas, particularly hard-hit organisations include the UK’s National Health Service, with at least 16 hospitals being forced to divert emergency patients due to their computer systems being infected with ransomware. An estimated 90% of care facilities in the NHS are still using Windows XP, leaving them vulnerable to the attack.

“When a cyber attack literally puts people’s lives at stake, and not just their data, it indicates just how serious and vindictive hackers have become,” LogRhythm ANZ Regional Sales Manager Simon Howe said.

“Attacks on critical national infrastructure are becoming increasingly common, so it’s no surprise that hospitals are a prime target yet again. Health care is such a lucrative target for ransomware because there is a direct correlation between downtime and lasting damage, and as a result, most will surrender to the hacker’s demands immediately.”

Other notable victims include Spanish telecoms operator Telefonica, FedEx in the USA, German railway company Deutsche Bahn and South America’s LATAM Airlines.

The attack used the high-profile Windows Exploit EternalBlue, a component of the suite of NSA hacking tools leaked by suspected Russian hacking group The Shadow Brokers in April. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that had been patched in a security update issued two months earlier.

“Frankly, if you wait two months to apply a critical Microsoft patch, you’re doing something wrong,” commented Kasper Lindgaard, senior director of Secunia Research at Flexera Software. “This time, we even had a warning in April that this could very likely happen, so businesses need to wake up and start taking these types of threats and risks seriously. There is simply no excuse.”

Once infected, impacted systems’ files are encrypted, and a decryptor is run with a message demanding $300 worth of Bitcoins per infected machine. The program offers to decrypt some files for free as a demonstration, and demands payment within a three-day time limit. After this time, the price is doubled, and after seven days files will be lost forever.

The message states that the attackers plan to hold “free events for users who are so poor they couldn’t pay in 6 months”.

In the wake of the attack, Microsoft has taken the highly unusual step of issuing patches for the vulnerability for unsupported versions of Windows, including Windows XP and Windows 8 and Windows Server 2003, despite these operating systems being past their support cycles.

The attack was able to spread so rapidly because it acts as a worm and self-propagates. Analysis from Malwarebytes shows that the attack uses an initial infection vector of a malicious PDF to download and infect a single system. Once there it uses the SMB exploit to spread to all other endpoints on the internal network, making it the first massive worm discovered in around 15 years.

“This is a fast propagating ransomware that is crippling critical infrastructure. There are strong indications it could be using a known vulnerability to penetrate networks and then spread laterally,” Malwarebytes Regional Director for ANZ Jim Cook commented.

“Our research shows the encryption is done with RSA-2048 encryption, which means that it is near impossible to decrypt unless the coders have made an error somewhere.”

As widespread as the attack was, it could have been even worse if a pair of young security researchers hadn’t accidentally discovered a way to issue a “kill switch” stopping the propagation of the worm.

A security researcher known online as MalwareTech discovered the WannaCry code pointed to an unregistered domain, and promptly registered it. Another security researcher, Proofpoint’s Darien Huss, meanwhile discovered a kill switch within the malware. By linking the kill switch with the domain, MalwareTech was able to halt the spread of the attack.

But this reprieve will be short lived, with MalwareTech warning that it will be trivial for attackers to create a new version removing this domain check.

This means that Australian organisations could still be vulnerable to a second wave of attack, warned Geek founder and Chairman John Paior. “It’s very likely that someone will reverse engineer this ransomware worm to generate an updated version which you can guarantee will not contain a ‘kill switch’,” he said.

While Geek, which specialises in recovering encrypted data from ransomware attacks, said that only 2–3% of the more than 1500 PCs the company actively monitors are vulnerable to the attack, data from Flexera indicates that this number could be significantly higher. Flexera found that 9.9% of Australian PC users were running unpatched Windows operating systems during the first quarter, up from 5.9% in the same quarter a year earlier.

Another underwhelming element of the attack is how much it appears to have raised for the culprits. Security researcher Brian Krebs noted that as of Saturday the Bitcoin account linked to the attacks had only received around US$26,000 in payments, a pittance compared to the “massive financial damage likely wrought” by the campaign.

“Unfortunately, this glaring disparity is par for the course with cybercrime in general. As I observed on several occasions in my book Spam Nation — which tracked the careers of some of the most successful malware writers and pharmacy pill spammers on the planet — it was often disheartening to see how little money most of those guys made given the sheer amount of digital disease they were pumping out into the internet on a daily basis,” he said.

“In fact, very few of these individuals made much money at all, and yet they were responsible for perpetuating a global crime machine that inflicted enormous damage on businesses and consumers.”

Regardless, Splunk Director of Threat Research Rich Barger warned that the attack should serve as a “global wake-up call. Ransomware is arguably the number one method of cyber attack in 2017, and this attack demonstrates the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked.”

Image credit: ©stock.adobe.com/au/robsonphoto

Follow us on Twitter and Facebook