How does WannaCry, Petya and Other Ransomware spread so fast.

For thousands of people, the first time they heard of “ransomware” was as they were turned away from hospitals in May 2017.

The WannaCry outbreak had shut down computers in more than 80 NHS organisations in England alone, resulting in almost 20,000 cancelled appointments, 600 GP surgeries having to return to pen and paper, and five hospitals simply diverting ambulances, unable to handle any more emergency cases.

But the outbreak wasn’t the birth of ransomware, a type of computer crime which sees computers or data hijacked and a fee demanded to give them back to their owners.

Some of the earliest ransomware claimed to be a warning from the FBI demanding a “fine”, simply tricking users into paying up, or blackmailing them with accusations of trafficking in child abuse imagery.

Their tactics didn’t work for long. Bank transfers were easily tracked, cash payments were difficult to pull off, and if any variant got successful, people would trade tips on how to defeat it rather than pay the bill.

The modern ransomware attack was born from two innovations in the early part of this decade: encryption and bitcoin.

The modern ransomware attack was born from encryption and bitcoin.

• Ransomware such as Cryptolocker, which first appeared in the wild in 2013, didn’t just lock up the screen – it encrypted all the data on the computer.
• The only way to get it back was to pay the toll in return for the unlock key.
• Even if you managed to uninstall the ransomware itself, the data was still locked up.

Bitcoin suddenly meant ransomware authors could take payment without involving the trappings of the conventional banking system such as pre-paid credit cards.

For almost five years, so-called “cryptoransomware” bubbled below the surface, struggling to spread. Generally it was centrally controlled, attacking new victims through direct mail campaigns, tricking users into downloading it, or through botnets of computers infected with other malware– going in through the front door, so to speak, rather than using weaknesses in computer systems to spread.

WannaCry changed that.

Ransomworms

May’s ransomware outbreak was notable for a number of reasons: the scale of the damage; the unusual way in which it came to an end, with the discovery of a badly hidden “kill switch”; and the growing belief that its architects were not cybercriminals, but state-sponsored actors, most likely working for or with the North Korean government.

But the most important aspect is why it managed to go from unknown to taking out a significant chunk of the NHS in a matter of days.

WannaCry was the first “ransomworm” the world had ever seen.

A “worm”, in computing parlance, is a piece of malware able to spread itself to be far more damaging than your typical computer virus.

They self-replicate, bouncing from host to host, and obeying all the epidemiological rules that real diseases do, growing exponentially and taking off when they infect well-connected nodes.

• As computer security techniques have improved, worldwide worm outbreaks have become rare.
• It is hard to engineer a piece of malware that will automatically execute on a remote machine without any user involvement.
• Before WannaCry, the last major worm to hit the wild was Conficker.
• One variant spread to almost 20m machines in one month in January 2009, infecting the French Navy, the UK Ministry of Defence and Greater Manchester Police.

But since Conficker, major worms had been rare other than the Mirai worm and botnet infecting badly-designed Internet of Things devices such as webcams.

WannaCry had a helping hand to break through. In April 2017, a mysterious hacking group called The Shadow Brokers released details of a weakness in Microsoft’s Windows operating systems that could be used to automatically run programs on other computers on the same network.

• That weakness, it is believed, had been stolen in turn from the NSA, which had discovered it an unknown period of time before, code-naming it EternalBlue.
• EternalBlue was part of the NSA’s toolbox of hacking techniques, used to attack the machines of US enemies – before one of them turned the tables.
• The true identity of the Shadow Brokers is still unknown, although every piece of evidence points strongly to them being affiliated with the Russian state.

The Shadow Brokers first made themselves known in public in August 2016, auctioning a job-lot of cyber weapons which it said were stolen from the “Equation Group” – code-name for the NSA’s hacking operation.

Four more leaks followed including EternalBlue in April.

Microsoft fixed the EternalBlue weakness in March, before it was released by the Shadow Brokers, tipped off by the NSA that it was likely to be made public. But two months later, many organisations had yet to install the patch.

Outbreaks

A message demanding money on a computer hacked by a virus known as Petya in June 2017.

• Ultimately, WannaCry was too successful for its own good, spreading so fast that security researchers were tearing it apart within hours of it appearing in the wild.
• One of them, a young Briton called Marcus Hutchins, discovered that affected computers tried to access a particular web address after infection.
• Curiously, the address wasn’t registered to anyone, so he bought the domain – and just like that, the malware stopped spreading.

It’s still unclear why WannaCry included this kill switch. Some researchers think it was because the authors had watched the progression of Conficker, which attracted undue attention.

Others speculate the version of WannaCry “accidentally” escaped the network it was being tested on.

Even with the kill switch active, the outbreak caused enormous damage. A report released in October focusing just on the effects on the NHS concluded that “the WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients”.

It said that WannaCry “was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice” such as installing the fixes that had been released in March.

“There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

A month later, one of those attacks arrived dubbed NotPetya, due to an initial, erroneous, belief that it was an earlier variant of ransomware called Petyna.

The malware was clearly built on the lessons of WannaCry, using the same EternalBlue weakness to spread within corporate networks, but without being able to jump from one network to another.

Instead, NotPetya was seeded to victims through a hacked version of a major accounting program widely used in Ukraine.

It still took out companies far and wide, from shipping firm Maersk to pharmaceutical company Merck – multinationals whose internal networks were large enough that the infection could travel quite far from Ukraine.

NotPetya had another oddity: it didn’t actually seem created to make money.

The “ransomware” was coded in such a way that, even if users did pay up, their data could never be recovered. “

I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” UC Berkley academic Nicholas Weaver told the infosec blog Krebs on Security.

That realisation meant the focus on Ukraine took on a new light. The country has long been at the forefront of cyberwarfare, constantly trading digital blows with its neighbour Russia even while the two countries trade actual blows over the Crimea.

If a nation state were to write malware with the aim of crippling the economy of its target, it might look a lot like NotPetya.

More to come

With Eternalblue slowly being patched, the age of the ransomworm might be over until a new, equally damaging vulnerability is found.

Instead, it looks like old-school ransomware will begin to take back the limelight – with a twist.

• “People have become desensitised to common ransomware, where it just encrypts your files,” says Marcin Kleczynski, the chief executive of information security firm Malwarebytes.
• Widespread backing up of data means fewer are willing to pay up.
• So instead of just locking data away, attackers are threatening the exact opposite: publish it for all the world to see.
• Such attacks, known as “doxware”, have already been seen in the wild, but currently just at a small scale or carried out manually, as when a Lithuanian plastic surgery clinic saw its files published for ransoms of up to €2,000 (£1762).