Over the last few months there have been a series of ransomware attacks that affected both individual users and businesses.
The ‘Petya’ family of ransomware included the WannaCry and SambaCry attacks which exploited a known vulnerability in older versions of Windows machines. The vulnerability allowed attackers to exploit and control a machine via a bug in the Microsoft Server Message Block 1.0 (SMBv1) on port 445.
WannaCry ransomware attack
What is WannaCry?
WannaCry was a unique beast because it’s a trojan, a worm, and a piece of ransomware. It was most likely distributed as a standard trojan, attached to an email and mass-sent. However, unlike most trojans, WannaCry didn’t require the recipient of the email to be tricked into downloading the attachment. Just receiving the email was enough for the computer to be taken over and encrypted. And then it self-propagated and would spread the virus among other vulnerable computers in the network, encrypting them all and demanding a ransom to return access to files. The code was built with a self-replicating payload that allowed the ransomware to propagate virally among machines on the same network without any user input.
WannaCry encrypted the files, sent the encryption key to the hackers, and then the script deleted the key from the local computer. The only way to decrypt the files was to pay the bitcoin ransom. Of course, the hackers could choose to just keep the money and not decrypt the files.
Who was affected by WannaCry?
The victims included Nissan, FedEx and, perhaps most critically, the National Health Service. Hospitals all over the country were affected by the hack, which encrypted files on machines and demanded a ransom (paid in bitcoin) for the files to be decrypted.
The reason that the NHS was so badly affected by the attack is because a lot of NHS machines (not only desktop computers, but MRI machines, scanners etc.) still run Windows XP – a 15-year-old operating system that reached end-of-life with Microsoft in April 2014.
The vulnerability was originally discovered by America’s National Security Agency, who created the exploit for their own purposes (nicknamed ‘EternalBlue’). The NSA was infiltrated by Russian hacking group ‘TheShadowBrokers’, who tried to sell EternalBlue (among other exploits) on the internet. Eventually, TheShadowBrokers just released it publicly.
Microsoft actually released a patch for the vulnerability in March – shortly after it was distributed by TheShadowBrokers. Microsoft rolled out the patch to the SMB vulnerability onto newer operating systems for users who had agreed to automatic updates. However, many businesses and users manage the update process manually, so if they hadn’t updated they were vulnerable to WannaCry.
Unfortunately, WannaCry wasn’t the only exploit in the EternalBlue release. There was a wave of blunt and visible attacks like WannaCry, but more worrying were the invisible attacks with no sign of compromise – just a background collection of data.
One similar attack that had a damaging effect was an exploit of ‘Samba’, a tool that allows interoperability between Windows and Linux machines. Samba is built around the SMB protocol, so was vulnerable to the EternalBlue exploit.
At the end of May, one attacker group targeted machines running the Samba tool and began exploiting the vulnerability. Because of its similarity to WannaCry, the Samba exploit became known as ‘SambaCry’. Although both exploited the hole in the SMB protocol, there are key differences between the two attacks.
What is SambaCry?
The first obvious difference is that WannaCry is ransomware, and SambaCry is not. WannaCry used the vulnerability to encrypt a user’s machine, and then demanded a ransom to return that access. However, SambaCry used the vulnerability to turn a machine into a miner for virtual currency.
Because it demanded a ransom, WannaCry was, by definition, a form of ransomware. It has been noted, though, that the WannaCry attack was not a particularly efficient or effective money-making scheme, as the Venn diagram of people who are running Windows XP and people who know how to transfer bitcoin looks rather like two nonintersecting circles. However, because of how widely it spread, WannaCry did make a fair chunk of change. As of writing, 337 ransom payments were made totalling over $131,000 worth of bitcoin.
The SambaCry attack was also a money-making scheme. The attackers uploaded two malicious files to vulnerable machines. The first file gave them full root access to the machine, and this allowed them to install the second file – the cryptocurrency mining tool known as ‘cpuminer’.
This turned affected machines into miners of Monero, an alternative cryptocurrency to bitcoin. Monero was mined on the exploited machines and transferred to the hacker’s Monero wallet. At last count over $5,000 worth of Monero was mined as a result of SambaCry. This is significantly less than WannaCry made, but SambaCry’s reach was also far smaller.
How to protect yourself from ransomware
These weren’t the first attacks of their kind, and nor will they be the last. Attackers are always finding new vulnerabilities in software, particularly in software like Windows XP that is no longer supported or updated by its developers.
There’s not really anything that can be done to stop people from creating ransomware, but there are ways to protect yourself from it.
Do your updates
Keeping software up to date is a vital defence against malware. So, don’t ignore the message that pops up on your desktop every day saying ‘updates are ready to be installed’. These updates often fix vulnerabilities that have been found. Ignoring the updates could leave you susceptible to attack.
Installing antivirus software on your computer or network will give you added protection. Again, it’s important to keep this software up to date to make sure you’re getting the full protection.
As well as from emails, malware can come from pop-ups. A good web browser like Google Chrome should give you a basic level of protection, but installing a pop-up blocker add-on to your browser will increase your safety.
For users with no external access requirements, it would be a good idea to configure the Windows firewall to not allow file-sharing traffic.
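The following PowerShell script is an added example, not code from the original post. It shows the two firewall-and-configuration changes a user with no file-sharing requirements would make on a current Windows machine: switch off the SMBv1 protocol version that contains the bug described above, and add a Windows Firewall rule that drops inbound file-sharing traffic on TCP port 445. It assumes Windows 8.1 / Server 2012 R2 or later (the `NetSecurity` and `SmbShare` cmdlets it uses do not exist on Windows XP) and an elevated session; the rule display name is chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and reduce SMB exposure on a Windows machine that never
# needs to serve file shares to other hosts. Assumes Windows 8.1/2012 R2 or later.

$RuleName = "Block inbound SMB (TCP 445)"   # display name chosen for this example

function Get-SmbExposure {
    # Report whether SMBv1 is still enabled and whether inbound 445 is already blocked.
    $smb  = Get-SmbServerConfiguration
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        SMB1Enabled    = $smb.EnableSMB1Protocol
        SMB2Enabled    = $smb.EnableSMB2Protocol
        Port445Blocked = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

function Disable-LegacySmb {
    # SMBv1 is the protocol version the EternalBlue bug lives in. SMBv2/3 stay on,
    # so modern file sharing keeps working if it is ever needed again.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature too, so the SMBv1 driver is not loaded at all.
    # (Client SKUs only; on Windows Server the equivalent is the FS-SMB1 feature.)
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Drop inbound file-sharing traffic on TCP 445 for every network profile.
    # Outbound connections to trusted file servers are unaffected by this rule.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# Usage: audit first, apply both changes, then re-audit to confirm the result.
"Before:"; Get-SmbExposure | Format-List
Disable-LegacySmb
Block-InboundSmb
"After:";  Get-SmbExposure | Format-List
```

Run `Get-SmbExposure` on its own first to see where a machine stands; after the two changes it should report `SMB1Enabled : False` and `Port445Blocked : True`. The block rule is deliberately inbound-only, so a workstation can still reach a file server while refusing to act as one. Note that none of this is available on Windows XP, which is part of why the machines described above could only be protected by patching or retiring them.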
As well as all of the technology and software solutions, a certain amount of protection comes from just being smart and careful. If something looks fishy (or phishy), then it probably is. Be careful when clicking links or opening attachments from unknown entities. In a business scenario, it’s worth investing in staff training to increase online security awareness and vigilance across the company.
If you do get hit by malware or a ransomware attack like WannaCry, it’s possible (and probable) that you’ll lose access – temporarily or permanently – to the data and files on your machine. That’s why it’s important to keep a backup of all of your important files. Files can be backed up to an external hard drive or server, or to cloud storage tools like OneDrive, iCloud or Google Drive.
For more information, read our previous blog post on how to keep your emails safe and how to reduce the amount of email spam you receive.