Are You Susceptible to WannaCry Ransomware?
A layman's guide to one of the largest ransomware attacks thus far

With the ransomware WannaCry (also called Wcry and Wanna Decryptor) currently sweeping media headlines, we at BitFlip Labs wanted to take a moment to explain what has happened, what makes computers vulnerable, and, more importantly, how to avoid being vulnerable.
What is WannaCry?
The WannaCry worm takes advantage of an exploit against Microsoft Windows, EternalBlue, which the Equation Group has reportedly been using for years to remotely commandeer computers. The EternalBlue exploit was made public by the Shadow Brokers hacker group in April, and on May 12, 2017 it was used by the WannaCry malware to spread and to hold the data on vulnerable systems to ransom.
How does WannaCry spread?
WannaCry spreads in two ways: like a conventional virus and, more concerningly, like a worm. Viruses spread through e-mails and require user activation; worms do not. They spread from vulnerable machine to vulnerable machine without requiring any action from users: no opening e-mails, no clicking on links. The WannaCry worm takes advantage of a fault in the network file-sharing software (SMB) present on computers running every version of Microsoft Windows from XP up to all but the most recent (March 14, 2017) versions of Windows 10. This fault has existed in all Windows operating systems produced in the last 15 years. Once a computer is infected, the worm searches for other susceptible computers on the local network and the broader internet before locking all of the files on the infected system and demanding a ransom.
What makes networks vulnerable to WannaCry?
WannaCry takes advantage of an exploit that exists because the default operating system settings leave unused services turned on. If you are running any of the vulnerable Windows versions, it is important that you patch your system with the latest update. Even older Windows operating systems that are no longer officially supported but are affected by the worm have been issued patches for this vulnerability.
How do I protect my network from similar vulnerabilities?
The WannaCry outbreak is an opportunity to draw attention to the risks of generic network configuration and of the belief that there is safety in anonymity. WannaCry capitalizes on a security weakness in software that is left on by default. BitFlip's customized network security setup allows us to shut down often-overlooked attack surfaces like the one WannaCry takes advantage of.
Another security feature we prioritize, but few others do, is network partitioning. By dividing the systems within a network, we can isolate initial infections and prevent malware from spreading from individual workstations into servers and other critical systems. Had this practice been used on the systems vulnerable to WannaCry, it would have minimized the worm's opportunities to spread. Additionally, regular network audits like the ones we practice would flag machines that had the SMB service running unnecessarily.
Our final security recommendation is to be aware that “obscurity isn't security”. WannaCry targets IPs and e-mail addresses at random, searching for a weakness it can take advantage of. A customized assessment of your company's patterns of use allows us to lock down your systems and close doors that could otherwise be found through network scans and exploited.
Advanced
For our more hands-on and experienced followers: if you would like to disable the protocol that allowed WannaCry to function (SMBv1) without updating Windows, you can follow Microsoft's instructions here (caution: the instructions are difficult to follow, despite coming directly from Microsoft).
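As an added example (it is not part of the original post and is not Microsoft's own script), the PowerShell below does two things this guide talks about: it audits a machine the way the network audits above would, reporting whether the SMBv1 server is enabled and whether anything is listening on TCP port 445, and it disables SMBv1 using the documented Set-SmbServerConfiguration and Disable-WindowsOptionalFeature cmdlets. It assumes Windows 8 / Server 2012 or later for the Smb* cmdlets and falls back to the LanmanServer registry value Microsoft documents for Windows 7 / Server 2008 R2; the fleet section assumes WinRM is enabled on the targets, and the host names in it are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: audit and disable SMBv1 on Windows.
# Assumes Windows 8 / Server 2012 or later for the Smb* cmdlets; on Windows 7 /
# Server 2008 R2 it falls back to the LanmanServer registry value Microsoft documents.

function Get-Smb1Status {
    # Returns one object describing whether the SMBv1 server protocol is enabled
    # and whether anything is listening on TCP 445 (the port the worm reaches for).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older Windows: a missing SMB1 value means SMBv1 is on, which is the default.
        $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    } else {
        # netstat fallback for systems without the NetTCPIP module.
        $listening = [bool](netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING')
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1Enabled   = $smb1Enabled
        Port445Listen = $listening
        NeedsAction   = ($smb1Enabled -eq $true)
    }
}

function Disable-Smb1 {
    # Turns the SMBv1 server protocol off. This closes the worm's entry point but
    # is not a substitute for installing the security update.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Windows 8.1 / 10: also remove the optional feature; completes after a reboot.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }

    # Re-check so the caller sees the state after the change.
    Get-Smb1Status
}

# Local run: report, then remediate only if SMBv1 is still on.
$status = Get-Smb1Status
$status | Format-List
if ($status.NeedsAction) { Disable-Smb1 | Format-List }

# Fleet audit (assumption: WinRM is enabled on the targets; the host names below
# are constructed placeholders to replace with your own inventory).
$inventory = @('WORKSTATION-01', 'FILESERVER-01')
Invoke-Command -ComputerName $inventory -ScriptBlock ${function:Get-Smb1Status} -ErrorAction Continue |
    Where-Object NeedsAction |
    Select-Object PSComputerName, Smb1Enabled, Port445Listen |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. The audit half is the useful part to schedule: a host that reports Smb1Enabled as true is exactly the machine the audits described above should flag, and re-running Get-Smb1Status after Disable-Smb1 (and after the reboot the optional-feature removal needs) is the check that the change took. Disabling SMBv1 removes the path the worm used, but the patch mentioned earlier remains the primary fix and should still be installed.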
