Are You Ready for The Next Variant of “WannaCry”?

A ransomware called WannaCry has spread widely and infected tens of thousands of computers around the world since May 12, 2017. Within three days, the WannaCry ransomware had attacked over 200,000 victims in over 150 regions, revealing its severe impact on cybersecurity worldwide. According to the Hong Kong Computer Emergency Response Team (HKCERT), a total of 31 cases had been reported in Hong Kong as of May 17. All of them ran Windows 7 without regular security updates, which significantly increased the vulnerability of those networks. The National Health Service in the UK was less fortunate: sources reported that the ransomware attack had “crippled the health system’s ability to treat patients.” Thousands of non-emergency appointments were canceled, and ambulances were diverted to other facilities. As I have previously preached, cyberattacks not only cause financial loss but also threaten human life.

What makes WannaCry powerful and different from other ransomware is its worm-like activity, which has been widely observed across the internet. It appears to primarily use the ETERNALBLUE exploit module and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the Server Message Block (SMB) vulnerability, which had been addressed as part of Microsoft Security Bulletin MS17-010. If the exploit succeeds, the malware implants the DOUBLEPULSAR backdoor and uses it to install itself. If the exploit fails but the DOUBLEPULSAR backdoor is already present, the malware still leverages it to install the ransomware payload.
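One defender-side check for the worm-like spread described above, added here as an example and not code from the article, Cisco Umbrella or Talos: it reads constructed connection-log lines (timestamp, source, destination, port; this format is an assumption) and flags any host that contacts many distinct peers on TCP 445, the SMB port ETERNALBLUE targets, within a short window. The window and threshold are assumptions to tune against a network's normal SMB baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # SMB over TCP; the service the ETERNALBLUE exploit targets

# Constructed sample log (not real traffic): "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 fans out to seven peers in 14 seconds (worm-like); 10.0.0.9 talks
# repeatedly to one file server (normal); 10.0.0.7 touches three hosts over
# ten minutes (slow, below threshold); the port-80 line is ignored.
SAMPLE_LOG = """\
2017-05-12T08:55:01 10.0.0.5 10.0.0.20 445
2017-05-12T08:55:03 10.0.0.5 10.0.0.21 445
2017-05-12T08:55:04 10.0.0.5 10.0.0.22 445
2017-05-12T08:55:06 10.0.0.5 10.0.0.23 445
2017-05-12T08:55:09 10.0.0.5 10.0.0.24 445
2017-05-12T08:55:12 10.0.0.5 10.0.0.25 445
2017-05-12T08:55:15 10.0.0.5 10.0.0.26 445
2017-05-12T08:55:02 10.0.0.9 10.0.0.50 445
2017-05-12T08:56:02 10.0.0.9 10.0.0.50 445
2017-05-12T08:57:02 10.0.0.9 10.0.0.50 445
2017-05-12T08:50:00 10.0.0.7 10.0.0.30 445
2017-05-12T08:55:00 10.0.0.7 10.0.0.31 445
2017-05-12T09:00:00 10.0.0.7 10.0.0.32 445
2017-05-12T08:55:05 10.0.0.5 10.0.0.60 80
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_smb_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak_distinct_peers} for sources that reach >= threshold
    distinct destinations on SMB within any sliding time window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, conns in per_src.items():
        conns.sort()  # order by timestamp so the window can slide
        start, peak = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in conns[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_smb_fanout(parse_log(SAMPLE_LOG)))  # {'10.0.0.5': 7}
```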

In fact, Microsoft had created a patch for the vulnerability back in March, but the attackers took advantage of those who had not yet applied it. Many sectors were slow to address the vulnerability. Staying informed of new threats, although a daunting task, is the only way to stay ahead of the attackers, and you need an army of security experts behind you to keep abreast of the latest developments in new attacks.

Security intelligence is crucial to knowing your enemy

Cisco Umbrella analyzes billions of internet requests from millions of users around the world every day to detect patterns and uncover attacker infrastructure. It ingests all of that internet activity data from our global network into our massive graph database in real time, and then continuously runs statistical and machine learning models against it. This information is also constantly analyzed by the Umbrella security researchers and supplemented with intelligence from Cisco Talos. Indeed, during the WannaCry incident over the weekend of May 12, Talos observed an uptick in scanning of our internet-facing honeypots starting shortly before 5am EST (9am UTC) on the Friday. Talos detected that a large-scale cyberattack was about to happen, and it automatically protected customers from the attack, effectively minimizing their losses.