WannaCry Ransomware and the NHS attack
Ransomware continues to escalate globally targeting essential services. The NHS attack has been particular devastating for the UK, knocking out patient records and rendering hospitals at its mercy forcing a diversion of patients and ambulance routes across the UK. With no ability to access patient records and essential data, patients are being turned away on a large scale. Hospitals have become an increasingly larger target in recent times due to the large number of vulnerable systems in these institutions. They also pay the ransom, as in the case of Hollywood Presbyterian Medical Center last year.What is particularly interesting about this attack is that it exploited a vulnerability that was discovered and developed by the National Security Agency which was recently leaked by a group called the shadow brokers. They leaked a number of important techniques and methods used by the NSA to take over or eavesdrop on a computer or mobile device. The weaker security protocols and systems in place at many of these hospitals allowed the ransomware spread quickly, in this case via an encrypted email attachment.
How does it work?
Once the ransomware has been installed on a computer it executes on the local machine and then contacts a third party server to download other payloads (applications) and activate the application. It then starts encrypting all the files on your drive. After it has completed it will popup a paywall requesting payment to have your files decrypted. If you don’t pay the ransom then the files can be deleted by the hackers.
The NHS attack has been particularly severe and rapid and took only 4 hours to spread to the NHS, originally infecting systems at Telefonica in Spain. The ransomware itself is known as WannaCrypt or WannaCry and is a variant of WeCry which was discovered in February 2017 and infects any Windows based operating system (no known Mac variants have been found yet). It appears from several reports as though this software was initially infected via email and then spread through the internal NHS network using SMB shared drives across the organization. Microsoft has been aware of the vulnerability since March of 2017 and have posted a security update to address this.
Early indicators seem to point to the attack originating in China, but more evidence is needed.
We have confirmed that this ransomware has affected Windows computers on shared networks in at least 150 countries worldwide, with 200,000 reported individual cases and more than 10,000 companies being affected as of May 14, 7:03 am US Pacific Time.
Analysis of the Attack
After the initial payload is on your computer the application will download the anonymous network client “tor.exe” along with its dependencies. Once this has been downloaded the main executable will be able to communicate to its command and control servers anonymously.
Once started it then tries to change the access rights of all its files to obtain total access to your machine. According to Kaspersky the sequence is as follows:
- attrib +h .
- icacls . /grant Everyone:F /T /C /Q
- @WanaDecryptor@.exe fi
Then, as is typical with a lot of ransomware, it will then try to disable Volume Shadow Service so that you cannot recover from the decryption by running a command line sequence. This will trigger a UAC popup, which should be a clue that it should not be allowed.
It will then contact the anonymous servers and begin encrypting all your files.