Posted by David Harley on May 17, 2017.
…Not that we’re exactly in the post-WannaCryptor era yet. But forgive me if you’ve heard enough of the saga of the ransomware ESET calls Win32/Filecoder.WannaCryptor.D (after just a few days, I certainly have). Craig Williams, of the company Gigabyte IT Solutions on St. Helena, mailed me wondering about my take on the issue.*
Here are a few points I thought were worth keeping in mind at this point and beyond, plus one or two that have occurred to me since.
- The security community usually frowns on paying ransomware gangs for recovering files because it encourages the criminals. I can understand people paying up when there’s no other way to recover or replace their files, though. However, in this case, it seems likely that the criminals won’t and can’t recover the files, apart from the handful of files they do allow a victim to recover for free to ‘prove that they can be recovered’. The recovery mechanism only works for those files, and there doesn’t seem to be an equivalent mechanism for recovering all the others.
- The combination of ransomware and worm has certainly accelerated the spread of the malware, though it hasn’t matched some of the worm attacks we were dealing with in the early 2000s. Of course, the potential effects are nastier than most of those earlier worms. Fortunately, its reliance on a vulnerability that has been widely patched has reduced its effectiveness.
- People with machines that were patched back in March for MS17-010 probably weren’t affected unless they had data on a machine (a server, for instance) that was still vulnerable. The patch was available for Windows versions after (but not including) Windows XP with the exception of Windows 8.0. Microsoft, very unusually, also made available a patch for systems no longer normally supported with updates (XP, 8.0, Server 2003) on the 12th of May, so some systems no longer supported can now be patched.
- If you have a machine that can be updated but hasn’t been, clearly you should. The threat from what ESET calls WannaCryptor hasn’t passed: we’re seeing not only variants but copycat and pre-existing malware using the same EternalBlue exploit, and there are other features that might be copied. If you can upgrade an unsupported Windows version, do. If for some reason your machine can’t be upgraded or updated, at least take Microsoft’s advice to:
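The two facts the patching advice above turns on for any given Windows host are whether the update for MS17-010 is actually installed and whether the SMBv1 server that EternalBlue targets is still switched on. The following is an added, read-only check I wrote to illustrate that; it is not code from the original post, from ESET or from Microsoft. The KB identifier is a placeholder (the MS17-010 bulletin lists the real one for each Windows build, and later cumulative updates may supersede it, so an absent KB is a prompt to verify rather than proof of exposure), and the cmdlet and registry names used are the standard Windows ones.

```powershell
# Added example, not from the original post. Read-only status check for one
# Windows host: is the MS17-010 update present, and is the SMBv1 server enabled?
param(
    # Placeholder: replace with the KB number MS17-010 gives for this Windows build.
    [string]$Ms17010Kb = 'KB<number-from-MS17-010-for-this-build>'
)

$status = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = [Environment]::OSVersion.Version.ToString()
    SMB1Enabled  = $null
    UpdateFound  = $null
    Note         = ''
}

# SMBv1 server setting. Windows 8 / Server 2012 and later expose the SMB cmdlets;
# older builds are read through the registry value those cmdlets wrap.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $status.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, and the default is SMBv1 on.
    $status.SMB1Enabled = ($null -eq $val) -or ($val -ne 0)
    # XP and Server 2003 only speak SMBv1, so on those builds the out-of-band
    # patch Microsoft issued on 12 May 2017 is the only mitigation that applies.
    if ([Environment]::OSVersion.Version.Major -lt 6) {
        $status.Note = 'Pre-Vista build: SMBv1 cannot be disabled here; verify the out-of-band patch.'
    }
}

# Installed-update check. Get-HotFix reads the installed hotfix list via WMI;
# with -Id it returns nothing (and no terminating error) if the KB is absent.
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
$status.UpdateFound = [bool]$hotfix

if ($status.SMB1Enabled -and -not $status.UpdateFound) {
    $status.Note = ($status.Note + ' SMBv1 is on and the named update was not found: check Windows Update history.').Trim()
}

[pscustomobject]$status
```

Run it in an elevated PowerShell session on the host in question (or via `Invoke-Command` against a list of servers) and feed the objects into `Export-Csv`; the point is to find the forgotten file server the post warns about, the one that was never patched even though the workstations were.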
- While the SMB exploit allowed an infected machine to pass on the infection to other accessible machines, it’s not clear what the primary infection vector(s) was/were. While I do have a report of emails with infective attachments, that seems to have been unusual. (At least one subsequent report has put the blame squarely on SMB, but I’m not sure that’s the whole story.) Notwithstanding, it’s certainly still a good idea to be wary of emails that carry attachments, wherever they may seem to come from.
- There was a lot of fuss made over the ‘accidental hero’ who was able to ‘switch off’ the attack by registering a domain to see what happened. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world a little time, it didn’t mean there wouldn’t be further attacks. I still recommend that you upgrade or patch if you can (and if you haven’t already, of course). There have been subsequent reports of further variants, including one which is alleged not to include a kill switch. That might not have been an accurate report, but certainly no-one should be relying on sinkholing or the neutralization of kill-switch domains rather than patching. I don’t begrudge MalwareTech his $10,000 bounty or his year’s supply of free pizza, but it’s worth wondering how sure he was that registering the domain would have a happy outcome. Even more disconcertingly, I wonder whether the next malware to contain a conveniently unregistered domain might actually be setting a booby-trap. In any case, it’s reasonable to assume that the criminals will be trying not to be stymied so easily in future.
- A friend of mine who is CEO of a security company asked if that company was the only security vendor not to use ‘WannaCry’ for marketing. I won’t say which company, as I’m sure he wouldn’t want to be accused of sneaking in some marketing by the backdoor. 😉 It’s true, of course, that a high profile attack is likely to inspire a stampede of marketroids claiming that:
  - Their company was the first past the post on detection. Actually, at least one product was detecting the malware generically from the word go, by detecting code intended to use the same exploit. I’m sure that others did the same. Unfortunately, not the company that claimed to be ‘totally protecting’ the NHS.

    Of course, any solution may be outflanked by malicious software somewhere along the line, so I’m not going to join in the finger-pointing. Still, such a grandiloquent phrase is asking for trouble, and I notice that the company has modified its advertising since.

  - Their product is the only safe defence against all security breaches. And all that jazz.
All that aside, that’s a simplistic and rather cynical (not to say frankly insulting) view of what security commentators and researchers do. Even those of us who aren’t involved with direct marketing realize that companies we work for may see marketing value in what we say publicly. But that doesn’t mean everything we write relating to an event like this is purely intended to promote those companies and ourselves. It’s not ‘marketing’ to try to allay panic, discriminate between truth, fiction and speculation, or to use a high-profile security issue to make an educational point and raise awareness.
*If you’re wondering about the connection between the tiny South Atlantic island of St. Helena and an ageing security author in the UK working with a company in San Diego, this article will tell you how it came about: Child safety: An unexpected radio interview.