What we’ve learned from WannaCry

One of the worst cyber-attacks in the last decade.

Cybersecurity w/ Calan

Overview

In May 2017, the world witnessed one of the most significant and alarming cyberattacks in history: the WannaCry ransomware attack. Spreading across 150 countries and affecting over 200,000 computers, this global incident served as a stark reminder of the vulnerabilities inherent in the digital age. Let’s explore what led to this widespread disaster and the crucial lessons learned to prevent future occurrences.

Understanding the WannaCry Attack

The WannaCry ransomware attack leveraged a vulnerability in the Windows operating system (CVE-2017-0144) through an exploit known as EternalBlue. This exploit was initially developed by the U.S. National Security Agency (NSA) as part of a suite of tools for infiltrating systems. It targeted the Server Message Block (SMB) protocol, a network communication protocol used to provide shared access to files and printers.

EternalBlue specifically exploited a flaw in the way older versions of Windows handled certain requests via SMBv1. This flaw allowed attackers to execute arbitrary code on a targeted system remotely without authentication. Below is a simplified representation of how such an exploit could be initiated:

```python
# Pseudo-code representation of an SMBv1 exploit (illustrative only)
import socket

def create_malicious_packet():
    packet = b"\x00" * 1024  # Fill packet with NOPs and shellcode payload
    packet += b"\xCC\xCC"    # Arbitrary code execution start
    return packet

# Establish a connection to the target
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("target_ip", 445))  # Port 445 is commonly used by SMB

# Send the malicious packet
malicious_packet = create_malicious_packet()
s.send(malicious_packet)
s.close()
```

Note: This pseudo-code is for illustrative purposes only and omits many complexities of the actual EternalBlue exploit. The real implementation involved carefully crafted packets that triggered memory corruption, leading to remote code execution. The actual programming of WannaCry would be in assembly, not Python.

How WannaCry Leveraged EternalBlue

Once the EternalBlue exploit gained access to a vulnerable system, WannaCry would deploy its ransomware payload. The payload encrypted the victim’s files using AES-128 encryption, appending the extension .WNCRY to affected files. The AES key was in turn protected with an RSA public key, ensuring that only the attacker, holding the corresponding private key, could decrypt the data.

Example of an encryption command (not actual ransomware code):

```sh
# Encryption command example (not actual ransomware code)
openssl enc -aes-128-cbc -salt -in importantfile.txt -out importantfile.txt.WNCRY -k <encryption_key>
```

Propagation: WannaCry was self-replicating, meaning it could autonomously spread to other systems within the same network by scanning and exploiting the EternalBlue vulnerability in connected machines. This behavior allowed the ransomware to propagate at an alarming rate, affecting critical infrastructure such as hospitals and businesses.
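The propagation behaviour described above is visible from the network: a single host opening TCP/445 connections to many distinct peers in a short window looks like a worm, not like a normal file-share client. The following is an added example (not code from the original post) that applies that check to constructed firewall log lines; the log format, addresses, window and threshold are assumptions for this example.

```python
# Added example, not from the original post: flag worm-style SMB scanning by
# counting distinct TCP/445 peers per source inside a sliding time window.
from collections import defaultdict
from datetime import datetime
# Constructed sample firewall log: "timestamp src dst dport action".
# Addresses, format and values are assumptions made for this example.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.1.1.20 10.1.1.5 445 ALLOW
2017-05-12T10:00:01 10.1.1.20 10.1.1.6 445 DENY
2017-05-12T10:00:02 10.1.1.20 10.1.1.7 445 DENY
2017-05-12T10:00:02 10.1.1.20 10.1.1.8 445 DENY
2017-05-12T10:00:03 10.1.1.20 10.1.1.9 445 DENY
2017-05-12T10:00:03 10.1.1.20 10.1.1.9 445 DENY
2017-05-12T10:00:04 10.1.1.20 10.1.1.10 445 DENY
2017-05-12T10:00:05 10.1.1.30 10.1.1.5 445 ALLOW
2017-05-12T10:00:09 10.1.1.30 10.1.1.5 445 ALLOW
2017-05-12T10:00:15 10.1.1.30 203.0.113.10 443 ALLOW
2017-05-12T10:05:00 10.1.1.40 10.1.1.5 445 ALLOW
2017-05-12T10:30:00 10.1.1.40 10.1.1.6 445 ALLOW
2017-05-12T11:00:00 10.1.1.40 10.1.1.7 445 ALLOW
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_smb_scanners(log_text, window_s=60, threshold=5):
    """Return {src: max distinct TCP/445 peers inside any window_s-second window}
    for sources reaching `threshold`. DENY rows count too: a blocked attempt still reveals scanning."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _ = parse_line(line)
            if dport == 445:
                hits[src].append((ts, dst))
    flagged = {}
    for src, rows in hits.items():
        rows.sort()  # sliding window needs time order
        start = 0
        for end in range(len(rows)):
            while (rows[end][0] - rows[start][0]).total_seconds() > window_s:
                start += 1
            peers = {dst for _, dst in rows[start:end + 1]}  # set: repeats don't inflate
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB peers in 60s - isolate host, verify MS17-010 patch level")
```

On the sample log only 10.1.1.20 is flagged; 10.1.1.30 talks repeatedly to one file server and 10.1.1.40 reaches three peers spread over an hour, so neither trips the 60-second window.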

Kill Switch: The ransomware contained an embedded kill switch — a domain check coded by its developers that disabled the malware if triggered. A security researcher named Marcus Hutchins inadvertently discovered this domain, registered it, and halted the spread of the ransomware. This move prevented further infections but did not decrypt already encrypted files.

“I’ve had all these people inundating me with messages thanking me and calling me a hero, I just sort of made this domain for tracking and didn’t expect to all just blow up”

“I was just sort of doing my job and I don’t think I’m a hero at all.”

— Marcus Hutchins on The Telegraph “I’m no hero” interview.
https://www.youtube.com/watch?v=h5dNdnG_t1U

Why Did WannaCry Happen?

The key factors that contributed to the severity of the WannaCry attack were:

1. Many affected organizations were using older versions of Windows that hadn’t received recent security patches.

2. Despite Microsoft releasing a patch for the vulnerability months prior to the attack, many users had not applied it, leaving their systems exposed.

3. Essential infrastructure and services often relied on outdated software that was difficult or costly to upgrade.

What we learned and how you can prevent it

The WannaCry ransomware attack left the world with important lessons that apply beyond the immediate aftermath:

1. Timely Software Updates are Critical

One of the clearest takeaways from the WannaCry attack was the importance of applying software patches promptly. Organizations must maintain a robust patch management strategy to ensure vulnerabilities are addressed as soon as updates are available. Failure to do so can have catastrophic consequences.

2. Outdated Systems are Liabilities

Critical institutions, including healthcare and public services, sometimes operate on legacy systems due to financial or logistical constraints. The attack highlighted that such reliance poses significant risks. Investing in updated software and maintaining infrastructure is not just beneficial but necessary to protect against modern cyber threats.

3. Global Collaboration is Essential

WannaCry demonstrated that cybersecurity is a collective responsibility that transcends national boundaries. Governments, private companies, and international organizations must collaborate to share intelligence, develop global security standards, and respond to emerging threats swiftly.

4. Awareness and Training Matter

Cybersecurity isn’t solely about technology; it’s also about people. Ensuring that employees and IT staff are aware of best practices and potential risks is vital for minimizing vulnerabilities. Regular training and simulated attack exercises can better prepare organizations to defend against real threats.

Changes We Need for a Safer Future

The WannaCry attack catalyzed shifts in how governments and organizations approach cybersecurity:

• Enhanced Public-Private Partnerships: Increased cooperation between governments and private sectors for threat intelligence sharing.

• Zero-Trust Architectures: The adoption of zero-trust models where every access request is continuously verified, making it harder for ransomware to spread within networks.

• Unified Regulations: The call for universal regulations and stronger enforcement of cybersecurity standards has grown louder, emphasizing that patching and software updates shouldn’t be optional but mandatory.

Thanks for reading my first blog post! I’d appreciate a follow or subscribe or whatever they call it here. Please let me know any improvements I can make to the style or writing of these posts; also let me know if you guys wanna see a short extension on this post about The Shadow Brokers! Thanks, Calan.

Sources: https://pastebin.com/sV8ZAsuU
