In the wake of the recent cyber-attack on the NHS, Dr. Stilianos Vidalis, Director of Training for the Cyber Security Centre at the University of Hertfordshire, takes a look at ransomware and the vulnerabilities it exploits.
It is my understanding that a number of information environments across the world have been affected by a ransomware called WannaCrypt0r 2.0. This specific ransomware, and all of its variants, is not something new. Previous iterations have been classified as low impact. Ransomware is a type of malware that encrypts the contents of the secondary storage devices of a computer until a payment is made. On some occasions, as in the recent incident, the ransomware will also propagate to other active nodes of the same environment. Malware is a type of software virus that is specifically designed to cause a detrimental effect to a computer or a network of computers. This detrimental effect can be disruption, physical or logical damage, unauthorised access to data, or any combination of the above.
On this occasion, it is believed that the ransomware only caused a disruption by encrypting the contents of hard disks using the Advanced Encryption Standard with a 128-bit key, asking for $300 to be paid in bitcoin. Unfortunately, this disruption was caused to a number of hospitals in the UK, telecommunication providers in Europe and other companies overseas. The impact on society was significant. It is also a daily and rather well-documented type of attack that has become very prevalent since cryptocurrencies and anonymising technologies were made available to the public.
It is reported that WannaCrypt0r 2.0 takes advantage of the EternalBlue Windows SMB vulnerability to propagate. SMB stands for Server Message Block. SMB is a network file sharing protocol, mainly implemented in Windows domains. According to Microsoft:
"The Microsoft SMB Protocol is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. These packets can be broadly classified as follows:
• Session control packets—Establishes and discontinues a connection to shared server resources.
• File access packets—Accesses and manipulates files and directories on the remote server.
• General message packets—Sends data to print queues, mailslots, and named pipes, and provides data about the status of print queues."
The particular vulnerability WannaCrypt0r 2.0 takes advantage of was discovered at the end of 2016. A proof-of-concept exploit was made available to the public at the beginning of February 2017.
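An added example, not part of the original article: because the ransomware spreads from node to node over SMB, one defensive check is to flag any internal host that contacts many distinct peers on TCP port 445 (the port SMB uses) within a short window. The log format, addresses, window and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445  # SMB directly over TCP

# Constructed sample flow records: timestamp, source, destination, port, action
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 10.0.0.2 445 ALLOW
2024-01-01T09:00:05 10.0.0.9 10.0.0.31 445 ALLOW
2024-01-01T09:02:00 10.0.0.17 10.0.0.21 445 ALLOW
2024-01-01T09:02:01 10.0.0.17 10.0.0.22 445 DENY
2024-01-01T09:02:01 10.0.0.17 10.0.0.40 443 ALLOW
2024-01-01T09:02:02 10.0.0.17 10.0.0.23 445 ALLOW
2024-01-01T09:02:03 10.0.0.17 10.0.0.24 445 DENY
2024-01-01T09:03:00 10.0.0.9 10.0.0.32 445 ALLOW
2024-01-01T09:06:00 10.0.0.9 10.0.0.33 445 ALLOW
2024-01-01T09:09:00 10.0.0.9 10.0.0.34 445 ALLOW
not a flow record
"""

def smb_fanout(lines, window_s=60, threshold=4):
    """Map each source that reached `threshold` distinct SMB peers within
    `window_s` seconds to (time of first alert, sorted peers).
    Assumes records are in time order; both limits are illustrative."""
    recent = defaultdict(deque)  # source -> (timestamp, destination) in window
    alerts = {}
    for line in lines:
        try:
            ts_text, src, dst, dport, _action = line.split()
            ts, dport = datetime.fromisoformat(ts_text), int(dport)
        except ValueError:
            continue  # skip blank or malformed records
        if dport != SMB_PORT:
            continue
        seen = recent[src]
        seen.append((ts, dst))
        # Drop connections that fell out of the sliding window.
        while (ts - seen[0][0]).total_seconds() > window_s:
            seen.popleft()
        peers = sorted({d for _, d in seen})
        # Denied attempts count too: a blocked attempt is still an attempt.
        if len(peers) >= threshold and src not in alerts:
            alerts[src] = (ts, peers)
    return alerts

if __name__ == "__main__":
    for src, (when, peers) in smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} {src} contacted {len(peers)} hosts on 445: {peers}")
```

On the sample data only 10.0.0.17 is flagged; 10.0.0.9 reaches the same number of peers but spread over several minutes, which is why the window length matters when tuning against normal file-server traffic.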
This leaves the question of how the ransomware managed to infiltrate the information environments. There can be a number of potential sources: spear-phishing attacks (spam email campaigns), intrusive ads, pop-ups, notifications that come up in internet browsers… The point being that, one way or another, users have to allow the initial infection (without realising what it is they are actually doing).
Microsoft addressed the technical issue at the beginning of March 2017. Unfortunately, companies around the world without appropriate risk and threat assessment processes were affected. Immediate solutions are to inform computer users about this specific malware and malware type, and to apply the official patch regardless of the business sector you operate in. The long-term solution is the identification of the baseline security and the development of a security culture within the organisation.
This can be broken down into the:
• development and application of a comprehensive vulnerability identification process.
• policy regarding internal and external penetration tests.
• policy regarding a comprehensive risk and threat assessment process.
• policy regarding end user training.
The University of Hertfordshire has a number of solutions and products that can assist organisations in developing and establishing a security culture. The School of Computer Science offers technical and non-technical undergraduate and postgraduate programmes of study in cyber security and computer science, including a degree apprenticeship. Our Cyber Security Centre can offer advice and consultancy on the aforementioned topics and issues.
Dr. Stilianos Vidalis
Director of Training
Cyber Security Centre
University of Hertfordshire