It’s May, which means it has been one year since the infamous WannaCry attack, an unprecedented malware attack spread worldwide in a matter of hours, infecting 75,000 computers in more than 70 countries. That’s according to Ars Technica, who shared the news on May 12, 2017, in an article titled, “An NSA-derived ransomware worm is shutting down computers worldwide.”
By the time the attack was stopped about a day later, the number of infected machines had reached 300,000 in more than 150 countries. The impact was felt globally, affecting individuals, hospitals, schools, businesses, and homes. Lloyd’s of London estimated the cost of WannaCry at $8 billion.
In this episode, host Mike Storm takes a deep dive with the people who were on the frontlines of the WannaCry attack as it happened. Who was responsible? Who was impacted? What have we learned from the WannaCry, Nyetya, NotPetya attacks? What is being done to prevent this type of attack in the future?
Whether you’re new to security, a seasoned security professional, or you’ve stumbled across this in a quest to learn more about these specific attacks, you’ve come to the right place. Enjoy this insightful and interesting podcast episode!
The Root Access Podcast is sponsored by Cisco Umbrella. More information and free trials available at: signup.umbrella.com
Listen Now: Root Access Season 2 Episode 6: WannaCry
Follow: Root Access on Twitter
Download: Cisco’s 2018 Annual Cybersecurity Report
Root Access S2:E6: WannaCry
Owen Lystrup: Hello dear listeners. Root Access writer and producer Owen Lystrup here. I just wanted to take a moment and let you know that this will be the final episode of Root Access season two. Before we dive into it, I wanna thank everyone for tuning in and keeping with us. Next season we’ll be adding significantly to our staff and we’ll have some great episodes in the lineup for season three. Hit subscribe and give us a review on iTunes or SoundCloud or Google Play, or wherever it is you go to get our voice into your ears. Now, onto the episode. Take it away, Mike.
Mike Storm: Last season the Root Access team covered ransomware. At the time, it had gone from an attack novelty to a full-blown security epidemic. Last May, the entire ransomware game changed for the worst.
Speaker 3: I’d like to talk to you today about a cyber issue of significance in May of this year. A dangerous cyberattack known as WannaCry spread rapidly and indiscriminately across the world. The malware encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries. While victims received ransom demands, paying those demands did not unlock their computers. This was a careless and reckless attack. It affected individuals, industry, governments, and the consequences were beyond economic.
Mike Storm: In this episode of Root Access, we’re going to revisit two of the largest ransomware attacks just before their anniversary. We’ll examine what we’ve learned, what we need to work on, and where hackers might be going next. In May of 2017, an unprecedented malware attack spread worldwide in a matter of hours. It caught the entire security community, not to mention its victims, completely off-guard. Around noon on May 12th, Ars Technica first reported that a ransomware attack had been observed by numerous security researchers and was spreading quickly, infecting 75,000 computers in more than 70 countries. No one knew exactly how it was spreading or who was behind it yet, but it was clear that whoever it was meant business. By the time the attack was stopped about a day later, the number of infected machines had reached 300,000 in more than 150 countries.
Craig Williams: You know, when this first happened, people panicked. A lot of companies came out and said it was actually spreading over email. At the end of the day, it couldn’t have been further from the truth. WannaCry was actually the world’s first ransomware worm that was spreading using the EternalBlue vulnerability. This was one of those worms that was not trying to spread in a hidden manner. It was spreading across the internet, and laterally within networks as loudly and as fast as it could. It’s kind of a catch-22, because on one hand attackers wanted to spread quickly so they could monetize it, but on the other hand it gets security researchers and law enforcements attention immediately.
Mike Storm: This is Craig Williams. He’s a senior technical leader and outreach manager for Cisco Talos. You might remember him talking about hacker screw-ups in Root Access season one. We had the chance to sit down with Craig again to talk about the WannaCry event. Talos was one of the first teams to discover this attack and nail down the attack vectors as the global spread intensified. WannaCry had multiple moving pieces that made it one of the most fascinating and significant events the world has ever seen. From the makeup of the ransomware to the targets it hit, even the exploit it used, even the way that the attack was eventually stopped, this is a cyber security case study for the ages.
You heard Craig mention two important points. They are a major part of why this attack was so important, and why it’s the focus for this episode. The first important point is that WannaCry was a worm. Worms have been in existence since the Morris worm back in the 80’s. This event had a worm-like spread with a ransomware component, which makes it unique and really damaging. Not only was it self-propagating, but it required no user interaction to infect and spread, but we’ll get to that in a little bit.
The other word Craig mentioned was the name EternalBlue. The EternalBlue exploit, along with a large collection of other zero day tools was stolen and then leaked to the public by a group called Shadow Brokers. That group could be an entire episode on its own. This entire topic in fact, could spark a lengthy and circular ethical debate about whether or not the US government is responsible, or whether Shadow Brokers are responsible, or whether system administrators are responsible for not patching. It’s not our place to hash these things out. The fact is, a taster’s choice collection of exploits did get out into the wild, and hackers immediately started using them because they work, especially EternalBlue. One former NSA agent spoke to the Washington Post and described it as “fishing with dynamite.” It was an absolute sure thing. Well, early versions apparently caused some Windows installs to blue screen, but they fixed that, and then, it became a sure thing.
Let’s talk about how this thing works. EternalBlue uses a flaw in a protocol known as SMB. I’m sure you’re familiar with it, since it’s been around since 1990 or so. Just in case you’re not, SMB stands for Server Message Block. It’s a network protocol that operates over TCP port 445 and a few others, and it’s used mostly for remotely controlling printers, file sharing, and communicating between server nodes. These are the type of operations that you do not want to be open to the public internet obviously. The general sentiment is to not leave port 445 or any other SMB port open, but of course, people still do it.
EternalBlue establishes a sort of foothold by exploiting the open 445 port. A second shadow broker’s exploit called DoublePulsar creates a functional backdoor. The malware then runs and encrypts pretty much any useful file on the machine and pops up the infamous ransomware screen demanding a bitcoin payment. Nothing so far makes this form of ransomware unique, with exception of the exploits used and where those exploits come from.
What makes WannaCry unique comes after a host is compromised. Once the malware payload is dropped and the backdoor is open, a service searches for removable storage devices and any mapped network drives. It also scans the entire IP subnet for open 445 ports, and then uses the same exploits to gain access and encrypt the files of every computer it can get to on the same network. This was the big differentiator. It’s how the worm spread from tens of thousands to hundreds of thousands of computers in just hours.
Speaker 5: It looked at first like an attack just on hospitals in the UK, but it’s now becoming clear that this malicious software has run riot around the world. Russia, the United States, and many points in between have been hit by what’s now a common form of cyber crime.
Speaker 6: Ransomware has become a tool of choice for an awful lot of criminals, simply because it’s very, very easy to make money very quickly. You can buy ransomware online.
Speaker 7: Here in the UK, hospitals have been badly hit, including this one in Central London. Since Friday, it’s been struggling to get back online.
Speaker 8: The hospital told Ken Robbins his cancer surgery was delayed.
Ken Robbins: They phoned me up this morning and said it’s too important to have my operation. Coming straightaway and they’re going to do it.
Speaker 10: What is your message to the hackers who have created this ransomware?
Ken Robbins: To put it bluntly, [expletive]. They need to go to prison for 20 years. They don’t realize what impact they’re having on patients.
Mike Storm: My guess is the actors behind WannaCry were aware of the damaging effect they were having, and according to Craig, it didn’t appear that the point of this ransomware attack was to make money.
Craig Williams: I don’t think it was nearly as lucrative as it could have been, because they didn’t really have a good way to associate victims with ransom payments. Now, eventually people did start hearing about payments actually being made and victims getting their computers back, but the problem was, they combined the fastest spreading mechanism, a worm like behavior and then they had a manual payment verification system. So, it’s like having a F1 engine in a car that has a transmission with two gears, it just doesn’t work. So, people thought it was fake. My personal opinion is that it was not really designed to make money, it was designed to just damage and hold systems hostage.
Mike Storm: It’s easy to dismiss an attack that demands a mere 300 bucks and doesn’t have a good way of verifying payments. It won’t exactly rake in the dough. You heard Craig say the business model was pretty flawed compared to other ransomware attacks that made millions. Estimates for this event are in the low hundred thousand range, but the ransom aspect was not the danger here. This event was deadly serious for its interruptive impact on critical systems. 61 hospitals in the UK were hit. A surgeon remarked that he was unable to look at vital CT scans for a patient who was in need of an urgent neurosurgery.
With medical systems down, doctors and nurses could not process patients. There were reports of ambulances being turned away from hospitals while these systems were down. Universities and ATMs in China were hit, fuel pumps in Singapore, even one of the largest Telecom companies in Spain, and FedEx was hit here in the States. A hospital in 10 different schools in Taiwan were all hit. We had a car manufacturing facility in France that had to stop production entirely because of the event. Hours after the initial hits on the British National Health System, the control systems and timetables at Deutsche Bahn, Germany’s largest train service, were hit and service was interrupted.
Speaker 11: [Recording of news announcement in German]
Mike Storm: Petrobras, the state-owned petroleum company in Brazil, even their national social security system, the Foreign Ministry and court systems were all hit there. This was all done automatically in a self-perpetuating, self-propagating manner within about a 48 hour period. No tricky email attachments or elaborate phishing sites were required. The real kicker was that the majority of victims could have avoided this attack on three fronts, first, by making sure port 445 on network computers was not left open to the Internet, second, Microsoft had actually issued a patch for the exploit months before the event for all Windows versions except for Windows XP, and to be honest, if you’re a Sysadmin or IT director working in an organization that still uses XP, you need to find a new job. Thirdly…
Craig Williams: Get a backup. Use the backup. Verify that your backup’s working. I can guarantee you that every single person will have a hard drive that fails. All hard drives fail. If you don’t have a backup of that hard drive, you’re going to lose that data anyway. So spend the money that you would have paid on the ransom and just buy a hard drive, it’s like 50 bucks on Amazon, they’ll ship it to you the next day. Now, the most important part though, is making sure that your backup actually works, that’s the step that most people forget.
Mike Storm: Now is where we get to the really interesting parts of this story, namely the kill switch that stopped the attack, and the trojan that is potentially even more dangerous than WannaCry.
Speaker 13: The hearing today was to determine whether or not Marcus would be detained as a result of the charges and the indictment. The judge agreed with me and saying that he was going to be released, pending certain conditions that he has attached to the bond and that he has to post a $30,000 cash bond, and that’s coming from a variety of sources. He has tremendous community support, local and abroad, and in the computer world. So, many people are trying to put money together and raise the amount for the bond.
Mike Storm: During WannaCry’s global spread, security and threat intelligence researchers were frantically trying to get an understanding of how the malware worked. One such researcher, a 23 year old who lives in the UK and works for the security firm Kryptos Logic, was examining the malware and found a rather odd domain that the malware called out to during its course of unpacking itself and encrypting the files. It’s purpose was unknown, but it turned out to be pretty critical. Here’s Craig again.
Craig Williams: WannaCry did a lot of really weird stuff. If I had to nail down the one unique feature, it was that it was the world’s first ransomware worm. It also had a lot of other really, really weird things going on. The first one, I think was that the fact that it was fairly buggy, the real first version of WannaCry actually had a broken scanning algorithm. When we first saw it, we actually were wondering if it was using a favoritism algorithm to target certain countries more than others, but it turned out that wasn’t the case, it was just using uninitialized stack variables sometimes, so the scan would just fail right away. Yeah, the other really weird part was this kill switch. Have you heard of that one? Yeah, I’ve never seen anything like that. I can’t think of any logical reason to have that in your malware. It’s just the most bizarre thing. At a really high level, what the kill switch allowed someone to do was remotely shut off the worm from a global perspective.
I don’t know why a malware author would want that. It would effectively be like having a car and having someone blink a light at it a certain way and the car turns off. Why would they do that? Some people guess that it was designed to help avoid sandboxes. I don’t think that makes sense. The way the kill switch worked doesn’t seem like something a sandbox would fail. Effectively, what it did was it tried to look up this really long alphanumeric domain, it looks super sketchy, of course Umbrella saw it, and Umbrella immediately flagged it as a malware C2, because it saw so many people trying to look up this non-existent domain.
So, what happened was, if the domain lookup worked, have they got a domain? Have they got a server? The worm would shut off. I think it was just a really poorly thought-out way to avoid sandboxes. I don’t know of a sandbox that operates like that. I was giving a talk at Cisco Live Cancun, and one of the audience members said they were aware of a sandbox that actually would fake look ups, but they couldn’t remember the name. So, there might be one out there, but it’s certainly not popular and I can’t think of a good reason, but that’s the best thing I can think of.
Mike Storm: So, out of curiosity, this young researcher, Marcus, not knowing what the domain written into the malware is for, decides to register the domain for ten bucks, unbeknownst to him, as you heard Craig describe, this essentially killed the malware’s ability to spread. Since the malware was calling this domain as it was going through it’s infection and encryption process, once it started connecting successfully, it would halt itself. That $10 proved to be a pretty hefty price tag for Marcus, unfortunately.
Marcus Hutchins: I’ve had people inundating me with messages just thanking me, saying that I’m a hero. I just registered this domain for tracking and I didn’t intend for it to blow up, and me to be all over the media. I was just doing my job and I don’t really think that I’m a hero at all. I’ve still been working of course for my company Kryptos Logic. We’ve been trying to provide the IP addresses to NCSC, the FBI, so that victims can be notified. I’ve been having queries from around the world, obviously journalists inundating me with queries. We’re just pretty much business as usual, except I have not had any sleep in three days. My lovely bosses offered me an all expenses paid vacation to Las Vegas and to Los Angeles as well, so I’m gonna head out on maybe next week, in a week’s time, I’m gonna chill out there for a bit, and then come back to work. My name is out in the papers, so my general location is, so I don’t think I’m ever going back to being the malware tech that no one knew.
Mike Storm: Rather than the malware authors retaliating against Marcus for him shutting down their campaign, it ended up being the tabloid media in the UK that doxxed him. A couple days after his work examining the WannaCry malware, Marcus woke up and checked the news, there he saw his face on the front page of a major UK news outlet. According to his own account of the events on his Twitter account, malware tech blog, by day two, he was hopping over his back fence to avoid reporters who had camped outside his house. Other reporters even attempted to get to him through friends and even an ex-girlfriend. He said one of the largest UK newspapers published a picture of his house along with the full address. From there, his celebrity only increased. The bug bounty firm HackerOne gave Marcus a $10,000 bounty reward that he ended up donating to charity. Then, he received a paid vacation to the DEF CON security conference in Vegas, and that’s where things turned sour for him.
Speaker 15: The man who stopped the WannaCry cyber attack was just arrested for creating a virus of his own. Marcus Hutchins, also known as MalwareTech, he was arrested for his alleged involvement in a cyber crime of his own. Hutchins is accused of helping create and distribute a malware known as the Kronos Banking Trojan. Kronos was designed to allow hackers to collect and log banker’s online information. It was first made available in 2014 and has been marketed and distributed through AlphaBay, a Marketplace on the dark web. AlphaBay has since been shut down by the DOJ. The bottom line, the man who helped stop the WannaCry hack was arrested on Wednesday.
Mike Storm: On his way back home to the UK, Marcus was stopped at the airport and arrested by the FBI. He was transferred to the state of Wisconsin for a bail hearing and indicted on multiple charges related to the creation and distribution of the Kronos malware, a banking trojan that had been on the black market since about June of 2014. Marcus has denied all the charges and entered a not guilty plea in court. The difficult part for him though is he has been released on bail but forbidden to leave the country, which means he can’t go home. Since his employer is based in LA, Marcus has been staying there until his trial concludes. As for WannaCry, or Wanna Decryptor or WannaCryptor, whatever you want to call it, the registering of the kill switch was not the end.
Speaker 16: WannaCry was written in such a way that it was very, very easy to modify even with a hex editor. So, within hours of the back door … sorry, not the back door, but within hours of the kill switch being turned on, people were already modifying it and mapping out that that section so that it wouldn’t shut down. So, it was very easy to modify. EternalBlue, the actual vector, continued to be used in several malware variants up until today still, it’s still very effective, because people just won’t patch. Malware authors learn from each other’s mistakes. They didn’t think it a good idea and somebody else did, they’re gonna steal it. Absolutely they’re gonna keep evolving the idea.
Mike Storm: So, WannaCry’s legacy continues, and it’s not just the variants in the wild that are active. Most news stories you’ll find covering the Bitcoin payments related to WannaCry stopped around August of last year. But in reality, the activity of these wallets has never stopped. There is an active Twitter account entirely devoted to tracking wallet transactions associated with WannaCry. The wallet accounts were reportedly emptied sometime in August of 2017 and the actors behind the campaign, converted the funds from Bitcoin to the more private altcoin called Monero. But the most recent payment to those crypto wallets, because they still exist, came in February of this year.
So, whether they are from WannaCry infection specifically or some related malware, the attackers, or at least their attack infrastructure, appeared to be very much still active. Kryptos Logic, Marcus Hutchins’ employer even released a report just a few weeks ago on April 9th, saying that hundreds of thousands of un-patched machines are keeping this whole thing alive. As for who’s responsible and the identities behind the massive spread, it’s really anyone’s guess. News outlets were saying pretty quickly after the attack that it was North Korea and not only was it North Korea, but it was the same actors behind the Sony Pictures hack. Here is former Homeland Security Adviser Tom Bossert.
Tom Bossert: After careful investigation, the United States is publicly attributing the massive WannaCry cyber attacks to North Korea. We do not make this allegation lightly. We do so with evidence and we do so with partners. Other governments and private companies agree. The United Kingdom, Australia, Canada, New Zealand and Japan have seen our analysis and they join us in denouncing North Korea for WannaCry. Commercial partners have also acted. Microsoft traced the attack to cyber affiliates of North Korean government and others in the security community have contributed their analysis. So, two questions there, one, did we do it too slowly? No, my answer is no. I think the most important thing is to do it right and not to do it fast. We took a lot of time to look through classified sensitive information. What we did was rely on, and some of it I can’t share, unfortunately, technical links to previously identified North Korean cyber tools, Tradecraft operational infrastructure, we had to examine a lot and we had to put it together in a way that allowed us to make a confident attribution.
The difficulty in attribution is often to figure out who was operating the keyboard on whose behalf. So, those are the two biggest challenges. People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea. So, that’s one of the challenges behind cyber attribution. We’re comfortable in this case though that it was directed by the government of North Korea. We’re also comfortable in saying that there were actors on their behalf, intermediaries carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past. That was one of the Tradecraft routines that allowed us to reach that conclusion. That said, how they operate is often a little mysterious, if we knew better with perfect knowledge, we would be able to address North Korean problem with more clarity.
Mike Storm: So, according to Homeland Security, it was with a high degree of certainty North Korea, based on corroborated evidence from a number of different public and private security groups. Craig and the Talos team did not weigh in on who was responsible for the very reason that you heard Tom Bossert say, attribution is hard. It’s really difficult to be certain who did what for whom. Our friends at Flashpoint, the security intelligence firm, say that it’s more likely, based on linguistic analysis, that WannaCry actually came out of China, and they wrote code to make it seem like it was North Korea. There were other reports that China even blamed the US and not North Korea for the whole situation. So, say it with me, attribution is hard. Now that attackers have seen how effective this WannaCry event was, you can bet they will be looking to modify it and repeat the same kind of attack. According to Craig Williams, that’s already happening. In fact, an attack called Nyetya or NotPetya has proved to be more sophisticated and even more effective than WannaCry. It hit only a couple of months after the WannaCry fallout.
Speaker 18: The White House confirmed that Russia was behind a worldwide cyber attack that took place in June of last year. It said the attack, quote “Will be met with international consequences” The White House called the NotPetya attack the most destructive and costly cyber attack in history. The attack caused billions of dollars in damage in North and South America, Europe and Asia. It was part of Russian efforts to destabilize Ukraine which suffered major blows to it’s government, financial and energy institutions. The US now joins the British government in condemning the attack. The White House said it’s reviewing a range of options on how to proceed.
Mike Storm: One of those efforts was to slap sanctions on Russia, which the Treasury Department finally got around to on March 14th of this year. Last year, shortly after we had all recovered from the WannaCry event, another event in June started to spread, and the way it was constructed was so genius, it’s scary.
Craig Williams: Yeah, I think Nyetya was probably the most advanced piece of malware for 2017. One of the ways I try to explain it to people is, you can think of WannaCry like that ’87 Honda Civic you had in high school. It technically ran, but not well, you have to start it just the right way and be careful how you drove it because the wheels might fall off. Compare that to Nyetya which would be like a BMW m5 Competition Edition. It’s the same ballpark technically, but not performance wise. Nyetya had the fastest scanning algorithm we’ve ever seen, it was multi-threaded and capable of communicating in between the threads so that it could scan an entire IP space in a very, very minimal amount of time. We’re talking tens of thousands of victims a second.
Mike Storm: Nyetya gets it’s name for its similarities to Petya, another form of ransomware. You heard the newscaster say the White House described it as one of the most damaging and costly attacks in history. You might have to check the totals, but it was global and definitely very costly. In fact, FedEx was hit by WannaCry, and they reported their European Express shipping company TNT had to process packages by hand after being hit by Nyetya. Between WannaCry and Nyetya, FedEx reported it would cost a shipping company somewhere around 300 million. Maersk, one of the largest shipping companies in the world, also said the company would see losses in the 300 million range. Merck, the pharmaceuticals company, likewise reported losses of up to 310 million. So, if attackers are looking to do major damage, it appears that they found a pretty effective method. Here’s Craig again on how this attack works.
Craig Williams: To top it off too, Nyetya was very, very cleverly deployed via what we call a supply chain attack. If you’re not familiar with the term, a supply chain attack is basically where you take advantage of a trusted supply chain, like maybe an applications update system, to actually deploy the malware. That’s the complete opposite of the technique WannaCry used, which is just spread loud and fast. Supply chain attacks are gonna spread and no one’s even gonna know what happened.
Mike Storm: Supply chain attacks are very insidious, they can spread and operate while appearing like normal network traffic, and according to Craig, they can even deploy but lie in wait for just the right moment.
Craig Williams: Nyetya was very interesting, because it used that supply chain vector, no one knew it was there. It was also super creepy because it was detonated shortly after the assassination of a Ukraine military Intel official. So, from our perspective, effectively what happened was these people implanted this bug through this software called M.E.Doc. M.E.Doc was a piece of tax software used in Ukraine, was only one of two approved tax software packages. I think Reuters published a number that 80% of all systems had it installed. I don’t know how accurate that is, but let’s just say it’s a lot. So, what happened was the attacker basically fished credentials or somehow got his hands on credentials, logged into M.E.Doc’s server, modified the engine X config, and pointed it at their server over at OVH, and then effectively at that point, the M.E.Doc’s update server was just a man-in-the-middle. Unintentionally, the victims are all going through M.E.Doc, straight to OVH and downloading a backdoor binary.
Mike Storm: The assassination that Craig mentioned was a car bombing in Kiev on June 27th of 2017. Maksym Shapoval, a Colonel of Ukraine’s Military Intelligence, was killed in the attack.
Craig Williams: I think it was staged too. From Tallis’ perspective, it was retaliation. Now, what was really interesting about Nyetya was the fact that it had been spreading inside of these networks completely undetectably for three months. You remember how quickly I said Nyetya spread, what also is the second, quote, “ransomware worm ever”, but unlike most worms, it actually used four different vectors. It was even smart enough to apply the vectors in order of least likely to be noticed. It actually very rarely used EternalBlue or EternalRomance, which were the two code execution vectors. More often than not, it would simply pull the credentials out of memory using a modified version of Mimikatz and then just spread over the windows servers, the domain servers. So, super clever, super, super interesting. They even went and modified the DoublePulsar backdoor that was part of the EternalBlue exploit. So, at this point, EternalBlue had been out for months. I think Microsoft patched it at the beginning of the year. So, everybody was scanning their systems for the DoublePulsar backdoor, which was stage two of EternalBlue. Well, these guys were smart enough to actually go in and modify the response codes, so that even if you scan the systems, it would still come back as not compromised. We’re talking layers upon layers of evasiveness and cleverness.
The people who wrote this, not only knew what they were doing from a development standpoint, but they knew what they were doing from a security standpoint and how people would look to detect this. So, incredibly evasive, incredibly fast. I guess the icing on the cake was the fact that it was actually basically a cyber weapon masquerading as crimeware. The reason people called it NotPetya was because it had a ransomware screen similar to Petya, but there were still several gotchas even on that, like using an email address as the primary point of contact. Ransomware has been out since 1986, people know how to get paid. You set up a site on tor, you have them get a key, you verify that and then give them back the key once they put the Bitcoins in the wallet. So, the very fact that they had an email as a primary point of contact, was a real interesting perspective. And then, as our team reverse engineered the binaries, we found out that they literally never saved off a key. So yeah, there is literally no way to recover any of the files, short of finding a problem with the encryption algorithm. So, that’s how we knew it was actually just Wiper malware masquerading as crimeware.
One of the more interesting things about it is, think about how it worked, so I mentioned it followed an assassination attempt, so three hours after the assassination attempt, this malware was detonated, and keep in mind it had been spreading for months. So, it’s in, according to Reuters, 80% of all systems associated with Ukraine, and even if it was a US company, if they had a system in Ukraine where they had to pay taxes, they’re gonna have one of those machines in their network. So, for three months that machine has been silently spreading in their network hitting every box it could, getting into everything, and then three hours after that car bombing, they pushed the button, the malware detonates, and all of the systems suddenly completely are wiped. The even creepier part of this is think about the access that they were giving up, this wasn’t just a piece of Wiper malware, this was a full-featured backdoor. This thing allowed them to upload and download files, modify files, turn on key loggers, do anything they wanted, literally anything, and they chose to throw that away to send a political message, presumably.
Mike Storm: So, was the purpose of Nyetya to shift focus off of the car bombing? Or are the two related? The timing is definitely hard to deny, especially considering the bombing happened just before Ukraine’s Constitution Day, which is a celebration of the country’s independence from the Soviet Union. The CIA, though it declined to comment publicly, was quoted as having high confidence that the car bombing and the ransomware attack were both perpetrated by the Russian military. This isn’t the end, as I mentioned, events that have happened since WannaCry and Nyetya, show that hackers are keen to modify these attacks and use them for their own purposes. Just four months after the Nyetya event, a new ransomware variant called Bad Rabbit hit Ukraine, Russia and Eastern Europe, infected thousands of networks and caused hundreds of thousands of dollars in damages. Bad Rabbit wasn’t a worm, but it shared a large portion of code and even the same ransomware lock screen from Nyetya or NotPetya.
In October last year, a new variant of WannaCry hit a North Carolina healthcare provider’s network. First Health, the provider, said in a statement that the ransomware hit four thousand endpoints in about a hundred locations in it’s network. Just a few weeks ago, Cisco released it’s 2018 annual Cyber Security Report, and it cites a recent supply chain attack, which is what made Nyetya so sophisticated and successful as we heard Craig describe. In this attack, hackers compromised download servers for the popular Windows maintenance software called Ccleaner. Users looking to download the software, unknowingly also downloaded and installed a trojan backdoor, but the software had a legitimate certificate through a legitimate software provider, which gave the user confidence. According to the report, these type of supply chain attacks are going to increase both in velocity and complexity and they have the potential to hit on a massive scale, but it doesn’t take a huge cybersecurity budget or advanced red team abilities to mitigate some of these attacks.
Most of the time IT teams just need to keep up with the fundamentals. Patching, segmenting their networks, keeping policies in check, having a strict incident response policy in place and of course backups. Just weeks ago at RSA, the largest security conference in the world, Microsoft vice-president Brad Smith specifically citing the WannaCry event, announced a cybersecurity tech accord. Thirty two other companies, Cisco included, signed a pact of sorts that commits to sharing threat intelligence and to oppose state-sponsored cyber attacks against civilians. Information sharing is a powerful tool, whether you’re a journalist or a Sysadmin or a security researcher, sharing helps expose the magnitude of the problem.
Craig Williams: By getting that word out and helping people realize that security cannot be an afterthought, they help people carry that message into the boardroom. So, it’s no longer just an IT guy conversation, it’s an executive conversation that security must be taken seriously, that data must be kept secret, and you have to have the proper defenses in place or you could be the next victim.
Mike Storm: Many thanks to Craig for sharing his insight info on this episode. Root Access is produced by Mike Storm, Owen Lystrup and Lynn Cox. Thanks also to our sound engineer Bill Birch and Mix Master, Composer extraordinaire, Joel Davis. Make sure to subscribe to this podcast on iTunes, Stitcher and Google Play. We’ll be back for season three soon, until then, stay paranoid friends. Root Access is sponsored by Cisco Umbrella. For more information, visit www.cisco.com/security