What is the 'WCry' or 'WanaCrypt0r' ransomware?

When first reports began to emerge on Friday 12 May that IT systems at the East and North Hertfordshire NHS had gone down in a suspected ransomware attack, it didn't come as too much of a surprise: the NHS is a regular target for ransomware, it seems, not least because of the number of Windows XP PCs that are still run by lackadaisical and, frankly, negligently run NHS Trusts.

As reports emerged from hospitals and GP surgeries across the UK - mostly from insiders rather than official admissions from the organisations themselves - it became clear that this was no ordinary ransomware attack.

And it wasn't just the NHS under attack, but organisations across the world, with the ransomware propagated not by phishing, but the exploitation of a Microsoft Windows security flaw exposed by the Shadow Brokers in February. Microsoft patched the flaw a month later.

So what is WCry, also known as WanaCrypt0r, the ransomware believed to be behind the global attacks?

The original WCry 1.0 ransomware never did make a big splash - Sophos's database indicates a low prevalence of the malware that it dubs "Troj/Ransom-EKL" which it also lists as Hydracrypt.

This ransomware could encrypt more than 160 different file types and, after encrypting the victim's files, the malware would display a ransom note demanding that the victim make a payment in bitcoin to recover the affected files. It was typically circulated via file attachments sent in phishing emails.

"[From] what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it's certainly not less dangerous," according to security firm ReaQta in an advisory written when the ransomware first emerged last year.

Hydracrypt also threatens to sell encrypted documents on the so-called ‘dark web', although this is likely an empty threat. "What's interesting, other than the fact that the malware appears to be written in MFC, is that a big section of it is clearly obfuscated with what appears to be something similar to MoVfuscator," adds ReaQta in its analysis. 

In February 2016, EmsiSoft released a decryptor for Hydracrypt, enabling users to largely recover from an outbreak. It may also be possible to remove it by rebooting in safe mode, shutting down processes related to the ransomware in Windows Task Manager, then running System Restore to rollback the operating system.

And WanaCrypt0r 2.0 might not be a tougher nut to crack, despite the hysteria surrounding its sudden spread. 

Reports suggest that it was initially spread via phishing, but took off as a result of a worm component that took advantage of the security flaw in Microsoft's SMB networking protocol.

This security flaw - as far as we can ascertain - had been used for years by the US National Security Agency (NSA), but was released earlier this year when the Shadow Brokers group released their entire trove of NSA-linked hacking tools that, they claimed, they scraped from a server being used by the NSA as part of its covert online operations.

WanaCrypt0r 2.0 demands a ransom of around $300 - in bitcoin, obviously - and like WanaCrypt0r 1.0 uses AES 128-bit encryption. The malware gives victims three days to pay-up before raising the ransom, and seven days before, it claims, files will be rendered unrecoverable.

WanaCrypt0r 1.0 and its variants did not spread far and wide, and it was not, as a result, widely analysed. The same is true of WanaCrypt0r 2.0, which is one of a number of variants of the WanaCrypt0r ransomware. 

However, none of the variants so far seen have been much more sophisticated than the original, according to ReaQta CEO Alberto Pelliccione. It is therefore possible that it may be equally easy to recover from a WanaCrypt0r 2.0 outbreak as it was from the original.

"We are currently investigating. WanaCrypt0r is not new and there were variants around before today, but this one is the first that appears to have been weaponised," Pelliccione told Computing.

"Except for the exploit, so far we haven't found anything particularly new or exciting about the binary apart from, of course, the weaponisation that has given it an added kick, enabling it to be widely spread very fast.

"However, we have performed a comparative analysis on our malware samples yet."

He added, though, that there may be some complications. 

"While stopping it is easy and doesn't require rebooting in safe mode, the recovery archives will most likely be compromised, especially if the user clicked 'Yes' on the UAC dialog.

"During the encryption process, the user is asked for permission to modify the system. That box, in particular, is the one used to delete the shadow copies. If the user clicked 'no' then there's a chance that recovery is possible using a system restoration point," said Pelliccione. 

Hence, it "might be possible" to recover from a WanaCrypt0r 2.0 outbreak if "the user declined the permissions request during the infection process". 

He continued: "A more accurate answer will come after it's clear how the encryption is handled, because that's normally where you understand if the ransomware has been 'well' implemented or not."

Security software firm Kaspersky, meanwhile, is working on a decryption tool that may help victims recover their system and files. 

Computing will update the story as soon as we have more information about WanaCrypt0r 2.0. 

 

Computing's Big Data and IoT Summit 2017 and the Big Data and IoT Summit Awards are coming on 17 May 2017. 

Find out what construction giant Amey, Lloyds Banking Group, Financial Times and other big names are doing in big data and the Internet of Things. 

Attendance to the Summit is free to qualifying senior IT professionals and IT leaders, but places are strictly limited, so apply now. 

AND on the same day, Computing is also proud to present the Big Data and IoT Summit Awards, too. See the finalists - and secure a table for your team at the Awards - now