WannaCry Ransomware: A Brief Q&A with a CyberArk Labs Researcher


In May, we offered a 30-minute webcast focused on deconstructing the WannaCry ransomware attack. Led by CyberArk Labs Researcher Shaked Reiner, the webcast delved into specifics of the attack, as well as proven methods organizations can implement to prevent WannaCry’s ability to spread through networks and encrypt system data. We’ve compiled some of the questions attendees asked Shaked during the session, and the highlights are shared here:

Q: Can you describe the propagation technique used by WannaCry?

A: The WannaCry ransomware’s technique is based upon code originally developed by the NSA and leaked by the hacker group known as Shadow Brokers. It uses a variant of the Shadow Brokers’ leaked exploit and utilizes strong encryption on files such as documents, images and videos. The ransomware was able to spread at an unprecedented rate via a sophisticated, built-in “worm” capability. Additionally, it specifically targets the MS17-010 SMB vulnerability in Microsoft systems that many people had left unpatched, and therefore, exposed.
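The answer above describes the network-visible shape of the attack: one infected host reaching out over SMB (TCP/445) to as many neighbours as it can find. The following is an added example, not code from CyberArk or the webcast, showing how a defender could flag that fan-out in connection or flow logs. The log format, the host addresses and the thresholds are constructed for the example; it does not detect the MS17-010 exploit itself, only the scanning pattern a worm produces, so a host that legitimately talks to many file servers (backup jobs, vulnerability scanners, admin workstations) needs to be tuned out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>" per line.
# Hypothetical flow-log format. 10.0.0.15 plays the infected host sweeping
# twelve neighbours in eleven seconds; 10.0.0.50 is a normal client talking
# to a single file server many times; 10.0.0.60 touches only a few peers.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.0.15 10.0.1.{i} 445" for i in range(12)]
    + [f"2017-05-12T10:05:{i:02d} 10.0.0.50 10.0.0.200 445" for i in range(20)]
    + [
        "2017-05-12T10:06:00 10.0.0.60 10.0.1.1 445",
        "2017-05-12T10:06:05 10.0.0.60 10.0.1.2 445",
        "2017-05-12T10:06:09 10.0.0.60 10.0.1.3 445",
        "2017-05-12T10:06:10 10.0.0.60 10.0.1.4 80",   # not SMB, ignored
    ]
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_smb_fanout(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source host to the largest number of distinct SMB peers it
    contacted inside any interval of length `window`; only sources that
    reach `threshold` are returned, so the result is the alert list."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()            # order by timestamp for the sliding window
        start = 0
        peak = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            # distinct destinations inside the current window (fine for an
            # example; a production version would keep running counts)
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within 60s")
```

Counting distinct destinations rather than raw connections is what keeps the busy-but-benign client (many connections to one server) from alerting while the sweeping host does; the threshold and window are the knobs to tune against a baseline of how many SMB peers hosts on a given segment normally reach.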

Q: Which account does WannaCry use to install itself, and if the user does not have administrative privileges, shouldn’t it disallow WannaCry to install itself?

A: This specific strain of ransomware is special in that aspect. Administrative privileges are not required to execute the initial infection. However, in order to propagate throughout the organization’s network, it needs to escalate privileges through the Microsoft vulnerability described above. After successfully exploiting this vulnerability, the ransomware has access to the highest tier of privileged credentials, enabling it to run code in SYSTEM user context. WannaCry is then able to operate in an offline environment, encrypting the user’s files with an RSA-2048 key pair. After the encryption process, the ransomware demands $300-$600 in Bitcoin to decrypt the files.

Q: Why can’t Bitcoin payments be tracked?

A: Bitcoin is often described as an anonymous currency because it is possible to send and receive Bitcoins without sharing any personally identifying information. It works by leveraging digital wallets untethered to a central management or processing system. This allows each digital wallet to operate independently, and it makes tracking and identification of the wallet holder incredibly difficult.

Q: How is it possible to detect and block such an attack?

A: Our CyberArk Labs team conducts ransomware testing daily to help organizations better prepare for such attacks. Based upon tests of more than 600,000 ransomware samples (including WannaCry), the team has found that the combination of enforcing least privilege on endpoints and application greylisting control is 100 percent effective in preventing ransomware in general, and WannaCry specifically, from encrypting files.

CyberArk Endpoint Privilege Manager helps organizations remove common barriers to enforcing least privilege, such as user productivity loss and increased burden on IT teams. It also allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security and application control reduces the risk of malware infection. Unknown applications can run in a restricted mode to contain threats while maintaining productivity, and behavioral analysis identifies and blocks credential theft attempts. These critical prevention and protection technologies are deployed as a single agent to strengthen existing endpoint security.

Q: How difficult is it to create malware such as WannaCry?

A: It’s important to separate the two components of this malware to answer this question. In the case of WannaCry, the ransomware component itself was very ordinary – there are a few open-source ransomwares widely available on the internet and one does not need advanced programming knowledge to figure out how to compile one. What makes WannaCry unique and viral in nature is the highly sophisticated worm component that allows it to spread as quickly as possible to as many machines as possible. It’s likely two malware authors were involved in the creation of WannaCry, as the infection component is so advanced, while the ransomware itself is not overly sophisticated.

Q: Are there any additional tools from the NSA leak that could lead to another attack of this magnitude and scale?

A: Yes. The Shadow Brokers group offers a monthly subscription program that promises more data will be released from the NSA leak. It’s important to note that the previous leak did not contain any exploits’ source code, so WannaCry was constructed by fully reverse-engineering the software that was released. This indicates that the attacker responsible for the WannaCry worm component was extremely sophisticated, as noted previously. The NSA leak most certainly contained more tools that savvy hackers may leverage to wreak additional, future havoc and harm.

To learn more about the WannaCry attack, we invite you to read our Labs Team’s full analysis, as well as five ways to mitigate ransomware risk.

The post WannaCry Ransomware: A Brief Q&A with a CyberArk Labs Researcher appeared first on CyberArk.
