The Truth About WannaCry (Ransomware That Infected Britain’s NHS & Others)

WannaCry began infecting machines on May 12, 2017: once downloaded onto a Windows computer, it encrypts the files that computer needs to run.

Whilst this type of infection is not new, the sheer scale of WannaCry led it to be headline news in many countries around the world, especially Britain, where it led the National Health Service (NHS) to suspend a number of services, including operations.

The infection wasn’t particularly sophisticated and certainly wasn’t some new super virus that will bring down the world’s computing infrastructure… however, it did highlight a more brazen approach by hackers to demand money up front for their crimes. In this case, the sum of $300-worth of bitcoin was demanded to decrypt the infected machines.

In this article, I will explain how this virus worked and what you can do to both protect your system and ensure you don’t get the infection on your own machine.

What Is WannaCry?

The origin of WannaCry is still unknown.

However, as is the case with most of these infections, states such as Russia (I’m sorry to say, because the Russian people are generally very cultured) and China, or such places as Nigeria, North Korea, Libya etc., are often cited as potential sources.

It will take the likes of the FBI some time to determine the specific source of the infection; until then we’ll just have to speculate as to who wrote it and why.

It must be stated that the infection was indiscriminate in who it targeted. Russia was particularly badly hit, as was a large number of multinational companies, one of which, in France, had to close its factories to remove the virus. I’ll explain how this happened in a second.

To give you a brief explanation, WannaCry is a “ransomware” virus. This is a type of “malware” (malicious software) application which – when installed – will block access to many core aspects of your system and prevent you from being able to access your files.

Computer viruses come in many forms. Malware is a particularly stubborn type because it often evades detection by antivirus applications, posing as a legitimate tool that you may wish to download onto your system. Obviously, you discover its true intentions too late.

Malware can only be removed by actively removing the files that it uses to run (it’s just standard software which runs like all the other programs you have).

The problem with WannaCry is that, since it encrypts the user’s files, it can be very difficult to undo any of the damage it causes. This is why backing up your data, especially to some sort of “cloud” storage system, is so strongly recommended.

Why Did It Spread So Far?

Whilst WannaCry is obviously a terrible infection, the main reason I am writing about it is how widely it spread.

The following are some of the more high-profile victims:

  • NHS
    Hundreds of hospitals across the UK suffered a massive outage in the wake of the infection, with administrators forced to delay or even cancel surgeries and X-rays for a large number of patients.
  • Telefonica
    The Spanish telephone giant said it was attacked.
  • Renault
    The French automobile giant was hit, forcing it to halt production at sites in France and at its factory in Slovenia as part of measures to stop the spread of the virus.
  • Deutsche Bahn
    The German train operator was hit, as travellers tweeted pictures of hijacked departure boards showing the ransom demand instead of train times. The company insisted train services were unaffected.
  • FedEx
    The US package delivery group acknowledged it had been hit.
  • Nissan
    The firm’s manufacturing plant in Sunderland (UK) was affected.
  • Hitachi
    … said that its email service was hit, and that some of its staff were unable to access attachments or send and receive messages.

The reason for the spread lies in how WannaCry targeted its victims.

This particular infection was designed to exploit a vulnerability in Windows XP, Vista and 7 systems which had not been updated.

Specifically, a network infection vector called EternalBlue was released by a hacker group the month before. This was used by the CIA to hack into older Windows systems. This vulnerability was open on millions of systems still running older versions of XP, Vista or Windows 7. This is how the virus was able to infect such a large number of systems.

In terms of how the virus found its way into the networks that it did… the key lies in the way the virus is spread. Malware is not like typical virus infections – it has to be downloaded manually by the user. It cannot just install itself.

As such, viruses such as WannaCry end up being sent to users via phishing emails (fake emails which purport to be from the likes of PayPal or a bank).

Clicking on a fake email, or downloading from an insecure link, would then lead to the virus being installed on the system. It’s my guess that the infection was sent to a large email list, the recipients of which then downloaded the infection, causing the damage it did.

Current Status

As with many infections, remedies are often created and implemented.

In the case of WannaCry, several things happened.

Firstly, a British spyware technician was able to locate a “killswitch”. This was a web domain which, when registered, caused the software to stop spreading.

The point of the killswitch was to allow the creators to define a “quarantine” zone in which to test the virus: they would add the domain to their test machines to ensure they could control when the infection struck. By registering the domain in real life, the technician caused almost all infections to stop spreading.
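As an added example (not code from the original article), the following Python script shows how a defender can use the killswitch behaviour described above: any host that looks up the killswitch domain is running the worm, so DNS resolver logs can be triaged to find infected machines even after registration of the domain has halted the spread. The domain name and log lines are constructed placeholders; the article does not name the real domain.

```python
"""Triage of DNS resolver logs for the WannaCry kill-switch lookup.

Added example, not code from the original article. The domain below is a
labelled placeholder (the article does not name the real kill-switch domain)
and the log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Placeholder for the kill-switch domain; substitute the real one in use.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample lines in the classic BIND query-log layout
# (timestamp, client IP#port, queried name, record type).
SAMPLE_DNS_LOG = """\
12-May-2017 13:02:11.001 client 10.0.4.17#51234: query: killswitch-placeholder.example IN A + (10.0.0.53)
12-May-2017 13:02:11.420 client 10.0.4.17#51235: query: www.example.org IN A + (10.0.0.53)
12-May-2017 13:03:40.110 client 10.0.7.88#40022: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.53)
this line is not a query record and must be skipped
12-May-2017 13:04:02.551 client 10.0.4.17#51240: query: killswitch-placeholder.example IN A + (10.0.0.53)
12-May-2017 13:05:19.003 client 10.0.9.3#61000: query: updates.example.net IN AAAA + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)"
)


def parse_query_log(text: str) -> List[dict]:
    """Parse query-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        # Normalise the queried name: drop the trailing root dot, fold case.
        rec["name"] = rec["name"].rstrip(".").lower()
        records.append(rec)
    return records


def find_kill_switch_lookups(records: List[dict],
                             domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, List[str]]:
    """Map each client IP that queried the kill-switch domain to its query times.

    The worm performs this lookup before it tries to spread, so a host that
    made it is running the malware even when the domain resolves and the
    spreading stage has therefore been halted. Such hosts still need to be
    isolated and patched.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    wanted = domain.rstrip(".").lower()
    for rec in records:
        if rec["name"] == wanted:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(find_kill_switch_lookups(parse_query_log(SAMPLE_DNS_LOG)).items()):
        print(f"{ip}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```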

Secondly, Microsoft released an update for Windows XP, Vista and 7 users, despite the fact that Microsoft had publicly announced that it was dropping support for Windows XP several years ago. This shows the importance of keeping your system up to date.

As of the end of May 2017, the majority of large organizations who were affected have updated their systems. Many in the security community are working to determine the source and scope of the infection, and I believe there are a number of tools available to fix it.

How To Protect Your Systems

The big lesson from this was that you must keep your system up to date.

The only reason WannaCry was such a widespread infection is that it exploited a vulnerability that was open on millions of systems around the world.

For example, there were many NHS systems still running XP even though support for it had ended.

Apart from updating your system, there are a number of other considerations to look at:

  1. Ensure your system’s antivirus protection is adequate
  2. Download and install an adequate anti-malware tool
  3. NEVER download attachments from emails you don’t know
  4. NEVER download programs from websites you don’t know the origin of
  5. ALWAYS double check if in doubt

In terms of WannaCry itself – if you are running the latest version of Windows, preferably Windows 10, you should be okay. That doesn’t mean you shouldn’t remain vigilant, but the targets for WannaCry were pretty specific.


The Stolen Digital Generation

Abstract

In the current political climate, with the rise of global terrorism and politically motivated violence, the need for security has never been more evident. Increased security measures are not only costly, but demand a great deal of manpower and are often intrusive.

Furthermore, data, in the most basic sense, has been kept secure in datacenters through strong security procedures, access control systems and a myriad of technological advances. Over the last three decades, various forms of metal detection have been used, to some degree, to screen datacenter workers for hardware that may be leaving the center.

In some cases, this has shown progress in stopping larger items from going undetected. The challenge for the industry, though, has always been smaller, hard-to-detect items like thumb drives and mini SD cards.

Recent advances in software algorithms and hardware detection levels have allowed newer, more novel approaches that help organizations secure against even more potential threats. Additionally, testing has shown that new systems capable of facial recognition, combined with biometric recognition and iris scanning, add another level of critical authorization and advanced screening.

In this discussion, we will highlight the issues many organizations face with older technology and the latest advancements in both object detection, as well as combined threat analysis with biometrics and iris advancements. This paper will explore current issues with both personal security and cyber security.

Introduction

George S. Clason, businessman and author of ‘The Richest Man in Babylon’, stated that “In those things toward which we exerted our best endeavors, we succeeded.”

With so many magnificent by-products of innovation, entrepreneurship, genius and bravery, that statement rings true in so many ways and is demonstrated through the technology we use in our daily lives.

In this, the technological age, we as humans have achieved some truly amazing feats. In the short space of the past 130 years, we have gone from the horse and cart to the automobile and from phonographs to iPods; we’ve mastered flight, space travel, communication and, of course, the internet. We are truly enjoying the golden age of technology.

We have discovered that with every problem, there is a solution.

And with every solution, our instinctive curiosity and intuition causes us to improve and develop these solutions to make them better. That is how we have evolved as a civilized society.

As we come up with answers, we then discover new problems to solve. The wheel may certainly have been invented, but it went through, and still goes through, various stages of improvement to make it an optimal commodity. We are a Research and Development society.

We have created ways to do things through technology, and it has become a valuable part of our day-to-day lives. Some would argue that it is the ultimate level of Maslow’s hierarchy of needs.

1. Cyber Security

The term “cyber security” was unheard of 30-odd years ago, but it has now become an industry in itself as we struggle to maintain integrity and privacy. The issue of data theft has outweighed the fear of property theft in many cases, and this is what I’m here today to talk about.

McAfee estimates the loss to the global economy from cybercrime at between $400 billion and $575 billion per year. These figures are based on known data only; the true figure is likely much higher.

An IBM study found the average consolidated total cost of a data breach is $3.8 million, representing a 23% increase from 2013.
• The average cost per breached record is $154, rising to $363 for healthcare organizations.
• 47% of data breaches are malicious!
• A further study found that 36% of data breaches resulted from employee misuse or negligence, while 25% were intentional attacks from an insider.

Think about that for a moment.

Let us then ask ourselves the following questions:
• How does data leave the data center, and
• what can we do to minimize these breaches?

2. Physical hacks

Many data centres have firewalls and other network security measures to minimize risk, and for the most part these are effective. Cyber security experts, though, claim that the five simplest ways to break into a data center are:

1. crawling through void spaces in the data center walls,

2. lock-picking the door,

3. “tailgating” into the building (following other employees through a secured door),

4. posing as contractors or service repairmen, and

5. jimmying open improperly installed doors or windows.

You’re effectively leaving the front door open for thieves!

With emerging trends such as Big Data, bring-your-own-device (BYOD) mobility and global online collaboration sparking an explosion of data, the data center will only become more important to your organization and will continue to be the target of not only breaches, but advanced malware and other cyber-attacks.

Additionally, compromised targets can unwittingly become attackers themselves. At the bidding of cybercriminals, who can control compromised systems remotely, data centers are commandeered as potent weapons in attacks against fresh targets.

The emphasis on Data Centre Security is paramount, and whilst hacking and cyber-attacks require their own defence mechanism, today I’m here to address the physical breaches, and how to best counter them within an organization.

3. Front line defence

For those familiar with SAS 70 compliance and audits, the ‘Data Center Physical Security Best Practices Checklist’ below sets out a physical security program that is quite comprehensive and, no doubt, costly, time-consuming and resource heavy.

Data Center Physical Security Best Practices Checklist

• Built and Constructed for Ensuring Physical Protection

The exterior perimeter walls, doors, and windows should be constructed of materials that provide Underwriters Laboratories Inc. (UL) rated ballistic protection.

• Protection of the Physical Grounds

The data center should have in place physical elements that serve as battering rams and physical protection barriers that protect the facility from intruders.

• Bullet Resistant Glass

Certain areas within the data center, such as the lobby area and other entrance mechanisms, should be protected by bullet proof or bullet resistant glass.

• Maintenance of Vegetation and Flowers

Plants, trees and other forms of vegetation should be appropriately maintained for purposes of not allowing these elements to conceal or hide an intruder.

• Security Systems and 24×7 Backup Power

The data center’s security systems should be functioning at all times, complete with an uninterruptible power supply (UPS) to ensure their continuous operation.

• Cages, Cabinets and Vaults

These physical structures which house equipment must be properly installed with no loose or moving components, ultimately ensuring their overall strength and rigidity.

• Man Trap

All data centers should have a man trap that allows for secure access to the data center “floor”.

• Electronic Access Control Systems (ACS)

Access to all entry points into and within the data center should be protected by electronic access control mechanisms which allow only authorized individuals to enter the facility. Included within the framework of electronic access control should also be biometric safeguards, such as palm readers, iris recognition, and fingerprint readers.

• Provisioning Process

Any individual requesting access to the data center should be enrolled in a structured and documented provisioning process for ensuring the integrity of the person entering the facility.

• Off-boarding Process

Personnel working for the data center, or clients utilizing the facility’s services, must on departure be immediately removed from systems that have allowed access to the facility itself. This includes all electronic access control mechanisms, along with removal from all systems, databases, web portals, or any other type of sign-in mechanism that requires authentication and authorization.

• Visitors

All visitors must be properly identified with a current, valid form of identification and must be given a temporary facility badge allowing access to certain areas within the data center. This process must be documented in a ticketing system also.

• Alarms

All exterior doors and sensitive areas within the facility must be hard wired with alarms.

• Cameras

The facility should have a mixture of security cameras in place throughout all critical areas, both inside and out, of the data center. This should include the following cameras: Fixed and pan, tilt, and zoom (PTZ) cameras.

• “Threat Conditions Policy”

Consistent with the rating scale of the Department of Homeland Security, the facility should have a “threat conditions policy” in place whereby employees and customers are made aware of changes in the threat.

• Badge and Equipment Checks

Periodic checks should be done on employees and customers regarding badge access and equipment ownership.

• Local Law Enforcement Agencies

Management should have documented contact information for all local law enforcement officials in the case of an emergency.

• Paper Shredding

A third-party contractor should be utilized for shredding documents on-site, then removing them from the facility, all in a documented fashion, complete with sign-off each time shredding is done.

• Data Center Security Staff

As you can see, this is a comprehensive list of measures that no doubt add to the effectiveness of security, but ultimately ‘Data security starts with physical security.’

4. Layers of Security

The Anixta White Paper suggests a Four Layer approach to Data Center security.

First Layer: Perimeter Security

Second Layer: Facility Controls

Third Layer: Computer Room Controls

Fourth Layer: Cabinet Controls

Not all organisations have the resources to be able to take this approach, and as you can see from the following example, some companies have spent a fortune securing their data.

Example: A top-secret financial data center on the East Coast, an 8-acre facility, is a model of a serious approach to physical security, with perimeter safeguards such as hydraulic bollards to stop speeding cars and a drainage pond that functions as a moat.

That is the millennial version of a castle with a protected outer layer.

It is the Inner Layers though, that are the most crucial in securing Data.

This is where Entry Control Points (ECPs) can be secured with technology rather than human resources, using a cost-effective, discreet threat detection system (Ronin) that will detect even the smallest devices, such as USB drives, entering or leaving a building.

Access control systems act as the primary keys to the castle and should use methods that cannot be shared, such as biometric access. Coupling a key card with biometrics requires the user to match the access card and the biometric such as fingerprint or retinal recognition.

Sharing access is strictly forbidden.

Physical security is broken into two pieces: the physical elements such as cameras, access control systems and locks; and the operational processes such as visitor and contractor policies and general awareness training. If both elements are not addressed, neither will be 100 percent effective.

The most important aspect though, is to be diligent against the biggest threat: People!

Unless you are pro-active in your approach, you will always be a target for theft.

Don’t make the assumption that it will never happen to you.

As stated in the opening sentence, “We have discovered that with every problem there is a solution.” As far as reducing the ‘front door’ risk goes, the focus must be on implementing technologies that assist human resources in detecting security breaches that introduce or remove devices, such as USB drives, intended to steal data. A small, hidden device may or may not show up on a metal detector, and can certainly be strategically hidden, including internally, to avoid such measures.

Security systems must therefore be developed that:
• offer pinpoint accuracy of detection,
• simultaneously detect location, size and orientation,
• require minimal manpower to operate and, more importantly,
• are discreet, unobtrusive and can be hidden.

5. Real Time Threat Detection Systems – The Keys To The Castle!

To this point, we have covered the protection and security of data and suggested solutions for maintaining data integrity. But a growing and ever-present threat to humanity is the rise of terrorism, violence, and attacks on people and property. Airports, venues, military installations, schools and government installations, to name a few, have all increased security measures in an attempt to minimise harm, but opportunistic criminals will always find ways to exploit defences and conduct attacks.

Physical security, that is to say security personnel, is a deterrent but can still be overcome by force at close range. Weapons are also easy to conceal, and can avoid detection via personal searches or visual inspection. Knives, guns, pistols etc. are primarily used at close range and require the user to be at close quarters. Explosives, on the other hand, can be detonated at a distance, keeping the perpetrator out of range.

It is therefore necessary to be able to screen people in large volumes from a distance, and fortunately the technology for this is now available with products that are able to do the following:
• Reduce human error
• No Dedicated Monitoring
• Inconspicuous
• Simple Training
• Large Traffic Throughput
• One System/Multiple Gates
• Updates Via Cloud

Conclusion

This paper has discussed key issues surrounding both cyber and personal security. As threats continue to increase, so must the capacity to outwit and defeat those who would seek to do harm.

It has highlighted deficiencies in the above-mentioned areas of security and presented possible scenarios for applicable solutions for each.

It is in no way exhaustive, but indicates the main security threats to organisations and people today.