As the one-year anniversary of the most widespread ransomware outbreak approaches, WannaCry is still active in the wild. Fortunately, so is the “kill switch” domain, which keeps most new executions benign. During the outbreak MalwareTech, a UK-based researcher, discovered that WannaCry tried to contact an unregistered domain before doing anything else, and registered it. Once the domain was live, any copy of the malware that made a successful connection to it simply exited instead of encrypting files or spreading. This is known as sinkholing, and it has largely removed the teeth from WannaCry so far. It is not a perfect fix, however: the malware is only neutralized on a machine that can actually reach the kill-switch domain, as Boeing recently discovered. In March several dozen computers in Boeing’s Commercial Airplanes division were suddenly hit by a full WannaCry infection.
As with many manufacturing companies, Boeing limits or disables internet access for many of its production computers, which also prevents them from reaching the kill-switch domain. Somehow an infected, “active” WannaCry host was introduced into that network, and the worm quickly attacked every unpatched Windows system it could reach over SMB (the EternalBlue exploit on TCP port 445). Organizations that block outbound traffic can still let the check succeed by resolving the kill-switch domain on their internal DNS to a host that answers HTTP, but that is a stopgap, not a substitute for patching.
US-based security firm Kryptos Logic has been monitoring the kill-switch domain and reports that traffic to it remains very high. An infected machine re-checks the domain every time the worm executes, including on each reboot, which is why the sinkhole has to stay up indefinitely. The only sure way to clean an infected system is to wipe it and reinstall the operating system, then install all patches and security updates; in particular, MS17-010 (March 2017) closes the SMBv1 flaw WannaCry exploits, and SMBv1 should be disabled wherever it is not needed. End-of-life/end-of-support operating systems should be upgraded to a supported release (Windows 10, or Windows Server 2012 R2 or later).
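The Kryptos Logic observation above suggests a check any organization can run against its own resolver logs: a host that looks up the kill-switch domain is running the WannaCry executable, and if that lookup failed (blocked resolver, no internet path, as in the Boeing case) the kill switch cannot have fired and the worm proceeded. The script below is an added example, not code from the original post or from Kryptos Logic; it assumes a simple constructed log format of “timestamp client qname rcode” and uses the kill-switch domain MalwareTech registered in May 2017.

```python
"""
Triage DNS query logs for WannaCry kill-switch lookups.

Added example, not code from the original post or from Kryptos Logic.
Assumptions: a constructed log format "timestamp client qname rcode", and
the kill-switch domain registered by MalwareTech during the May 2017 outbreak.
"""
from dataclasses import dataclass
import re

# Domain registered by MalwareTech during the outbreak. Later variants used
# other hard-coded domains; extend this set from your own threat intel.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample log. rcode is the resolver's response code: NOERROR
# means the name resolved (so the worm's HTTP check could succeed);
# NXDOMAIN / SERVFAIL / REFUSED mean the check cannot have succeeded.
SAMPLE_LOG = """\
2018-03-28T09:12:01Z 10.20.1.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2018-03-28T09:12:03Z 10.20.1.15 update.microsoft.com NOERROR
2018-03-28T09:15:44Z 10.20.7.201 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com REFUSED
2018-03-28T09:15:45Z 10.20.7.201 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com REFUSED
2018-03-28T09:20:10Z 10.20.3.9 www.example.com NOERROR
2018-03-28T10:01:59Z 10.20.7.77 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Verdict:
    client: str
    lookups: int        # kill-switch lookups seen from this client
    resolved: int       # of those, how many returned NOERROR
    status: str         # "check-resolved" or "check-failed"
    first_seen: str


def normalize(qname):
    # DNS names are case-insensitive and are often logged with a trailing dot.
    return qname.rstrip(".").lower()


def parse_line(line):
    """Parse one log line; return (ts, client, qname, rcode) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return ts, client, normalize(qname), rcode.upper()


def triage(log_text):
    """Return {client: Verdict} for every client that queried a kill-switch domain."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if qname not in KILL_SWITCH_DOMAINS:
            continue
        v = seen.get(client)
        if v is None:
            v = Verdict(client=client, lookups=0, resolved=0, status="", first_seen=ts)
            seen[client] = v
        v.lookups += 1
        if rcode == "NOERROR":
            v.resolved += 1
    for v in seen.values():
        # Any lookup at all means the WannaCry binary ran on that host. If even
        # one lookup failed, the kill switch did not fire on that run and the
        # worm went on to encrypt and spread: treat the host as active.
        # A NOERROR answer is necessary but not sufficient (an egress firewall
        # may still block the HTTP connection); confirm with proxy/firewall logs.
        v.status = "check-resolved" if v.resolved == v.lookups else "check-failed"
    return seen


if __name__ == "__main__":
    for v in sorted(triage(SAMPLE_LOG).values(), key=lambda v: v.client):
        print(f"{v.client:<12} {v.status:<15} lookups={v.lookups} "
              f"resolved={v.resolved} first={v.first_seen}")
```

Every host the script lists needs reimaging regardless of status; the status only tells you which ones to isolate first because their kill-switch check could not have succeeded.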
What are the lessons here that should have been learned from the WannaCry outbreak?
Of course, these lessons are not unique to WannaCry or Ransomware. They are not even new to the information security professional’s toolkit. They are basic security steps that can be implemented by almost any organization regardless of size or budget. It is surprising to read just how many systems were affected by WannaCry last year and even more shocking to realize how many systems remain affected and unpatched.
The next version of WannaCry could strike any day. The WannaCry authors did everyone a favor by hard-coding a single check-in domain into the binary (a kill switch rather than a true command-and-control, or C2, channel: the malware only tests whether it can connect, and takes no commands from it). That is the reason the sinkhole worked. Unfortunately, the delivery method has not been defeated, and potentially millions of systems remain vulnerable. A variant that generates its check-in domains algorithmically, or that simply drops the check, would defeat this sinkholing “solution” outright. By patching systems promptly, implementing least-privilege access control and network segmentation, and educating employees about cyber-threats, system administrators improve their chances of minimizing the impact of the next WannaCry-type attack.