WannaCry Ransomware

WannaCry is not a problem when your software and data are hosted on NIST 800-53 (FISMA/FedRAMP) or NIST 800-171 (FARS/DFARS) certified systems.

The WannaCry Ransomware cyber attack has stricken more than 300,000 computers, according to White House homeland security adviser Tom Bossert. While the rate of the attacks is decelerating, the risk is in no way over. The current threat has largely been halted thanks to a MalwareTechBlog, a UK cyber security researcher, and Darien Huss locating and activating a kill switch in the software.

Also known as WCrypt, WannaCrypt, WanaCrypt0rWana Decryptor or WCry, the malware applies a malicious piece of software that locks files on a computer and demands payments to unlock them. Before the ransomware is applied, the malware checked a URL online on a domain that hadn’t yet been registered. MalwareTechBlog registered the www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain and was able to activate the killswitch, a possible misstep by the malware’s author.

Lifeline Data Centers' hosting systems are designed and reviewed constantly to prevent these attacks from ever causing any harm. In a NIST 800-53 and NIST 800-171 certified operating environment, all systems would have already been patched to current and safe levels, the operating system components that this malware exploited would have been disabled at system setup time, and the TCP/IP network ports that the malware uses would be blocked as a matter of course.

If the computer has to access the Internet via a proxy, WannaCry is still executed! Ransomware attacks are becoming more commonplace of recent, and this particular malware was called unprecedented by Europol.  As of yesterday, if you turned on a system without the MS17-010 patch and TCP port 445 open, your systems were still at risk of the ransomware.

The attack exploits a vulnerability in Windows 8, Windows XP and Windows Server 2003, and in newer systems configured to maintain backwards compatibility. If you’re utilizing an up-to-date version of Windows 10, Windows 8.1, Windows 7. Windows Vista. Windows Server 2008. Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016, as long as you’ve disabled SMBv1, you should be safe. Mac and Android operating systems were not affected.

How is WannaCry Spread?

WannaCry spread more quickly than any ransomware ever had before thanks to a recently leaked NSA Windows vulnerability, called Eternal Blue. In London, the malware infected its first Windows computer when a user opened an email, along with executing a compressed zip file, that infected their network. By Friday, Spanish mobile operator Telefónica was among the first large businesses infected. Before noon, hospitals across the United Kingdom began reporting issues. Renault, Deutsche Bahn, MegaFon, Sberbank and even FedEx fell victim to spreading and executing the ransomware.

Once executed, WannaCry installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service. It then launches the executable and a worm to replicated through two methods. The first thread uses the GetAdaptersInfo function to obtain a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan, connects to each IP via port 445, and creates a new thread to exploit the new system using MS17-010/EternalBlue/. For additional detail regarding WannaCry, Malwarewarebytes Labs has written an in-depth article.

In the case of WannaCry, none of these companies would have been affected if they were hosted in the secure and compliant environment that Lifeline Data Centers provides: RedRack.

Rich Banta

Rich Banta

Managing Member at Lifeline Data Centers
Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including: CISA – Certified Information Systems Auditor CRISC – Certified in Risk & Information Systems Management CDCE – Certified Data Center Expert CDCDP – Certified Data Center Design Professional
Rich Banta