WannaCry: One month on
Why was WannaCry and EternalBlue to effective? Ondrej Kubovič, ESET Security Awareness Specialist, explains why.
The WannaCry ransomware has been in the headlines since its initial attack at the beginning of May 2017. The virus targeted computers running an out-of-date version of Microsoft’s Windows operating system, encrypting data on the computers and demanding payment.
The digital attack infected more than 230,000 computers, spread across over 150 countries. It even hit large companies including NHS, Telefonica, FedEx, and many other companies worldwide.
Part of the WannaCry outbreak was the exploit EternalBlue, which targets a vulnerability in Microsoft’s implementation of the Server Message Block protocol. The vulnerability allows remote attackers to execute arbitrary code on the targeted computers, by accessing the operating system via specific versions of Microsoft Windows that accepts ‘specially crafted packets’.
Ondrej Kubovič, ESET Security Awareness Specialist, discusses the role of the exploit EternalBlue in relation to WannaCry and the negative effects it has had.
“The reason for crashing XP machines were more in the exploit EternalBlue itself.
“It interfered with kernel and in cases where it didn’t go according to preplanned scenario it could have caused blue screen of death (BSOD).
“One possible explanation for this could be also connected to the fact, that the NSA code had two branches – one targeting Win XP, the other Win 7.
“If the authors of the worm didn’t have control over what OS runs on the next target, they could simply choose the scenario with higher probability, namely Win 7 (higher market share).
“Kernels of these systems vary and the exploit might therefore cause failure and lead to BSOD.
“If the updates are disabled patching machines is a responsibility of the user, admin or owner of the system, not the system itself.
“People can have various reasons why they don’t patch the systems.
“Some might have poor understanding of OS security and updates, others could have willingly or unwittingly turned off update services – be it for the sake of saving bandwidth, space or inability to set updates properly – others run illegal OS and don’t want to contact the developer (in this case Microsoft) for updates.
“Critical systems often have updates turned off or download them, but run for long time without reboot, which is required to apply the updates.
“Microsoft also announced, that it will offer no support (thus updates) to Windows 7 or 8.1 running on newer processors.
“The whole EternalBlue/WannaCryptor campaign demonstrated the importance of updates for OS as well as for any other software out there.
“Installing the latest possible updates, using only the minimum necessary software and disabling all unnecessary services (ports, remote control etc.) decreases the attack surface.
“Installing a security solution to such a system could also help improve the security, but not to a level achievable with newer OS.
“Therefore we highly recommend all users who still running an outdated and unsupported system, to switch to newer OS.
“If the outdated and unsupported OS cannot be replaced the best way to go is to keep it air-gapped – disconnected from the internet.”