Why Companies Continue to be Victimized by WannaCry
The latest cyber incident at the Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract manufacturer of chips for companies including Apple, is a reminder to companies of the dangers of unpatched Windows operating systems.
TSMC Chief Executive Officer C. C. Wei said in a press conferencethat a variant of the 2017 WannaCry ransomware caused the shut down of several of the company’s manufacturing plants in Taiwan in the first weekend of August this year.
Wei said the WannaCry infection happened when an unnamed supplier connected a computer laden with WannaCry to TSMC’s internal network. The malware then spread swiftly to the company’s internal network and hit the manufacturing plants in Tainan, Hsinchu and Taichung – plants that produce chips for Apple.
TSMC, in a statement, said that it contained the problem and found a solution. The company said that the cyber incident could result in delays to product shipments and reduce the company’s third quarter revenue by 3%.
What Is WannaCry?
WannaCry is a malicious software (malware) that was first seen in the wild on May 12, 2017. It’s estimated that more than 300,000 computers in 150 countries were infected by this malware during this date alone.
Windows operating systems that are affected by this malware are the following: Microsoft Windows XP, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012 and R2, Windows 10 and Windows Server 2016.
This malware encrypts computer files, posts a ransom note on the infected computer screen that payment should be made in a form of the cryptocurrency Bitcoin for the decryption key to be released.
Can files be recovered after paying the ransom? The answer is no. It’s not possible to recover the decryption key after paying the ransom as whoever wrote the WannaCry code omitted a link between Bitcoin payment and the unique ID. Because of this omission, the attackers themselves don’t know who paid the ransom and who didn’t.
To date, it’s not known how the first WannaCry infection happened. Although unconfirmed, it’s believed that the first WannaCry infection happened via a spam email.
What is established though is that this malware uses the spy tool called “EternalBlue”. This spy tool is believed to be created by the US National Security Agency (NSA). Anyone can now use EternalBlue as the group known as “Shadow Brokers” leaked to the public the EternalBlue code on April 14, 2017.
This spy tool exploits the vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol – a protocol that allows computers using Windows operating systems to communicate with each other and with other devices. Through SMB protocol, files and printers can be shared. This protocol also allows attackers to remotely execute any code they want. In the case of WannaCry attack, they execute the WannaCry malware.
WannaCry spreads swiftly to other computers as this malware replicates itself within the computer network without the need for any user involvement.
According to McAfee Labs, WannaCry doesn’t just spread to other computers in the same network, it also spreads to other computers via the internet when the said computers allow NetBIOS packets from outside networks. “This could be one reason for the widespread infection seen in this outbreak,” McAfee Labs said. “This explains why many folks are unsure about the Initial vector of the malware.”
According to Microsoft, the security vulnerability that EternalBlue exploits was fixed in its March 14, 2017 security update, a month before Shadow Brokers leaked to the public the EternalBlue code. Applying Microsoft’s March 14, 2017 security update, therefore, could have prevented the WannaCry attack.
At the height of the WannaCry attack in May 2017, the research community stopped the massive spread of this malware via a “kill switch”. The author or authors of the WannaCry code purposely created a kill switch via this URL: www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
“If the domain [URL] is active, the malware simply quits without doing anything else,” McAfee Labs said. “For this purpose, the research community has sink holed this domain to prevent further malware infections.”
In the case of the TSMC cyber incident, WannaCry’s kill switch wasn’t applicable as the TSMC supplier’s computer laden with WannaCry and TSMC’s internal network weren’t connected to the internet.
According to Kryptos Logic, WannaCry is still very much active with approximately 100 million connection attempts from 2.7 million unique IPs on the kill switch over the period of March 2018. In March this year, Boeingannounced that WannaCry infected a “limited” number of its machines.
WannaCry Cyberattack Prevention
Here are some of the preventive measures against WannaCry:
Ensure that your organization hasn’t blocked access to this URL:
www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com as this URL has been sink holed and is being used by WannaCry malware as a kill switch.
Block legacy protocols such as SMB protocol.
Be vigilant in opening email attachments especially if these come from unknown or untrusted sources.
Your organization’s main defense against WannaCry is by installing the latest security update from Microsoft, in particular, the March 14, 2017 security update.
A survey conducted by ServiceNowfound that almost half of the 467 financial services institutions around the globe suffered a data breach in the last 2 years, and majority had been breached via a security vulnerability for which a security update, also known as patch, was already available.
The said survey and the latest cyber incident at TSMC highlight an overwhelming need for organizations to install the latest security update or patch before cyberattackers strike.