Following last Friday’s worldwide outbreak of the WannaCry ransomware, which has now infected over 165,000 computers, Microsoft quickly released security updates for several operating systems the company no longer officially supports.
In a blog post, Microsoft principal security group manager Phillip Misner stated that while currently supported Microsoft operating systems were protected from the attack in a security update released in March, the company was now “taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.”
PhishMe CTO Aaron Higbee told eSecurity Planet by email that it’s crucial for organizations to patch systems and applications as quickly as possible.
“It’s no surprise that hospitals and healthcare facilities were impacted heavily by this attack,” Higbee said. “Many healthcare facilities are running specialized diagnostic equipment embedded with Windows XP, and the medical device service contracts prevent the hospitals’ IT staff from updating the equipment for fear of voiding the support contract, creating large windows of vulnerability in between updates.”
What’s more, a recent Flexera report found that 9.8 percent of U.S. PC users had unpatched Windows operating systems in Q1 2017, up from 6.5 percent in Q1 2016. “Frankly, if you wait two months to apply a critical Microsoft patch, you’re doing something wrong,” Kasper Lindgaard, senior director of Secunia Research at Flexera, said in a statement.
Kill Switch
British security researcher Marcus Hutchins, a.k.a. MalwareTech, greatly limited the damage of the attack on Friday by accidentally triggering what may have been the malware’s kill switch.
“Upon running [a] sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered,” Hutchins wrote in a blog post.
For information on removing and preventing ransomware, see our comprehensive article “How to Stop Ransomware.”
According to Hutchins, the malware attempts to connect to the domain in question, and if the connection isn’t successful, it ransoms the infected system — but if the connection is successful, the malware simply exits. Once he registered the domain, the malware stopped infecting new systems.
Still, Hutchins said the domain may not have actually been intended as a kill switch, rather a “badly thought out anti-analysis.”
“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis,” he said.
New Variants Spreading
Because Hutchins’ having registered the domain only stops this version, he noted, there’s nothing stopping the attackers from removing the domain check and relaunching the malware, “so it’s incredibly important that any unpatched systems are patched as quickly as possible.”
And?AlienVault researcher Chris Doman told eSecurity Planet that new variants are already spreading with a modified kill-switch domain. “Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain. That allowed it to continue propagating again,” he said.
“Thankfully, some researchers are already registering the new domains as they identify them,” Doman added. “The cat-and-mouse will likely continue until [someone] makes a larger change to the malware, removing the kill-switch functionality. At that point, it will be harder to stop new variants.”
In fact, Cyphort researchers recently uncovered a new sample that uses a .test domain, which can’t be registered.
“It seems that the cyber criminals found a smarter way to evade sandbox detection by checking on a site that researchers cannot sinkhole,” Cyphort’s Mounir Hahad wrote in a blog post. “This technique allows the malware to spread again unchallenged.”
Disaster Recovery
To protect yourself from any future iterations of this or other ransomware, daily offsite backup is crucial, said Trapx co-founder Moshe Ben-Simon. “More important is a robust, tested disaster recovery process that ensures core IT systems can be brought back up in a few hours,” he said.
“Most hospitals have backup in place to support compliance, of course, but cannot restore key applications and recover operations fast enough in the face of a ransomware attack,” Ben-Simon added. “When an environment faces a true disaster, even a well-planned disaster recovery strategy will typically take days until full operations are restored. Do the work to make sure this take only a few hours.”
More broadly, Rich Barger, director of cyber research at Splunk, said the event should serve as a global wakeup call.
“Ransomware is arguably the number one method of cyber attack in 2017, and this attack demonstrates the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked,” Barger said. “Protecting critical infrastructure from cyber attack is a responsibility that cannot be taken lightly.”