In mid-May, computers of national railways in Germany, mobile operators in Spain and Hungary, and hospitals in the United Kingdom were infected by the WannaCryptor ransomware, leaving them with the message “Ooops, your files have been encrypted!” on their screens. The ransomware encrypted their files and demanded payment of $300 in bitcoin to get them back. In Slovakia, only a hospital in Nitra reported infected computers.
We spoke with Ondrej Kubovič, security evangelist at the Slovak security software company ESET about the ransomware WannaCryptor, also known under the name WannaCry, and the best ways to keep yourself protected from cyberthreats.
The Slovak Spectator (TSS): What exactly happened when the ransomware WannaCryptor attacked computers on May 12?
Ondrej Kubovič (OK): Actually, two things happened there. First, the EternalBlue exploit was leaked sometime in February from America’s National Security Agency (NSA). It is believed that it was used for espionage. This tool abused a vulnerability in Windows operating systems, meaning it found and “opened a door” into many computers. It primarily did not do anything wrong to computers; it was just a tool to enter them. But then hackers developed several malicious codes that were able to use this exploit and infect computers via this “open door”. WannaCryptor was only one of them.
TSS: Did Microsoft react to what happened in any way?
OK: Yes, very promptly. It issued a security patch closing this “open door” two months before the WannaCryptor attack. Those using Microsoft-supported Windows operating systems, like Windows 10, received the patch via automatic updates, if they had them switched on. Microsoft even issued patches for operating systems that it no longer supports, like Windows XP or Windows 8. But people using these unsupported systems had to install the patch on their own, and in many cases that was not done. This is why there were so many vulnerable computers.
TSS: How many computers were infected?
OK: Based on data published by Europol, WannaCryptor infected over 200,000 computers in 150 countries around the world, which is not an extremely high number. What earned it such extensive coverage was that it infected computers in sensitive institutions like mobile operators in Spain and Hungary or health-care related organisations in the UK. It is estimated that the hackers who were behind the attack received some $120,000, which is not a huge amount of money. From this point of view, this was a rather faulty implementation. But there are also speculations that WannaCryptor was leaked on the web when it was only in its testing phase.
TSS: How did WannaCryptor infect computers?
OK: Compared to other, more common ransomware, WannaCryptor is a worm. This means that it found the vulnerable computers to infect on its own. Computer users did not need to do anything for their computers to become infected. It is more common that ransomware spreads via emails with attachments containing malicious code. In such cases people can protect their computers by behaving cautiously and not opening suspicious emails. But we have to say that ransomware operators learn and improve their “product”, and sometimes it is very difficult to identify such emails. They can now even mimic a letter from your boss, for example, with an enclosed invoice for which payment is requested.
TSS: Did people get the decryptor when they paid the ransom, which was $300 in bitcoins?
OK: We do not really know, as there are no official data about this. But what we know from what was published is that even those who paid the ransom did not get the decryptor. Some decryptors have, however, already been developed.
TSS: Is it known who developed WannaCryptor?
OK: No. There are some indicators that it may be the work of a group known as Lazarus from North Korea, as part of this malicious code is the same as code previously used by this group. But we can never say exactly who is behind which particular malware, as these hacker groups exchange their code.
The hacker groups also already provide ransomware as a service. This means that you can simply buy ransomware, ready to use, on the internet. All you need to do is spread it. Malware creation has already developed into a kind of “ordinary business”. From what we see, it even seems that the people behind these malicious codes work at specific times, resembling an eight-hour workday.
TSS: When did ESET realise that something was happening?
OK: We were monitoring the situation from the very beginning, even when the problem with EternalBlue occurred. We developed a network detection for it and implemented it in our security products that have firewalls already in April. Thus, computers using our products were protected from being infected by any malicious code abusing this vulnerability. But what our detections saw first was a wave of malware mining virtual currencies. Such programs “only” used the performance capacity of affected computers, so they are not as dangerous as ransomware. Such code could potentially just slow your computer down. WannaCryptor attacked later. Actually, for us WannaCryptor was rather an interesting incident, as our clients did not report any problems.
TSS: Did WannaCryptor also infect computers in Slovakia?
OK: As people in Slovakia don’t announce this, we only have information from the media. So the only case that we know about is the hospital in Nitra whose computers were infected. But I have to say that Slovaks are quite conscious of cybersecurity and use antivirus software on a large scale.
TSS: Did security software companies like ESET cooperate in any way when WannaCryptor attacked?
OK: In general, companies active in cybersecurity cooperate on resolving such threats. On the level of marketing and sales there is strong competition among us and we fight for each client, but on the level of security and research we are a cooperating community. We meet at various forums and conferences and share our knowledge and findings. But of course we very carefully protect our technologies and products.
TSS: Do the solutions of individual security software companies differ?
OK: Yes. Their approaches differ, for example, in their area of focus. To put it simply, some may focus on preventing malware from entering computers. For WannaCryptor, they blocked the EternalBlue exploit. Others focus on the behaviour of malicious code. For example, in the case of WannaCryptor they may have detected that it was going to encrypt data on computers and acted at this point. But usually security solutions that clients can buy – including ours – combine several approaches in order to increase the level of protection.
TSS: Is there any general advice on what people should do if their computers are infected by ransomware?
OK: There are some basic rules, but it is specific to each case. Before WannaCry we recommended switching off the infected computer as soon as possible. This might have improved the possibility that the malware would not encrypt all the data. But for WannaCryptor this was not good advice, because it is possible to get the decrypting key from the computer’s memory, which would get cleaned during a restart. In the WannaCryptor case, probably the best advice would be to hibernate the infected computer and call a cybersecurity expert.
But people should keep their encrypted data. It happens that after some time hackers publish the decryption key, based on which it is possible to make a decryptor and decrypt the data.
Last year, one of our analysts saw that operators behind TeslaCrypt ransomware were fading out their activities. He pretended to be a harmed user and asked them for the master key. Surprisingly the group made it public and apologized for their activities. Afterwards we created a free decrypting tool. So far 126,000 people have downloaded this tool from our website.
TSS: What lesson should people take from WannaCryptor?
OK: We keep repeating a trio of mantras. The first one is to keep your operating system, web browsers and other programs you use updated, as their creators develop patches for newly discovered vulnerabilities. The second one is to back up. If you have your data backed up, then after ransomware encrypts your data you just need to reinstall the computer software and copy the data to it from the backup. The only damage is the time you spend on this. The third one is to use a really good antivirus program. It is ideal when it protects your computer on various levels. I also always add a fourth one – use common sense and do not click on everything in your emails or on the web. Clicking on an advertisement offering the latest iPhone for a fraction of the standard price sounds too good to be true, and it usually is.
6 Jun 2017 at 6:39 | Jana Liptáková