Timeline: How the WannaCry cyber attack spread
The first infection struck at around 8:24am London time on Friday 12 May 2017.
According to early accounts, an unwitting computer user somewhere in Europe opened an email and its attachment, a compressed zip file, and let WannaCry into their system. Later analysis found no firm evidence of an email lure, and many researchers concluded that the worm more likely entered directly through machines whose Windows file-sharing port was reachable from the internet.
Before it began to encrypt the files on that machine, and later those on at least 200,000 others at hospitals, oil companies, banks and other organisations around the world, WannaCry had a small piece of housekeeping to perform.
Each time it ran on a newly infected machine, WannaCry’s code first tried to connect to an obscure web address: a long string of characters that looked as if someone had run their fingers across a keyboard. The domain was unregistered, the connection failed, and failure was precisely the result the code was waiting for, so WannaCry carried on.
This initial step would later prove to be the attack’s Achilles heel, but for the first few hours, it would go unnoticed and WannaCry would be left to propagate unhindered.
Phase two of that first infection was to look for other Windows machines it could reach over SMB, the protocol Windows uses for file and printer sharing, and begin exploiting them.
To do so, it deployed its secret weapon, or rather a weapon that had once been someone else’s secret: EternalBlue, an exploit reportedly developed by the US National Security Agency, stolen from it and published online a month earlier by a group calling itself the Shadow Brokers.
———————
1. On Friday morning Spanish mobile operator Telefónica was among the first large organisations to report infection by WannaCry
2. By late morning, hospitals and clinics across the UK began reporting problems to the national cyber incident response centre
3. In Europe, French carmaker Renault was hit; in Germany, Deutsche Bahn became another high-profile victim
4. In Russia, the ministry of the interior, mobile phone provider MegaFon, and Sberbank became infected
5. Although WannaCry’s spread had already been checked, the US was not entirely spared, with FedEx being the highest-profile victim
———————
EternalBlue is what set WannaCry apart from almost every other form of ransomware (malicious software that encrypts victims’ data and demands payment to release it): most ransomware needs a user to open something on each machine, whereas WannaCry spread on its own, and that is what made it one of the most destructive cyber attacks yet seen.
EternalBlue exploits a flaw in Windows’ implementation of version 1 of the SMB file-sharing protocol (CVE-2017-0144). A crafted sequence of packets sent to the SMB port, TCP 445, lets an attacker run code on an unpatched machine with full system privileges and without any action by its user. Microsoft had fixed the flaw in the MS17-010 security update in March 2017, two months before the attack, but many organisations had not applied it, and some were still running versions of Windows that no longer received updates at all. The defences that kept WannaCry out are the ones that still apply: install MS17-010 or its equivalent, disable SMBv1, and block port 445 at the network perimeter and between internal network segments.
“The widespread use of filesharing between organisations is to some extent a dream come true for a cyber criminal,” says Darren Thomson, chief technology officer of Symantec, the anti-virus and web security company. “If you can exploit a filesharing vulnerability, then you can get to tens or even hundreds of thousands of users.”
By mid-morning, WannaCry had used EternalBlue to do just that, spreading over SMB from its “patient zero” machine to every unpatched Windows host it could reach on the local network and, because it also probed random internet addresses, to networks across the world.
Spain’s Telefónica, the telecoms group, was among the first to announce publicly that it had a problem. By mid-morning, employees across the company found themselves locked out of their work terminals. Telefónica subsidiaries in South America were affected too.
In Britain, the impact of WannaCry was far more serious. At about 11am, the first hospitals in the UK began to report a ransomware attack to the national cyber incident response centre. By lunchtime, hospitals were diverting emergency patients and facilities across the country were being taken offline.
The list of infected organisations would swell dramatically in the next few hours: Chinese petrol stations operated by the state oil company had payment systems cut off; German railways lost control of their passenger information system; and FedEx’s logistical operations were disrupted.
Cleaning up the mess and trying to work out the scale of the threat and how it spread is no easy task. “We’re still digging but the people with the best data — the victims — are basically burnt to the ground and have more high-priority items at this point than figuring that out,” said a senior US cyber researcher.
Security analysts stress it could have been worse but for the actions of an anonymous British security researcher. After lunch on Friday, a 22-year-old cyber analyst, who writes online under the pseudonym MalwareTech, returned to his desk and spotted something crucial in WannaCry’s code: the first stage of its infection process. The obscure web address the ransomware was querying, he noticed, was unregistered and inactive. So he registered it for about $11 and pointed it at a server he controlled.
It turned out to be a form of “kill switch” baked into WannaCry by its creators. Once the address answered, each new copy of the ransomware, finding that the connection succeeded, stopped before encrypting anything or spreading further. Once he had control of it, WannaCry was stopped in its tracks. The switch had limits, though: it did nothing for machines already encrypted, and on networks where outbound web traffic is only possible through a proxy, which the worm did not use, the connection still failed and the worm still ran.
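The two behaviours described above, the kill-switch lookup on first execution and the fan-out of SMB connections as the worm hunts for new hosts, are both visible in ordinary network logs. The script below is an added example, not code from the article or from any incident-response product: it runs detection logic for both signals over constructed DNS and firewall log lines in two hypothetical formats. The kill-switch domain is the real one reported in public analyses of the sample (the article does not name it); the thresholds and the log formats are assumptions to adapt to your own sources.

```python
"""Detection logic for the two WannaCry behaviours described in the article.

Added example, not code from the FT article or from any incident-response
tool. It runs over constructed log lines in two hypothetical formats; the
only real identifier is the kill-switch domain, taken from public analyses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real WannaCry kill-switch domain as published in public analyses (the
# article does not name it). The worm exited if an HTTP connection succeeded.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed DNS resolver log, hypothetical format: "<ts> <client_ip> <qname>"
DNS_LOG = """\
2017-05-12T10:31:02 10.0.1.15 www.example.com
2017-05-12T10:31:07 10.0.1.22 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:31:09 10.0.1.15 updates.example.net
2017-05-12T10:33:41 10.0.1.22 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""

# Constructed firewall log, hypothetical format: "<ts> <src> <dst> <dport> <action>"
FW_LOG_LINES = [
    # 10.0.1.15 talks to one file server over SMB, as a normal workstation does
    "2017-05-12T10:30:00 10.0.1.15 10.0.1.5 445 allow",
    "2017-05-12T10:30:05 10.0.1.15 10.0.1.5 445 allow",
    "2017-05-12T10:30:09 10.0.1.15 93.184.216.34 443 allow",
    "2017-05-12T10:30:12 10.0.1.15 10.0.1.5 445 allow",
] + [
    # 10.0.1.22 probes TCP/445 on twelve different hosts within 24 seconds,
    # the fan-out pattern of the EternalBlue spreader; some probes are blocked
    f"2017-05-12T10:31:{10 + 2 * i:02d} 10.0.1.22 10.0.1.{100 + i} 445 "
    f"{'deny' if i % 3 == 0 else 'allow'}"
    for i in range(12)
]


def kill_switch_hosts(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """Return the set of clients that looked up the kill-switch domain.

    The lookup is the worm's first action on a freshly infected host, so each
    hit is a machine to isolate. Matching is case-insensitive and tolerates
    the trailing dot of an absolute name.
    """
    wanted = domain.lower().rstrip(".")
    hits = set()
    for line in dns_lines:
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") == wanted:
            hits.add(client)
    return hits


def smb_scanners(fw_lines, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak_distinct_peers} for hosts whose TCP/445 fan-out
    reaches `threshold` distinct destinations within any `window`.

    Denied connections count as well: a blocked probe is still a probe, and
    a scanner does not stop because one target was unreachable.
    """
    by_src = defaultdict(list)
    for line in fw_lines:
        ts, src, dst, dport, _action = line.split()
        if dport == "445":
            by_src[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def triage(dns_lines, fw_lines):
    """Combine both signals per host.

    A host that scans SMB but never queried the kill-switch domain through
    the resolver you watch is the case to worry about: either its outbound
    web access goes via a proxy the worm could not use, so the kill switch
    never fired there, or it runs a variant without one.
    """
    ks = kill_switch_hosts(dns_lines)
    scan = smb_scanners(fw_lines)
    report = {}
    for host in ks | set(scan):
        report[host] = {
            "kill_switch_lookup": host in ks,
            "smb_fanout": scan.get(host, 0),
            "needs_isolation": True,
        }
    return report


if __name__ == "__main__":
    for host, verdict in sorted(triage(DNS_LOG.splitlines(), FW_LOG_LINES).items()):
        print(host, verdict)
```

On the constructed data only 10.0.1.22 is flagged, on both counts; the workstation that repeatedly opens SMB sessions to a single file server never exceeds one distinct peer and stays clear. The window and threshold are deliberately coarse: a real deployment would tune them against a baseline of the network’s normal SMB traffic, and would treat the kill-switch lookup as the higher-confidence signal of the two.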
The respite, analysts warn, may yet prove short lived. WannaCry’s creators, or copycats, could rejig the code and start again; within days, variants pointing at different kill-switch domains were already circulating.
For law enforcement, meanwhile, the hunt is on to identify who those creators might be. The task is unenviable.
“Many factors will help narrow down the search, such as the compile times, the languages the original code was written in, but direct attribution will not be possible until a person or people responsible are found,” said James Chappell, chief technology officer of Digital Shadows, a cyber intelligence firm.
A key goal, British security officials said, will be to locate the command and control servers for WannaCry. The hackers have not made that easy: WannaCry reaches them through Tor, an anonymity network originally developed at the US Naval Research Laboratory, which routes traffic through a chain of relays and makes the parties at either end very hard to trace.
“If I was a betting man, I would say this was most likely an organised criminal group,” said John Bambenek, manager of threat systems at Fidelis. “They are going to be found. They’ve just put themselves on the top of everybody’s dinner plate.”