
Don’t Be Taken Hostage Part 2: The Ransomware Attack That Cast A Long Shadow


In this article, Sollensys Corp tells the story of the WannaCry ransomware attack and advises businesses on how to not become a statistic next time.

Don’t Become A Statistic.

The worst cyberattack in history began with a tweet, infected computers in 150 countries within hours and resulted in over $4 billion in damages worldwide. The story of how it came about is the stuff that breaks box office records – complete with a coding genius who finds the magical kill switch and saves the U.S. from the worst of it.

The tweet came from a group calling themselves the Shadow Brokers. It referenced a source code repository with instructions for obtaining and decrypting a file of cyberwarfare exploits: exploits used by the Equation Group, a highly sophisticated hacking syndicate believed to be part of the National Security Agency (NSA).

The first leak consisted of older exploits, released to authenticate the claim of NSA origin and to advertise an auction of more desirable zero-day exploits:

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

…We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

Shadow Brokers

In an attempt to engage targeted parties such as the Five Eyes, the UN, Cisco, Microsoft, Google and FireEye, the Shadow Brokers threatened to release all of the exploits if the auction did not meet their asking price of 1 million Bitcoin. At the time, 1 million Bitcoin equated to approximately half a billion U.S. dollars.

The auction only reached $937. True to their word, the Shadow Brokers dumped close to 300 megabytes of material on Friday, April 17th 2017.

“It is by far the most powerful cache of exploits ever released. It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

Matthew Hickey, co-founder of Hacker House

EternalBlue was included in this dump. EternalBlue exploits a flaw in Microsoft’s SMB file-sharing code that lets a remote attacker take control of an unpatched computer.

Meanwhile, in North Korea, a hacker named Park Jin Hyok, purportedly a member of the Reconnaissance General Bureau (North Korea’s equivalent of the CIA), was tinkering with a particularly nasty cryptoworm. Park had not yet found a vulnerability pervasive enough to deploy his worm successfully. EternalBlue gave him the perfect exploit.

[Image: WannaCry ransom message]

The cryptoworm that would become WannaCry ransomware was deployed on May 12th 2017 and became the worst global cyberattack in history within a day of its release. WannaCry locks users out of their computers and demands that a ransom be paid within 7 days or the files will be deleted.

Fortunately, WannaCry was sinkholed fairly quickly by a British security expert, Marcus Hutchins. Hutchins reverse engineered the ransomware and discovered a hidden, unregistered domain in its code that acted as a kill switch to terminate the worm. He registered the domain and stopped WannaCry in its tracks.

“WannaCry seemed poised to spread to the US health care system, and Corman feared the results would be far worse than they had been for the NHS. ‘If this happens en masse, how many people die? Our worst nightmare seemed to be coming true.’”

Wired, quoting Josh Corman of the Healthcare Cybersecurity Industry Taskforce

To the NSA’s credit, it did inform Microsoft about its EternalBlue exploitation tool soon after learning it was in the hands of the Shadow Brokers. Microsoft released a patch one month before WannaCry was deployed; unfortunately, most people, and especially large organizations like the United Kingdom’s National Health Service, had not yet applied the update.

So, who are the Shadow Brokers? We still don’t know. The poorly worded messages would suggest a foreign bad actor, but the grammatical mistakes don’t follow a recognizable pattern that linguistic experts can use to pin down an origin. There are also American cultural references that would be unlikely to be understood by someone who had not lived in the U.S.

What we do know is that 3 NSA contractors have been arrested in the past 6 years for taking classified files, with at least 1 leaker still rumored to be in place. From WikiLeaks publishing PRISM to the hijacking of the NSA toolbox by the Shadow Brokers, one common theme continues to play out – there’s always a leaker.


Humans are the biggest liability for every organization. According to the experts at PurpleSec, 98% of cyber attacks rely on social engineering. Social engineering is influencing a person’s behavior to achieve a targeted outcome.

These aren’t teenagers haphazardly trying to hack the Pentagon in their grandmother’s basement. These ransomware threat actors are becoming more sophisticated and better organized every day. Ransomware cybercriminal specializations go beyond technical skill sets to assess the financial and reputational strength of potential targets.

There will be another attack; to avoid becoming a statistic next time, it’s imperative that businesses have a comprehensive cybersecurity plan that entails:

  1. Staying current on the threat landscape. The threat landscape evolves daily; what works today may be exploitable tomorrow.
  2. Keeping operating systems and anti-malware updated. It’s never convenient to stop what you are doing and update your system, but as this story illustrates, there are reasons updates are released.
  3. Having secure backups of data to minimize ransomware disruption. Businesses should adhere to the 3-2-1 Backup Rule – 3 copies of the data, on at least 2 different media, with 1 copy kept offsite.
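As an added illustration of the 3-2-1 rule above (example code, not from the original article), the function below audits a backup inventory for the three conditions and, going one step further than the rule itself, checks that at least one copy is not writable from the production network, since a worm that encrypts a reachable backup leaves nothing to restore. The inventory format and the sample records are constructed assumptions for this example.

```python
"""Audit a backup inventory against the 3-2-1 Backup Rule.

Added example; the record format (label, media, offsite,
writable_from_prod) is an assumption made for illustration.
"""
from collections import Counter


# Constructed sample inventory: two on-site disk copies plus an offsite
# tape that production hosts cannot write to.
SAMPLE_INVENTORY = [
    {"label": "prod-fileserver", "media": "disk", "offsite": False, "writable_from_prod": True},
    {"label": "nas-nightly", "media": "disk", "offsite": False, "writable_from_prod": True},
    {"label": "tape-weekly", "media": "tape", "offsite": True, "writable_from_prod": False},
]


def check_3_2_1(copies):
    """Return (compliant, findings) for a list of backup-copy records.

    Rule: at least 3 copies, on at least 2 distinct media types,
    with at least 1 copy held offsite. Each failed condition adds
    one human-readable finding.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need at least 3")
    media = Counter(c["media"] for c in copies)
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(media)}); need at least 2 media types")
    offsite = [c["label"] for c in copies if c.get("offsite")]
    if not offsite:
        findings.append("no offsite copy; need at least 1")
    return (not findings, findings)


def has_isolated_copy(copies):
    """True if at least one copy cannot be written from production hosts.

    This is beyond the literal 3-2-1 count: an offsite copy that is
    still writable from the production network can be encrypted by the
    same ransomware that hits the primary data.
    """
    return any(not c.get("writable_from_prod", True) for c in copies)


if __name__ == "__main__":
    ok, findings = check_3_2_1(SAMPLE_INVENTORY)
    print("3-2-1 compliant:", ok, findings)
    print("isolated copy present:", has_isolated_copy(SAMPLE_INVENTORY))
    ok, findings = check_3_2_1(SAMPLE_INVENTORY[:2])
    print("on-site disks only:", ok, findings)
```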

This is the second part of a series; each article will dive further into ransomware while also providing insight into how best to protect your business from malware disruption.

Join us next time for a deep dive into the Ransomware-as-a-Service industry and the social engineering tactics threat actors employ.


About Sollensys:

Sollensys Corp™ is a Distributive Data company, specializing in Blockchain solutions that help organizations recover quickly from Ransomware attacks.


© Copyright 2020 – Sollensys Corp.