The original of this text was written by Ken Dwight, aka The Virus Doctor. I am an alumnus of his Virus Remediation Training and make this text available for my customers with his kind permission. Thanks Ken.
As with malware in general, encrypting ransomware is continually changing. Most of these changes are evolutionary and somewhat predictable. As such, they don’t call for any significant changes in the methodology to be used in dealing with them.That was it.
Some recent developments in specific families and strains of encrypting ransomware are
significant enough to justify an update to the IT Support technician’s strategies and tactics for handling them effectively.
There are primarily two families of such ransomware that warrant this attention. Multiple names have been assigned to these families, but this discussion will use the names that are most frequently found in credible press coverage of these outbreaks.
WannaCry was released into the wild on May 12, 2017. According to most reports, it infected at least 200,000 computers, in more than 150 countries. This ransomware spawned its own Wikipedia entry, at
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.
The more recent attack, erroneously known as Petya, but more accurately referred to as
NotPetya, first struck on June 27, 2017. There are no estimates of the total number of computers infected by this malware, or the number of countries represented. But it clearly targeted businesses and organizations in Ukraine, with some 80% of the infections found there. This ransomware also has its own Wikipedia entry, at
https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine.
These two families of ransomware have several characteristics in common. Probably the most notable is the widespread coverage both received in the general press. While malware generally goes unreported in the non-trade press, these attacks were the exception to that rule. Fueling the press coverage was the revelation that both of these attacks were based on exploits developed by, and subsequently stolen from, the U. S. National Security Agency (NSA).
Interestingly enough, I have not seen any of these infections first-hand, nor have I received reports from any graduates of my Virus Remediation Training workshops that they have encountered computers encrypted by either of these families of ransomware. Considering the fact that hundreds of IT Support Techs fall into this category, in most of the United States + 7 foreign countries, I can only speculate that the actual infection rate is much less widespread than the press coverage would lead one to believe.
Another common denominator between these two infections was the fact that the vulnerability in Windows that was used for both of these attacks had been patched by Microsoft in their March, 2017 Windows Updates; any computer with that update applied would not have been infected by either of these pieces of malware.
Two NSA exploits were used in both of these attack scenarios; they are named EternalBlue and DoublePulsar. A free EternalBlue vulnerability scanner is available for download from http://omerez.com/eternal-blues-worldwide-statistics/. As of mid-July, 2017 more than 10 million IPs have been scanned; the majority of hosts scanned (53.82%) still have SMBv1 enabled, and 1 out of 9 hosts in a network is vulnerable to EternalBlue.
The WannaCry malware included a “Kill switch” which was discovered by a malware researcher and activated to disable the infection from spreading any further. No such kill switch has been found for NotPetya, but a “Vaccine” has been developed to protect against it. More details from Bleeping Computer at https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/.
Another important difference between these two families of malware involves the type of
encryption they perform on the victim’s hard drive. WannaCry, like most encrypting
ransomware, encrypts each individual file. It also changes the filename to end with an extension of .wcry.
On the other hand, NotPetya encrypts the entire hard drive and replaces the Master Boot Record with its own version. While the encryption is taking place, the malware displays a screen that looks like a chkdsk operation is being performed; when the whole-disk encryption is complete, it forces a reboot.
Upon the reboot, the modified MBR causes the ransom note to be displayed, with instructions to pay $300 USD in Bitcoin; after 72 hours, the ransom increases to $600 USD. Because of the modified MBR, at this point it is not possible to boot into a normal Windows environment.
As of this writing there is no means to pay the ransom; even if the ransom is paid, there appears to be no way to decrypt the hard drive or restore it to normal operation. Consequently, there is no reason to even consider paying the ransom.
Back to WannaCry, there have been some reports of successful decryption after paying the ransom. But here again, I have no first-hand (or even second-hand) reports from victims of this family of ransomware.
Those are the most recent, high-profile developments in the field of encrypting ransomware. But it’s a pretty safe bet they won’t be the last. This category of malware continues to evolve and become more sophisticated and more insidious. It has crossed the threshold of being a billion-dollar industry; that success will attract more and more criminals who are lured by the promise of easy money. Our prospects for future employment remain secure!
All my customers are advised to weekly initiate a check for Windows Updates. If they followed that advice their computers were protected and they don't need to care about these two overly "hyped up" virus outbreaks.
Stay safe.
