DIARY OF THE WANNACRY ATTACK
MAY’S RANSOMWARE ATTACK CRIPPLED PCS AROUND THE WORLD, BUT ITS ORIGINS CAN BE TRACED BACK TO LAST AUGUST. BARRY COLLINS INVESTIGATES HOW ONE OF THE WORLD’S BIGGEST CYBERATTACKS UNFOLDED
“I’ve been shaved down the front because they were going to open me up. Nil by mouth since this morning. And then at half past one the surgeon turned up and said unfortunately we’ve been hacked and there’s nothing we can do, we can’t operate on you today.”
The angry heart patient who vented his anger at the media was far from the only victim of the cyberattack that took place on Friday 12 May. No fewer than 61 NHS trusts were hit by the WannaCry attack, forcing hospitals to cancel operations, turn away A&E patients and switch off all computer equipment.
It rapidly escalated into a national crisis, but it wasn’t only a national health service that was under attack – organisations across the globe were switching on computers to discover a ransom note demanding US$300 to decrypt their files.
In the end, the attack was largely halted by the remarkable actions of one man. But how did it start in the first place? How were the American security services involved? And how did one guy working from home bring it all to an end? Here’s the blow-by-blow account of one of the world’s biggest cyberattacks.
TUESDAY 14 MARCH 2017
Sysadmins everywhere heave a deep sigh, as Microsoft releases its monthly Patch Tuesday batch of updates. There are no fewer than 18 separate bulletins and patches to apply, seven of which carry the company’s highest state of alert: critical.
Amongst them is the innocuously titled bulletin MS17-010, Security Update for Microsoft Windows SMB Server (4013389). “This security update resolves vulnerabilities in Microsoft Windows,” read Microsoft’s bulletin, in its typically deadpan style. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
The patch is wide-ranging, plugging holes in Windows Vista, 7, 8.1 and Windows 10, and every version of Windows Server since 2008. Microsoft publicly tips its hat to security researchers who discover vulnerabilities in its OSes, publishing acknowledgements along with its security bulletins. Almost every other bulletin in that bumper March pack is credited to some security researcher or other: Mateusz Jurczyk at Google, Haifei Li of Intel Security, Qiang Liu from McAfee. The discovery of vulnerability MS17-010 remains curiously unattributed. Who found the hole?
SATURDAY 8 APRIL 2017
The answer appears to be the US security services. In August 2016, a group known as TheShadowBrokers emerges, claiming to have stolen dozens of hacking tools that had been developed by the US National Security Agency (NSA) for its own hacking purposes. They include a bunch of exploits targeting Windows.
TheShadowBrokers initially make a ham-fisted effort to auction the hacking tools on the internet, attempting to sell the NSA-grade exploits to the highest bidder. But nobody’s biting. Buying exploits over the internet is one thing; buying tools that the NSA would desperately be attempting to trace is a whole new level of risk.
TheShadowBrokers’ behaviour becomes increasingly erratic. On 8 April, the group releases a bizarre diatribe addressed to Donald Trump, urging him to “bring America to the world”, to assert “white privilege” and offering its services to the administration. “TheShadowBrokers wishes we could be doing more, but revolutions/civil wars taking money, time, and people,” the message reads. “TheShadowBrokers has is having [sic] little of each as our auction was an apparent failure. Be considering this our form of protest.”
It then publishes a password for an encrypted cache of tools, contained within which is an exploit called EternalBlue that targets vulnerability MS17-010 – the one Microsoft patched in March’s security update, but which of course won’t yet have been applied to all vulnerable machines. Not to mention the sizeable minority of systems still running the unsupported Windows XP and Windows Server 2003, which Microsoft didn’t patch in the first place.
Security firms start crawling over the released malware code and discover a specific implementation of an encryption algorithm that was only previously found in exploits created by the so-called Equation Group, an outfit that the Russian security firm Kaspersky Labs has linked to the NSA. Other security experts, such as Bruce Schneier, claim TheShadowBrokers are highly likely to be Russian. We have ourselves a ball game.
THURSDAY 11 MAY 2017
Internet security companies get wind of a new ransomware attack. They’ve seen plenty before, of course, but this one’s a bit different. The exploit doesn’t seem to require any user intervention – it’s not goading people to click on attachments or run executables, but spreading all by itself over TCP port 445.
“Our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday,” a spokesperson for Kaspersky told PC&TA. “This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening.”
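The signal Kaspersky describes, a rise in inbound port 445 connections the day before the outbreak, is the kind of thing a sensor baseline can surface automatically. The script below is an added example, not code from the article or from Kaspersky; the log format, addresses and counts are constructed, and it flags any day whose TCP/445 count exceeds twice the running mean of earlier days.

```python
"""Flag an uptick in inbound TCP/445 connections in sensor logs (added example)."""
from collections import Counter
from datetime import date
import statistics

# Constructed sensor records: "<ISO timestamp> <source IP> -> tcp/<dst port>"
SENSOR_LOG = """\
2017-05-08T09:12:01Z 198.51.100.7 -> tcp/445
2017-05-08T13:40:22Z 203.0.113.9 -> tcp/80
2017-05-09T10:03:45Z 198.51.100.8 -> tcp/445
2017-05-09T17:20:09Z 203.0.113.4 -> tcp/443
2017-05-10T08:55:13Z 198.51.100.9 -> tcp/445
2017-05-10T22:41:30Z 198.51.100.12 -> tcp/445
2017-05-11T00:15:02Z 198.51.100.21 -> tcp/445
2017-05-11T01:02:48Z 198.51.100.22 -> tcp/445
2017-05-11T01:30:11Z 198.51.100.23 -> tcp/445
2017-05-11T02:14:56Z 198.51.100.24 -> tcp/445
2017-05-11T03:01:37Z 198.51.100.25 -> tcp/445
2017-05-11T03:45:10Z 203.0.113.5 -> tcp/22
"""


def count_port_hits_per_day(log: str, port: int = 445) -> dict[date, int]:
    """Return {day: number of connection attempts to the given TCP port}."""
    counts: Counter = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, _src, _arrow, target = line.split()
        day = date.fromisoformat(timestamp[:10])
        counts.setdefault(day, 0)  # keep zero-hit days so the baseline stays honest
        if target == f"tcp/{port}":
            counts[day] += 1
    return dict(sorted(counts.items()))


def flag_upticks(per_day: dict[date, int], factor: float = 2.0) -> list[date]:
    """Flag days whose count exceeds `factor` times the mean of all earlier days."""
    flagged: list[date] = []
    history: list[int] = []
    for day, n in per_day.items():
        if history and n > factor * statistics.mean(history):
            flagged.append(day)
        history.append(n)
    return flagged


if __name__ == "__main__":
    per_day = count_port_hits_per_day(SENSOR_LOG)
    for day, n in per_day.items():
        print(f"{day}: {n} hits on tcp/445")
    print("uptick days:", [str(d) for d in flag_upticks(per_day)])
```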
FRIDAY 12 MAY 2017
As people start switching on their PCs in offices around the world, it quickly becomes apparent that something huge is occurring.
Early morning reports emerge from Spain of an attack on the mobile operator Telefonica, while in the UK, initial reports suggest that the NHS has been the target of a “hack”, with problems being reported at several hospitals and doctors’ surgeries.
The BBC quotes a doctor from Newham in East London who reports that “from 2pm there were problems and the computers were shutting on and off. Staff now can’t turn the computers on at all.” Meanwhile, a nurse texts the BBC, writing: “We were told to disconnect all computers, which we did, we’ve also been told our door entry and heating systems may also not work. Kettle still working, so we’ll be OK!”
Surprisingly, the news reports are the first place security firm Symantec hears of the attack, too. “We first became aware of it through the media,” said Dick O’Brien, a senior information developer from Symantec’s threat research team. “Initially, we didn’t get a flood of customer queries because our products were fairly effective at blocking WannaCry.” Indeed, the company had first spotted a variant of the ransomware back in April when TheShadowBrokers’ exploits were leaked, and so was on guard for a repeat attack.
The same can’t be said of the NHS. Hospitals in Blackburn, Nottingham, Cumbria and Hertfordshire all begin reporting problems, with screenshots of the ransom pop-up starting to spread across Twitter. “Ooops, your files have been encrypted!” reads a clumsily worded message, demanding $300 worth of bitcoins be sent to a specified address within three days, or else “your files will be deleted”. A Hollywood-style countdown clock on the left-hand side of the screen rams home how long victims have got to save their files.
Before long, hospitals are starting to turn patients away. “We’re aware of an IT issue affecting NHS computer systems,” tweets the Mid-Essex Clinical Commissioning Group at 3.43pm. “Please do not attend A&E unless it’s an emergency.” The message spreads across other trusts as quickly as the ransomware.
Meanwhile, heart patients are being interviewed by TV crews outside hospitals, having had their operations cancelled; newborn babies at the Royal London Hospital aren’t being tagged because the PC connected to the printer has been crippled; matrons are reportedly running around wards in Yorkshire yelling at staff to switch off their PCs.
The memo clearly hasn’t reached GCHQ, whose social media mavens tweet out a twee message in support of National Limerick Day. “It’s a good job we’re better at keeping Britain safe than writing limericks…” Unlike the ransomware, the post is swiftly deleted.
By mid-afternoon, the NHS issues a statement on its website claiming 16 NHS organisations had reported that they were being affected by the ransomware, but by now it’s clear this isn’t an attack directed at the NHS alone. Reports are emerging of similar attacks in businesses worldwide: car-maker Renault in France, the US delivery firm FedEx and the Spanish power firm Iberdrola are among countless other victims.
“It was a few hours later, when the reports came in from organisations that were heavily affected through reports in the media, that we realised the scale of the problem,” Symantec’s Dick O’Brien told us. “After that, it was a case of all hands on deck to try and analyse the ransomware and ensure our protections were as good as possible. So, it was late Friday evening that the scale of the problem became apparent, and there was an awful lot of effort to reverse engineer the malware and also on the communications side, to inform our customers what’s going on and if they were protected and what they could do to protect themselves.”
Whilst Symantec’s security analysts are scouring the malware code, a lesser known security expert is one step ahead of them.
Marcus Hutchins is at home in North Devon, enjoying a week off work from Los Angeles-based cybersecurity firm Kryptos Logic, when he starts reading reports of a ransomware attack. “I woke up at around 10am and checked onto [sic] the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware,” Hutchins writes in a post on his blog (malwaretech.com). “There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend.” He returns home at around 2.30pm to find the malware forum besieged with posts about the NHS attack. “I picked a hell of a f***ing week to take off work,” he tweets shortly after.
With the help of a fellow researcher, he downloads a sample of the malware and quickly spots something curious in the code: “I instantly noticed it queried an unregistered domain, which I promptly registered.”
Registering the domain isn’t a random punt. Part of Hutchins’ job is to take down malware control server domains – he’d registered several thousand of them in the past year alone. But he doesn’t immediately realise how significant registering that particular domain will be. Instead, his immediate focus is making sure the “sinkhole server” he’s pointed the domain at doesn’t collapse under the weight of traffic. “At this point we still didn’t know much about what the domain I registered was for, just that anyone infected with this malware would connect to the domain we now own, allowing us to track the spread of the infection,” he writes.
At around 6.20pm a colleague messages Hutchins to tell him he’s evaluated the malware code and that it doesn’t periodically change the control server domain, like some malware does. But then they panic. “After about five minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files,” he writes.
It soon transpires that’s not the case – quite the opposite in fact. They’d actually found the kill switch. “You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” Hutchins writes.
How – temporarily, at least – did registering the domain put a stop to the ransomware? The ransomware writers know that as soon as their code is released, experts such as Hutchins will be picking through the code, attempting to reverse engineer it. Malware analysis is normally conducted on sandboxed machines that aren’t connected to the internet to prevent spreading the malware further. As Hutchins explains: “In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox, rather than the real IP address the URL points to.” In other words, the sandbox is attempting to fool the malware into thinking it’s running on a live machine.
“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis,” writes Hutchins. “However, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit… thus we initially, unintentionally prevented the spread and further ransoming of computers infected with this malware.”
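The model below is an added example, not code from the article or from the malware, that shows why one registration had a global effect: the same lookup is run against three resolvers (the open internet before registration, a sandbox that answers every name, and the internet after the domain is pointed at a sinkhole), and then against a later variant with a different hardcoded domain, which the first sinkhole does not stop. The domain names, host names and addresses are constructed placeholders.

```python
"""Model of the WannaCry kill-switch decision under different DNS environments (added example)."""
from typing import Callable, Optional

# Constructed placeholders: the article does not name the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"
VARIANT_DOMAIN = "second-variant-placeholder.invalid"

# A resolver maps a domain name to an IP address, or None for "no such domain".
Resolver = Callable[[str], Optional[str]]


def looks_like_sandbox(resolve: Resolver, domain: str) -> bool:
    """The test as Hutchins describes it: if the hardcoded domain answers,
    the code assumes it is inside an analysis sandbox and exits."""
    return resolve(domain) is not None


def unregistered_internet(domain: str) -> Optional[str]:
    """12 May, before registration: nobody owns the domain, so every lookup fails."""
    return None


def intercepting_sandbox(domain: str) -> Optional[str]:
    """Sandbox DNS interception: every lookup is answered with the sandbox's own address."""
    return "10.0.0.1"  # constructed sandbox address


def internet_with_sinkhole(sinkhole_ip: str, registered: str) -> Resolver:
    """After registration: only the sinkholed domain answers; all others are NXDOMAIN."""
    return lambda domain: sinkhole_ip if domain == registered else None


def simulate_outbreak(resolve: Resolver, hosts: list[str],
                      domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """For each infected host decide whether it exits (leaving a beacon in the
    sinkhole log) or proceeds to encrypt and spread. Returns the tallies."""
    beacons = [h for h in hosts if looks_like_sandbox(resolve, domain)]
    return {"exited": len(beacons), "spreading": len(hosts) - len(beacons),
            "beacons": beacons}


if __name__ == "__main__":
    hosts = ["nhs-pc-01", "telco-ws-07", "courier-kiosk-3"]  # constructed names
    sinkholed = internet_with_sinkhole("192.0.2.10", KILL_SWITCH_DOMAIN)
    print("before registration:   ", simulate_outbreak(unregistered_internet, hosts))
    print("inside a sandbox:      ", simulate_outbreak(intercepting_sandbox, hosts))
    print("after registration:    ", simulate_outbreak(sinkholed, hosts))
    # A variant with a different hardcoded domain is untouched by the first
    # sinkhole; the defender would have to register that domain as well.
    print("variant, same sinkhole:", simulate_outbreak(sinkholed, hosts, VARIANT_DOMAIN))
```

The beacon list is the same data Hutchins refers to when he says the sinkhole let them track the spread of the infection: every host that exits has first told the sinkhole it exists.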
SATURDAY 13 MAY 2017
The government is in full damage-limitation mode. We’re in the midst of a general election campaign – this attack doesn’t follow the “strong and stable” narrative. The prime minister appears in front of TV cameras, stating “this was not targeted at the NHS, it’s an international attack” – possibly the first time a British prime minister has been drawn to comment on a specific cyberattack. Defence ministers are wheeled out to refute claims the government’s not spending enough on cybersecurity; Home Secretary Amber Rudd is talking to people who understand the necessary hashtags…
In the meantime, Microsoft does something truly extraordinary: it provides a patch for Windows XP, Server 2003 and the original Windows 8, operating systems that are no longer officially supported. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” writes Phillip Misner, principal security group manager at the Microsoft Security Response Center. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.” It later updates the Microsoft Malicious Software Removal Tool to rid infected machines of the ransomware.
SUNDAY 14 MAY 2017
Having been widely lauded as the “accidental hero” of the ransomware attack, Marcus Hutchins is beginning to suffer the consequences of his 15 minutes of fame. “I woke up to someone ringing me to say my pic is on the front page of the Daily Mail,” he tweets.
Tabloid journalists aren’t the only ones who are giving Hutchins a hard time. The malware writers want to take his sinkhole servers down to get the ransomware up and running again by the time office workers return to switch on their PCs on Monday morning. “Looks like someone in China attempted to steal the domain,” Hutchins tweets late on Sunday, linking to an email from a Chinese domain registrar that has applied for a transfer. Others are flooding the domain with denial-of-service attacks. Consequently, the sinkhole server is having to be monitored around the clock. “Thanks to @2sec4u who stayed up all night monitoring our sinkholes so that I could get some sleep after 48h of being awake,” an exhausted Hutchins tweets.
MONDAY 15 MAY 2017
The morning media headlines are dominated by fears of a further meltdown as people return to work and switch on their PCs, but the dreaded resurgence doesn’t happen.
Instead, attention turns to working out who’s responsible for the attack, with several likely suspects – the Russians, North Korea, bored teenagers – already being fingered in the mainstream media. However, others take a more forensic approach. Google researcher Neel Mehta posts a cryptic tweet: “9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution”
He is, according to Kaspersky Lab’s Global Research and Analyst team, highlighting a similarity between two different malware samples with shared code. The first is an early variant of the WannaCry ransomware, the second is a sample of malware code written by the Lazarus Group.
The Lazarus Group is one of the most notorious active hacker groups, made famous by its 2014 hack on Sony Pictures that leaked confidential emails from the studio revealing details of stars’ salaries and unreleased films. The group is strongly suspected to operate from North Korea, but is it possible that another group has just stolen its code, perhaps to pin the attack on the rogue state? “In theory anything is possible,” write Kaspersky’s experts, but they dismiss the chances of such a “false flag” as “improbable”.
Symantec’s Dick O’Brien is prepared to go further, asserting the company is “100% certain” Lazarus was behind the attack. “The reason we say that is because the early attacks we saw involved an awful lot of tools that Lazarus have used in the past,” he told us. “There was initially a few links and we’ve built it up and built it up to the extent that there’s very little doubt that Lazarus are behind it.”
Others are less certain. Professor Alan Woodward from the Department of Computer Science at the University of Surrey says mistakes such as the kill switch that Hutchins flicked are unlikely to have been made by an experienced hacking collective. “Assuming these are not deliberate mistakes, which seems unlikely, the way in which the May WannaCry code was assembled appears inconsistent with the quality of the exploits that have been previously associated with the Lazarus Group,” he wrote on his blog.
“It may have been some group of script kiddies who tried to cobble together the WannaCry payload with the EternalBlue worm and ended up with something far more virulent than they ever imagined.”
Inevitably, we’ve seen several variants of the WannaCry ransomware released since that first devastating batch, some with a new kill switch domain hardcoded into the malware, others removing the kill switch altogether, but none appear to have had anywhere near the impact that the 12 May attack did.
The motivation for this first attack is still something of a mystery. It certainly doesn’t appear to be financial gain. “The money that went into the bitcoin wallets used has still not been moved out,” explained Symantec’s Dick O’Brien, speaking to us towards the end of May. “It’s unclear what they were trying to do. Whether they were trying to make some money and it got out of hand, or whether they were just intent on creating havoc.”
While the attackers remain at large, one person who’s had his life turned upside down by the episode is the man who prevented the attack from becoming far worse: Marcus Hutchins. He’s been practically forced to leave his home, after the tabloid press printed photos of his house. “I knew 5 minutes of fame would be horrible but honestly I misjudge [sic] just how horrible,” he tweeted. “The tabloids are super invasive.”
“For the record, I don’t fear for my safety,” he added in another tweet. “I’m just unhappy with trying to help clear up Friday’s mess with the doorbell [sic] going constantly.”
And spurious allegations that Hutchins was seeking personal gain from the attack were quickly destroyed when he was awarded a US$10,000 prize for discovering the kill switch by an ethical hacking group, and he promptly donated the lot to charity.
Ransomware writers might also be counting the cost of the WannaCry attack. Not only are companies around the world now beefing up their defences against such attacks, but the entire business model of the crime has been undermined by the fact that paying the WannaCry ransom didn’t unlock victims’ files, because – unusually – there was no means of linking payments to infected computers.
“The business model has been established for some time and somebody has come along and done something quite different that’s had a big impact,” said Symantec’s O’Brien. “They’re not the first group who have let down the people who paid the ransom, we’ve seen it happen a lot in the past.” But they’re certainly the highest profile. Ransomware won’t go away, but it might be a less effective means of extortion from now on.
On 12 May, NHS hospitals were confronted with a clumsy ransom note asking for US$300 in bitcoins within three days
From his house Marcus Hutchins stymied the malware by quickly registering the key domain
WannaCry caused hospitals to cancel operations and turn away A&E patients – even newborn babies weren’t tagged due to the PC failures
It wasn’t just the NHS that fell victim to the malware – many firms around the world were also affected, including Renault and FedEx