Wanna Cry: Diary of a ransomware attack
HOW IT UNFOLDED
How it unfolded – and how one man stopped it
May’s ransomware attack crippled parts of the NHS, but its origins can be traced back to last August. Barry Collins investigates how one of the world’s biggest cyberattacks unfolded
“I’ve been shaved down the front because they were going to open me up. Nil by mouth since this morning. And then at half past one the surgeon turned up and said unfortunately we’ve been hacked and there’s nothing we can do, we can’t operate on you today.”
The angry heart patient who vented his anger at the BBC cameras was far from the only victim of the cyberattack that took place on Friday 12 May. No fewer than 61 NHS trusts were hit by the WannaCry attack, forcing hospitals to cancel operations, turn away A&E patients and switch off all computer equipment.
It rapidly escalated into a national crisis, but it wasn’t only Britain’s health service that was under attack – organisations across the globe were switching on computers to discover a ransom note demanding $300 to decrypt their files.
In the end, the attack was largely halted by the remarkable actions of one man. But how did it start in the first place? How were the American security services involved? And how did one guy working from home in Devon bring it all to an end? Here’s the blow-by-blow account of one of the world’s biggest cyberattacks.
Tuesday 14 March 2017
Sysadmins everywhere heave a deep sigh, as Microsoft releases its monthly Patch Tuesday batch of updates. There are no fewer than 18 separate bulletins and patches to apply, seven of which carry the company’s highest state of alert: critical.
Amongst them is the innocuously titled bulletin MS17-010, Security Update for Microsoft Windows SMB Server (4013389). “This security update resolves vulnerabilities in Microsoft Windows,” read Microsoft’s bulletin, in its typically deadpan style. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
The patch is wide-ranging, plugging holes in Windows Vista, 7, 8.1 and Windows 10, as well as every version of Windows Server since 2008.
Microsoft publicly tips its hat to security researchers who discover vulnerabilities in its OSes, publishing acknowledgements along with its security bulletins. Almost every other bulletin in that bumper March pack is credited to some security researcher or other: Mateusz Jurczyk at Google, Haifei Li of Intel Security, Qiang Liu from McAfee. The discovery of vulnerability MS17-010 remains curiously unattributed. Who found the hole?
Saturday 8 April 2017
The answer appears to be the US security services. In August 2016, a group known as TheShadowBrokers emerges, claiming to have stolen dozens of hacking tools that had been developed by the US National Security Agency (NSA) for its own hacking purposes. They include a bunch of exploits targeting Windows.
TheShadowBrokers initially make a ham-fisted effort to auction the hacking tools on the internet, attempting to sell the NSA-grade exploits to the highest bidder. But nobody’s biting. Buying exploits over the internet is one thing; buying tools that the NSA would desperately be attempting to trace is a whole new level of risk.
TheShadowBrokers’ behaviour becomes increasingly erratic. On 8 April, the group releases a bizarre diatribe addressed to Donald Trump, urging him to “bring America to the world”, to assert “white privilege” and offering its services to the administration. “TheShadowBrokers wishes we could be doing more, but revolutions/civil wars taking money, time, and people,” the message reads. “TheShadowBrokers has is having [sic] little of each as our auction was an apparent failure. Be considering this our form of protest.” It then publishes a password for an encrypted cache of tools, contained within which is an exploit called EternalBlue that targets vulnerability MS17-010 – the one Microsoft patched in March’s security update, but which of course won’t yet have been applied to all vulnerable machines. Not to mention the sizeable minority of systems still running the unsupported Windows XP and Windows Server 2003, which Microsoft didn’t patch in the first place.
Security firms start crawling over the released malware code and discover a specific implementation of an encryption algorithm that was only previously found in exploits created by the so-called Equation Group, an outfit that the Russian security firm Kaspersky Labs has linked to the NSA. Other security experts, such as Bruce Schneier, claim TheShadowBrokers are highly likely to be Russian. We have ourselves a ball game.
Thursday 11 May 2017
Internet security companies get wind of a new ransomware attack. They’ve seen plenty before, of course, but this one’s a bit different. The exploit doesn’t seem to require any user intervention – it’s not goading people to click on attachments or run executables, but spreading all by itself over TCP port 445.
“Our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday,” a spokesperson for Kaspersky told PC Pro. “This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening.”
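The early-warning signal Kaspersky describes, an uptick in inbound port 445 connections the day before the outbreak, is the kind of thing a perimeter sensor can flag automatically. The following is an added example, not code from the article or from Kaspersky; the log line format, the sample entries and the three-times-baseline threshold are all constructed assumptions.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample of inbound connection attempts, in an assumed sensor
# format "<date> <src> -> <dst>:<port>" (not real Kaspersky data).
SAMPLE_LOG = """\
2017-05-08 198.51.100.7 -> 203.0.113.10:445
2017-05-08 198.51.100.9 -> 203.0.113.10:80
2017-05-09 198.51.100.4 -> 203.0.113.10:445
2017-05-09 198.51.100.5 -> 203.0.113.10:443
2017-05-10 198.51.100.6 -> 203.0.113.10:445
2017-05-10 198.51.100.8 -> 203.0.113.10:445
2017-05-11 198.51.100.11 -> 203.0.113.10:445
2017-05-11 198.51.100.12 -> 203.0.113.10:445
2017-05-11 198.51.100.13 -> 203.0.113.10:445
2017-05-11 198.51.100.14 -> 203.0.113.10:445
2017-05-11 198.51.100.15 -> 203.0.113.10:445
2017-05-11 198.51.100.16 -> 203.0.113.10:445
2017-05-11 198.51.100.17 -> 203.0.113.10:445
2017-05-11 198.51.100.18 -> 203.0.113.10:445
2017-05-11 198.51.100.19 -> 203.0.113.10:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> \S+:(\d+)$")


def count_port_hits(log_text, port=445):
    """Return {date: number of inbound connection attempts to `port`}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(3)) == port:
            counts[m.group(1)] += 1
    return dict(counts)


def find_uptick_days(counts, factor=3.0, min_baseline_days=2):
    """Flag days whose count exceeds `factor` x the median of all earlier days.

    The first `min_baseline_days` days only build the baseline and are never
    flagged, so a single noisy day cannot trigger on its own.
    """
    flagged, history = [], []
    for day in sorted(counts):
        if len(history) >= min_baseline_days:
            baseline = max(median(history), 1)  # avoid a zero baseline
            if counts[day] > factor * baseline:
                flagged.append(day)
        history.append(counts[day])
    return flagged
```

Run against the constructed sample, the SMB port shows a steady one or two attempts a day until 11 May, which is flagged; the same logic on port 80 finds nothing.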
Friday 12 May 2017
As people start switching on their PCs in offices across Europe, it quickly becomes apparent that something huge is occurring.
Early morning reports emerge from Spain of an attack on the mobile operator Telefonica, while in the UK, initial reports suggest that the NHS has been the target of a “hack”, with problems being reported at several hospitals and doctors’ surgeries.
The BBC quotes a doctor from Newham in East London who reports that “from 2pm there were problems and the computers were shutting on and off. Staff now can’t turn the computers on at all.” Meanwhile, a Yorkshire nurse texts the BBC, writing: “We were told to disconnect all computers, which we did, we’ve also been told our door entry and heating systems may also not work. Kettle still working, so we’ll be OK!”
Surprisingly, the news reports are the first place security firm Symantec hears of the attack, too. “We first became aware of it through the media,” said Dick O’Brien, a senior information developer from Symantec’s threat research team. “Initially, we didn’t get a flood of customer queries because our products were fairly effective at blocking WannaCry.” Indeed, the company had first spotted a variant of the ransomware back in April when TheShadowBrokers’ exploits were leaked, and so was on guard for a repeat attack.
The same can’t be said of the NHS. Hospitals in Blackburn, Nottingham, Cumbria and Hertfordshire all begin reporting problems, with screenshots of the ransom pop-up starting to spread across Twitter. “Ooops, your files have been encrypted!” reads a clumsily worded message, demanding $300 worth of bitcoins be sent to a specified address within three days, or else “your files will be deleted”. A Hollywood-style countdown clock on the left-hand side of the screen rams home how long victims have got to save their files.
Before long, hospitals are starting to turn patients away. “We’re aware of an IT issue affecting NHS computer systems,” tweets the Mid-Essex Clinical Commissioning Group at 3.43pm. “Please do not attend A&E unless it’s an emergency.” The message spreads across other trusts as quickly as the ransomware.
Meanwhile, heart patients are being interviewed by TV crews outside hospitals, having had their operations cancelled; newborn babies at the Royal London Hospital aren’t being tagged because the PC connected to the printer has been crippled; matrons are reportedly running around wards in Yorkshire yelling at staff to switch off their PCs.
The memo clearly hasn’t reached GCHQ, whose social media mavens tweet out a twee message in support of National Limerick Day. “It’s a good job we’re better at keeping Britain safe than writing limericks…” Unlike the ransomware, the post is swiftly deleted.
By mid-afternoon, the NHS issues a statement on its website claiming 16 NHS organisations had reported that they were being affected by the ransomware, but by now it’s clear this isn’t an attack directed at the NHS alone. Reports are emerging of similar attacks in businesses worldwide: car-maker Renault in France, the US delivery firm FedEx and the Spanish power firm Iberdrola are among countless other victims.
“It was a few hours later, when the reports came in from organisations that were heavily affected through reports in the media, that we realised the scale of the problem,” Symantec’s Dick O’Brien told us. “After that, it was a case of all hands on deck to try and analyse the ransomware and ensure our protections were as good as possible. So, it was late Friday evening that the scale of the problem became apparent, and there was an awful lot of effort to reverse engineer the malware and also on the communications side, to inform our customers what’s going on and if they were protected and what they could do to protect themselves.”
Whilst Symantec’s security analysts are scouring the malware code, a lesser-known security expert is one step ahead of them. Marcus Hutchins is at home in North Devon, enjoying a week off work from the Los Angeles-based cybersecurity firm Kryptos Logic, when he starts reading reports of a ransomware attack. “I woke up at around 10am and checked onto [sic] the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware,” Hutchins writes in a post on his blog (malwaretech.com). “There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend.”
He returns home at around 2.30pm to find the malware forum besieged with posts about the NHS attack. “I picked a hell of a f***ing week to take off work,” he tweets shortly after.