on Windows XP. That could be one of the reasons for the relatively lower number of infected PCs running Windows XP. Developers build these protocols using advanced mathematics, which makes it impossible to break and duplicate currencies. These protocols also mask the identities of cryptocurrency users.
HOW IS IT PROPAGATED?
Malwarebytes is an American Internet security company specializing in anti-malware software. According to them, “The initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ‘EternalBlue’ SMB vulnerability”. In general, executable (ready-to-run) programs are often identified as binary files. ‘WinMain()’ is the C-language entry point function of any Windows application. The ‘WinMain()’ of this executable first tries to connect to a non-existent website. It does nothing apart from trying to connect to the given website. If the connection succeeds, the binary stops running. This is, in effect, a kill switch or an anti-sandbox technique. (A sandbox is a popular security mechanism used to isolate running programs. Sandboxes are often used to execute untested or untrusted programs or code.) Whichever it is, it backfired on the authors of the worm.
Security researcher Marcus Hutchins accidentally discovered the domain name when inspecting the malware’s code and registered that particular web address (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) with an Internet registrar for a paltry $10.69, thus halting the spread of the ransomware. The interesting thing is that it had been speculated that this was added to the code as a mechanism to prevent it from running on quarantined machines used by antivirus researchers. He also observed that some sandbox environments respond to all queries with traffic in order to trick the software into thinking that it is still connected to the Internet. In this case, the software attempts to contact an address which does not exist. Since a sandbox environment responds to the query and mimics being connected to the non-existent address, the ransomware can detect that it is, in fact, running in a sandbox, and do nothing if so. This is a clever trick used by attackers to mislead sandbox mechanisms.
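Because the kill-switch lookup is the first network action the worm takes on a newly infected host, a defender can use DNS resolver logs to find machines that were hit even after the domain was sinkholed. The following is an added example, not code from the article: it scans constructed log lines in a hypothetical "<timestamp> <client_ip> query <name>" format and lists the clients that looked up the kill-switch domain.

```python
import re
from collections import defaultdict

# Kill-switch domain named in the article (the one registered by Marcus Hutchins).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample DNS resolver log lines (hypothetical format, not real traffic).
SAMPLE_DNS_LOG = """\
2017-05-12T07:44:01Z 10.0.0.15 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:44:02Z 10.0.0.15 query update.example.com
2017-05-12T07:44:05Z 10.0.0.23 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:44:09Z 10.0.0.15 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:44:11Z 10.0.0.42 query mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def parse_dns_line(line):
    """Return (timestamp, client_ip, queried_name) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name = m.groups()
    return ts, client, name.lower().rstrip(".")

def is_kill_switch_query(name):
    """True if the queried name is the kill-switch domain or a subdomain of it."""
    return name == KILL_SWITCH_DOMAIN or name.endswith("." + KILL_SWITCH_DOMAIN)

def find_suspected_hosts(log_text):
    """Map each client IP that looked up the kill-switch domain to its query timestamps.

    A successful lookup only stops the binary on that host; it does not mean the
    host is clean, so every querying client needs an SMB patch check and review.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_dns_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected format
        ts, client, name = parsed
        if is_kill_switch_query(name):
            hits[client].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for host, times in sorted(find_suspected_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```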
CYBER-ATTACK AND RANSOM COLLECTING
WannaCry began affecting computers worldwide on the 12th of May 2017. It is assumed that the initial infection in Asia happened at 7:44 am UTC via an exposed, vulnerable SMB port. When executed, the malware first checks for the existence of the kill-switch domain. If it is not found, it starts encrypting the computer’s data, replacing the existing files with versions encrypted using AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman). Thereafter, it attempts not only to infect computers on the same network but also to exploit the SMB vulnerability to spread to random computers on the Internet. The payload of the ransomware changes the desktop wallpaper and displays a message informing the user that their files have been encrypted, demanding a payment of around $300 in Bitcoin within 3 days, or $600 within seven days. To collect the ransom, three hardcoded Bitcoin wallets (addresses) were used. According to the Wikipedia article about WannaCry, as of 14 June 2017 at 00:18 ET, a total of 327 payments totaling $130,634.77 (51.62 XBT) had been transferred. (XBT: Bitcoin currency code; 1 XBT was worth approximately $2,500 at the time of the attacks.)
RESPONSES FROM EXPERTS
Once the kill switch was found and activated, it severely slowed the spread of the initial infection and bought time that was well used to deploy the required defensive mechanisms throughout the world. Researchers discovered that the Windows encryption APIs used by WannaCry may not completely clear the prime numbers used to generate the payload’s private keys from the computer’s memory. This paved the way to retrieving the required key, provided those numbers had not been overwritten or cleared from memory. ‘WannaKey’ is an automated tool developed by a French researcher which makes use of this behaviour to recover the private key on a Windows XP system.
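The recovery described above works because knowing one prime factor of an RSA modulus is enough to rebuild the whole private key. The following is an added example, not WannaKey's own code: it plants a toy 32-bit prime in a constructed memory image, finds it by testing each window as a divisor of the public modulus, and rebuilds the private exponent. The parameters are constructed for illustration and far smaller than the 2048-bit keys the real malware used.

```python
from math import gcd
import random

# Toy RSA parameters (constructed; real WannaCry keys are 2048-bit).
P = 2147483647            # 2^31 - 1, the prime we pretend was left behind in RAM
Q = 4294967291            # 2^32 - 5, the other prime, not in the image
N = P * Q                 # public modulus, recoverable from the public key file
E = 65537                 # public exponent

def build_fake_memory_image(prime, total_len=4096, offset=1234, seed=7):
    """Construct a buffer of deterministic pseudo-random filler with the prime's
    little-endian bytes embedded at a fixed offset (Windows CryptoAPI stores key
    material little-endian). The layout is an assumption made for the example."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(total_len))
    size = (prime.bit_length() + 7) // 8
    buf[offset:offset + size] = prime.to_bytes(size, "little")
    return bytes(buf)

def scan_for_factor(image, n):
    """Slide a window of half the modulus size (as for a balanced RSA key) over the
    image; the only values that divide n non-trivially are its two primes."""
    size = (n.bit_length() + 15) // 16
    for off in range(len(image) - size + 1):
        cand = int.from_bytes(image[off:off + size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None

def recover_private_key(image, n, e):
    """Rebuild the private exponent d from one recovered prime; None if not found."""
    p = scan_for_factor(image, n)
    if p is None:
        return None
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return None           # malformed key: e must be invertible mod phi
    return pow(e, -1, phi)    # modular inverse (Python 3.8+)

if __name__ == "__main__":
    d = recover_private_key(build_fake_memory_image(P), N, E)
    m = 123456789
    print("recovered key decrypts correctly:", pow(pow(m, E, N), d, N) == m)
```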
After releasing the patch for Windows XP and Windows Server 2003, the head of the Microsoft Cyber Defense Operations Center, Adrienne Hall, said that “Due to the elevated risk of destructive cyber-attacks at this time, we made the decision to take this action, because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt”. Moreover, experts advise against paying the ransom, as there are no reports of people getting their data back even after paying. The high revenues and publicity could also have encouraged new campaigns such as the recent Petya attack, a cyber-attack that began in Ukraine on June 27th and spread to affect many of the world’s largest companies. Upon infection, it encrypts its victims’ files and demands a ransom payment to unscramble them – but is in fact purely destructive in nature. Even though Petya was made to look like ransomware, experts believe that it is not. They suspect that the motive behind the Petya attack was to target Ukrainian organizations and that it was made by criminal masterminds in Russia (or, some suspect, the Russian government).
IMPACT OF WANNACRY
According to Europol, this ransomware attack was unprecedented in scale. A report by Kaspersky Lab states that the four most affected countries were Russia, Ukraine, India, and Taiwan. It also affected many NHS (National Health Service, UK) hospitals in England and Scotland. During the NHS attack, up to 70,000 devices – including MRI scanners, blood-storage refrigerators, and theatre equipment – may have been affected. ‘Nissan Motor Manufacturing UK’ in England halted production at several sites in an attempt to
42 University of Peradeniya Gauge Magazine