WannaCrypt outbreak contained as hunt for masterminds kicks in

A feared second wave of WannaCrypt ransomware attacks has failed to materialize, but 16 UK National Health Service Trusts are still grappling with last week's infection.

WannaCrypt spread like wildfire last Friday, infecting computers and disrupting operations at 47 NHS Trusts, US firms including FedEx, Spain's Telefonica, Russia's interior ministry and thousands of Chinese institutions. Victims were told they could uninfect their machines by paying the equivalent of US$300 in digital currency BitCoin. The NHS's online arm said it had "received no reports of patient data being compromised."

In a recently updated statement, the UK's National Cyber Security Centre (NCSC) said that the situation had stabilized.

Since the global coordinated ransomware attack on thousands of private and public sector organizations across dozens of countries on Friday, there have been no sustained new attacks of that kind. But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks.

The NCSC is working closely with the National Crime Agency on the UK end of a criminal investigation, and with international partners in other governments and the commercial sector to combat the threat. The European Cybercrime Centre, EC3, at Europol said that the "recent [WannaCrypt] attack is at an unprecedented level and will require a complex international investigation to identify the culprits."

UK Health Secretary Jeremy Hunt and Home Secretary Amber Rudd are attending a meeting of COBRA, the Cabinet's rarely convened crisis response committee. Ahead of the meeting, Hunt told reporters that the level of criminality associated with the outbreak was at the "lower end" of what the government had expected.

Indications are that the attack is the work of profit-motivated cybercriminals rather than a nation state-sponsored hacking crew.

Follow the money

Three Bitcoin wallets associated with WannaCrypt have received almost $55,000 in transfers since the beginning of the outbreak, a pitifully small sum considering the scope of damage. It is understood the decryption keys are issued manually, too, meaning it's unlikely you'll get a key from the malware's masterminds. Essentially, don't pay the ransom.

"We have confirmation that some of the 200+ ‪WannaCry‬pt victims who have paid the ransom have gotten their files back. Still, not recommended," said Mikko Hypponnen, chief research officer at security firm F-Secure, in a Twitter update.

Funds have not been extracted from the relevant Bitcoin wallets as of the time of writing on Monday afternoon UK time.

Criminals behind WannaCrypt piggybacked on publicly dumped Equation Group exploits – originally stolen from the NSA before they were leaked in April – as the distribution vehicle for the WannaCrypt ransomware.

The initial infection method of WannaCryptis unclear, and the focus of much technical scrutiny that has thus far found no evidence of phishing as a vector. Once the ransomware gets into a network, it spreads quickly onto any unpatched Windows computers. The worm-like spreading capabilities strongly differentiate the ransomware from earlier file-encrypting strains of malware such as CryptoLocker and Locky, which predominantly spread using booby-trapped emails.

"We believe the criminals behind WannaCry didn't intend such a widespread attack, nor did they possess the expertise to properly enable or protect the malware from reverse engineering," according to threat intelligence firm Recorded Future.

The worm that the as-yet unidentified authors of WannaCrypt created can be modified to drop almost anything. After the initial attack, various unknown miscreants have been trying to rejig the ransomware worm, so far without success.

Ryan Kalember, SVP of cybersecurity strategy at Proofpoint, explained: "As of yesterday [Sunday], two additional variants of WannaCry ransomware had appeared. These appear to be 'patched' versions of the original malware, rather than recompiled versions developed by the original authors.

"The first variant, WannaCry 2.0(a), pointed its 'kill switch' to a different internet domain – which was also promptly registered and effectively sinkholed, stopping its spread. The second variant, WannaCry 2.0(b), had the 'kill switch' functionality removed, thus enabling it to propagate – but the ransomware payload fails to properly deploy, causing no direct impact to targeted systems."

Microsoft took the highly unusual step of releasing a patch to defend unsupported systems – including Windows XP – against the WannaCrypt and other nasties that attempt to abuse the MS17-010 patch it made available for supported systems back in March.

The NHS's online arm said that Windows XP use within the health service had fallen to 4.7 per cent, with this figure continuing to decrease, and explained why it continued to use obsolete systems:

"Some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network," it said.

Background information on ransomware in general – and how to combat it – can be found on the nomoreransom.org site‬, a resource put together by Europol, Dutch Police and IT industry partners. ®

Now read our analysis of the WannaCrypt worm.