Wanna Decryptor: what is the NSA 'atom bomb of ransomware' behind the NHS attack?
The Wanna Decryptor ransomware, also known as wncry, is said to have been responsible for the recent NHS cyber attack
NHS Digital recently confirmed that the recent NHS cyberattack used the Wanna Decryptor ransomware to infect the systems of at least 16 UK trusts. Ransomware Trojans are a type of malware designed to extort money from victims by holding files or entire computers to ransom. The ransomware typically demands payment to undo changes that the Trojan virus has made to the victim’s computer, which range from encrypting data stored on the victim’s disk to blocking normal access.
Wanna Decryptor
Wanna Decryptor is a so-called encryption-based ransomware, also known as WannaCry or WCRY, Travis Farral, director of security strategy for Anomali, told WIRED. It encrypts users' files using the AES and RSA encryption ciphers, meaning the files can only be decrypted with a unique decryption key held by the attackers.
In previous Wanna Decryptor attacks, victims have been sent ransom notes with "instructions" in the form of !Please Read Me!.txt files, linking to ways of contacting the hackers. Wanna Decryptor also changes the computer's wallpaper to a message asking the victim to download the decryptor from Dropbox, before demanding a payment worth hundreds of dollars in bitcoin to make it work.
Put more simply, once inside the system Wanna Decryptor creates encrypted copies of specific file types before deleting the originals, leaving the victims with the encrypted copies, which can't be accessed without a decryption key.
Wanna Decryptor additionally increases the ransom amount, and threatens permanent loss of data, after a predetermined time, creating a sense of urgency and greatly improving the chances that victims will pay.
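The "encrypt a copy, then delete the original" pattern described above is something a defender can look for in file-system telemetry. The following is an added example, not code from the article or from any of the vendors it quotes: it scans a constructed list of file events for originals deleted shortly after an encrypted-looking copy appeared, and for the !Please Read Me!.txt note. The `.locked` suffix, the event format, the monitored file types and the time window are all assumptions made for the example.

```python
"""Flag ransomware-like file activity (added example, not the article's code)."""
from pathlib import PurePosixPath

RANSOM_NOTE = "!Please Read Me!.txt"              # note name cited in the article
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".jpg"}  # assumed document types to watch
WINDOW_SEC = 60                                   # assumed "shortly after" window

# Constructed sample events: (timestamp_sec, action, path)
SAMPLE_EVENTS = [
    (0, "create", "/home/alice/report.docx.locked"),
    (1, "delete", "/home/alice/report.docx"),
    (2, "create", "/home/alice/budget.xlsx.locked"),
    (3, "delete", "/home/alice/budget.xlsx"),
    (4, "create", "/home/alice/!Please Read Me!.txt"),
    (5, "delete", "/home/alice/old_backup.tmp"),   # benign: not a watched type
    (900, "create", "/home/alice/photo.jpg.locked"),
    (999, "delete", "/home/alice/photo.jpg"),      # copy too old: outside window
]


def analyse(events, window=WINDOW_SEC):
    """Return (suspect_pairs, ransom_notes, score) for a list of events."""
    created_at = {}
    for ts, action, path in events:
        if action == "create":
            created_at[path] = ts

    suspects = []  # (deleted original, encrypted-looking copy)
    notes = []
    for ts, action, path in events:
        p = PurePosixPath(path)
        if action == "create" and p.name == RANSOM_NOTE:
            notes.append(path)
        elif action == "delete" and p.suffix.lower() in TARGET_EXTS:
            # A copy whose name extends the original's, created just before the delete
            copies = [c for c, cts in created_at.items()
                      if c != path and c.startswith(path) and 0 <= ts - cts <= window]
            if copies:
                suspects.append((path, copies[0]))

    score = len(suspects) + 5 * len(notes)  # assumed weighting: a note is a strong signal
    return suspects, notes, score


if __name__ == "__main__":
    pairs, notes, score = analyse(SAMPLE_EVENTS)
    for original, copy in pairs:
        print(f"original {original} deleted after {copy} appeared")
    print(f"ransom notes: {notes}, score: {score}")
```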
It is unclear how the Wanna Decryptor ransomware infected the NHS systems, but it can spread through phishing emails or after visiting a website containing a malicious program. According to Avast, Wanna Decryptor, or WanaCrypt0r 2.0, is most likely spreading to so many computers by using an exploit developed by the Equation Group, which is widely suspected of being tied to the NSA.
NSA Shadow Brokers
For several months, the Shadow Brokers hacking group, which obtained files from the NSA, has been releasing parts of the agency's hacking tools.
As well as the ransomware being seen in the UK, it has also reportedly appeared in Spain and other countries around the world. CCN-CERT, the Spanish computer emergency response organisation, issued an alert saying it had seen a "massive attack of ransomware" from WannaCry – a version of Wanna Decryptor. "The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network," a translated version of the statement said.
The vulnerability (MS17-010) affects Microsoft Windows systems, including Windows Vista, 7, 8 and 10 and versions of Windows Server. Microsoft announced the vulnerability on March 14 and recommended users patch their devices. Microsoft fixed MS17-010 in its March release, but it is likely the affected organisations had not patched their devices before the malware spread. As reported by Ars Technica and other organisations, the exploit for MS17-010, known as "EternalBlue," was linked to the Shadow Brokers leak.
How bad is Wanna Decryptor?
Rohyt Belani, CEO of PhishMe, told WIRED Wanna Decryptor is "the atom bomb of ransomware," describing it as a dramatic shift from the typical impact of ransomware in previous attacks.
How did Wanna Decryptor spread?
While the cause of infection has not yet been confirmed, Belani said almost all attacks have been delivered via phishing email. "This is the second time in two weeks we've seen nefarious activities propagating in a worm-like fashion, which may be a sign of things to come," Belani warned. PhishMe co-founder and CTO Aaron Higbee added that he believes ransomware "actors" are in a retooling stage. "These attacks confirm that theory and, as malware authors change their tactics, responders will need to be vigilant to follow suit," Belani continued. Malwarebytes has published a detailed technical analysis of how the Wanna Decryptor worm spreads.
How to protect yourself?
Avast said it detects all known versions of WanaCrypt0r 2.0, as does other anti-virus software. The safest way to protect yourself is to avoid clicking links from unknown sources. Security experts have strongly recommended that all Windows users fully update their systems with the latest available patches.
"It is critical you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability," added Malwarebytes. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks.
Additionally, any system affected by this attack will have the DOUBLEPULSAR backdoor installed, and this will need to be removed. Certain anti-virus products, including Malwarebytes, protect against this backdoor, but a script is also available that can remotely detect and remove it.