
Wana Decrypt0r (Wanacry Ransomware) - Computerphile

May 01, 2020
What steps have you taken to discover this? I ran it on my own machine. Actually, that's not entirely true: I ran it on a virtual machine. So I installed a virtual XP machine, unpatched for this current patch; it was not connected to the internet. I downloaded the WannaCry exe and ran it, and my files got encrypted and the warning message appeared. This is not something people should try at home. No, I would advise against it. So there is nothing, there is nothing inherently scary about the software in the sense that if it's not connected to the network it won't spread, and if you don't have anything valuable on your machine you won't lose any files. But on the other hand, I'm not running it here on a university network, because I don't want to be the first person to introduce anything to it, so, you know, just in case. So, no, let's not open that door. So where do we start in this mess?
Okay? First of all, what is it called? So I call it WanaDecryptor or WanaCryptor. It's been WanaCry, WannaCry, WanaCryptor, WanaDecryptor, WanaDecrypt0r 2. As far as I can tell, the source code has WanaCryptor in it; a lot of people shorten it to WanaCry, and there's this kind of .WNCRY extension that it uses for your encrypted files, which is the one that spells WannaCry. So yeah, okay, I don't know, I'm calling it WanaCryptor, but I may not mention it by name again because we all know what we're talking about. It's ransomware, so ransomware is any trojan, worm or virus that essentially encrypts your files and then tries to charge you money for reversing that process. Without giving them too much credit, for obvious reasons, it is a pretty smart way to commit a crime, because if an antivirus is not immediately alerted then the damage is already done, and many times you won't get the key back unless you pay. So you have to restore from a backup that a lot of people don't have, or you have to accept that your files are gone, or you have to pay. So it's not surprising that the biggest thing in the news recently in terms of attacks has been ransomware, because of the immediate impact that it has on standard users.

There are loads of other types of malware, you know, bank fraud malware, keyloggers and things like botnet code, which are also a really big problem, but maybe take up less news because they don't attack the NHS. For those of you who don't live in England, you may not know much about the NHS, which is our taxpayer-funded health service. So we all pay taxes, and then those taxes contribute to the health service and we all get healthcare. Maybe we all need to calm down the rhetoric a bit, you know, the NHS itself is not under attack. Well, for the media it is: if you can make your headline say "attack on the Health Service" then you will get a lot of clicks, right. So that's the first thing that happened, and in fact only a small subset of health care machines have actually been taken down by this ransomware, and a lot of this has been preventative, so shut down a server just in case it gets it, until we can be sure that nothing on the same network has the trojan worm. So yeah, it's a big deal and it has infected many machines, but there are many other major ransomware out there; for example CryptoWall had made millions of dollars for its developers. So this is not the only one, it is not the first, and unfortunately it probably won't be the last.

Let's talk a little bit about what happened. So on Friday, several machines started getting infected with this. Now I don't think the exact nature of the initial infection is known at this time; it might be by the time this video comes out, fine, so maybe it's already outdated, but it probably arrives by email, right, which essentially makes it a trojan, because it sends an email with a spear-phishing attack or a phishing attack that says you should click on this for some reason, and you trick a user into doing it. Now, you don't need to trick a lot of users to get a return on your investment in some sense, because once they get infected, it's a lot of money. This trojan or this worm is a little bit unusual because it actually carries a self-replicating payload.
Most ransomware does not do this. With most ransomware, the idea is to basically send emails to as many people as possible. Some of them, a small subset of them, will be tricked into clicking on them, and some of those will pay the ransom; that is the logic. This uses an exploit that was first found by the NSA and takes advantage of Windows, so this vulnerability has existed in Windows for quite some time. I mean, it exists in Windows XP, which existed in 2001, and so on, and it seems to have disappeared at some point in Windows 10. So it was patched in March, and we don't know, I think the vulnerability doesn't exist in Windows 10, so it was patched in March in Windows 7, yes, and in any operating system that Microsoft is actively patching, i.e. Windows 7. I don't believe Windows Vista any longer; there are many copies of Windows, rightly or wrongly, that still have this vulnerability. This is a vulnerability in the SMB protocol, which is usually used to share files over networks. It is very common, because imagine that large organizations like to share files from a central server with all their smaller machines instead of everyone storing all the files all the time. So what happens when this worm lands is that this worm will start either with an email, probably, or someone will deliver it via USB, which seems less likely, but it's probably an email. It just needs one person on the network to click it and they get the ransomware, and then it starts scanning port 445 for other unpatched installations. So this is a targeted exploit that will be able to execute this same code on the target machine, and then it will spread, etc., and that's why it spreads so quickly.

The NSA discovered this execution capability quite a while ago, five or six years ago we think; we don't know exactly because they don't tell us. And instead of telling Microsoft about this exploit, they decided to sit on it with the idea that they could then use it in their own exploit kit. So their exploit became EternalBlue; that's the codename for this particular exploit, and in a sense it wasn't heard from again for a while. It was probably used by government agencies to carry out their counter-terrorism tasks and so on, until they were hacked by another group called The Shadow Brokers, who decided to try to sell some of these tools and then released them on the Internet. So Microsoft patched this vulnerability in March, and then in April, Shadow Brokers released EternalBlue's code on the web.
It was only a matter of time before someone put this into a piece of self-replicating ransomware, because the faster you do it, the more people are still unpatched when you do it, right, and then you do damage and so on. The key difference between this ransomware and the previous ransomware we have seen is the fact that it can properly self-propagate. Sometimes these things are built into self-replicating programs, but in this one, this EternalBlue exploit essentially means that on your machine, if it's not patched, you don't have to click yes; another machine will load the payload and run it without asking questions. And if you run a server that has volume shadow copies and things like that to back it up and restore it, you might get asked for a yes or no answer later in the process, but a little bit late, you know, after a lot of things have already been encrypted. So most trojans, if you're very careful about running email attachments, you'll never get them, because you'll just see, oh, it's a trojan, or I just don't want to go to that website, it seems malicious, so you don't do it. You don't get them even if you don't have an antivirus, but if you don't have this update you can still get it even though you haven't done anything other than maybe being a little lazy with the updates at some point. Over the weekend, obviously a lot of researchers were looking into this, no, um, so I was looking into it and running it purely out of interest, you know?
I don't know. I'm not writing any tool to get rid of it or anything clever, but there are a lot of researchers. So what they will do is run this in a virtual machine or in some kind of special sandbox where it is isolated, figure out what it does and try to figure out how they could stop it, try to work out how they could take the role of a command and control server, for example, and just tell it to stop or something. Now a researcher, MalwareTech, whose blog is really interesting and we'll link to it at the bottom, he basically hit the kill switch for this, because they were watching what it did and they pulled it apart, and it checked for the existence of this unregistered internet address. So he basically said, he did a DNS lookup and said who has this internet address, and no one had it, so his first response was, well, if we register that internet address we get communication from all the installations of this and we can track how many people have this.
It is interesting from a research point of view to look at how it spreads, but in fact what really happened within the code was that if this web address existed, it just stopped running. The hypothesis is that it's doing some sort of Volkswagen emissions situation, where it realizes that it's running in some kind of lab environment and it closes. But basically, as soon as they registered this web address, all future installations of WanaCryptor, WanaDecryptor, closed immediately upon startup, which was obviously very good news. So without realizing it they saved a lot of people a lot of time and effort and maybe money. That is not the end of this story.
I mean, presumably people have seen that? Yeah, so there have been multiple versions of this with modified settings and different, um, where probably, I think they essentially just tried to hex-edit the kill switch and run it again, right, and, um, yeah, that's not unexpected. MalwareTech said this was going to happen; it is very expected, because the code is not difficult to change to avoid the whole kill switch. Obviously their attempt to circumvent some of the researchers' abilities has failed and they have inadvertently reduced the impact of the virus or worm, so they will simply launch it again and send another large number of emails. Now, hopefully, people now know it exists and people are aggressively updating their systems, and it will have less impact, but some people will surely suffer from it again. I think China is getting hit pretty hard today; it's passing through China right now. So it tends to hit networks and spread until people realize what's going on and put a stop to it. Not everyone has this, right? I don't have it, right? You don't have it? No one here is noticing it as far as we know. And that's because these SMB ports are blocked internally through our firewall; as they come in, they are blocked, so an infected NHS machine cannot point at a university computer because the ports are blocked. Many of the networks would have been compromised when a machine inside the network has been compromised and it spreads through the internal parts of a network. Most ransomware is a trojan in the sense that it pretends to be something else and appears on your computer, usually through an email attachment.
This is also a trojan in that sense, because that's probably what happened here, but it's also a worm in the sense that it can spread using this exploit. So this EternalBlue exploit already exists and the NSA has known about it for some time. It's already been patched, but a lot of people aren't installing updates as vigorously as they should, and also Microsoft doesn't routinely release updates for Windows XP, so anyone running Windows XP, and also now Windows Vista and so on, won't have had that update, because that is not what is happening. Now, in a kind of unusual move, Microsoft has pushed an update to XP due to the severity of this. But that's unusual. If you are running XP, the first thing you should do is shut down your machine, because you don't have to run XP, and you're not going to get many updates because that's not what Microsoft is doing. This is a bit like having a car that no one makes parts for anymore. It's exactly like that; in fact, it's a good analogy, I think. That's why people are blaming Microsoft for this; there's a lot of blame to go around. Microsoft shares some of the blame, but in some ways what happened is we all drive around in 1940s Fords and then when we have an accident, I'm complaining that the airbag didn't deploy, right; there wasn't an airbag in the 1940s, so, it's true, unless you take it to the garage and have one installed, you know, it's that kind of principle. So yeah, Microsoft wrote an OS with this bug; all OSes are buggy, all software is buggy. They patched it quickly when they found it; they patched it in March. It's not in Windows 10 anyway, and they've aggressively released patches for previous operating systems to try to fight it, so at least they have tried to take all possible steps to resolve this.
The problem is that large organizations like the NHS have legacy software, say drivers for scanners and MRI machines, etc., that maybe they bought 10 or 20 years ago, and they are still running XP because the software is not compatible with modern versions of Windows. That's all a political problem for which I don't know, I don't know, I don't have all the answers. So the CIA leaks from a few months ago showed that the CIA also has a sort of, let's say, back catalog of exploits that they keep in hand, so the NSA and the CIA reveal some problems that they find, but if they find a bug, a normal security researcher will disclose it privately to the company to release a patch and then publish it later, partly for media purposes and partly because it encourages people to install the updates. The NSA and other government agencies do not do it.
They operate this policy all the time because they consider some of these exploits to be useful in combating terrorism and other criminal activities, which may or may not be the case, but what happened in this case is that they allowed themselves to be hacked by another group that has had no ethical concerns about just publishing everything, right. So this actually clearly goes back to our talk on end-to-end encryption, because I said that what they are doing by introducing a backdoor is introducing a very big point of failure. That's exactly what happened here: the NSA didn't tell anyone about it because they felt they could use it privately for the benefit of their country, and that may have been the case, but it's no longer the case because someone hacked them and it's public.
It's a big deal when that kind of thing happens, so there are already people, I mean, Microsoft on their blog has already mentioned this, and Ross Anderson mentions it on his blog, and we'll link to both at the bottom, you know. They can't just wash their hands of this completely. They may say, "Well, you know, we're doing this to combat terrorism," but in some ways this is also their fault because it was their exploit that was used. Today's headlines say it's a wake-up call; well, actually, people like Ross Anderson and other security experts have been saying this for years. This isn't the first time we've noticed that old machines are vulnerable to attacks, so yes, maybe it is a wake-up call, but people need to be alert, aggressively install the latest operating systems and update. As far as I know, you can't turn off updates in Windows 10, and that seems like a good idea to me, because people will turn them off. Oh, I don't want it to restart now, I'll turn it off and restart it later, and that's when they get hit by a piece of ransomware. Buying some emergency in the future by the robot chauffeur that will actually take him to work while he's sitting around packing up some code, and then we have the technical problems and the business problems of how to produce software updates that match.
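As an added example, not from the video or from Computerphile: two things the speaker describes, an infected host scanning port 445 across the LAN looking for unpatched SMB, and a border firewall that blocks SMB so outside infections cannot reach the network, both leave recognisable patterns in ordinary connection logs. The script below (written for this page) flags internal hosts that contact many distinct machines on TCP/445, and lists inbound 445 attempts from outside the internal range. The log layout ("timestamp src dst dst_port", one record per line), the addresses and the flows are constructed for illustration; the 10.0.0.0/8 internal range and the threshold of five distinct targets are assumptions to tune for a real network.

```python
"""Spot SMB (TCP/445) sweeps in connection logs.

Added example for the worm behaviour described in the video: an infected
host scans port 445 looking for other unpatched SMB services, and a border
firewall that blocks 445 keeps outside infections from reaching the LAN.
Both the record layout ("timestamp src dst dst_port", one per line) and the
flows themselves are constructed here for illustration; they are not a real
log format or real traffic.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address range for the example network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample: 10.0.1.15 sweeps seven neighbours on 445 (worm-like),
# 10.0.1.40 talks to a single file server (normal SMB use) and browses HTTPS,
# and an outside host probes 445 from the internet.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:01 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.26 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:04 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:05 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:05 10.0.1.40 93.184.216.34 443
2017-05-12T10:00:06 203.0.113.7 10.0.1.15 445
2017-05-12T10:00:06 203.0.113.7 10.0.1.16 445
"""


def parse_flows(text):
    """Parse flow records into (timestamp, src, dst, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((ts, src, dst, int(port)))
    return records


def smb_sweepers(records, threshold=5):
    """Map each source to the number of distinct hosts it contacted on 445,
    keeping only sources at or above the threshold.

    A worm probing the LAN touches many distinct targets quickly; a client
    using a file server touches one or two. The threshold is a tuning knob.
    """
    targets = defaultdict(set)
    for _, src, dst, port in records:
        if port == 445:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def external_smb_attempts(records, internal_net=INTERNAL_NET):
    """Return 445 connection attempts whose source lies outside the internal range.

    Any hit here means inbound SMB is reaching the LAN, i.e. the border
    firewall is not blocking it the way the video describes.
    """
    return [
        rec for rec in records
        if rec[3] == 445 and ipaddress.ip_address(rec[1]) not in internal_net
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, count in smb_sweepers(flows).items():
        print(f"possible SMB sweep from {src}: {count} distinct targets on 445")
    for ts, src, dst, _ in external_smb_attempts(flows):
        print(f"inbound SMB from outside at {ts}: {src} -> {dst}")
```

On the constructed sample the sweep detector reports only 10.0.1.15 (seven distinct targets; the repeated probe of 10.0.1.20 is counted once), the file-server client stays below the threshold, and the two probes from 203.0.113.7 show up as inbound SMB that a correctly configured border firewall would have dropped.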
