By Fernando Cuervo, Detect Monitoring Service Leader, Easy Solutions
Since May 12th, over 200,000 victims in 150 countries have been hit by a massive, international ransomware cyber attack called WannaCry.
Ransomware is a type of malware that works by seizing control of and blocking access to a computer’s files, programs, and operations.
Users are then informed that they must pay a certain amount in order to regain access to their files, with the threat of permanently losing all of their data if they choose not to pay.
In the WannaCry attack, users were given three days to make the payment before the fee increased, and seven days before the files would be lost forever. (http://blog.easysol.net/ffiec-issues-ransomware-alert/)
How did we get here?
March 14th – Microsoft released a patch for vulnerabilities in its operating system; reportedly, it was likely tipped off by the NSA. (https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html)
April 14 – The Shadow Brokers, a group of hackers that emerged in August 2016, released several hacking tools that reportedly originally belonged to the NSA. They also released a message citing various political motivations for leaking the information.
May 12 – Computers around the world running older operating systems or that had not yet been updated with Microsoft’s March security patch were infected by the massive attack. Among those affected were hospitals, universities, and government agencies.
A UK cybersecurity researcher discovered a kill switch in the attack code and inadvertently hindered the spread of the malware in the United States. However, the kill switch was unable to help systems that had already been affected, and it is likely that the hackers will send out more attacks without the kill switch included. (https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/)
May 15 – The number of victims continues to be updated as employees return to their work computers on Monday morning.
In addition, the kill switch has been turned off in the latest variant, making the previous slowing of the infection
How WannaCry remedies are only another fraud vector
The massive scope and potential financial impact of the WannaCry attack have understandably caused a lot of panic, and companies and individuals alike have been rushing to protect their devices.
However, this frenzy has opened up new damaging routes for fraud.
One of these attack routes is through mobile applications that have been found on third-party application stores.
There are various mobile applications advertising that they can be used to protect users from the WannaCry ransomware.
However, our analysts found that some of these apps contained adware meant to infect the devices they are downloaded onto.
The adware found is classified as Adware.mobidash, a module that attackers embed in Android games and apps in order to monetize them.
This adware has the capability to load webpages with ads, show other messages in the status bar, or modify the DNS server.
The latter is particularly dangerous, as the real risk lies in the end user’s device performing the unwanted activity without their authorization.
To hide this behavior, the adware does not begin its malicious activity immediately, but only after a short delay.
How to protect your business and your end-users:
- Deploy the MS17-010 update issued by Microsoft on March 14. This patches the vulnerabilities being exploited by WannaCry.
- Educate employees on how to spot and report phishing.
- Deploy a DMARC policy to reduce spearphishing emails that target employees, such as those emails used to deliver ransomware like WannaCry.
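A check for the DMARC recommendation above, as an added example that is not part of the original post: a small parser that reads a DMARC TXT record and flags the settings (p=none, a partial pct, a subdomain policy weaker than the main one, no reporting address) that would leave spoofed mail unchallenged. The sample records and the example.com domain are constructed.

```python
# Added example (not from the original post): parse a DMARC TXT record and
# list the gaps that would let spoofed mail through. Sample records are
# constructed; example.com is a placeholder domain.

# DMARC (RFC 7489) policy strength: none < quarantine < reject.
_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Return the record's tags; v=DMARC1 must come first and p= is required."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        if "=" not in pair:
            raise ValueError(f"malformed tag: {pair!r}")
        key, val = (s.strip() for s in pair.split("=", 1))
        tags[key.lower()] = val
    if not pairs or not pairs[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # sp= defaults to p=
    if tags["p"] not in _RANK or tags["sp"] not in _RANK:
        raise ValueError("missing or invalid p=/sp= policy")
    tags["pct"] = int(tags.get("pct", "100"))  # pct= defaults to 100
    return tags


def weaknesses(record: str) -> list:
    """Reasons this record would not stop a message spoofing the domain."""
    t = parse_dmarc(record)
    issues = []
    if t["p"] == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if _RANK[t["sp"]] < _RANK[t["p"]]:
        issues.append(f"sp={t['sp']} is weaker than p={t['p']}")
    if t["pct"] < 100:
        issues.append(f"pct={t['pct']} exempts {100 - t['pct']}% of failing mail")
    if not t.get("rua"):
        issues.append("no rua= address: failures are never reported to the owner")
    return issues


# Constructed records: a monitor-only policy beside an enforcing one.
WEAK = "v=DMARC1; p=none; pct=50"
HARDENED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK, HARDENED):
        print(rec, "->", weaknesses(rec) or ["enforcing"])
```

Pointing `weaknesses()` at the `_dmarc.<domain>` TXT record of each sending domain shows whether the policy actually rejects spoofed mail or merely reports on it.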
We have blogged a lot about digital trust, fake news and all sorts of tricks that criminals use to get consumers’ attention and have them click on a link.
Yet this is one area that continues to amaze us: how sophisticated the manipulation of the human factor has become.
It will only be a matter of time until we see the WannaCry theme exploited further to trick end users into installing a “patch” that allegedly prevents the new massive ransomware attack.
However, this time it will not be a patch, but a new version or variant of a financially motivated malware.
About the Author
Fernando Cuervo, Detect Monitoring Service Leader, Easy Solutions
Fernando Cuervo is an Easy Solutions engineer in charge of Detect Monitoring Service (DMS). He ensures his team is continually protecting brands from cyber fraud through the latest threat intelligence technology.
He has extensive experience in fraud detection and deactivation, network design and data transmission.
Before coming to Easy Solutions, Fernando was a Project Coordinator at RED. He speaks Spanish and English.