Ventura County Computers

WannaCry Virus Update

There have been quite a few misunderstandings regarding the WannaCry virus/worm that was unleashed on May 12, 2017. First of all, it isn't one package written by one hacker, or even by a single team of hackers. It is clearly the work of two separate groups: the people who wrote the ransomware, and the people who wrote the spreading mechanism it borrowed (more on that below). The actual cryptovirus is an amateurish, copy-cat program. Signs of inexperience abound. Normally, each victim who pays the ransom pays to a different bitcoin address, so the hacker knows who paid and can send that victim a decryption key. Not WannaCry. It uses just three hard-coded bitcoin addresses, which researchers say had collected less than $100,000 after 4 days. At $300 per infected computer, they are way under market. Those three addresses are also why the take can be counted at all: every bitcoin transaction is public on the blockchain, so anyone can watch the balances grow. What nobody can see, not even the hackers, is which victim sent which payment, because nothing in a transaction ties it to a particular infected machine. (It is the pseudonymity of bitcoin addresses, not any secrecy of the transactions, that makes hackers like bitcoin.) For the amount of damage they caused, the payback was anemic.

If the virus was so impotent, why was it so successful? It was married to an exploit from the NSA's toolkit (called EternalBlue in the leak), published in April 2017 by the group calling itself the Shadow Brokers. The exploit uses a flaw in SMBv1, the old Windows file-sharing protocol on TCP port 445, to take over any unpatched Windows machine it can reach. The ransomware's own worm code drove that exploit: once WannaCry landed on one workstation, it scanned the local network and random Internet addresses for other machines with SMB exposed and used the exploit to install itself on each one, with no user action required. Microsoft had distributed a patch in March (security bulletin MS17-010) that closed the SMB hole in all supported versions of Windows: Windows 7, Windows 8.1, Windows 10, and all servers from 2008 onward. (Windows 10 did not "come with the fix"; it was covered by the same March update, and since Windows 10 installs updates automatically, most of those machines already had it.) Vista was still supported in March and was patched then; its support ended that April. Once the virus hit, Microsoft took the unusual step of releasing patches for systems it no longer supports: Windows XP, Windows 8 and Windows Server 2003. For those who don't keep up with the intricacies of Windows 8, Windows 8 is no longer supported. Users are required to upgrade to 8.1 to continue receiving security updates.
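For anyone who would rather check their own machines than take Windows Update's word for it, here is a PowerShell script we are adding to this post (it is an added example, not part of the original write-up and not Microsoft's own tooling). It looks for the MS17-010 package, checks whether the SMBv1 server is still turned on, and turns it off. The KB numbers are the ones in Microsoft's MS17-010 bulletin as best we can reproduce them; treat that list as an assumption and verify it against the bulletin for your exact version before trusting a "not found" result. Run it in an elevated PowerShell window.

```powershell
# Added example (not from the original post): check a Windows host for the
# MS17-010 patch and for SMBv1, then disable SMBv1. Run elevated.
# Works on Windows 7 SP1 / Server 2008 R2 and later; the Get-Smb* cmdlets
# need Windows 8 / Server 2012 or later, so there is a registry fallback.

# KB numbers from the March 2017 MS17-010 release and the May 2017
# out-of-band release. ASSUMPTION: verify against the bulletin for your OS.
$Ms17010Kbs = @(
    'KB4012598',               # XP, Vista, Server 2003, Windows 8, Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (security-only, rollup)
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$os = Get-WmiObject Win32_OperatingSystem
"{0} (build {1})" -f $os.Caption, $os.BuildNumber

# 1. Is one of the MS17-010 packages installed?
#    Caveat: a later cumulative update that contains the fix will NOT show
#    the original KB here, so "not found" means "check further", not "vulnerable".
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 package present: " + ($installed.HotFixID -join ', ')
} else {
    "No MS17-010 KB found by name; compare srv.sys to the fixed version in the bulletin:"
    (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.FileVersion
}

# 2. Is the SMBv1 server still enabled? That is what the exploit talks to.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the switch lives in the registry (absent = enabled)
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ErrorAction SilentlyContinue
    $smb1 = -not ($p.PSObject.Properties['SMB1'] -and $p.SMB1 -eq 0)
}
"SMBv1 server enabled: $smb1"

# 3. Disable SMBv1 regardless of patch state. Nothing built after Windows XP
#    needs it; the exceptions are old NAS boxes and printers, so test first.
if ($smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # On Windows 8.1 / 10 the SMBv1 components can also be removed outright
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    "SMBv1 disabled; reboot to apply."
}
```

Step 3 is the part that keeps protecting you after the next SMB bug is found: a machine with SMBv1 switched off has nothing for this kind of worm to talk to, patched or not. Step 1 alone is a weak signal on Windows 10, where monthly cumulative updates replace the original March package and Get-HotFix will not list it by that name.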

We were extremely lucky that a researcher put a copy of the virus in a sandbox (a completely isolated computer network) to see how it worked. He noticed that the virus, before doing anything else, tried to contact a web server at a long, random-looking domain name, one that wasn't registered, so the request failed. He registered it, on a whim and for a few dollars, and suddenly new WannaCry infections stopped dead all over the world. The best explanation is that the check was designed to fool researchers. A malware sandbox typically answers every outbound request with a fake response, so that the sample thinks it is "in the wild." The virus's logic was: if the request to the domain fails (no such site, as on the real Internet), carry on encrypting and go looking for more computers on the network; if the request succeeds (as only a sandbox could make it do), exit quietly to make unraveling it much harder. Once the domain really existed, every copy that could reach it got a real response and exited. By registering the domain, the researcher accidentally triggered the kill switch. Two caveats: machines that had already been encrypted got nothing back, and machines whose outbound web traffic is blocked or goes through a proxy the virus can't use never see the reply, so the kill switch doesn't protect them.

Over the weekend a second variant showed up with a kill switch pointing at a different domain; whether the original group or someone who simply patched the binary produced it isn't known. Another researcher registered that domain too, so the new variant was stopped before Monday's workday started in Europe and the Americas, and most of its damage was confined to Asia, where the day was already under way.

We are lucky that the first group to marry the SMB exploit with a cryptovirus was as clueless as these guys appear to be. The NSA exploit was what made the infection so effective. Had it been married to a well-done cryptovirus without a kill switch, we would still be swimming upstream trying to get our fingers in the dike.

It won't be long before a competent group sends out a well-constructed virus with the same SMB exploit, and the next one may have no kill switch to find. Fortunately, we have WannaCry as a wake-up call. Hopefully everyone will have installed the March patch, and switched off SMBv1 where nothing needs it, by then, and it won't do much damage. Unfortunately, some institutions are slow learners, so expect some nasty surprises.

Updated May 16, 2017