The WannaCry attack of 2017
On Friday the 12th of May 2017 the WannaCry ransomware was initially identified in some hospitals throughout the United Kingdom. In just five days it exploded all over the world, infecting tens of thousands of devices in over 150 countries. In this article we will explain the details of the WannaCry attack, we will also demonstrate how ransomware represents one of the most diffused types of cyber attacks and we will explain how FlashStart can help you maintain your security against this type of attack.
1. The WannaCry attack: ultra-fast ransomware
1.1 What is a ransomware attack
The WannaCry attack was a ransomware type: in these attacks, a harmful software encrypts some data of a device and blocks the access making the device useless.
The data is then ‘kept hostage’ by the authors of the attack and a ransom is then requested to the device owner. If the owner decides not to pay up the access to the data remains blocked. Today it is very frequent that, together with the ransom request there is also the threat of making the data and documents public, destroying them completely or even putting them up for sale on the dark web to anybody who may be interested.
1.2 The 2017 attack
The WannaCry attack, its complete name being WannaCryptor, was started on Friday 12th May 2017 and was pointed at devices that were using the Windows system. Almost two months before, Microsoft distributed a patch for EternalBlue, a name that was given to a weakness in Windows of which a group called TSB – The Shadow Brokers – made public to the world.
Even with the Microsoft patch, many users found themselves unprepared for the attack explosion in as much as they had ignored the update or were even using older Windows versions, thus becoming very vulnerable subjects for this attack on a large scale. EternalBlue was not only exploited by WannaCry but also by another ransomware software called NotPetya.
WannaCry spread very quickly indeed. The initial ransom amount was $300 in Bitcoin but that soon went up to $600 in Bitcoin. As often happens in ransomware cases, the ransom was requested in electronic currency as any trace would be much more difficult in respect to bank transfers or other types of transactions.
It is estimated that the malware infected roughly 230.000 computers in 150 countries. After the initial very fast diffusion there was discovered a kill switch that slowed down the WannaCry attack but not stopping it completely.
>> FlashStart the Internet filter against malware, ransomware and other dangerous content ? Try it now
1.3 What aided the success of the WannaCry attack?
In respect to other types of ransomware attacks, WannaCry was a large scale attack that didn’t have a precise objective. It was first picked up by computer systems of British hospitals but the victims also included companies and organizations in varied sectors in many different countries, even ones that are traditionally considered enemies.
The attack didn’t hold back on anybody and hit in the same way Europe, Russia and the United States. Some notable victims include: The Russian Internal Ministry, the Russian train companies, the Indiana Shaheen Airlines, public security offices of regional China, Renault in France, Spanish telephone companies and the Bicocca University in Milan.
That which made the WannaCry attack so powerful was its structure. The malware in fact included a worm, a characteristic that allows the attack to cancel files, consume bandwidth and above all speedily spread without the need of a file host. In fact, the worm self-propagates and therefore, with the difference to a virus, doesn’t need any human action to start its harmful activity.
Not only, the malware exploited the EternalBlue patch mentioned above, an SMB system breach of Windows, the protocol that enables network nodes to communicate. This breach is still exploited today by some attacks in such that many Windows users don’t download and install the necessary security updates for their good program usage.
1.4 Who created the WannaCry attack?
In December 2017 the United States gave the official blame of the WannaCry attack to North Korea, in particular, to a known organization called the Lazarus Group. Even though, the NSA – the National Security Agency of America – could have had an inadvertent role in the attack itself.
>> FlashStart protects you from a vast gamma of threats and blocks access to harmful sites ? Try it now
2. The pervasiveness of today’s ransomware attacks
Ransomware attacks are amongst the most common cyber attacks in such that they allow the perpetrators to monetise and make a profit. According to the 2021 Internet Crime Report 2021 from the FBI IC3 – the FBI cyber complaints centre – in 2021 they received 3,729 complaints of identified ransomware attacks causing an estimated loss of 49.2 million dollars. Of these, 649 complaints regarded attacks on 16 governmental sectors infrastructures that are considered critical in America.
The FBI underlines how the tactics and techniques of ransomware continue to evolve, more proof of the growing technological sophistication of hackers and threats that are derived for companies and organizations all over the world. The three main ways in which attacks are perpetrated are:
» Phishing emails that aim to attract the receiver, sometimes with declared objectives and sometimes with attacks that train you in, to the attack trap.
» Protocol exploitation of desktop remotes, made ever more common by the work diffusion and remote learning.
» Vulnerable software exploitation, as in fact from the WannaCry attack example that is being analysed in this article with the EternalBlue exploitation.
>> Are you an appliance producer? It is possible to natively integrate FlashStart ? Contact us
3. How to protect yourself from ransomware?
The FBI 2021 Internet Crime Report listed four actions that all Internet users today can put into practice to better protect themselves from ransomware attacks. They are:
» Update operating systems and software: demonstrated by the WannaCry attack, this aspect is fundamental in guaranteeing the security of your devices. When the mother company realises that they have a system vulnerability they work on offering patches to resolve the problem for their users. Even if downloading and installing such updates takes time, these can make a big difference when it comes to attacks.
» Teach colleagues how to recognise phishing attacks through dedicated training and real phishing exercises to heighten the knowledge regarding links that are ever more received in email messages that could result in being suspect or even harmful.
» Monitor the desktop remote protocols and make these instruments secure by applying dedicated special measures.
» Conserve backup copies of data and documents on external supports, not connected to the Internet and therefore available in an offline mode.
Amongst measures that are aimed at improving the protection of networks and devices connected to them there is a content filter such as the one offered by FlashStart, a software that creates a checkpoint, therefore a control point, for all accesses to the Internet network and the requests of the users who wish to visit desired sites.
>> FlashStart is the webfilter that protects over 25 million users ? Try it now
4. FlashStart: the ultra-fast and constantly updated protection against cyber attacks
FlashStart offers an Internet filter solution that is ultra-fast, constantly updated and customizable.
4.1 FlashStart: ultra-fast protection
FlashStart has an Anycast stable global network with an uptime of 99.87, amongst the top 5 in the world. Through the Anycast network the same IP address corresponds to more hosts therefore the user request is sent to just one address based on cost and server location. This guarantees a very high prestation not only in response speed from the system – when the user types in a website that they want to visit they don’t even realise all the controls that are going on behind their request – but also in terms of system redundancy for protection and continual service.
4.2 FlashStart: artificial intelligence to guarantee an updated protection
The FlashStart protection, also, exploits a mixture of algorithms of Artificial Intelligence (AI) and Machine Learning (ML) that every day analyse up to 200 thousand new websites in 24 different languages and automatically catalogues them into 90 various groups based on their content. When they identify new threats the FlashStart Cloud system, where you find all of the blacklists containing sites whose access is not consented, is automatically updated. In this way the user can directly benefit from an updated protection without the need of downloading any kind of update which then requires you to restart your system.
4.3 FlashStart: granular customizable protection
Finally, the FlashStart protection is completely customizable and allows the network administrator to create various security profiles for single users or groups, importing even logic from Active Directory where present. Apart from dangerous content, blocked directly by the system, the administrator can in fact choose to block undesired or unsuitable content – such as porno, violence or online gambling – as well as that which creates distraction, including social networks, audio and streaming platforms and online shopping sites.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.