On Friday, May 12, 2017, the world was alarmed to discover that cybercrime had achieved a new record. In a widespread ransomware attack that hit organizations in more than 100 countries within the span of 48 hours, the operators of malware known as WannaCry/WanaCrypt0r 2.0 are believed to have caused the biggest attack of its kind ever recorded.
Perhaps more than anything else, this ransomware onslaught is a resounding reminder of the importance of security basics, especially when it comes to Microsoft product patching. Those who applied critical Microsoft Windows patches released in March were protected against this attack. Another basic protection is the possession of current, offline backups of data. For ransomware attacks like this one, having a viable backup will enable a successful incident response, leaving attackers high and dry and unable to collect money for their evil doings.
WannaCry, also known as WanaCrypt or Wcry for short, is ransomware that works like other malware of its type, with a few intricacies that highlight the sophistication of its operators.
First, the malware uses exploits that were supposedly leaked by a group that calls itself Shadow Brokers. Leaked exploits very often end up in the hands of malicious actors who use them for their own nefarious purposes, which is exactly what happened in this case.
Second, the malware uses strong, asymmetric encryption, employing the RSA 2048-bit cipher to encrypt files. This method is considered relatively slow when compared to symmetric encryption, but it is very strong and virtually impossible to break.
Third, the malware’s architecture is modular, a design known from legitimate software but also from complex malware projects such as banking Trojans. Most ransomware is not modular; it is comparatively simplistic and carries out its tasks in a single, monolithic component. This suggests that the authors behind Wcry are more likely a group of people than a single developer, and possibly even one of the organized cybercrime gangs that distribute malware such as Dridex and Locky.
Bottom line, we are not dealing with amateurs. This widespread attack is of high severity, and although the vulnerability should have been patched a while back, many organizations have been hit and the count keeps rising.
The Wcry outbreak started showing up on May 12, 2017, but it relies on a number of elements that have been around for a while. It even offered a sneak preview a week ago when it showed up in Trojan.Win32.CryptoFF attacks in Peru.