Researchers now suspect that the recent ransomware attack was spread by software known as a “worm” rather than by phishing emails containing malicious attachments, as was originally thought. A worm is a computer program that can copy itself from machine to machine by exploiting security weaknesses in host computers.
Investigations have so far revealed a three-stage attack, starting with remote code execution through which the malware obtained elevated user privileges. From there, the files containing the malware were unpacked and executed. Once computers were hijacked, files and documents were encrypted and the ransom notes displayed.
Analysis seems to confirm that Friday’s attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353) and used strong encryption on files such as documents, images, and videos. It also went after servers, trying to encrypt SQL server databases and Microsoft Exchange data files.
Three key factors enabled this attack to spread rapidly:
1. The inclusion of code that caused the threat to spread quickly across networks as a worm, without needing further user action after the initial infection had taken place.
2. It exploited a vulnerability that many organizations had not patched against. Patching operating systems is the first line of a security strategy, yet many still struggle to achieve regular updates across their environments.
3. Organizations are still running Windows XP although Microsoft discontinued support for Windows XP some years ago and consequently had not issued a “patch”. A patch for Windows XP has now been provided by Microsoft. Microsoft does support legacy versions of Windows, but at extra cost.
The worm generated random IP addresses, as the following code snippet shows. Once the IP addresses were defined, the worm sent malicious SMB packets to the remote host, spreading itself. From there, files on the hijacked computers were encrypted and ransom notes appeared on victims’ screens.
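The propagation pattern described above, a single host contacting many randomly chosen addresses on the SMB port in a short time, is visible in network flow logs and is a practical detection point for defenders. The following is an added example written for this article, not code from the original piece or from the malware: it reads constructed flow records (timestamp, source, destination, destination port, protocol), keeps only TCP/445 connections, and flags any source that reaches an unusually large number of distinct hosts inside a sliding time window. The record format, the 60-second window, the threshold of 20 hosts and the sample traffic are all assumptions chosen for illustration; the proportion of non-private destinations is reported because a randomly generated address list is mostly public address space, unlike ordinary file-server traffic.

```python
"""Flag worm-like SMB fan-out in flow records (added example, not from the article)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import random

SMB_PORT = 445
WINDOW = timedelta(seconds=60)          # assumed sliding window
DISTINCT_HOST_THRESHOLD = 20            # assumed threshold; tune per environment


def build_sample_flows():
    """Constructed sample flow records, format 'ISO-timestamp,src,dst,dst_port,proto'.
    None of these addresses or hosts are real observations."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    # Host A: worm-like behaviour, 30 randomly generated destinations on TCP/445 in 30 s
    for i in range(30):
        dst = ".".join(str(n) for n in (rng.randint(1, 223), rng.randint(0, 255),
                                        rng.randint(0, 255), rng.randint(1, 254)))
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.0.5,{dst},{SMB_PORT},tcp")
    # Host B: ordinary client talking to two internal file servers over SMB
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()},"
                     f"10.0.0.8,10.0.1.{10 + i % 2},{SMB_PORT},tcp")
    # Host C: many HTTPS destinations; high fan-out, but not SMB, so not flagged
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},"
                     f"10.0.0.9,93.184.216.{i % 250},443,tcp")
    return lines


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, port, proto = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto}


def find_smb_fanout(lines, window=WINDOW, threshold=DISTINCT_HOST_THRESHOLD):
    """Return {src: report} for every source that contacts at least `threshold`
    distinct hosts on TCP/445 within any window of length `window`."""
    per_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["port"] == SMB_PORT:
            per_src[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()
        dst_counts = Counter()
        for ts, dst in events:
            in_window.append((ts, dst))
            dst_counts[dst] += 1
            # Expire connections that fall outside the sliding window
            while in_window and ts - in_window[0][0] > window:
                _, old_dst = in_window.popleft()
                dst_counts[old_dst] -= 1
                if dst_counts[old_dst] == 0:
                    del dst_counts[old_dst]
            if len(dst_counts) >= threshold:
                all_dsts = {d for _, d in events}
                external = sum(1 for d in all_dsts
                               if not ipaddress.ip_address(d).is_private)
                flagged[src] = {
                    "distinct_smb_hosts": len(all_dsts),
                    "distinct_in_window_at_alert": len(dst_counts),
                    "external_fraction": external / len(all_dsts),
                    "first_seen": events[0][0],
                    "last_seen": events[-1][0],
                }
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for src, report in find_smb_fanout(build_sample_flows()).items():
        print(f"ALERT {src}: {report['distinct_smb_hosts']} distinct SMB hosts, "
              f"{report['external_fraction']:.0%} outside private ranges, "
              f"{report['first_seen']} to {report['last_seen']}")
```

Run it as a script to see the single alert for the constructed worm-like host; the file-server client and the HTTPS-heavy host stay quiet. In a real deployment the same logic would be fed from NetFlow, firewall or Zeek connection logs, and a high external fraction on TCP/445 from an internal host is worth isolating quickly, since the text above notes the worm needed no further user action once it had a foothold.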