Alrighty, here's a story for those who were out all weekend and have no idea what in the world just happened (and as of a few hours ago is happening again, but we'll get to that in a sec)
Now I normally wouldn't even be following this story much beyond "yeah, this happened. Again." but there are a few particular bits and moments that very much interested me. So here I am. Also, my days and times may be slightly off. I've been following this story off and on all weekend.
Our story begins on a Friday afternoon. I'm in the middle of calling professors across the country to push out new company-approved laptops and reading Reddit between calls. After a quick refresh of my home screen I see a new post with some title like "Ransomware sweeping across the globe" - thinking this was a sensationalist piece with little value (I mean, they mostly are) I skip it and find a new post on r/talesfromtechsupport. Ooh, goody!
Fast-forward a few hours. As I'm heading back from work I once again hop on Reddit and see what's going on. A few more pieces about this malware, so I figure "eh, why not?" and dig into one a bit. Again, looks pretty sensationalist and I wasn't interested in overblown facts in an article telling me everything I already knew. Closed, and found a few new posts on r/gaming and r/talesfromretail.
It wasn't until Saturday morning that I really noticed something was up. After reading Twitter and asking my Google Home what was going on in the world, I got some interesting news. Apparently the ransomware variant I had quickly checked up on and forgotten about had made a big splash. Bigger than usual. I decide to do a little more digging since I thought this particular variant was pretty par-for-the-course stuff.
So, here's the thing; I was right. This strain of malware was very standard and didn't really bear anything unusual. Uses "zero-day" exploit? Check. Infecting a ton of PCs? Check. Standard encryption and warning screen? Check. Asking for a variant amount of money based on factors present on the internal network? Check. AV evasion? Triple-check.
Except for one little thing that really bugged me. This malware contained a kill-switch in the form of a domain. Basically, this malware had a dropper (all of them do) that first checks to see if a domain gives a response. If it does, it shuts down immediately and nothing further happens. If it doesn't, it continues on and starts encrypting files. Again, this wouldn't have bugged me so much except for the fact that everything else was perfect. Everything. It would have been unbreakable and damn-near impossible to stop except for that one VERY BIG flaw.
A researcher by the name of MalwareTech discovered this domain and immediately bought it, not knowing what would happen. This is standard procedure for him in an attempt to track infections. This is the part of the story, I think, that made the whole thing really explode. Also, poor guy has now had to do a lot of diversion on his domain, Twitter, and e-mail accounts and has also been unintentionally doxed by the media. Ouch.
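Since the only trace a halted host leaves is that one DNS lookup, registering the domain is what turns the kill-switch into an infection tracker. As an added example (not from the original post), here is a small Python parser that pulls those lookups out of a BIND-style query log so a defender can list which internal hosts ran the dropper; the log lines are constructed and the domain name is a placeholder, since the post does not name the real one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder: the post does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample in BIND query-log format; not real traffic.
SAMPLE_LOG = """\
14-May-2017 09:12:01.113 client 10.0.4.17#51234: query: www.example.com IN A + (10.0.0.53)
14-May-2017 09:12:03.420 client 10.0.4.17#51240: query: killswitch.example IN A + (10.0.0.53)
14-May-2017 09:12:03.911 client 10.0.7.88#49152: query: killswitch.example IN A + (10.0.0.53)
14-May-2017 09:15:44.002 client 10.0.4.17#51301: query: killswitch.example IN A + (10.0.0.53)
14-May-2017 09:16:10.777 client 10.0.9.5#53011: query: update.example.net IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def find_killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map source IP -> {"count", "first_seen"} for hosts that queried the domain.
    Any query at all means the dropper executed on that host; whether it then
    halted or went on to encrypt depended on the answer it got."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, qname, _ = parsed
        if qname == domain:
            entry = hits.setdefault(src, {"count": 0, "first_seen": ts})
            entry["count"] += 1
            entry["first_seen"] = min(entry["first_seen"], ts)
    return hits

if __name__ == "__main__":
    for src, info in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{src}: {info['count']} lookup(s), first seen {info['first_seen']}")
```

Hosts in the output are the ones to isolate and check for the SMB exposure regardless of whether they ever showed the warning screen.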
So this all raises a few questions. Clearly, the makers of this malware knew exactly what they were doing and how to do it. Were they being careless or was this simply a test? Either way, we're clear of it for now. It's only a matter of time before a new variant of this rolls around without the kill-switch, though.
Sunday morning rolls around with lots more fanfare but no more real news of this ransomware. It looks dead, and thank MT for it. Sunday afternoon, however, is a very different story. All of a sudden pings start coming up about a new variant that uses the same code and the same dropper minus the killswitch. Welp. Fuck.
So, here's the rundown on how this thing works. Prepare for hell on Monday if you're one of the poor souls without patches.
It uses an exploit developed by the NSA a month or so prior called ETERNALBLUE (this exploit just got a Metasploit module named MS17-010)
ETERNALBLUE is an exploit targeted at SMB1 and is effective on all Windows systems that use it, including Win 10 up to some security patches (again, a month or so ago)
Also, yeah, I was wrong earlier about the exploits not affecting Win 10. Looks like at least one did, but researchers were using machines that were too up-to-date because MS couldn't put out a security bulletin on the bug due to an NSA gag-order.
Once you've got the red warning screen, it's game over and your files are already gone. I hope you either have working backups or a lot of money.
Have a happy Monday!