May 12, 2017 will always be remembered by the corporate world, and especially by the healthcare industry, as the date a new cyber-extortion campaign, the WannaCry ransomware, was unleashed at a scale that antivirus software was unable to stop. It spread by exploiting a flaw in Server Message Block (SMB) version 1.0, the EternalBlue vulnerability that Microsoft had already patched two months earlier in MS17-010, to break into machines that had not yet received that update and to take the files they stored hostage with encryption. The result: organizations in roughly 150 countries suffered incidents of cyber-extortion. Healthcare facilities and hospitals with inadequate or no reliable backup systems were hit hardest, and many of them decided simply to pay the ransom to get their data decrypted.
In these ransomware infections, of which WannaCry was the most visible example to date rather than the first, user data was encrypted and could only be unlocked by paying the ransom the cybercriminals demanded. The outbreak was severe enough that Microsoft released an emergency patch, KB4012598, for the unsupported but still popular Windows XP (together with Windows 8 and Windows Server 2003), alongside the updates already available for the contemporary Windows 7, 8.1 and 10.
It didn't take long for the security community to reverse-engineer WannaCry's key handling and find a weakness in it. On May 19, 2017, a week after the first widespread outbreak, a free and open source decryption tool named Wanakiwi was published on GitHub by Benjamin Delpy, building on Adrien Guinet's wannakey. It does not break the encryption itself. Instead it exploits the fact that the Windows CryptoAPI routines WannaCry used leave the prime numbers of the RSA private key in the memory of the wcry.exe process after the key handle is released: Wanakiwi scans that process memory for those primes, rebuilds the private key, and uses it to decrypt the per-file keys and restore the files to their original, usable state. It was confirmed to work on Windows XP, Vista, 7 and Server 2003/2008. The caveat is that this only succeeds while that memory is intact: the infected computer must not have been rebooted, the wcry.exe process must not have been killed, and the memory must not have been reused by other programs in the meantime. Once the machine is restarted the primes are gone and the files cannot be recovered this way; the infection itself must still be removed, and a clean reinstall is the safest route.
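How a tool like Wanakiwi gets the key back, as an added example that is not Wanakiwi's or wannakey's own code: the script below builds a toy RSA key, embeds its two primes in a constructed byte buffer standing in for a snapshot of the wcry.exe process memory, and slides a prime-sized window over that buffer looking for a little-endian integer that divides the public modulus. The function names, the offsets 1000 and 3000, the 256-bit prime size and the filler bytes are assumptions made for illustration; the real tool reads live process memory and deals with 2048-bit keys, so its windows are 128 bytes wide.

```python
# Added example (not Wanakiwi's or wannakey's code): recover an RSA private-key
# prime that a process left behind in memory, the trick those tools rely on.
# The "memory image" is constructed inline and the key uses 256-bit primes so the
# scan finishes instantly; WannaCry's keys were 2048-bit RSA (1024-bit primes).
import math
import random

E = 65537            # public exponent used throughout
PRIME_BITS = 256     # toy size (assumption); WannaCry's primes were 1024 bits


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, adequate for demonstration keys."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so it is exactly `bits` long."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_toy_key(prime_bits=PRIME_BITS):
    """Return (p, q, n) with gcd(E, phi) == 1 so a private exponent exists."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p, q, p * q


def build_memory_image(p, q, prime_bits=PRIME_BITS, embed=True, size=4096, seed=7):
    """Constructed stand-in for a snapshot of the malware process's memory:
    random filler with the two primes stored little-endian (CryptoAPI's byte
    order) at arbitrary offsets. embed=False models the state after a reboot
    or process kill, when the key material is no longer present."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    if embed:
        nbytes = prime_bits // 8
        buf[1000:1000 + nbytes] = p.to_bytes(nbytes, "little")   # assumed offset
        buf[3000:3000 + nbytes] = q.to_bytes(nbytes, "little")   # assumed offset
    return bytes(buf)


def find_prime_factor(mem, modulus, prime_bits=PRIME_BITS):
    """Slide a prime-sized window over memory; any window that, read as a
    little-endian integer of the right length, divides the modulus is one of
    the private primes. Returns (offset, p, q) or None if nothing is left."""
    nbytes = prime_bits // 8
    for off in range(len(mem) - nbytes + 1):
        cand = int.from_bytes(mem[off:off + nbytes], "little")
        if cand.bit_length() != prime_bits:   # cheap pre-filter before the division
            continue
        if modulus % cand == 0:
            return off, cand, modulus // cand
    return None


def private_exponent(p, q):
    """Rebuild the private exponent d from the recovered primes (Python 3.8+)."""
    return pow(E, -1, (p - 1) * (q - 1))


def demo():
    """Run the recovery against a live-process image and a post-reboot image."""
    p, q, n = make_toy_key()
    live = find_prime_factor(build_memory_image(p, q), n)
    after_reboot = find_prime_factor(build_memory_image(p, q, embed=False), n)
    return live is not None, after_reboot is None


if __name__ == "__main__":
    recovered, lost_after_reboot = demo()
    print("primes found in live process memory:", recovered)
    print("primes gone after reboot:", lost_after_reboot)
```

The second half of demo() is the reboot caveat from the paragraph above in code form: the same scan over memory that no longer holds the primes finds nothing, and there is no other way to get the private key back.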
Not everyone lives happily ever after, unfortunately: the WannaCry episode of 2017 continues to target its former victims to this day, not as a full-blown mass reinfection but as a socially engineered extortion scam. It has long been known that the weakest link in computer security is the susceptibility of human users to social engineering. That "fear factor" is now being used to solicit ransom from former victims and less informed firms, and the cybercriminals do it through fear-mongering emails.
The threat of data being locked by encryption is still compelling even when no infection has actually taken place. The original worm itself no longer poses the same danger, although not because of Wanakiwi, which only recovers files: the kill-switch domain registered during the outbreak and the widespread patching of MS17-010 are what stopped it. According to Paul Ducklin of the Sophos Naked Security blog, the scammers ask their targets to pay $650 worth of Bitcoin or else their data will be encrypted. The threat can never become a reality, but the damage is the same when the victims are convinced to pay the extortion.
Cybercriminals use fatalistic language to persuade their targets: "Our program also covers the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices," as quoted from one of their fear-mongering emails.
To strike even more fear, scammers tend to exaggerate what they can actually do to the user's computing platform. As Ducklin emphasized: "Just to be clear here: disk-wiping malware — think of it as ransomware with no decryption key, so you can't buy your files back from the crooks even if you want to — most certainly exists. In this particular case, however, the whole thing is a fraud, right down to the existence of the malware in the first place."
The scammers behind these extortion emails are simply hoping to profit from the fear of losing data that WannaCry established last year. Ducklin warns users to remain alert without becoming paranoid about the extortion emails, and recalls why the real worm was so damaging: "As a result, WannaCry could worm its way through your network automatically, potentially leaving you with hundreds or even thousands of scrambled computers in a single attack, even if only one user opened a booby-trapped attachment or downloaded a file from a poisoned website," Ducklin wrote.
There is no WannaCry pandemic in the wild in 2018, but other ransomware families are still active. One example is SamSam, which, unlike WannaCry, does not spread as a worm: its operators break into a network first and deploy the ransomware by hand. As of this writing, the victims of this newer ransomware include Hancock Health Hospital, Adams Memorial Hospital, Allscripts, the Municipality of Farmington (New Mexico), Davidson County, and the Colorado Department of Transportation.
Organizations need to keep their computers and networks secure; there is no room for complacency. Prompt patching, disabling SMBv1 where it is not needed, and tested offline backups would have blunted WannaCry, and user education remains the key to not falling victim to trojans and to online fraud such as these extortion emails.