Since last Friday, over 200,000 victims in 150 countries have been hit by a massive, international ransomware cyberattack called WannaCry.
Ransomware is a type of malware that works by seizing control of and blocking access to a computer’s files, programs, and operations. Users are then informed that they must pay a certain amount in order to regain access to their files, with the threat of permanently losing all of their data if they choose not to pay. In the WannaCry attack, users were given three days to make the payment before the fee increased, and seven days before the files would be lost forever. View our previous blog post on ransomware for more information.
How did we get here?
- March 14 – Microsoft released a patch for vulnerabilities in its operating system; reports suggest that Microsoft was likely tipped off by the NSA. (source)
- April 14 – The Shadow Brokers, a group of hackers that emerged in August 2016, released several hacking tools that reportedly originally belonged to the NSA. They also released a message citing various political motivations for leaking the information.
- May 12 – Computers around the world running older operating systems, or that had not yet been updated with Microsoft’s March security patch, were infected by the massive attack. Among those affected were hospitals, universities, and government agencies. A UK cybersecurity researcher discovered a kill switch in the attack code and inadvertently hindered the spread of the malware in the United States. However, the kill switch could not help systems that had already been infected, and it is likely that the hackers will send out further attacks with the kill switch removed. (source)
- May 15 – The count of victims continues to be updated as employees return to their work computers on Monday morning. In addition, the latest variant no longer includes the kill switch, undoing the earlier slowing of the infection.
How WannaCry remedies are just another fraud vector
The massive scope and potential financial impact of the WannaCry attack have understandably caused a lot of panic, and companies and individuals alike have been rushing to protect their devices. However, this frenzy has opened up new, damaging routes for fraud.
One of these attack routes is mobile applications found on third-party application stores. Various mobile applications advertise that they protect users from the WannaCry ransomware. However, our analysts found that some of these apps contained adware meant to infect the devices they are downloaded onto. Rather than protecting users’ devices, they harm them.
The adware found is classified as Adware.mobidash, a module that attackers embed in Android games and apps to monetize them. This adware can load webpages with ads, show other messages in the status bar, and modify the device’s DNS server settings. The real danger is that the end user’s device performs unwanted activity without the user’s authorization.
To hide this behavior, the adware does not start its malicious activity immediately; instead, it lies dormant on the device and activates after a short period of time.
How to protect your business and your end users
- Deploy the MS17-010 update issued by Microsoft on March 14. This patches the vulnerabilities being exploited by WannaCry.
- Educate employees on how to spot and report phishing.
- Deploy a DMARC policy to reduce the spearphishing emails that target employees, such as those used to deliver ransomware like WannaCry.
We have blogged a lot about digital trust, fake news, and all sorts of tricks that criminals use to get the attention of consumers to get them to click on a link. Yet we continue to be amazed by how sophisticated the manipulation of the human factor has become.
It is only a matter of time until we see the WannaCry campaign expand further to trick end users into installing a patch that allegedly prevents the new massive ransomware attack. This time, however, it will not be a patch but a new version or variant of financially motivated malware.