WannaCry / Ransomware

I will try to explain in “a simple way” what happened (and will happen again) with WannaCry, ransomware and the incidents of the last weeks. This text is for non-technical people or laymen, perhaps the affected and the victims themselves.

About the author
Daniel Cialdella Converti has been working as a DBA for a big company based in Switzerland and the UK, on Linux and Windows, with MySQL, Oracle, SQL Server and Informix. He has served countries across the E.U. along two principal paths: maintaining what they have, and moving the company to the latest technologies and products.


All electronic equipment (telephones, tablets, laptops, PCs, webcams, etc.) consists of hardware parts and of software that controls those physical components.
For instance, a phone is a physical device, but when switched on it runs an operating system or firmware that lets us interact with it: it interprets touches on the screen and presses of the buttons, and reacts by executing the user’s commands.
For those using Windows, Windows is the operating system; for Apple products it is OS X; Android is the system on Android phones; and Linux completes the list. So all of us use an operating system, whether we know it or not.
The benefit of having software on top of the hardware is that it can be changed: upgraded to add functions or to fix errors. Without that, the useful life of a computer would be much shorter, and every detected problem would mean replacing the physical equipment with a new one.
For example, when someone says, “I have updated my phone”, it means the phone manufacturer published a new version of the operating system and he or she accepted to replace the existing phone software with it.
Besides the operating system there are the application programs that run on top of it: programs to read and send email, internet browsers, the Facebook client, WhatsApp, Google Maps, etc. These are the tools, supported by your operating system, that make your life easier. Like the operating system, they too require updates.
So the companies that develop these programs send updates or new versions, exactly as the operating system makers do. This is done to patch, replace or fix errors; sometimes an update also adds features.
Having said that, let us now understand the” ugly and sad” part about these system upgrades.
All operating systems and all application programs were developed by humans (yes, coders are experienced software professionals who may appear as “demigods”, but they are still humans) who had oversights, or did not consider certain critical situations of use, when creating the software.
Many times we have seen a program close by itself, show an error or simply hang the phone, forcing us to restart it. Sometimes the fault is in a program, sometimes in the operating system.

Those who have used Windows for years will remember the advice to “restart Windows every two or three days”. It was needed to clean up the machine’s memory.
Nothing is perfect. Just as certain batteries exploded because of manufacturing defects, programs are no exception: they fail when something in particular occurs (certain conditions or combinations of actions).
This is not new. For many years companies have run sites where you can report errors to them so that they can try to fix them; in some cases they even pay the reporters for finding their mistakes (a “bug bounty”).
Proprietary companies such as Microsoft, Apple and many others usually try to cover or hide errors, since they charged for a product that has failures: each one is a problem for the brand, an increase in repair cost, a fall in their image, and so on.
As these companies earn money through the sale of their products, it suits them that their products do not appear to have many defects. Fixing those problems has a cost that in the end reduces their profits by millions. And because they sell only the right to use a program while remaining its owners, they cannot avoid taking a share of the blame when a program or a physical component fails.
In the GPL / Linux open-source world, bug reports are far better received, because they help improve a product we all use and there is no licence fee at stake. Each error is fixed because the central goal is a good program and maintaining the quality of each one.

Now to an Even Darker Part

As reported by Edward Snowden, Chelsea Manning, Richard Stallman, Julian Assange, WikiLeaks, Anonymous and many other professionals and technology sites, the U.S. Government (and certainly others) has also purchased and developed programs that “use” the errors in operating systems and applications for its own benefit. Instead of reporting them to Microsoft, Apple and the other vendors, it keeps the knowledge of “if I do this and this, I get access to that remote Windows computer”. Using a flaw this way is called “exploiting the vulnerability”, or simply intrusion.
There is a market for programs that take advantage of the mistakes in other programs. Big (and bad) companies sell these intrusion programs for millions of euros; groups of criminal hackers around the world and even governments are key players in this market. Insecurity is big business because it allows control over other people’s machines WITHOUT THEIR PERMISSION, to hang them or to destroy or disable their equipment.
There is evidence that the NSA and other government agencies around the world have bought such programs from private firms, legally or not, and have developed their own. These are the so-called “cyber weapons”.

For example, suppose a country in the Middle East uses Windows on its computers and wants to produce enriched uranium.
The United States does not like this idea and decides to send a virus / trojan / malware program to infect those PCs. The damage to Windows computers could be that they restart every hour, or that their date and time are changed permanently, or that a blue screen appears and the machine hangs.
This has happened before, and it is called a cyber-attack. Search for “Stuxnet” on the internet: that worm went further than the examples above and sabotaged the industrial controllers running the centrifuges of Iran’s nuclear programme.
At the same time, there may be groups of hackers paid by China, Russia, Germany, the UK, or “freelancers”, commissioned to develop a program that sabotages other parties’ industrial systems (or all of them, or everybody’s) in order to make money, drive down share prices, etc. The economic or technological damage falls on some players and the benefit goes to others.
I think there are three motivations for this type of action: political/government motivations, personal/economic ones, or simply seeking fame or recognition for a while.
For economic reasons, “the dark forces” sometimes pay more, and faster, than “the good ones”. No reliable figures exist for what the WannaCry criminals collected, but the premise of the business is that extortion payments in Bitcoin bring in more than reporting the errors to Microsoft for a fix would have.
If these “bad players” are not supported by a government, the danger they pose is usually called cyber terrorism, like planting a bomb in a mall to spread fear among shoppers.
If a government supports them and the action is much the same, it is called National Security.
Nationalist, religious, or moral beliefs can make all these groups to be seen as either good or bad. I will choose not to express my opinion on this matter.

Origin of the incident of 12 May

Some time before the attack (the group calling itself the Shadow Brokers first appeared in August 2016), hackers obtained a copy of a set of the NSA’s viruses / trojans / malware programs, its cyber-armament repository. The biological parallel would be breaking into a laboratory that researches contagious diseases and stealing samples of every virus in storage, many of them without a vaccine.
Whoever held those samples kept them for research, for preparing a vaccine, or for preparing a biological attack on others.
The group offered to make public everything it had found and tried to sell it on the internet, charging in Bitcoin. It began by releasing parts of what it had.
Eventually, in April 2017, it published a large part of the NSA material, including the Windows tools that WannaCry would later use.

Someone, perhaps the same group or another, took the leaked Windows exploit, combined it with other malicious components, and released it worldwide. Early reports blamed email attachments, “photo” links, PDFs and infected websites, but that was not the main vector: WannaCry spread by itself, scanning the local network and the internet for Windows machines exposing the old SMBv1 file-sharing service and breaking into them with the leaked exploit, a flaw Microsoft had already patched in March 2017 (MS17-010). It reached Telefónica in Spain and Latin America, the British health service, banks and businesses of all kinds. And like biological viruses, this computer virus infected hundreds of thousands of PCs in the world: small companies, homes, universities and development teams were all affected.
In this case, a component was added to extort money from the owners of the infected PCs. The virus infected Windows computers, encrypted certain files (blocking the victims’ access to their data) and asked the owner for money to decrypt them. This type of malicious software is called ransomware (the same scenario is featured in the series Mr. Robot). A premonition that we all saw and could not stop.

The Attack

On 12 May 2017 the infected computers began spreading the virus to their neighbours, and each newly infected machine immediately did the same. The epidemic spread within hours, and several companies sent their employees home without their equipment, to avoid spreading the virus to other equipment at home, like a quarantine measure.
The program also encrypts the files and shows a screen demanding a “rescue” of about 300 US dollars (doubling if not paid within three days). Some of those who paid were sent keys to decrypt their files, but the payment handling was manual and unreliable, and many who paid received nothing.
The total number of infected PCs will never be known, because it has proved almost impossible to estimate.
Many people reinstalled Windows, recovered files from backups or paid the ransom, and there is no report that comprehensively accounts for this incident.
This happened to computers running Windows, since that is the only system this worm could infect, but comparable ransomware exists for Apple and Linux products, and worst of all, it can happen again.
Thanks go to the ethical hackers and security companies who understood what was happening, tried solutions and informed Microsoft. One researcher noticed that the virus checked whether a certain unregistered domain name existed before spreading further, registered it, and thereby switched off most of the spread (the “kill switch”); Microsoft, for its part, issued emergency patches even for versions it no longer supported, such as Windows XP.
Security researchers and consultants worldwide verified that several components of the virus came from the armament stolen from the NSA, combined with other code that encrypted the files and demanded money. A direct relation between the NSA leak and WannaCry was confirmed.
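As an added example (not part of the original article), here is the check a Windows administrator would run to see whether a machine is still exposed to the way WannaCry spread between neighbours. WannaCry propagated over the SMBv1 file-sharing protocol (TCP port 445) using the EternalBlue exploit from the leaked NSA tools, a flaw Microsoft fixed on 14 March 2017 (MS17-010). The script reports whether SMBv1 is still enabled, whether port 445 is listening, and when the last update was installed; with -Fix it disables SMBv1 and blocks inbound SMB as an emergency quarantine. It assumes Windows 8 / Server 2012 or newer, where the Get-SmbServerConfiguration, Get-NetTCPConnection and New-NetFirewallRule cmdlets exist, and an elevated PowerShell session.

```powershell
# Added example, not code from the original article: exposure check for the
# WannaCry spreading path on a Windows host. WannaCry moved between machines over
# SMBv1 (TCP 445) using the EternalBlue exploit from the leaked NSA tool set;
# Microsoft fixed the flaw on 14 March 2017 (MS17-010).
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or newer, where the
# SmbShare, NetTCPIP and NetSecurity cmdlets used below are available.

param([switch]$Fix)   # -Fix: disable SMBv1 and block inbound 445 instead of only reporting

# 1. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is ENABLED: this host still speaks the protocol WannaCry spread over."
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 disabled (clients still relying on it will lose access to shares)."
    }
} else {
    Write-Output "SMBv1 is disabled."
}

# 2. Is anything listening on TCP 445, i.e. is file sharing reachable from the network?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    Write-Output "TCP 445 is listening; make sure it is not reachable from untrusted networks."
    if ($Fix) {
        # Emergency quarantine rule: block inbound SMB until patch status is confirmed.
        New-NetFirewallRule -DisplayName "Block inbound SMB (WannaCry quarantine)" `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
        Write-Output "Inbound TCP 445 blocked by Windows Firewall."
    }
} else {
    Write-Output "Nothing is listening on TCP 445."
}

# 3. When was the newest update installed? A host whose latest hotfix predates
#    the MS17-010 release was exposed for the whole outbreak.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    Write-Output ("Newest installed update: {0} on {1:yyyy-MM-dd}" -f $latest.HotFixID, $latest.InstalledOn)
    if ($latest.InstalledOn -lt [datetime]'2017-03-14') {
        Write-Warning "No updates since before the MS17-010 fix was released; patch this host."
    }
} else {
    Write-Warning "No installed updates were found; verify Windows Update is working."
}
```

Run it as `.\Check-SmbExposure.ps1` to report only, and `.\Check-SmbExposure.ps1 -Fix` to apply the quarantine; the firewall rule is a stopgap and the real fix is installing the March 2017 update and leaving SMBv1 off.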

Who is Responsible?

For political, religious, humanitarian or social reasons, the NSA can be accused of building, buying and storing these virus samples for its own benefit, without notifying Microsoft (in this case) of the vulnerabilities. It obtained an advantage for attacking others.
We can also hold Microsoft to account for its proprietary policies and secrecy about how it manages security and its proprietary products, and for “allowing” errors to exist without fixing them, or not fixing them immediately, which left a loophole open.
We can likewise accuse the group of “bad” hackers who stole the bacteriological / computer weapons from the NSA. This was a robbery on the premises of a government entity dedicated to “Security”.
Moreover, the people and companies that used Windows and trusted its security and patching also share a small part, say 2%, of the blame. They had surely heard hundreds of times about the problems and vulnerabilities of an operating system; how could they trust that nothing would happen to them? Perhaps they did not make backups, did not install an antivirus (which in any case would not have helped on the first day of this outbreak), did not keep their products updated, and so on. Their part may be small, but they are responsible too.

Can This Happen Again?

Yes, definitely. It can happen again today; the question is when. Can it happen to Apple products? Yes, perfectly well.
And using Linux? Yes, it could. It is not a perfect world, and no operating system is ever immune to attacks.
Market-share statistics put roughly 70% of computers on Windows, 25% on Apple and 5% on Linux distributions (the exact figures vary by source). Personally, I take those numbers as the percentages of where the attack could happen again.
Groups looking for economic gain, or governments seeking a strategic or economic benefit, can come back with something similar.
I think that, to this day, government agencies are still looking for new “tools” to gain access to other computers, mobile phones, IoT devices, servers, etc. It is a never-ending story.

Is This The End of Technology As We Know It?

I guess not. We still have to promote cooperative work, leave proprietary software, trust more in the EFF and the GPL, build better defences, and be prepared for a “worse wave” in the future.
Security managers not only have to understand the world but also seek ways to solve future issues more efficiently, instead of kicking the ball out of play.

October 26, 2017

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013