Brief study of Wannacry and the massive attack that took place on May 12, 2017, where the Spanish telecommunications company Telefónica was one of the first victims of this ransomware. The timeline of the events, the vulnerabilities of the company, the costs left by the attack and the possible prevention measures are reviewed.
Author: Sergio Renteria Nuñez
2. Ransomware Attack
● Ransomware is a type of malware that targets computer systems. Its operation varies depending on the type. There are 3 main types or families of ransomware: Crypto, Locker, and Leakware/Doxware. The Crypto family encrypts a group of files on the station; the Locker type blocks access to the computer; whereas the Leakware/Doxware family blocks access to the operating system and files, threatening the user with the publication of confidential information. The common denominator of the 3 families is that the device and the information are inaccessible and, to recover them, a ransom must be paid, typically in cryptocurrencies such as Bitcoin.
● According to cybersecurityventures.com: "Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031. Fastest growing type of cybercrime is expected to attack a business, consumer, or device every 2 seconds by 2031".
3. What happened in Telefónica?
● Founded in 1924, Telefónica, S. A. is a Spanish multinational telecommunications corporation based in Madrid. It offers telephone, internet and television products and services. It is currently the fourth largest company in Europe and the thirteenth worldwide. In addition, it is listed on the Spanish stock market under the ticker TEF as part of the IBEX 35 stock index.
● According to Microsoft, the NSA was looking for vulnerabilities in Windows products during 2011. By 2012 they had found a bug in the SMBv1 protocol of Windows systems and developed the Eternal Blue exploit, which was stolen in 2016. This caused the NSA to notify Microsoft of the vulnerability in February 2017, so on March 14, 2017, the company published the security bulletin MS17-010 with CVE-2017-0145. Later, in April 2017, a group of hackers called Shadow Brokers leaked Eternal Blue, which served as the basis for the worldwide ransomware attack called Wannacry.
● The Wannacry cyberattack started on May 12, 2017, with Spanish companies being the first victims, and specifically Telefónica. The CDO of the organization reported via his blog that, through a phishing campaign, someone from Telefónica downloaded a dropper via a link, thereby infecting his computer. The infected computer then scanned the LAN for computers vulnerable to Eternal Blue in order to infect them and continue spreading. The objective of Wannacry was to encrypt files, not to steal data. To decrypt the information, it demanded a ransom of 300 dollars in Bitcoin.
4. Timeline
2011: The NSA was looking for vulnerabilities in Windows products during this year, according to Microsoft.
2012: The NSA found a bug in several versions of Windows and developed the Eternal Blue exploit.
2016: The Eternal Blue exploit was stolen from the NSA by Shadow Brokers, a hacking group.
2017: The NSA notified Microsoft about the vulnerability in February. On March 14th, the company published the security bulletin MS17-010 with CVE-2017-0145.
2017: In April, Shadow Brokers leaked Eternal Blue. The Wannacry attack started on May 12th. That day, a Telefónica employee clicked on a link in a phishing email and downloaded a dropper, thus infecting his computer and later other computers with the ransomware.
2017: Wannacry encrypted the files of hundreds of computers and, to decrypt them, the attackers asked for 300 dollars in Bitcoin per computer, which was rejected. Telefónica disconnected the equipment from a part of the LAN. Finally, the CDO announced via Twitter that they had been affected by the malware.
[Figure: "Wannacry ransomware attacks Telefónica", timeline graphic with steps 1 to 6]
5. Vulnerabilities
Lack of user computer security education and of a strict vulnerability management policy.
● Phishing: lack of education in basic computer security and in this type of attack in particular.
● Vulnerability and Patch Management Program: delay in the discovery of vulnerabilities and in the application of their respective patches.
● Systems: lack of upgrades in operating systems.
6. Costs and Prevention
Costs
• Nearly $260,000 from repairing approximately 650 computers at an average cost of $400 each.
• Although Wannacry did not affect its clients, there was an economic impact because personnel were disconnected during the 48 hours it took to resolve the incident.
• Costs derived from overtime for security checks and investment in implementing additional security measures.
• Reputational damage and reduced trust of customers and partners.
Prevention
• Education, by levels, in cybersecurity for all company workers.
• Early detection.
• Follow a strict vulnerability and patch management plan.
• Keep the operating system and all software updated and properly configured.
• Perform regular backups and keep them isolated from the network segment.
• An intelligent SOC with machine learning in order to detect anomalous behavior.
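As an added example (not part of the original study), the following Python script shows the kind of early-detection rule the prevention list calls for: it flags a host that contacts many distinct LAN neighbours on TCP 445 within a short window, which is the scanning behaviour described in section 3. The flow-log format and the IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                    # SMB: the service Eternal Blue targets
DISTINCT_TARGET_THRESHOLD = 10    # distinct hosts contacted on 445 ...
WINDOW = timedelta(seconds=60)    # ... within any 60-second period

def parse_line(line):
    """Parse a constructed flow-log line 'ISO-timestamp src_ip dst_ip dst_port'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_smb_sweeps(lines, threshold=DISTINCT_TARGET_THRESHOLD, window=WINDOW):
    """Return {src_ip: time_of_first_alert} for every source that reaches
    `threshold` distinct destinations on TCP 445 inside one `window`.
    A client talking repeatedly to one file server (few distinct destinations)
    is normal and is not flagged; a fan-out across the LAN is."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()                 # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1         # drop events older than the window
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = evs[end][0]
                break              # one alert per source is enough
    return alerts

# Constructed sample log (not real Telefónica data): 10.0.0.5 plays the
# infected workstation sweeping 12 neighbours on port 445 within 12 seconds;
# 10.0.0.9 is a normal client talking repeatedly to one file server.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(12)]
    + [f"2017-05-12T10:{i:02d}:00 10.0.0.9 10.0.0.50 445" for i in range(15)]
    + ["2017-05-12T10:00:05 10.0.0.9 10.0.0.60 80"]   # non-SMB traffic, ignored
)

if __name__ == "__main__":
    for src, when in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()}: {src} is sweeping the LAN on TCP 445")
```

The threshold and window are tuning knobs; in a real SOC they would be set from a baseline of normal SMB fan-out per host, and the alert would trigger the isolation step Telefónica eventually took by hand.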