Over the weekend, a WannaCry decryption tool was released by parties unknown. While the tool has saved some people, it’s not always effective.
According to The Hacker News, Adrien Guinet, a security researcher at Quarkslab, found a flaw in the way WannaCry operates that allowed him to create a decryptor. WannaCry generates a key pair on the victim's computer, a public key and a private key used for encryption and decryption, and that key pair is built from two large prime numbers. Although WannaCry erases the private key from the system, which is what forces the victim to pay $300 in Bitcoin to the cybercriminals, there is a catch. Guinet found that the malware "does not erase the prime numbers from memory before freeing the associated memory."
That flaw, not any cooperation from the ransomware authors (aka "cyber-dirt bags"), is what made the decryption tool possible: if one of the primes can be found in memory, the private key can be rebuilt from it and the public key that the malware leaves behind. To use the tool, those prime numbers must still be sitting in the infected machine's memory, so the machine must not have been rebooted since the infection.
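To make the mechanism concrete, here is an added, self-contained illustration of the idea described above; it is not Guinet's tool and not code from the original post. A toy RSA key pair is generated, a constructed stand-in for a process memory dump is seeded with the two primes (stored little-endian, an assumption borrowed from Windows CryptoAPI), and a sliding-window scan looks for any chunk that divides the public modulus. One recovered prime is enough to rebuild the private exponent and decrypt a sample ciphertext. Key sizes are deliberately small so it runs in a second or two; the real malware uses much larger keys, but the arithmetic is identical.

```python
"""Rebuild an RSA private key from a prime left behind in memory.

Added demonstration, not Quarkslab's wannakey/wanakiwi. The "memory image"
is constructed inline, key sizes are small for speed, and the little-endian
prime layout is an assumption borrowed from Windows CryptoAPI.
Requires Python 3.8+ (pow(x, -1, m) for modular inverses).
"""
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def make_keypair(prime_bits, rng, e=65537):
    """Toy RSA key generation. Returns (n, e, d, p, q)."""
    while True:
        p, q = gen_prime(prime_bits, rng), gen_prime(prime_bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return p * q, e, pow(e, -1, phi), p, q


def build_memory_image(p, q, prime_bytes, rng, size=4096):
    """Constructed stand-in for a process memory dump: random filler with the
    two primes left behind, little-endian, at arbitrary offsets (assumption)."""
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    for prime, off in ((p, 1000), (q, 3000)):
        mem[off:off + prime_bytes] = prime.to_bytes(prime_bytes, "little")
    return bytes(mem)


def scan_for_factor(mem, n, prime_bytes):
    """Slide a window over memory and return the first value that divides n.
    No primality test is needed: any non-trivial divisor of n is p or q."""
    for off in range(len(mem) - prime_bytes + 1):
        cand = int.from_bytes(mem[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_key(n, e, p):
    """Rebuild the private exponent d from the public key (n, e) and one prime."""
    q = n // p
    assert p * q == n, "candidate is not a factor of n"
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=1234, prime_bits=256):
    """End to end: key pair -> ciphertext -> 'dump' -> recovered key -> plaintext.
    Returns True when the key rebuilt from memory decrypts correctly."""
    rng = random.Random(seed)
    n, e, d, p, q = make_keypair(prime_bits, rng)
    prime_bytes = prime_bits // 8
    # Constructed stand-in for a secret the malware protected with the victim's public key.
    secret = rng.getrandbits(128)
    ciphertext = pow(secret, e, n)
    mem = build_memory_image(p, q, prime_bytes, rng)
    found = scan_for_factor(mem, n, prime_bytes)
    if found is None:
        return False
    d_recovered = recover_private_key(n, e, found)
    return d_recovered == d and pow(ciphertext, d_recovered, n) == secret


if __name__ == "__main__":
    print("recovered key decrypts:", demo())
```

The scan is what makes or breaks recovery: it only works while the freed buffer holding the prime has not been overwritten or the machine rebooted, which is exactly the tension with the "power it off" advice discussed below.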
This is great, right?
This is where things get a bit fuzzy. Per our own ransomware guidance, the first step in any ransomware attack is to isolate the infected machine and confirm that the ransomware is present. If it is, the best course of action is to power off the machine and begin the recovery of clean files and applications from your most recent “clean” backup (or better yet, spin up a clean VM to recover your apps in minutes).
Unfortunately, this is the problem. Powering off the infected machine clears its memory, including the prime numbers the decryption tool needs to rebuild the key.
Backups and DRaaS are a huge help here. If you can get the decryption tool working, restoring the data set from a secondary location (as painful as that may seem) and running the decryption tool against that copy prevents the proverbial snake from biting its own tail, assuming the infection hasn't spread further.
Stop Kicking the Can
Patching and decryption tools are important, but they don't get you on the front foot.
Companies of all stripes need a more comprehensive data protection plan that addresses the blocking-and-tackling security best practices: regular patching, AV protection, and offsite backup. But that's not good enough. You should also train your users to recognize phishing attacks, since most ransomware is still spread that way (WannaCry notwithstanding, as it spread on its own as a worm). Finally, you need a Plan B that lets you quickly recover your files and running systems when you're infected. This is the sweet spot of DRaaS.
Over the weekend, The Economist published a great article entitled: “WannaCry should make people treat cyber-crime seriously.” This quote struck a chord with me:
“Despite the flurry of headlines, WannaCry is not the worst malware infection the world has seen. Other worms—Conficker, MyDoom, ILOVEYOU—caused billions of dollars of damage in the 2000s. But Bruce Schneier, a noted independent security expert, points out that people seem to have a fundamental disregard for security. They frequently prefer to risk the long-term costs of ignoring it rather than pay actual cash for it in the present.”
No one cybersecurity company has THE answer. Instead, modern businesses must rely on a best-of-breed, multi-pronged approach. So, if you're looking for long-term guidance, or for ways to address the problem here and now and reduce the protracted downtime associated with most ransomware attacks, let's talk. Soon.
Aaron Jordan, Infrascale Sales Engineer
Aaron Jordan is a Sales Engineer and Sr. Technical Support Manager at Infrascale, maniacally focused on helping our customers eradicate downtime, data loss and ransomware.