WannaCryptor: chronicle of a disaster foretold (and it will not be the last). Here is what happened...

(by Ciro Metuarata)
05/06/17

In cyberspace, reality is rarely what it seems, and a cyber attack, even one that has made headlines for its planetary scope and the great damage it caused, can hide much more than its strictly technological or criminal aspects. The WannaCryptor case is no exception.

In general, when someone comes across, more or less by accident, a security vulnerability in an information system, they can react in two very different ways. The "good guys" share what they have discovered with the manufacturers, developers, security companies or institutions, either for free or in return for lawful compensation. The "bad guys", on the other hand, keep the vulnerability secret and exploit it to launch a cyber attack, or put it on the black market so that others can take advantage of it; in that case the gains are not legitimate. With WannaCryptor both things happened and pandemonium broke loose: more than 200,000 computers infected all over the world and rendered unusable at the same time. WannaCryptor caused serious problems mainly because it claimed many victims among company computers, in some cases used to control industrial processes. So it was a real disaster, even though there had been plenty of signs that something like this would happen, and we too, in our small way, had written about it at the beginning of the year (see article). After the media storm that followed, let us try to understand what happened, because the WannaCryptor story is only apparently a simple case of a successful cyber attack.

Almost a year ago, in August 2016, a new player burst onto the scene of hacker groups, claiming to fight for a world finally free of globalization: "The Shadow Brokers". The group, which appeared out of nowhere, announced itself by claiming credit for a real "hit": it had managed to steal sensitive material belonging to another hacker group, known as "Equation Group" and believed to be linked to the United States National Security Agency (NSA). Soon afterwards, information about the stolen material began to circulate, namely computer vulnerabilities and hacking tools attributable to the intelligence agency which, once analyzed, led experts to consider it authentic. Not only that: a first release of material, a sort of "taste", showed that The Shadow Brokers were serious. The group then put the entire package up for auction; however, having failed to reach their financial goals after months of bidding, the bad guys turned "good". On 8 April the group released free keys to access part of the "loot", as retaliation for the controversial US strike with 59 Tomahawk missiles on the Syrian base of Shayrat (see article). Shortly afterwards, on 14 April, The Shadow Brokers allowed free access to the entire package, and what immediately emerged is that it contained a piece of malware, DoublePulsar, which exploited a serious security vulnerability in both the client and server versions of Microsoft Windows, known as EternalBlue. In practice, EternalBlue was the "gateway" into the computer, while DoublePulsar, once installed through EternalBlue, was able to download other malware and independently infect other computers on the network. Microsoft, in fact, had already released the security update for its operating systems a month earlier. So, a story with a happy ending? Quite the contrary.
In April, the destinies of The Shadow Brokers and WannaCryptor fatally crossed: the Microsoft update had not yet been installed by thousands of users, and for a few months a particularly hateful new generation of ransomware had been making a name for itself: the crypto worms.

In general, crypto worms are able to replicate silently across the network, starting from a single infected computer, until, at a certain moment, they encrypt all the disks, even the removable ones. To receive the key to decrypt them you must pay a ransom, but often the key is never actually provided. In this context, on 10 February a wave of attacks was recorded by a crypto worm that was then still unknown and that caused serious problems. Christened WannaCryptor, the new malware was attributed to the hacker group known as Lazarus Group. On 27 March a second wave of attacks was recorded. Then, as mentioned, in April The Shadow Brokers released the EternalBlue code, and on 12 May WannaCryptor, evidently modified to exploit this latest vulnerability, struck hard. It was panic: more than 200,000 computers blocked all over the world and a great many private, public and industrial activities compromised. A few days later, instructions for paying the ransom appeared on the screens of the infected computers, and it seems that only a few actually did so. Surprisingly, it seems that those who launched the attack have not withdrawn the loot from the bitcoin account indicated for paying the ransoms. The reason is not clear; in any case, a planetary "manhunt" began immediately, but it has not yet led to concrete results. Some analysts are betting on a Chinese lead, but attributing a cyber attack is always difficult, and thanks to the WikiLeaks revelations (see article) it is now clear that tools for misdirecting investigations are available.
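The silent replication phase described above is the point at which a crypto worm is still detectable before anything is encrypted: one infected host suddenly opens connections to many distinct peers. The following detector is an added example, not code from the article or from any of the projects it mentions; it assumes a simple constructed connection-log format, and it watches TCP port 445 because EternalBlue targets Windows SMB, which the article does not spell out.

```python
"""Flag worm-like lateral spread in connection logs (added example).

A crypto worm replicates from one infected machine to many others before it
encrypts anything, so a single internal host fanning out SMB connections
(TCP/445, the service EternalBlue targets) to many distinct peers is an early
signal. Log format, window and threshold below are assumptions, not from the
article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # sliding window per source host (assumed)
THRESHOLD = 20                   # distinct peers within WINDOW (assumed)


def parse_line(line):
    # Assumed constructed format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_spread(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: first_alert_time} for hosts that contact at least
    `threshold` distinct peers on the SMB port within `window`."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


# Constructed sample: 10.0.0.5 fans out to 25 different peers within 25 s,
# while 10.0.0.9 talks repeatedly to a single file server (normal traffic).
SAMPLE = ["2017-05-12T10:00:%02d 10.0.0.5 10.0.0.%d 445" % (i, 100 + i)
          for i in range(25)]
SAMPLE += ["2017-05-12T10:00:%02d 10.0.0.9 10.0.0.200 445" % i
           for i in range(25)]

if __name__ == "__main__":
    for host, when in detect_spread(SAMPLE).items():
        print(f"possible worm spread from {host} at {when.isoformat()}")
```

On the constructed sample only 10.0.0.5 is reported, at the 20th distinct peer; raising the threshold above 25 silences it, which is how the parameters would be tuned against a site's normal SMB fan-out.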

What remains of this intricate story, in which we can recognize elements of technology, espionage, international politics, activism and crime? Surely, once again, it should be clear that the operating systems we buy, sometimes at a high price, are not as secure as they promise. Furthermore, it emerges that we do not pay much attention to what we choose to use (the options, despite what some would have us believe, are many) and, above all, that we do not keep it continuously updated or replace it when it is obsolete. On the other hand, however, some producers "churn out" new versions of their operating systems at a pace that, obviously, many cannot afford, whether they are individual private users or large public or private organizations. For example, Windows XP should by now be a memory, on display only in an imaginary museum of computing; instead, the WannaCryptor story has shown that it is still used by hundreds of thousands of users all over the world. A last consideration, which is also the most disturbing: it should now be clear that there is a serious problem of proliferation of "cyber weapons". Too often they escape the control of those who created them, which in most cases is somehow linked to a government, and end up in the wrong hands. In short, cyberspace increasingly resembles the mythical Wild West, but of honest sheriffs very few are to be seen in town. Meanwhile, there are already signs that foreshadow cyber attacks even worse than WannaCryptor, so it is every man for himself.

Sources:

http://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers
https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/
https://www.google.it/amp/s/www.wired.it/amp/180409/internet/web/2017/05/18/virus-adylkuzz-piu-furbo-di-wannacry/
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99
https://www.google.it/amp/www.bbc.co.uk/news/amp/40085241
http://www.datamanager.it/2017/05/timori-fondati-eternalrocks-peggio-wannacry/
