Advertise with us

Home Op-Ed Attack reveals anatomy of malware

Attack reveals anatomy of malware

E-mail Print
AddThis Social Bookmark Button

Invaders seek ransoms for data restoration
by Peter Vogel


For what was surely one of the bigger security events of recent years, media outlets could hardly contain themselves when it came to reporting details of what has generally come to be known as the WannaCry attack.

No wonder. WannaCry (derived from the WannaCryptor name of the exploit code) struck, in very short order, around a quarter million computers across more than 150 countries.

Television and print media ran lead stories for several days after the first details emerged from Europe, where headlines focused on compromised computer systems in various United Kingdom hospitals. Also particularly heavily hit were computer systems across Russia.

It was this aspect of hospital systems being inaccessible that produced one key piece of misinformation, namely that the WannaCry attack code targeted computers with older versions of the Windows operating system.

While computers using the 2001-era vintage XP operating system were struck, we now know that more than 95% of the infected and compromised machines were running the newer, and still current, Windows 7 operating system.

Some reports claimed that the Windows 10 operating system was immune to the WannaCry attack. In part that is true. The SMB vulnerability that allowed WannaCry to spread does not exist on Windows 10 boxes, which would not spread the attack and are immune from attack by other boxes on the same network. However, a user of a Windows 10 box can corrupt his or her files by opening and enabling the macros for the phishing email that initially triggered the attacks.

Word of a potentially serious, fast-spreading attack on machines running Microsoft’s operating systems first emerged the morning of May 12. By 11 a.m. PDT, I’d already shown students in my computer classes various news reports from Europe and had sent out a general warning to my colleagues.

Shortly after, it became clear that this was a ransomware attack with a twist. It required just one person in a corporate network to open a specially crafted email containing the WannaCry malware and it would then spread to all other machines in the same network, assuming they did not contain the recently released patch to combat such peer-to-peer action.

Attacked machines had their user files encrypted and WannaCry would also look for files to encrypt on network folders and on any locally attached USB sticks.

In short, in typical ransomware fashion, Wannacry tried to wreak havoc and cause panic, and, in cases where there were no available backups, provoke users to pay a bitcoin ransom to supposedly receive a digital key that would restore the otherwise lost content.

Researchers quickly dissected key parts of the attack code and publicly posted the three Bitcoin wallets where ransom payments were being made. Over the several days my students and I followed these wallets we were able to see payments of $300 and $600 US-equivalent being made.

Victims of the attack were told they would have three days or so to pay the $300 amount, doubling each day until after seven days it would no longer be possible to remove the encryption from the frozen files.

Within a week the WannaCry issue had spread around the world. Because of time zone differences, giving technicians time to take protective measures, the impact became less as the attack attempts moved eastward.

One researcher found that it was in fact possible to recover from the encryption using data that remained in the memory of infected machines. However, this recovery depended on the machine having been left on after an attack. Unfortunately, a common instruction from network technicians had been to power off affected machines in an attempt to stave off spreading the malware to other machines.

As the seriousness of the attack became obvious, Microsoft took the unusual step of rolling out a patch for older versions of its operating system and sent notices to all its corporate contacts.

Numerous government agencies around the world still run XP. Many are paying for custom support for these legacy systems and received the relevant patch. What was unusual here is that the support was extended to those not paying for such custom support.

Of course the patch will not restore files that have been encrypted by the attack. There is also no guarantee that a ransom payment will restore your files.

As of press time, WannaCry had netted its perpetrators in excess of US$100,000. Relatively small potatoes, but almost surely a harbinger of worse attacks in the near future.

Follow me on Facebook ( and on Twitter (



Last Updated on Wednesday, 14 June 2017 09:52  

Dear reader,

Due to an unmanageable amount of spam and abusive messages, we are no longer able to offer the comment function on our website. We respect the principle of public debate and remain committed to it. Please send us a note at and visit us in the near future when we have finished building our new website — at which point the comment function will be restored.

Kind regards,

The B.C. Catholic






Salt and Light Webcast
  Courtesy of Salt & Light Television

Click image to watch Video
Medieval Gem - UBC acquires papal bull

Click image to watch Video
Paul Goo's Diaconate Ordination

Click image to watch Video
Thank You John Paul II



4885 Saint John Paul II Way Vancouver BC V5Z 0G3   Phone: 604 683 0281 Fax: 604 683 8117
© The B.C. Catholic

Informing Catholics in Canada since 1931