Sites Inria

Version française

Cybersecurity

Aline Brillu - 2/06/2017

WannaCry, and afterwards?

Friday 12 May saw the start of a cyberattack of global proportions that disrupted thousands of businesses across the world. This unprecedented wave has been closely examined by Inria's two High Security Computing Laboratories (LHS). Jean-Louis Lanet, head of the LHS in Rennes and member of the TAMIS team and Frédéric Beck, research engineer with the Experimentation and Research department at Inria Nancy and technical manager of the Lorraine LHS, provide us with their insight.

Can you tell us about the WannaCry ransomware?

Jean-Louis Lanet

Jean-Louis Lanet: The WannaCry malware is very classic ransomware that consists in “taking hostage” access to an operating system, a browser or your hard drive until a ransom is paid. Ransomware is not a recent phenomenon at all, since the first of its kind - the AIDS Trojan - dates from 1989, however the phenomenon exploded with advances in encryption and the development of alternative currencies such as Bitcoins. Today, it is very easy and very profitable to launch an attack of this type, and the probability of being caught in the act is close to zero.

Frédéric Beck: The WannaCry attack is not a particularly sophisticated one. It is a formula that relies on three components: The first is Eternal Blue, a tool "stolen" from the NSA that exploits a breach in an old Windows protocol used for file sharing. The second component is the "back door" Double Pulsar which, as its name suggests, operates like a back door. Finally, there is the malware itself, which uses Eternal Blue in order to gain entry to your system and Double Pulsar to remain there for as long as it needs...it isn't that complicated!

There seem to have been a lot of victims of WannaCry... How many up to now?

F.B.: We are talking about 200,000 machines infected in 150 countries. It is therefore a large-scale attack, which earned it this unprecedented media coverage. As for the spoils, they appear quite modest in comparison, amounting to around $100,000 in total, at a rate of 0.14 Bitcoins ($300) per ransom paid.

J.-L.L: What is most worrying about this affair is the ease with which the malware was propagated when basic precautions - up-to-date operating systems and software, a reliable security solution and regular back-ups - will have sufficed to keep it at bay. The extent of the damage says a lot about the current level of awareness...

We have seen that very large organisations were affected, can this type of attack put nations' security at risk?

F.B.: Fortunately, this ransomware is not terribly advanced, and it could have caused much more damage. On the other hand, there is more to fear from targeted attacks, or imitators of the Mirai botnet which was in the news last October by using 150,000 connected objects to carry out violent denial-of-service attacks. By bringing down Dyn, a powerful American domain name resolution service provider, it succeeded in blocking access to Dyn's customers, including Twitter, Spotify, Paypal...Botnets are threats that must be taken very seriously due to their huge destructive potential (distributed denial-of-service, propagation of ransomware, information theft...), and those like Mirai in particular, as they exploit connected objects - the weak linkspar excellencedue to the lack of vigilance of most of their users.

In Nancy and Rennes, the two Inria High Security Computing Laboratories are focusing directly on issues relating to cybersecurity. Can you tell us about their activities?

J.-L.L: Our two laboratories, created in 2008 in Nancy and 2014 in Rennes, are complementary. In Rennes we focus, as a priority, on virology - moreover, the TAMIS team includes a PhD student whose thesis is devoted to ransomware. With this in mind, we have developed a ransomware analysis infrastructure that includes, in particular, deliberately vulnerable computer workstations operating like honeypots. The idea is to allow them to get infected in order to be able to analyse, a posteriori, the modus operandi of the attacks.  Moreover, these honeypots witnessed the passage of WannaCry...and that of many of its descendants, because it is important to realise that we see new malware arriving every day!

F.B.: In Nancy, priority is given more to research work on securing networks and exchanges, but also the analysis of malicious codes. One of the LHS's missions is to observe Internet "background noise" in order to try to detect - as early as possible - unusual activities by taking an interest in the weak signals that reach us via probes we have placed pretty much everywhere on the Internet. We also have a honeypots system and, like our colleagues in Rennes, we have been able to closely follow the WannaCry propagation wave. Today we are mainly working in "post mortem" mode, but in the near future would like to move closer to real-time analysis, given that ideally we would like to be capable of detecting attacks before they happen. Moreover, we are preparing to launch a project on this subject with several university partners.

Talking of which, what is your strategy with regard to partnerships? Are you in contact with the authorities in charge of cyberdefence?

J.-L.L:  As far as we are concerned, the partnership aspect is essential! Indeed, the Rennes LHS was set up as part of the cyberdefence agreement aiming, in particular, to make the Brittany region the cyber excellence cluster. As such, the structure is supported by four actors: Inria, the French higher education and research institute CentraleSupelec, the regional council Région Bretagne and the Direction Générale de l'Armement (French Defence Equipment and Support Agency) with whom we are in constant contact, in particular as soon as a major crisis arises. Far from being limited to fundamental research, we are also working with a company that designs antiviruses as part of an industry transfer approach.

F.B.: For our part, we are in direct contact with the National Cybersecurity Agency of France (ANSII) - which manages national cyberdefence strategy on behalf of the French prime minister - as well as with the CERT Renater, the computer emergency and response team of the National Telecommunications Network for Technology, Teaching and Research. Like our colleagues in Rennes, we are also extremely involved in industry transfer with the creation of two Inria start-ups originating from the Lorraine LHS, Lybero.net and Cyber-Detect. Moreover, a few days ago, the latter was the first to model the Adylkuzz malware, which uses the same security breach as WannaCry but in a more discrete way in order to "mine" cryptocurrency. I would like to take the opportunity of this interview to remind everyone of the importance of good computer hygiene: it is vital to keep your operating system and your antiviruses up-to-date!   

Top