5/18/2017
11:30 AM
Gary Warner
Commentary

WannaCry: Ransomware Catastrophe or Failure?

Using Bitcoin payments as a measure, the WannaCry attack is not nearly as profitable as the headlines suggest. But you should still patch your Windows systems and educate users.

WannaCry (or WannaCrypt) is being called the "worst cyberattack in history," or at least the "biggest ransomware offensive in history," but those headlines just don't line up with reality.

Despite public reports that as many as 300,000 computers in 150 countries have been infected with the malware, the pattern of delivery, destruction, and payment normally observable in a ransomware attack is largely missing. Phishing emails have been the primary delivery method for almost all other ransomware attacks to date. With this attack, the initial delivery method is still under debate, but the main spreading mechanism is Server Message Block (SMB), the protocol Windows computers use to share files with each other. By exploiting a flaw in SMB, a single infected computer can infect every other vulnerable machine on the same network with no user interaction at all, and the worm also scans random Internet addresses for more targets. But is the attack size being touted in the media accurate? And is this really about ransomware? After some very frightening initial headlines, the story just doesn't hold up to deeper inspection.

This is partly because the malware was neutralized by a 22-year-old British malware researcher. Malware authors try to detect researchers by checking whether the malware is running in a simulated network environment. One such test is for the malware to ask the computer it is running on, "Can you reach this non-existent website?" If it can, the malware assumes it is running in a simulated network, where researchers route every Internet request to monitoring stations they control. (For those who do malware analysis: think ApateDNS redirecting everything to iNetSim.)

Figure 1 - WannaCry code calling non-existent domain 
Source: PhishMe

By registering the "non-existent" domain the malware used for its test, the researcher made the address resolvable for every Internet user. The malware then concluded that everyone was in a simulated network and exited without encrypting anything, since anyone who could reach the domain was presumably a researcher. One caveat: this kill switch only protects machines that can actually reach the domain. A host with no direct Internet access, or one that sits behind a proxy the malware's check does not use, never gets the "you are in a sandbox" answer and is encrypted anyway. For the same reason, blocking the domain at your perimeter makes things worse, not better.

The researcher, who guards his anonymity fiercely because he routinely ruins the lives of criminals, shares his intelligence here and blogged about his discovery here.

The high count of "infected" computers is actually the number of computers that were made to try to reach the formerly non-existent domain. Analysis of the code shows that if that domain is reached, the malware simply terminates itself and never encrypts a file. Perhaps these would be better counted as infection attempts rather than infections. That said, a host that got as far as running the dropper was still exploited over SMB: it remains unpatched and may still carry the DoublePulsar backdoor the exploit installs, so it needs the MS17-010 patch and a reboot, not just a sigh of relief.

Payments Don't Add Up
The over-reporting of the malware is further confirmed by looking at the payment method. As far as researchers know, the samples hardcode only three bitcoin addresses:

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

After reviewing hundreds of screen shots and talking to dozens of other researchers, no one has seen any other bitcoin address used by this malware since this round of the attack began on May 12th.

By looking up the addresses above at https://blockchain.info/ you can see how many payments have been made to each address and how many bitcoins they total. For example:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
(As of May 17, 2017 12:50 PM Eastern: 109 transactions totaling 16.75 bitcoins)

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
(As of May 17, 2017 12:50 PM Eastern: 95 transactions totaling 16 bitcoins)

https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
(As of May 17, 2017 12:50 PM Eastern: 84 transactions totaling 11.17 bitcoins)

That’s only 288 payments totaling 43.92 bitcoins.

Bitcoin is currently trading at a near all-time high of about $1,830 per bitcoin, which puts the entire take at roughly $80,000. If there really were 300,000 victims, that wouldn't make any sense: fewer than one-tenth of one percent of them would have paid, and certainly more victims than that pay up. IBM claimed last year that 70% of companies admitted to paying ransom to get their files back.

So, $80,000 seems a bit shy of a ransomware catastrophe. Heck, Hollywood Presbyterian alone yielded 40 bitcoins in a single ransomware incident in 2016. Want to discuss a ransomware catastrophe? Let's talk about Locky! Let's talk about Cerber! Let's talk about CryptoLocker! Remember that in Q1 2016 the FBI told CNN that ransomware had collected $209 million in ransom fees in that quarter alone.

WannaCry isn't even close. The organizations that did get hit hard were, in many cases, running outdated or unsupported Windows systems that had not been patched.

Where Are the 'Mixers'?
The other interesting thing is that criminals who extort money in Bitcoin normally begin laundering it immediately, through online services called "mixers" or by gambling it away in Bitcoin casinos that double as mixers. Bitcoin tracking services such as Elliptic, a company that helps law enforcement de-anonymize Bitcoin transactions, confirm that they can find no evidence of the Bitcoin received from ransomware victims being spent or cashed out. It is likely that the criminals are too frightened to touch their ill-gotten gains, knowing that there has never been closer scrutiny on a set of Bitcoin wallets than there is on these three right now.
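To make the accounting in the two sections above reproducible, here is an added example (my own code, not PhishMe's and not from the original article) that aggregates per-address wallet summaries for the three hardcoded addresses, converts the total to dollars at a quoted price, computes the implied payment rate against the claimed victim count, and flags whether any coins have left the wallets, which is the first sign that laundering through a mixer has begun. The JSON records are constructed to mirror the May 17 figures quoted above and follow the field layout of blockchain.info's /rawaddr/<address> endpoint as I know it (n_tx, total_received, total_sent, final_balance, all in satoshi); the optional fetch function assumes that endpoint is still served in that shape.

```python
"""Measure a ransomware campaign's take and cash-out from wallet summaries.

Added example; not code from the original article or from PhishMe.
"""
import json
import urllib.request
from decimal import Decimal, ROUND_HALF_UP

SATOSHI_PER_BTC = Decimal(100_000_000)

# The three addresses hardcoded in the WannaCry samples (as listed in the article).
WANNACRY_ADDRESSES = [
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
]

# CONSTRUCTED sample data, not a live capture. The shape is my assumption about
# blockchain.info's /rawaddr/<address> JSON: n_tx, total_received, total_sent and
# final_balance, all in satoshi. Amounts mirror the article's May 17, 2017 figures.
SAMPLE_RESPONSES = {
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94": {"n_tx": 109, "total_received": 1_675_000_000,
                                           "total_sent": 0, "final_balance": 1_675_000_000},
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw": {"n_tx": 95, "total_received": 1_600_000_000,
                                           "total_sent": 0, "final_balance": 1_600_000_000},
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn": {"n_tx": 84, "total_received": 1_117_000_000,
                                           "total_sent": 0, "final_balance": 1_117_000_000},
}


def satoshi_to_btc(satoshi):
    """Exact conversion; never use float for money you intend to quote publicly."""
    return Decimal(satoshi) / SATOSHI_PER_BTC


def fetch_address_summary(address, timeout=10):
    """Fetch one live summary (assumes the blockchain.info rawaddr endpoint)."""
    url = f"https://blockchain.info/rawaddr/{address}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def summarize(addresses, responses):
    """Aggregate per-address summaries into campaign totals and spend indicators.

    While total_sent is zero, n_tx counts only incoming transactions, so it is a
    fair proxy for the number of ransom payments.
    """
    rows = []
    for addr in addresses:
        r = responses[addr]
        rows.append({
            "address": addr,
            "payments": r["n_tx"],
            "received_btc": satoshi_to_btc(r["total_received"]),
            "spent_btc": satoshi_to_btc(r["total_sent"]),
            "balance_btc": satoshi_to_btc(r["final_balance"]),
        })
    return {
        "rows": rows,
        "payments": sum(row["payments"] for row in rows),
        "received_btc": sum((row["received_btc"] for row in rows), Decimal(0)),
        "spent_btc": sum((row["spent_btc"] for row in rows), Decimal(0)),
    }


def take_in_usd(btc, price_usd):
    """Dollar value of the take at a quoted spot price, rounded to cents."""
    return (Decimal(btc) * Decimal(price_usd)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def payment_rate(payments, claimed_victims):
    """Fraction of claimed victims who paid: the sanity check the article applies."""
    return Decimal(payments) / Decimal(claimed_victims)


def cashout_status(summary):
    """Has any money left the wallets? Outbound spend is the first laundering signal."""
    if summary["spent_btc"] == 0:
        return "no cash-out observed"
    return f"funds moved: {summary['spent_btc']} BTC spent"


def report(addresses=WANNACRY_ADDRESSES, responses=SAMPLE_RESPONSES,
           price_usd="1830", claimed_victims=300_000):
    """Human-readable summary; pass live responses to re-run the measurement."""
    s = summarize(addresses, responses)
    lines = [f"{r['address']}: {r['payments']} payments, {r['received_btc']} BTC"
             for r in s["rows"]]
    lines.append(f"total: {s['payments']} payments, {s['received_btc']} BTC "
                 f"(~${take_in_usd(s['received_btc'], price_usd)} at ${price_usd}/BTC)")
    lines.append(f"implied payment rate: {payment_rate(s['payments'], claimed_victims):.3%}")
    lines.append(cashout_status(s))
    return "\n".join(lines)


if __name__ == "__main__":
    # For live numbers: report(responses={a: fetch_address_summary(a) for a in WANNACRY_ADDRESSES})
    print(report())
```

Run it on a schedule and diff the `cashout_status` line: the moment `total_sent` becomes non-zero on any of the three addresses, the "too frightened to touch it" theory above is falsified and the laundering trail begins.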

Or is it possible that no financially motivated criminal is behind this attack at all? Could it be merely an attempt to discredit the U.S. intelligence agency, the NSA? Part of the drama is that, according to Russian security firm Kaspersky Lab, and confirmed by others, the ransomware spreads via an SMB exploit attributed to the NSA under the code name "EternalBlue" and leaked to the world by the "Shadow Brokers" on April 14th, a month after Microsoft had patched the underlying vulnerability in security bulletin MS17-010. Because Windows XP had reached end of life, security patches were no longer being created for it, which is part of why XP systems have been reported as infected at a far greater rate than other Windows versions. Microsoft has now issued an emergency patch for XP.

A Warning Shot
Whenever the entire world freaks out about security, we have an opportunity as security practitioners. When every CEO, CSO, CISO, CIO and CRO on the planet is thinking about a cyberattack, questions will certainly be asked, such as "Would this have impacted us?" or "Do you need anything to be safer?" This is not the time to buy a new shiny toy to put on your shelf, but it is the time to review your security practices.

In this situation, a patch released on March 14th, 2017 would have saved your organization from a May 12th cyberattack. What is your timeline for deploying an urgent security patch across your entire organization? If it is anywhere near two months, or longer, use this as an opportunity to shorten it.

In this situation, Windows XP anywhere on your network could have a devastating impact. Use this as a time to fight. Whatever reason someone has given you for "why we still must have XP," fight them on it. Use this as an opportunity to insist that obsolete software be migrated away. If it's a budgetary constraint, demand the budget. If it's considered an irreplaceable piece of legacy special-purpose hardware, demand a replacement anyway, or at least a thorough penetration test proving that the XP system is truly network-isolated from everything, starting with TCP port 445 from every other segment.
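A quick first pass at the isolation test the paragraph above calls for is to ask every candidate host, from an ordinary workstation segment, whether it still answers SMBv1 on TCP port 445. The added example below (my own code, not from the original article or from PhishMe) hand-builds an SMB1 Negotiate Protocol request offering only the "NT LM 0.12" dialect, sends it, and classifies the reply; the sample replies embedded for offline use are constructed, not captured. A host that accepts the dialect is reachable and still speaks the protocol WannaCry spreads over, which is exactly what "network-isolated" should rule out. Note the limit of the check: a patched host with SMBv1 still enabled answers the same way, so a positive result proves exposure, not the presence of the MS17-010 flaw.

```python
"""Probe hosts for SMBv1 exposure on TCP/445.

Added example; not code from the original article. Builds a raw SMB1 Negotiate
Protocol request (single dialect "NT LM 0.12") and classifies the server's answer.
"""
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"
NO_DIALECT_ACCEPTED = 0xFFFF


def nbss(message):
    """Wrap an SMB message in a NetBIOS session service header (type 0, 24-bit length)."""
    return struct.pack(">I", len(message)) + message


def smb1_header(flags=0x18):
    """32-byte SMB1 header for a negotiate command. flags 0x18 = request, 0x98 = reply."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,            # NT status
        flags,        # canonicalized paths, case-insensitive (0x80 set on replies)
        0xC853,       # Flags2: unicode, NT status codes, extended security, long names
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures / signature
        0,            # Reserved
        0,            # TID
        0xFEFF,       # PIDLow
        0,            # UID
        0,            # MID
    )


def build_smb1_negotiate():
    """Negotiate request advertising only the NT LM 0.12 dialect."""
    dialects = b"\x02" + DIALECT_NT_LM_012 + b"\x00"
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    return nbss(smb1_header() + body)


def parse_smb1_negotiate_response(data):
    """Classify a raw reply (NetBIOS header included) to the negotiate request."""
    if len(data) < 4 + 32 + 3:
        return {"smb1": False, "reason": "short or empty reply (SMBv1 likely disabled)"}
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1": False, "reason": "not an SMB1 negotiate reply"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"smb1": False, "reason": "negotiate failed", "status": status}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == NO_DIALECT_ACCEPTED:
        return {"smb1": False, "reason": "server rejected the SMB1 dialect"}
    return {"smb1": True, "dialect_index": dialect_index, "word_count": word_count}


# CONSTRUCTED replies for offline use. A server still speaking SMBv1 answers with
# WordCount 17 and DialectIndex 0 (our only dialect was accepted); a server that
# refuses every offered dialect answers with WordCount 1 and DialectIndex 0xFFFF.
SAMPLE_SMB1_REPLY = nbss(smb1_header(flags=0x98) + struct.pack("<BH", 17, 0))
SAMPLE_SMB1_REJECT = nbss(smb1_header(flags=0x98) + struct.pack("<BH", 1, NO_DIALECT_ACCEPTED))


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the negotiate, and classify the outcome for one host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            data = s.recv(1024)  # Windows with SMBv1 off resets or closes here
    except OSError as e:
        return {"host": host, "smb1": False, "reason": f"no connection: {e.__class__.__name__}"}
    result = parse_smb1_negotiate_response(data)
    result["host"] = host
    return result


def sweep(hosts, workers=32):
    """Probe many hosts in parallel; returns only those still answering SMBv1."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe_smb1, hosts))
    return [r for r in results if r["smb1"]]


if __name__ == "__main__":
    import sys
    # Usage: python smb1_probe.py 10.0.5.20 10.0.5.21 ...   (hosts you are authorized to test)
    for hit in sweep(sys.argv[1:]):
        print(f"{hit['host']}: SMBv1 accepted (dialect index {hit['dialect_index']})")
```

Run it from a segment that is supposed to have no path to the legacy hosts; any host that comes back as "SMBv1 accepted" is neither isolated nor hardened, and belongs at the top of the migration list.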

Remember that most of the ransomware that is actually being paid out is still delivered by phishing email. Make sure your employees know what to do when they see a suspicious email. If you don't have a way to convert your employees from "the weakest link in the chain" into empowered "security sensors" feeding internal attack intelligence to your response teams, then review your internal practices.

Gary Warner is one of PhishMe's elite cybercrime researchers, where his current research areas are malware analysis, social networks of cyber criminals, hate groups, and terrorists. Involved in cybersecurity since 1989, he began his career helping large organizations connect ...