Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:40 PM
Eric P. Schlesinger
Eric P. Schlesinger
News Analysis-Security Now

WannaCry Was Just the Beginning

Petya proves that WannaCry is just the beginning of a new, far more serious type of cyberattack.

Ransomware isn’t a new topic for 2017. The recent outbreak of WannaCry across the globe has reinforced many of the predictions that were boldly projected by many security experts as 2016 came to a close. With an uptick of cyberattacks, ranging from botnets implanted on Internet connected devices, cybercrime-as-a-service and variants on ransomware too numerous to count, it is easier than ever to envision what the next evolution of ransomware could be as cyber criminals take what they just learned from the WannaCry attack and change its attack vector.

Here are a few predictions about what we could see in the second half of 2017:

More sophisticated ransomware
WannaCry is the first impactful ransomware that seemingly spread like a traditional malware worm through an organization’s network from within, without solely having to rely on a user to open an email or malicious attachment. This is a stark contrast to traditional ransomware where the sole purpose is to encrypt files only on the hard drive of the single machine where the infection originated, and any of the shared folders that are presented as network drives from a file server.

WannaCry certainly leveraged this replication feature, relying on a lack of urgency in many organizations to fail to upgrade from legacy Microsoft operating systems such as Windows XP or simply not deploying the relevant patch released in March to protect the supported operating systems. This "whistling through the graveyard" approach not only allowed the ransomware in but enabled it to produce an infinite number of copies of itself, propagating the infection from one end of a network to the other.

As ransomware becomes more sophisticated, it is not a stretch to think that it will begin to be able to move laterally within a network or leave hidden payloads that are undetectable with current malware and threat detection techniques, just waiting to activate and begin to spread again.

More platform-independent ransomware
WannaCry continues to expose the fact that ransomware is mostly a problem that exists for users of the Windows operating system. This should come as no surprise as Windows is the most widely used operating system in the world usually holding a commanding 90% of the desktop operating system market share.

The time is rapidly approaching where ransomware variants will become more platform independent, making the investment for cyber criminals to create ransomware that could impact the other major desktop operating systems such as Linux or Mac OS X more attractive.

As organizations begin to invest in the deployment of more heterogeneous environments, it is guaranteed that the attack vector will increase for these platforms as the enterprise desktop landscape evolves. Multi-platform ransomware will proliferate as a catch-all threat that will target non-Windows victims. Couple this with the false belief that a Linux or Mac OS X operating system is inherently more protected from malicious activity such as viruses and malware and a perfect storm is brewing.

More targeted ransomware
WannaCry, like most traditional ransomware, scanned and encrypted almost all non-system and non-executable related files that it found on the system it infected. This brute force methodology is focused on attacking any and all files, without any need to discern file type or size, as the ability to collect on the ransom demands is purely based on the victim’s perceived value of the data that is encrypted and ability to recover.

With that said, there are examples of newer variants of ransomware that are targeting non-traditional technologies making it even harder to detect, contain and recover from an attack. Recent examples of the malicious attacks that are erasing and replacing data with a ransom demand in databases powered by MongoDB and MySQL indicate that more targeted ransomware attacks are on the horizon.

There is no doubt that attackers will improve on their targeting techniques, performing reconnaissance and building out the most effective attack vector to impact specific technologies, all with the goal of disrupting critical systems that will force the target organization to pay the ransom.

More personal ransomware
WannaCry also brings into question the potential impact ransomware could have in conjunction with the rapid adoption of Internet-enabled hardware devices. The proliferation of the Internet of Things has introduced an army of mini computers running scaled-down versions of popular operating systems that connect to the Internet via low-range wireless technologies. These devices are just as vulnerable to ransomware and other computer threats yet are mostly ignored during vulnerability assessments and patching exercises.

Ransomware authors will begin setting their sights on vulnerable Internet-enabled hardware devices. The next evolution of ransomware will quickly move past the encryption of files and databases and will be replaced with extortion via disabling physical systems or medical devices.

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled, or a piece of malicious code locks up their brakes to cause an accident. A far worse situation is if ransomware begins targeting devices used in the medical community causing patients to have to pay if they want their embedded heart defibrillator or portable oxygen tank to keep working. The personal nature of these types of attacks could easily cause life or death situations.

More state-of-the-art techniques
WannaCry is just one example of the coming ransomware evolution that has generated a lot of news coverage, mainly because of how far and wide its reach was.

Unfortunately, cyberattacks will continue to evolve as cybercriminals' methods grow more advanced each year. But, as the problem continues, more state-of-the-art techniques developed by forward-thinking cybersecurity solution providers will adapt to meet the threat.

Groundbreaking counter-measures will emerge that include cutting-edge distributed storage architectures for rapid recovery, early warning detection systems that can identify and slow down a threat before it spreads and innovative protection technologies such as "cloaking" that can reduce the attack surface.

No one is absolutely safe
Chances are you know someone, or some organization, that has suffered a ransomware attack, and as seen with WannaCry, a breach can happen at any time. One thing that should become perfectly clear with its rapid propagation is that no individuals or organizations, regardless of their size, geographic location or industry, are safe from these types of security threats. A breach can happen at any time and it is up to every person to be aware of these threats and be cyber vigilant to help stop them from spreading.

Eric Schlesinger serves as Senior Vice President, Information Security, Polaris Alpha. He has more than 20 years of experience in infrastructure and operations management, focused on building efficient and scalable solutions.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...