Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

5/17/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

WannaCry: How the Notorious Worm Changed Ransomware

This week marked the one-year anniversary of the WannaCry ransomware attacks and its impact can still be seen in the form of such encrypting malware as NotPetya, BadRabbit and Olympic Destroyer.

It was just over a year ago that the WannaCry malware stormed across the globe, infecting hundreds of thousands of vulnerable Windows PCs, throwing the operations of such major organizations as the UK National Health Service, car makers Nissan Renault, delivery company FedEx and mobile communications giant Telefónica into disarray, and putting the world on notice about the threat of ransomware.

The fast-spreading worm essentially encrypted the files, documents, photos and any other data on the victim's computer and displayed a note saying that only the attackers' decryption service could restore access to the files.

In return they demanded $300 in Bitcoin be sent to an address within three days.

Don't pay within a week, and the files would be deleted.

The WannaCry threat didn't last long. The security community reacted quickly, and within days a kill switch was discovered and activated, essentially rendering the malware toothless by ensuring that it couldn't decrypt files on systems it was attacking.

That doesn't mean it's still not out there.

There are still about 2.3 million devices with the Window SMBv1 (Server Message Block) exposed to the Internet, the primary avenue WannaCry took into the systems, according to Juniper Threat Labs. And in March, a Boeing aircraft plant was hit by a cyber attack that appeared to be related to WannaCry. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

At the same time, the industry is still feeling the effects of WannaCry a year later. Ransomware remains a problem, though some researchers are seeing a decline in instances, and creators of newer malware took the lessons learned from WannaCry to create such threats as NotPetya, BadRabbit and Olympic Destroyer. The ransomware also put a spotlight on the need for such capabilities as segmentation and advanced endpoint security, and the reasons researchers urge organizations to reduce the exposure of their systems. (See Ransomware: Still a Security Threat & Still Evolving.)

WannaCry may have been effectively neutralized, but the repercussions continue.

The rise of WannaCry
"At a really high level, the reason why WannaCry was so effective what that it was the first time someone had combined a ransomware payload with a network vector," Craig Williams senior threat researcher and global outreach manager for Cisco Talos, told Security Now. "In this particular case, the network vector was what we call EternalBlue. It was an exploit leaked out of the Shadow Brokers release."

Bringing together the WannaCry encrypting malware with the EternalBlue exploit enabled the ransomware to spread rapidly in worm-like fashion. It targeted vulnerable PCs with the Internet-facing SMBv1 ports and, once inside, searched for and spread to machines with similar vulnerabilities that were part of the network.

"WannaCry was a big deal because the victims numbered in the millions and the effects were devastating," Mounir Hahad, head of Juniper Threat Labs, told Security Now in an email. "Technically speaking, it also dawned an era where ransomware can now cross network boundaries and jump countries. It was an effective combination of crypto-ransomware and worm capabilities."

Before WannaCry, ransomware typically needed someone to do something -- opening up an email or going to a website, thus unintentionally letting the malware into the system. This made it difficult for the ransomware to cross network boundaries, Williams said.

In 2016, the SamSam malware became the first to use a network vector, but it wasn't automatic. It still required the attacker to spread the malware around. However, it showed researchers the impending threat of criminals making a piece of malware into an automated worm that could spread rapidly. The WannaCry creators did just that.

It also was the first major new worm seen in the past ten years, since the days of Conficker and Slammer, putting the industry on notice that worms were still around.

Deconstructing WannaCry
However, WannaCry, for all the chaos it caused and anxiety it produced, wasn't the best piece of malware. There were problems with it. For one, it couldn't correlate who paid the ransom and who didn't, so not everyone who paid received the decryption key. It also wasn't stealthy, it spread across the Internet in a haphazard fashion and it had a broken scanning algorithm, which meant it didn't spread as fast as it could have, Williams said. It also had a narrow attack surface, targeting only certain versions of Windows.

And it also had the kill switch.

"The worst piece from a malware standpoint was the idea of the kill switch, which really doesn't make any sense from any security perspective," Williams said. "Effectively what it let people do was turn off the malware which is what happened. So from a practical standpoint, WannaCry was not super successful. WannaCry was more of a proof-of-concept of what may be possible as far as combining data destruction malware with network vectors."

That said, there was pain. Dan Wiley, head of incident response at Check Point, told Security Now that it didn't hit a large number of organizations, so it wasn't as large a problem as many may think. However, "the damage that it did do to the ten or 20 major corporations that were hit with it was pretty dramatic," Wiley said.

Next page: The lasting effects of WannaCry

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28452
PUBLISHED: 2021-01-20
This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request ...
CVE-2020-28483
PUBLISHED: 2021-01-20
This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
CVE-2021-21269
PUBLISHED: 2021-01-20
Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more f...
CVE-2020-25686
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same...
CVE-2020-25687
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This...