Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

// // //
5/17/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

WannaCry: How the Notorious Worm Changed Ransomware

This week marked the one-year anniversary of the WannaCry ransomware attacks and its impact can still be seen in the form of such encrypting malware as NotPetya, BadRabbit and Olympic Destroyer.

It was just over a year ago that the WannaCry malware stormed across the globe, infecting hundreds of thousands of vulnerable Windows PCs, throwing the operations of such major organizations as the UK National Health Service, car makers Nissan Renault, delivery company FedEx and mobile communications giant Telefónica into disarray, and putting the world on notice about the threat of ransomware.

The fast-spreading worm essentially encrypted the files, documents, photos and any other data on the victim's computer and displayed a note saying that only the attackers' decryption service could restore access to the files.

In return they demanded $300 in Bitcoin be sent to an address within three days.

Don't pay within a week, and the files would be deleted.

The WannaCry threat didn't last long. The security community reacted quickly, and within days a kill switch was discovered and activated, essentially rendering the malware toothless by ensuring that it couldn't decrypt files on systems it was attacking.

That doesn't mean it's still not out there.

(Source: iStock)
(Source: iStock)

There are still about 2.3 million devices with the Window SMBv1 (Server Message Block) exposed to the Internet, the primary avenue WannaCry took into the systems, according to Juniper Threat Labs. And in March, a Boeing aircraft plant was hit by a cyber attack that appeared to be related to WannaCry. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

At the same time, the industry is still feeling the effects of WannaCry a year later. Ransomware remains a problem, though some researchers are seeing a decline in instances, and creators of newer malware took the lessons learned from WannaCry to create such threats as NotPetya, BadRabbit and Olympic Destroyer. The ransomware also put a spotlight on the need for such capabilities as segmentation and advanced endpoint security, and the reasons researchers urge organizations to reduce the exposure of their systems. (See Ransomware: Still a Security Threat & Still Evolving.)

WannaCry may have been effectively neutralized, but the repercussions continue.

The rise of WannaCry
"At a really high level, the reason why WannaCry was so effective what that it was the first time someone had combined a ransomware payload with a network vector," Craig Williams senior threat researcher and global outreach manager for Cisco Talos, told Security Now. "In this particular case, the network vector was what we call EternalBlue. It was an exploit leaked out of the Shadow Brokers release."

Bringing together the WannaCry encrypting malware with the EternalBlue exploit enabled the ransomware to spread rapidly in worm-like fashion. It targeted vulnerable PCs with the Internet-facing SMBv1 ports and, once inside, searched for and spread to machines with similar vulnerabilities that were part of the network.

"WannaCry was a big deal because the victims numbered in the millions and the effects were devastating," Mounir Hahad, head of Juniper Threat Labs, told Security Now in an email. "Technically speaking, it also dawned an era where ransomware can now cross network boundaries and jump countries. It was an effective combination of crypto-ransomware and worm capabilities."

Before WannaCry, ransomware typically needed someone to do something -- opening up an email or going to a website, thus unintentionally letting the malware into the system. This made it difficult for the ransomware to cross network boundaries, Williams said.

In 2016, the SamSam malware became the first to use a network vector, but it wasn't automatic. It still required the attacker to spread the malware around. However, it showed researchers the impending threat of criminals making a piece of malware into an automated worm that could spread rapidly. The WannaCry creators did just that.

It also was the first major new worm seen in the past ten years, since the days of Conficker and Slammer, putting the industry on notice that worms were still around.

Deconstructing WannaCry
However, WannaCry, for all the chaos it caused and anxiety it produced, wasn't the best piece of malware. There were problems with it. For one, it couldn't correlate who paid the ransom and who didn't, so not everyone who paid received the decryption key. It also wasn't stealthy, it spread across the Internet in a haphazard fashion and it had a broken scanning algorithm, which meant it didn't spread as fast as it could have, Williams said. It also had a narrow attack surface, targeting only certain versions of Windows.

And it also had the kill switch.

"The worst piece from a malware standpoint was the idea of the kill switch, which really doesn't make any sense from any security perspective," Williams said. "Effectively what it let people do was turn off the malware which is what happened. So from a practical standpoint, WannaCry was not super successful. WannaCry was more of a proof-of-concept of what may be possible as far as combining data destruction malware with network vectors."

That said, there was pain. Dan Wiley, head of incident response at Check Point, told Security Now that it didn't hit a large number of organizations, so it wasn't as large a problem as many may think. However, "the damage that it did do to the ten or 20 major corporations that were hit with it was pretty dramatic," Wiley said.

Next page: The lasting effects of WannaCry

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-25936
PUBLISHED: 2023-01-30
Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.
CVE-2022-25967
PUBLISHED: 2023-01-30
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
CVE-2023-24622
PUBLISHED: 2023-01-30
isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.
CVE-2023-24623
PUBLISHED: 2023-01-30
Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
CVE-2022-48303
PUBLISHED: 2023-01-30
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace c...