Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

5/17/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

WannaCry: How the Notorious Worm Changed Ransomware

This week marked the one-year anniversary of the WannaCry ransomware attacks and its impact can still be seen in the form of such encrypting malware as NotPetya, BadRabbit and Olympic Destroyer.

It was just over a year ago that the WannaCry malware stormed across the globe, infecting hundreds of thousands of vulnerable Windows PCs, throwing the operations of such major organizations as the UK National Health Service, car makers Nissan Renault, delivery company FedEx and mobile communications giant Telefónica into disarray, and putting the world on notice about the threat of ransomware.

The fast-spreading worm essentially encrypted the files, documents, photos and any other data on the victim's computer and displayed a note saying that only the attackers' decryption service could restore access to the files.

In return they demanded $300 in Bitcoin be sent to an address within three days.

Don't pay within a week, and the files would be deleted.

The WannaCry threat didn't last long. The security community reacted quickly, and within days a kill switch was discovered and activated, essentially rendering the malware toothless by ensuring that it couldn't decrypt files on systems it was attacking.

That doesn't mean it's still not out there.

There are still about 2.3 million devices with the Window SMBv1 (Server Message Block) exposed to the Internet, the primary avenue WannaCry took into the systems, according to Juniper Threat Labs. And in March, a Boeing aircraft plant was hit by a cyber attack that appeared to be related to WannaCry. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

At the same time, the industry is still feeling the effects of WannaCry a year later. Ransomware remains a problem, though some researchers are seeing a decline in instances, and creators of newer malware took the lessons learned from WannaCry to create such threats as NotPetya, BadRabbit and Olympic Destroyer. The ransomware also put a spotlight on the need for such capabilities as segmentation and advanced endpoint security, and the reasons researchers urge organizations to reduce the exposure of their systems. (See Ransomware: Still a Security Threat & Still Evolving.)

WannaCry may have been effectively neutralized, but the repercussions continue.

The rise of WannaCry
"At a really high level, the reason why WannaCry was so effective what that it was the first time someone had combined a ransomware payload with a network vector," Craig Williams senior threat researcher and global outreach manager for Cisco Talos, told Security Now. "In this particular case, the network vector was what we call EternalBlue. It was an exploit leaked out of the Shadow Brokers release."

Bringing together the WannaCry encrypting malware with the EternalBlue exploit enabled the ransomware to spread rapidly in worm-like fashion. It targeted vulnerable PCs with the Internet-facing SMBv1 ports and, once inside, searched for and spread to machines with similar vulnerabilities that were part of the network.

"WannaCry was a big deal because the victims numbered in the millions and the effects were devastating," Mounir Hahad, head of Juniper Threat Labs, told Security Now in an email. "Technically speaking, it also dawned an era where ransomware can now cross network boundaries and jump countries. It was an effective combination of crypto-ransomware and worm capabilities."

Before WannaCry, ransomware typically needed someone to do something -- opening up an email or going to a website, thus unintentionally letting the malware into the system. This made it difficult for the ransomware to cross network boundaries, Williams said.

In 2016, the SamSam malware became the first to use a network vector, but it wasn't automatic. It still required the attacker to spread the malware around. However, it showed researchers the impending threat of criminals making a piece of malware into an automated worm that could spread rapidly. The WannaCry creators did just that.

It also was the first major new worm seen in the past ten years, since the days of Conficker and Slammer, putting the industry on notice that worms were still around.

Deconstructing WannaCry
However, WannaCry, for all the chaos it caused and anxiety it produced, wasn't the best piece of malware. There were problems with it. For one, it couldn't correlate who paid the ransom and who didn't, so not everyone who paid received the decryption key. It also wasn't stealthy, it spread across the Internet in a haphazard fashion and it had a broken scanning algorithm, which meant it didn't spread as fast as it could have, Williams said. It also had a narrow attack surface, targeting only certain versions of Windows.

And it also had the kill switch.

"The worst piece from a malware standpoint was the idea of the kill switch, which really doesn't make any sense from any security perspective," Williams said. "Effectively what it let people do was turn off the malware which is what happened. So from a practical standpoint, WannaCry was not super successful. WannaCry was more of a proof-of-concept of what may be possible as far as combining data destruction malware with network vectors."

That said, there was pain. Dan Wiley, head of incident response at Check Point, told Security Now that it didn't hit a large number of organizations, so it wasn't as large a problem as many may think. However, "the damage that it did do to the ten or 20 major corporations that were hit with it was pretty dramatic," Wiley said.

Next page: The lasting effects of WannaCry

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12441
PUBLISHED: 2020-08-06
Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet.
CVE-2020-13793
PUBLISHED: 2020-08-06
Unsafe storage of AD credentials in Ivanti DSM netinst 5.1 due to a static, hard-coded encryption key.
CVE-2020-16207
PUBLISHED: 2020-08-06
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by opening specially crafted project files that may overflow the heap, which may allow remote code execution, disclosure/modification of information, or cause the appli...
CVE-2020-16211
PUBLISHED: 2020-08-06
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. An out-of-bounds read vulnerability may be exploited by processing specially crafted project files, which may allow an attacker to read information.
CVE-2020-16213
PUBLISHED: 2020-08-06
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, which may allow remote code execution, disclosure/modification of information, or ...