WannaCry: How the Notorious Worm Changed Ransomware

It was just over a year ago that the WannaCry malware stormed across the globe, infecting hundreds of thousands of vulnerable Windows PCs, throwing the operations of such major organizations as the UK National Health Service, car makers Nissan Renault, delivery company FedEx and mobile communications giant Telefónica into disarray, and putting the world on notice about the threat of ransomware.

The fast-spreading worm essentially encrypted the files, documents, photos and any other data on the victim's computer and displayed a note saying that only the attackers' decryption service could restore access to the files.

In return they demanded $300 in Bitcoin be sent to an address within three days.

Don't pay within a week, and the files would be deleted.

The WannaCry threat didn't last long. The security community reacted quickly, and within days a kill switch was discovered and activated, essentially rendering the malware toothless by ensuring that it couldn't decrypt files on systems it was attacking.

That doesn't mean it's still not out there.

(Source: iStock)

There are still about 2.3 million devices with the Window SMBv1 (Server Message Block) exposed to the Internet, the primary avenue WannaCry took into the systems, according to Juniper Threat Labs. And in March, a Boeing aircraft plant was hit by a cyber attack that appeared to be related to WannaCry. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

At the same time, the industry is still feeling the effects of WannaCry a year later. Ransomware remains a problem, though some researchers are seeing a decline in instances, and creators of newer malware took the lessons learned from WannaCry to create such threats as NotPetya, BadRabbit and Olympic Destroyer. The ransomware also put a spotlight on the need for such capabilities as segmentation and advanced endpoint security, and the reasons researchers urge organizations to reduce the exposure of their systems. (See Ransomware: Still a Security Threat & Still Evolving.)

WannaCry may have been effectively neutralized, but the repercussions continue.

The rise of WannaCry
"At a really high level, the reason why WannaCry was so effective what that it was the first time someone had combined a ransomware payload with a network vector," Craig Williams senior threat researcher and global outreach manager for Cisco Talos, told Security Now. "In this particular case, the network vector was what we call EternalBlue. It was an exploit leaked out of the Shadow Brokers release."

Bringing together the WannaCry encrypting malware with the EternalBlue exploit enabled the ransomware to spread rapidly in worm-like fashion. It targeted vulnerable PCs with the Internet-facing SMBv1 ports and, once inside, searched for and spread to machines with similar vulnerabilities that were part of the network.

"WannaCry was a big deal because the victims numbered in the millions and the effects were devastating," Mounir Hahad, head of Juniper Threat Labs, told Security Now in an email. "Technically speaking, it also dawned an era where ransomware can now cross network boundaries and jump countries. It was an effective combination of crypto-ransomware and worm capabilities."

Before WannaCry, ransomware typically needed someone to do something -- opening up an email or going to a website, thus unintentionally letting the malware into the system. This made it difficult for the ransomware to cross network boundaries, Williams said.

In 2016, the SamSam malware became the first to use a network vector, but it wasn't automatic. It still required the attacker to spread the malware around. However, it showed researchers the impending threat of criminals making a piece of malware into an automated worm that could spread rapidly. The WannaCry creators did just that.

It also was the first major new worm seen in the past ten years, since the days of Conficker and Slammer, putting the industry on notice that worms were still around.

Deconstructing WannaCry
However, WannaCry, for all the chaos it caused and anxiety it produced, wasn't the best piece of malware. There were problems with it. For one, it couldn't correlate who paid the ransom and who didn't, so not everyone who paid received the decryption key. It also wasn't stealthy, it spread across the Internet in a haphazard fashion and it had a broken scanning algorithm, which meant it didn't spread as fast as it could have, Williams said. It also had a narrow attack surface, targeting only certain versions of Windows.

And it also had the kill switch.

"The worst piece from a malware standpoint was the idea of the kill switch, which really doesn't make any sense from any security perspective," Williams said. "Effectively what it let people do was turn off the malware which is what happened. So from a practical standpoint, WannaCry was not super successful. WannaCry was more of a proof-of-concept of what may be possible as far as combining data destruction malware with network vectors."

That said, there was pain. Dan Wiley, head of incident response at Check Point, told Security Now that it didn't hit a large number of organizations, so it wasn't as large a problem as many may think. However, "the damage that it did do to the ten or 20 major corporations that were hit with it was pretty dramatic," Wiley said.

Next page: The lasting effects of WannaCry

The lasting effects of WannaCry
Despite the malware's weaknesses, WannaCry's influence can be seen throughout the industry a year later. That influence can be seen in the ransomware that has come since. Ransomware like NotPetya and Olympic Destroyer took was WannaCry was doing and improved on it.

"WannaCry took what was supposed to be a precision ammunition, namely EternalBlue, and turned it into a weapon of mass infection," Juniper Threat Labs' Hahad said. "Seeing how effectively it spread, several other malware, such as NotPetya and BadRabbit, followed suit using similar techniques to infect as many hosts as possible. NotPetya, for instance, expanded on those techniques by also incorporating EternalRomance as a method of spreading to other computers."

(Source: Wikipedia)

NotPetya "came out a month later and it used multi-vectors and a lot of really evasive techniques," Williams said, adding:

"It used probably one of the most advanced scanning mechanisms we've ever seen. It combined a supply-chain attack of the initial vectors so it spread almost invisibly across the world and then all at once it wiped systems all over the world. WannaCry was a wakeup call. But it happened so quickly and it shut down so quickly, a lot of people thought maybe they got lucky. But then a month later when NotPetya hit, people realized that these were not going to stop. This is the first worm vulnerability in a long time and it continues to be used today for different types of malware."

This newer generation of ransomware also is less noisy and more targeted than WannaCry, Check Point's Wiley said. WannaCry made headlines around the world, researchers attacked it and very quickly they figured it out and neutralized it. The ransomware attackers who came after that looked to keep out of the spotlight to keep the money coming in.

"You want to be just right under the threshold of pain," he said, noting that companies are still paying tens or hundreds of thousands of dollars in ransomware extortion. "Sure, it's a lot of pain per company and globally it has an impact, but it doesn't get anyone's attention because it's right under the threshold for a lot of the law enforcement agencies to get involved."

What's next
Cyber criminals also are being more selective. Rather than a scattershot across the world, they're being more targeted in their efforts.

"For attackers, it's becoming much more intimate," Wiley said. "They're choosing their victims very carefully, profiling them a lot more carefully, and definitely targeting them one at a time ... the financial effectiveness of [WannaCry] is not as lucrative as targeting a particular corporation, extorting them to the maximum and then moving on to the next victim."

WannaCry also has highlighted the ways organizations can better protect themselves against ransomware threats, including segmenting machines if they can't be patched to reduce the amount of damage done. In addition, companies need to shut down the vulnerabilities that allow WannaCry and other ransomware to get into the systems. SMB should never be exposed to the Internet. The same goes for Remote Desktop Protocol, Wiley said. If it's exposed to the Internet and isn't protected against brute-force login attacks or by two-factor authentication, it needs to be shut down.

And that highlights the key problem. Despite the warnings, there are still millions of machines with SMBv1 still exposed to the Internet.

"Many companies have learned from the major attack, but there will always be a big enough trailing crowd that is unable to change its security posture," Hahad said. "One year later and we are still seeing about 2.3 [million] devices with SMBv1 still exposed to the Internet … This is often a result of having understaffed security teams that are bogged down by manual processes and complex policies, creating fertile ground for future attacks. For example, it is reported that every day in Q1 2018, an average of 20,000 systems scan the Internet looking for still-open SMB ports, which are the ports used in the WannaCry campaign through the Eternal Blue exploit."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.