Attacks/Breaches

5/18/2017
11:30 AM
Gary Warner
Gary Warner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

WannaCry: Ransomware Catastrophe or Failure?

Using Bitcoin payments as a measure, the WannaCry attack is not nearly as profitable as the headlines suggest. But you should still patch your Windows systems and educate users.

Wannacry (or WannaCrypt) is being called the "worst cyberattack in history" or at least the "biggest ransomware offensive in history," but those headlines just don’t line up with reality.

Despite public reports that as many as 300,000 computers in 150 countries have been infected with the malware, the normally observable pattern of delivery, destruction, and payment associated with a ransomware attack are largely missing. Phishing emails have been the primary delivery method for almost all other ransomware attacks to date. With this attack, the delivery method is still under debate but the main spreading mechanism is through Server Message Block (SMB) which is a protocol used by Windows computers to share files between each other. By invoking a flaw in SMB, a single infected computer can infect every other vulnerable machine on the same network. But is the attack size being touted in the media accurate? And is this really about ransomware?  After some very frightening initial headlines, the story just doesn't hold up to deeper inspection.

This is partly because the malware was disabled by a 22-year-old British malware researcher. Malware authors try to detect researchers by checking to see if the malware is running in a simulated network environment. One test is for the malware to ask the computer it is running on: "Can you reach this non-existent website?" If it can, then the malware can be certain it is running in a simulated network, where researchers are routing every Internet request to monitoring stations they control. (For those who do malware analysis – think ApateDNS redirecting everything to iNetSim.)

Figure 1 - WannaCry code calling non-existent domain 
Source: PhishMe
Figure 1 - WannaCry code calling non-existent domain
Source: PhishMe

By registering the "non-existent" Internet address that malware was using for its test, now every Internet user can resolve the address, which made the malware believe that everyone was in a simulated network, so they should not be infected because they were likely researchers.

The researcher, who guards his anonymity fiercely because he routinely ruins the lives of criminals, shares his intelligence here and blogged about his discovery here

The high count of "infected" computers are actually the number of computers that are asked to try to reach the formerly non-existent domain. However, analysis of the code shows that if that domain is reached, the malware simply terminates itself and offers no further risk to the computer that tried to infect itself. Perhaps these would be better counted as malware attempts rather than malware infections.

Payments Don't Add Up
The over-reporting of the malware is further confirmed by looking at the payment method. As far as researchers know, there are only three primary bitcoin addresses:

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

After reviewing hundreds of screen shots and talking to dozens of other researchers, no one has seen another bitcoin for malware since this round of the attack began on May 12th.

By pasting the addresses above at https://blockchain.info/ you can get a screen shot that will tell you how many payments and how many bitcoins have been made to each of the addresses. For example:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
(As of MAY 17, 2017 12:50 PM Eastern – 109  transactions totaling 16.75 bitcoins)

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
(As of MAY 17, [email protected]: 50 PM ET- 95 transactions totaling 16 Bitcoins)

https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
(As of MAY 17, 2017 12:50 PM ET- 84 transactions totaling 11.17 bitcoins)

That’s only 288 payments totaling 43.92 bitcoins.

Bitcoin is currently trading at a near all-time high of $1,830 USDollars per BitCoin, which is about $80,000.  But if there were 300,000 victims … that wouldn’t make any sense. Certainly more than 1/10th of 1% of the victims would have paid the ransom! IBM claimed last year that 70% of companies admitted to paying ransom to get their files back.

So, $80,000 seems a bit shy of a ransomware catastrophe. Heck, Hollywood Presbyterian yielded 40 bitcoins just in a single ransomware instance in 2016. Want to discuss a ransomware catastrophe? Let's talk about Locky! Let's talk about Cerber! Let's talk about CryptoLocker! Remember that in Q1 2016 the FBI told CNN that ransomware had collected $209 million in ransom fees just that quarter.

WannaCry isn't even close. Sure, a handful of companies that didn't patch their Windows systems got hit hard, but organizations that were broadly impacted were, in many cases, using outdated, unsupported computers that were not patched.

Where are the ‘Mixers?’
The other interesting thing is that the criminals who steal money via Bitcoin normally immediately begin the process of laundering their Bitcoin by using online services called “mixers,” or by gambling with the money in Bitcoin casinos that also act as mixers. Bitcoin tracking services, such as Elliptic, a company that helps law enforcement de-anonymize Bitcoin, confirm that they can find no evidence of the Bitcoin received from ransomware victims being spent or cashed out.  It is likely that the criminals are too frightened to touch their ill-gotten gains knowing that there has never been closer scrutiny on a Bitcoin Wallet than there is right now.

Or is it possible that there is no financial criminal planning to make money from this attack? Could this be merely an attempt to discredit the U.S. intelligence agency, the NSA? Part of the drama about the attack is that, according to Russian security firm Kaspersky Lab, and confirmed by others, the ransomware spreads via an SMB exploit originally created by the NSA under the code name "EternalBlue" and leaked to the world by "Shadow Brokers" back on April 14th, a month after Microsoft patched the underlying vulnerability, known as MS17-010. Because Windows XP has gone through "end of life," security patches were no longer being created for XP, which is part of why XP systems have been said to be infected at a far greater rate than other Windows operating system versions. Microsoft has now issued an Emergency Patch for XP.

A Warning Shot
Whenever the entire world freaks about security, we have an opportunity as security practitioners. When every CEO, CSO, CISO, CIO and CRO on the planet is thinking about a cyberattack, there will certainly be questions asked such as, “Would this have impacted us?” or “Do you need anything to be safer?” This is not the time to go buy a new shiny toy to put on your shelf, but it is time to review your security practices.

In this situation, a March 14th 2017 patch would have saved your organization from a May 12th cyberattack. What is your timeline for implementing an urgent cybersecurity patch globally within your organization?  If it is less than two months, use this as an opportunity to improve that timeline.

In this situation, Windows XP within your network could have a devastating impact. Use this as a time to fight. Whatever reason someone has given to you that defended, "why we still must have XP" – fight them on it. Use this as an opportunity to insist that obsolete software be migrated away. If it’s a budgetary constraint, demand the budget. If it’s considered an irreplaceable piece of legacy special-purpose hardware, demand a replacement anyway, or a thorough penetration test to prove that your Windows XP is truly network-isolated from everything.

Remember that most of the ransomware that is actually being paid out is still being delivered by phishing email. Make sure that your employees know what to do when they see a suspicious email. If you don’t have a way to convert your employees from "the weak spot on the chain" to empowered "security sensors" feeding internal attack intelligence to your response teams then review your internal practices.

Related Content:

Gary Warner is one of PhishMe's elite cybercrime researchers, where his current research areas are malware analysis, social networks of cyber criminals, hate groups, and terrorists. Involved in cybersecurity since 1989, he began his career helping large organizations connect ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.