Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

5/17/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

WannaCry: How the Notorious Worm Changed Ransomware

This week marked the one-year anniversary of the WannaCry ransomware attacks and its impact can still be seen in the form of such encrypting malware as NotPetya, BadRabbit and Olympic Destroyer.

It was just over a year ago that the WannaCry malware stormed across the globe, infecting hundreds of thousands of vulnerable Windows PCs, throwing the operations of such major organizations as the UK National Health Service, car makers Nissan Renault, delivery company FedEx and mobile communications giant Telefónica into disarray, and putting the world on notice about the threat of ransomware.

The fast-spreading worm essentially encrypted the files, documents, photos and any other data on the victim's computer and displayed a note saying that only the attackers' decryption service could restore access to the files.

In return they demanded $300 in Bitcoin be sent to an address within three days.

Don't pay within a week, and the files would be deleted.

The WannaCry threat didn't last long. The security community reacted quickly, and within days a kill switch was discovered and activated, essentially rendering the malware toothless by ensuring that it couldn't decrypt files on systems it was attacking.

That doesn't mean it's still not out there.

(Source: iStock)
(Source: iStock)

There are still about 2.3 million devices with the Window SMBv1 (Server Message Block) exposed to the Internet, the primary avenue WannaCry took into the systems, according to Juniper Threat Labs. And in March, a Boeing aircraft plant was hit by a cyber attack that appeared to be related to WannaCry. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

At the same time, the industry is still feeling the effects of WannaCry a year later. Ransomware remains a problem, though some researchers are seeing a decline in instances, and creators of newer malware took the lessons learned from WannaCry to create such threats as NotPetya, BadRabbit and Olympic Destroyer. The ransomware also put a spotlight on the need for such capabilities as segmentation and advanced endpoint security, and the reasons researchers urge organizations to reduce the exposure of their systems. (See Ransomware: Still a Security Threat & Still Evolving.)

WannaCry may have been effectively neutralized, but the repercussions continue.

The rise of WannaCry
"At a really high level, the reason why WannaCry was so effective what that it was the first time someone had combined a ransomware payload with a network vector," Craig Williams senior threat researcher and global outreach manager for Cisco Talos, told Security Now. "In this particular case, the network vector was what we call EternalBlue. It was an exploit leaked out of the Shadow Brokers release."

Bringing together the WannaCry encrypting malware with the EternalBlue exploit enabled the ransomware to spread rapidly in worm-like fashion. It targeted vulnerable PCs with the Internet-facing SMBv1 ports and, once inside, searched for and spread to machines with similar vulnerabilities that were part of the network.

"WannaCry was a big deal because the victims numbered in the millions and the effects were devastating," Mounir Hahad, head of Juniper Threat Labs, told Security Now in an email. "Technically speaking, it also dawned an era where ransomware can now cross network boundaries and jump countries. It was an effective combination of crypto-ransomware and worm capabilities."

Before WannaCry, ransomware typically needed someone to do something -- opening up an email or going to a website, thus unintentionally letting the malware into the system. This made it difficult for the ransomware to cross network boundaries, Williams said.

In 2016, the SamSam malware became the first to use a network vector, but it wasn't automatic. It still required the attacker to spread the malware around. However, it showed researchers the impending threat of criminals making a piece of malware into an automated worm that could spread rapidly. The WannaCry creators did just that.

It also was the first major new worm seen in the past ten years, since the days of Conficker and Slammer, putting the industry on notice that worms were still around.

Deconstructing WannaCry
However, WannaCry, for all the chaos it caused and anxiety it produced, wasn't the best piece of malware. There were problems with it. For one, it couldn't correlate who paid the ransom and who didn't, so not everyone who paid received the decryption key. It also wasn't stealthy, it spread across the Internet in a haphazard fashion and it had a broken scanning algorithm, which meant it didn't spread as fast as it could have, Williams said. It also had a narrow attack surface, targeting only certain versions of Windows.

And it also had the kill switch.

"The worst piece from a malware standpoint was the idea of the kill switch, which really doesn't make any sense from any security perspective," Williams said. "Effectively what it let people do was turn off the malware which is what happened. So from a practical standpoint, WannaCry was not super successful. WannaCry was more of a proof-of-concept of what may be possible as far as combining data destruction malware with network vectors."

That said, there was pain. Dan Wiley, head of incident response at Check Point, told Security Now that it didn't hit a large number of organizations, so it wasn't as large a problem as many may think. However, "the damage that it did do to the ten or 20 major corporations that were hit with it was pretty dramatic," Wiley said.

Next page: The lasting effects of WannaCry

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27314
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
CVE-2019-18630
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
CVE-2021-25344
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
CVE-2021-25345
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
CVE-2021-25346
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.