The WannaCry ransomware (discovered in May 2017) is the cockroach of the malware family – it simply will not die. This is according to Kaspersky Lab, which released research showing that around 75,000 of its clients were subject to a WannaCry ransomware attack during the period July to September 2018.
Much like the ubiquitous scuttling kitchen pest, the ransomware is self-propagating: once a single Windows system on a Windows network is infected, the ransomware proceeds to infect other unpatched machines without human intervention (such as opening an email or a malicious attachment). This type of ransomware has been dubbed a ‘ransomworm’ by security researchers.
Besides the fact that the ransomware is still active one and a half years after it was discovered, the Kaspersky Lab research also revealed some other startling statistics, including that the worm was responsible for 28% of attacks in Q3 2018, a growth of two thirds compared with Q3 2017.
“It is concerning to see that WannaCry attacks have grown by almost two-thirds compared to the third quarter of last year,” said David Emm, principal security researcher at Kaspersky Lab. “This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting.”
The what and how of WannaCry
To summarize, the WannaCry ransomware worm encrypts files on Windows PCs, preventing users from accessing those files.
WannaCry exploits a weakness in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol lets the various nodes on a network communicate with one another, and Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code.
Once WannaCry has run, the attackers demand payment in Bitcoin in exchange for the decryption keys that would let users recover their files.
The program code is not obfuscated, so it was relatively easy for security professionals to analyze the threat. Once launched, WannaCry tries to reach a hard-coded URL; if it cannot, it moves on to its secondary objective, which involves encrypting a number of vital file formats such as Microsoft Office documents, MP3s and MKVs, locking the user out of those files. It then displays a ransom demand for $300 worth of Bitcoin.
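As an added defender-side example (not from the article or from Kaspersky Lab): the self-propagation described above leaves a visible footprint, one host opening SMB (TCP/445) connections to many peers in a short window. The Python below flags that fan-out in a constructed connection log; the log format, the threshold of ten distinct peers and the sixty-second window are assumptions chosen for illustration.

```python
# Added example: detect worm-like SMB fan-out in connection logs.
# Log format (assumed): "<ISO timestamp> <src ip> <dst ip> <dst port>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host sweeps twelve peers on 445 in 12 seconds,
# another host does ordinary file-server access plus one HTTPS connection.
SAMPLE_LOG = "\n".join(
    [f"2018-09-12T10:00:{i:02d} 10.0.0.5 10.0.0.{100 + i} 445" for i in range(12)]
    + [
        "2018-09-12T10:00:05 10.0.0.20 10.0.0.50 445",
        "2018-09-12T10:00:30 10.0.0.20 10.0.0.51 445",
        "2018-09-12T10:00:40 10.0.0.20 10.0.0.60 443",
    ]
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def smb_fanout(events, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peer_count} for sources that reach at least `threshold`
    distinct hosts on TCP/445 within any `window`-long sliding interval."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        if dport == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, conns in per_src.items():
        for i, (t0, _) in enumerate(conns):  # window starts at each connection
            peers = {d for t, d in conns[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {count} distinct hosts on 445 within 60s")
```

A real deployment would feed this from firewall or NetFlow records and tune the threshold to the environment; the point is that a ransomworm's lateral spread is detectable on the network before the ransom note appears.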
In the case of WannaCry, many experts believe that the ransomware was the work of a North Korean hacking group known as the ‘Shadow Brokers’, although Symantec believes that another group of hackers (also North Korean) known as ‘The Lazarus Group’ is responsible. Authorities in the U.K. and the U.S. concurred with both opinions, attributing the WannaCry attack to North Korea, although that country’s leadership denies any responsibility for the attack.
WannaCry and the NSA
The ability of the WannaCry ransomware to spread like wildfire across the Windows ecosystem shocked many in the information security establishment. Later revelations startled security experts further: the United States National Security Agency (NSA) had been fully aware that Windows was vulnerable to this sort of attack. The NSA made the ill-informed decision (amid accusations that it wished to exploit the weakness itself) not to report the vulnerability to the wider information security community. In fact, the weakness only came to light belatedly, after an NSA hacking tool (the EternalBlue exploit) was stolen by cyber criminals, who then used it to launch the ransomware attacks.
The why of WannaCry
However, it is important to realize that Kaspersky Lab’s report of 75,000 attacks in Q3 2018 does not necessarily mean that the WannaCry ransomware actually achieved its objective; given that Kaspersky Lab supplies tools to prevent these sorts of attacks from succeeding, it probably means exactly the opposite. What is worrying is that these were attacks which were prevented and tracked (one assumes). How many organizations are still quietly paying the ransom of $300 worth of Bitcoin?