The WannaCry ransomware (which was discovered in May 2017) is the cockroach of the malware family – it simply will not die. This is according to Kaspersky Lab, which released research showing that around 75,000 of its clients were subject to a WannaCry ransomware attack during the period July to September 2018.
Much like the ubiquitous scuttling kitchen pest, the ransomware is self-propagating – meaning that once a single Windows system on a Windows network is infected, the ransomware proceeds to infect other unpatched machines on that network without human intervention (such as opening an email or a malicious attachment). This type of ransomware has been dubbed a ‘ransomworm’ by security researchers.
Besides the fact that the ransomware is still active one and a half years after it was discovered, the Kaspersky Lab research also revealed some other startling stats, including the fact that the worm was responsible for 28% of attacks in Q3 2018, a growth of two thirds when compared to Q3 2017.
“It is concerning to see that WannaCry attacks have grown by almost two-thirds compared to the third quarter of last year,” said David Emm, principal security researcher at Kaspersky Lab. “This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting.”
The what and how of WannaCry
To summarize, the WannaCry ransomware worm encrypts files on Windows PCs, preventing users from accessing those files.
WannaCry exploits a weakness in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps nodes on a network communicate, and Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code.
Once WannaCry has been launched, the attackers demand payment in Bitcoin in exchange for the decryption keys that will enable users to recover those files.
The program code is not obfuscated, so it was relatively easy for security professionals to analyze the threat. Once launched, WannaCry tries to access a hard-coded URL; if it does not succeed in doing this, it moves on to its secondary objective, which involves encrypting files in a number of common formats, such as Microsoft Office documents, MP3s and MKVs – locking the user out of those files. It then displays a ransom demand for $300 worth of Bitcoin.
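The self-propagation described above is also what gives defenders a signal: a worm spreading over SMB has to open TCP/445 connections to many other hosts in a short time, which an ordinary workstation rarely does. The following is an added detection example, not code from the article or from Kaspersky Lab. It runs a simple fan-out rule over constructed firewall flow records (the log format, the 10-peer threshold and the 60-second window are assumptions), flagging any source that reaches an unusual number of distinct SMB peers. Denied connections are counted as well, because a worm probing addresses that do not exist is exactly the pattern worth catching early.

```python
"""
Detect worm-like SMB fan-out in firewall flow logs.

Added example (not from the article or Kaspersky Lab). Assumptions: one
record per line as "timestamp src dst dst_port action"; a host contacting
FANOUT_THRESHOLD or more distinct peers on TCP/445 inside WINDOW is suspect.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 10          # distinct SMB peers in one window (assumed)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed)

# Constructed sample log: 10.0.1.20 is a normal workstation talking to one
# file server; 10.0.1.15 sweeps twelve neighbours on port 445 in 11 seconds.
SAMPLE_LOG = """\
2018-09-12T10:00:00 10.0.1.20 10.0.1.5 445 ALLOW
2018-09-12T10:00:01 10.0.1.15 10.0.1.5 445 ALLOW
2018-09-12T10:00:02 10.0.1.15 10.0.1.6 445 DENY
2018-09-12T10:00:03 10.0.1.15 10.0.1.7 445 DENY
2018-09-12T10:00:04 10.0.1.15 10.0.1.8 445 ALLOW
2018-09-12T10:00:05 10.0.1.15 10.0.1.9 445 DENY
2018-09-12T10:00:06 10.0.1.15 10.0.1.10 445 DENY
2018-09-12T10:00:07 10.0.1.15 10.0.1.11 445 ALLOW
2018-09-12T10:00:08 10.0.1.15 10.0.1.12 445 DENY
2018-09-12T10:00:09 10.0.1.15 10.0.1.13 445 DENY
2018-09-12T10:00:10 10.0.1.15 10.0.1.14 445 DENY
2018-09-12T10:00:11 10.0.1.15 10.0.1.16 445 DENY
2018-09-12T10:00:12 10.0.1.15 10.0.1.17 445 DENY
2018-09-12T10:00:30 10.0.1.20 10.0.1.5 445 ALLOW
2018-09-12T10:00:31 10.0.1.20 10.0.1.5 443 ALLOW
2018-09-12T10:01:00 10.0.1.20 10.0.1.5 445 ALLOW
"""


def parse_flows(text):
    """Parse flow records into (timestamp, src, dst, port, action) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return flows


def smb_fanout_alerts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak_peer_count} for sources whose count of distinct
    TCP/445 destinations within any sliding window reaches the threshold.
    Both allowed and denied attempts count: a scan of absent hosts is still
    a scan."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in sorted(flows):
        if port == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():       # events are time-ordered
        peak = 0
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {count} distinct SMB peers within "
              f"{int(WINDOW.total_seconds())}s; isolate and check MS17-010 status")
```

On the sample records only 10.0.1.15 trips the rule; the workstation that repeatedly reaches its single file server does not, which is the point of counting distinct peers rather than raw connection volume. In practice the threshold should be tuned per network segment, and an alert is a cue to isolate the host and confirm its patch level, not proof of infection on its own.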
In the case of WannaCry, many experts believe that the ransomware was the work of a North Korean hacking group known as the ‘Shadow Brokers’ – although Symantec believes that another group of hackers (also North Korean) known as ‘The Lazarus Group’ is responsible. Authorities in the U.K. and the U.S. concurred with both opinions, attributing the WannaCry attack to North Korea – although that country’s leadership denies any responsibility for the attack.
WannaCry and the NSA
The ability of the WannaCry ransomware to spread like wildfire across the Windows ecosystem shocked many in the information security establishment. Later revelations startled security experts further: the United States National Security Agency (NSA) had been fully aware of the vulnerability of Windows systems to this sort of attack. The NSA made the ill-informed decision (accusations abound that it wished to exploit this weakness itself) not to report the vulnerability to the wider information security community. In fact, the weakness was belatedly revealed after an NSA hacking tool (the EternalBlue exploit) was stolen by cyber criminals, who then used it to launch the ransomware attacks.
The why of WannaCry
However, it is important to realize that Kaspersky Lab’s reporting of 75,000 attacks in Q3 2018 does not necessarily mean that the WannaCry ransomware actually achieved its objective; in fact, given that Kaspersky Lab supplies tools to prevent these sorts of attacks from succeeding, it probably means exactly the opposite. What is worrying is that these were attacks which were prevented and tracked (one assumes) – how many organizations are still quietly paying the ransom of $300 worth of Bitcoin?
Many organizations have paid heed to warnings from Microsoft and installed the patch that prevents infection by WannaCry. Microsoft released the update (Microsoft Security Bulletin MS17-010) almost two months before the WannaCry epidemic started – so organizations have very little room to argue that they were not aware of the problem – and this is where good security practice comes in.
A large number of organizations did not apply the update and the damage was done. Although Kaspersky did not release hard data on how many users had not applied the Microsoft update, it appears that there are organizations that have still not applied the fix.
For example, in March 2018, Boeing was hit with a suspected WannaCry attack. Boeing claimed it did little damage, affecting only a few production machines. The company was able to stop the attack and bring the affected systems back to full functionality quickly.
A key reason why Boeing was able to recover so quickly was that patches for the vulnerabilities that WannaCry exploits were readily available. However, the patches were not in place before the attack – which goes some way to explaining why WannaCry can still do damage after all this time. It is apparent that only some organizations are effective at keeping up with patching and updates.
This should be a warning to organizations to pay far closer attention to these issues.
In 2017 the WannaCry ransomware devastated Windows systems run by the British National Health Service (NHS), as well as affecting thousands of Windows operating systems across the globe.
The WannaCry ransomware cyber-attack cost the NHS almost £100 million and led to the cancellation of 19,000 appointments, the NHS revealed in October 2018. The reason for the damage – a number of NHS Trusts hadn’t applied the Windows update.
The lion’s share of the money spent by the NHS was in June and July 2017. The expenditure of £72 million was to fix the damage done and ensure upgraded system security. Closer attention to updates would have negated the need for these remedial measures.
The damage could have been far worse – to the tune of tens of billions of dollars spread across around 150 countries. However, a few hours after the attack began, a 23-year-old cybersecurity researcher, Marcus Hutchins, figured out the ‘kill switch’ to stop it, while sitting at a computer in his bedroom at his parents’ house in England.
Organizations need to start paying much more attention to updates and patches for operating systems. However, the blame must also be shared by Microsoft.
The damage, given the costs revealed by the NHS, is not limited to the financial impact of immediate triage attempts – it can have long-term implications.
The legacy of not installing updates can also have lingering effects on both operations and consumer faith in the organization. Using the NHS and Boeing examples, a rhetorical question needs to be asked (and not to make light of the issue) – would you trust a company to fly you to a destination safely or undertake a kidney transplant if they cannot protect their in-house systems? More effort needs to be focused on stopping the spread of ransomware.
At the moment many security experts are concerned that the original version of WannaCry is not the most urgent threat. It is rather the ability of hackers to re-engineer and refine the malicious software.
In order to stop the spread of ransomware, vigilance is required.