WannaCry Because the Worst Is Yet to Come
The WannaCry ransomware outbreak that emerged last week, which exploits a Windows SMB vulnerability the NSA discovered and kept to itself for an unknown length of time, is arguably the worst ransomware we’ve seen thus far. It doesn’t just encrypt files and lock users out of their machines; it is also self-propagating and spreads with exploit code rather than user interaction, a combination that hasn’t been seen in ransomware until now.
In short, WannaCry is the logical evolution of the ransomware campaigns that have been running for the last three or four years. Many of the early campaigns were simplistic, and some included coding or other errors that let security researchers find ways around the encryption. In other cases, experts were able to recover master keys and decrypt victims’ files. And some of the operators behind these campaigns made mistakes that allowed law enforcement officials to track them down and take them off the board.
WannaCry is different in a lot of ways. First, and most importantly, WannaCry does not rely on phishing emails or drive-by downloads to infect users. Those are the vectors operators fall back on when they don’t have better options: they’re unreliable because they require the user to do something. While the annals of Internet security history are littered with major events that started with a user doing something, it’s usually more efficient and predictable for an attacker to route around the user altogether. That’s what WannaCry does.
The ransomware scans the Internet for Windows machines exposing the vulnerable SMBv1 service (the flaw Microsoft patched in March 2017 as MS17-010), and when it finds one, that’s when the fun starts. WannaCry then uses the EternalBlue exploit, which was part of one of the Shadow Brokers dumps last month, to compromise the target machine. The exploit installs a kernel backdoor known as DoublePulsar, also found in the Shadow Brokers files and attributed to the NSA, and the ransomware payload is then loaded through that backdoor.
“Even if the EternalBlue exploit fails in the first place, the attack code still tries to leverage the DoublePulsar backdoor which might have been installed in a previous attack,” Kaspersky Lab said in an analysis of the WannaCry outbreak.
“Perhaps the main reason why WannaCry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction. It works on top of TCP port 445. Last week, our internet-facing sensors registered an uptick in port 445 connections on Thursday, May 11th, one day before the major outbreak noted on Friday. This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening.”
Second, WannaCry behaves a lot like the Internet worms that were common 10 or 15 years ago. Once it’s on a new machine, the ransomware scans the local network, and random Internet addresses as well, looking for other PCs with port 445 open and the SMB vulnerability unpatched. When it identifies a vulnerable machine, it delivers the EternalBlue exploit and starts the cycle all over again. The practical defenses follow directly from that behavior: install the MS17-010 update, disable SMBv1 wherever nothing depends on it, and block TCP port 445 at the perimeter and between internal network segments so that one infected host cannot reach every other host.
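The fan-out pattern described above, one host trying TCP port 445 on many neighbours in quick succession, is what a network defender can hunt for in firewall or NetFlow records. The script below is an added example written for this page; it is not code from the original article or from any vendor analysis quoted here. It runs a sliding-window heuristic over constructed connection records (the log format, the hosts, the 60-second window and the 20-target threshold are all assumptions) and flags any source that reaches many distinct hosts on port 445 within the window.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 in a short window.

Heuristic for SMB-worm propagation: a normal client talks to a handful of file
servers, while a worm-infected host tries dozens or hundreds of addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not captured traffic. One record per line in the assumed
# format "timestamp src dst dport". 10.0.0.5 and 10.0.0.7 behave like normal
# clients; 10.0.0.23 behaves like a worm sweeping the /24 on port 445.
NORMAL_LINES = [
    "2017-05-12T09:00:01 10.0.0.5 10.0.0.10 445",
    "2017-05-12T09:00:02 10.0.0.5 10.0.0.11 445",
    "2017-05-12T09:03:10 10.0.0.5 10.0.0.10 445",
    "2017-05-12T09:00:03 10.0.0.7 10.0.0.10 445",
    "2017-05-12T09:00:04 10.0.0.7 10.0.0.99 80",
]
# One connection attempt per second to 10.0.0.1 .. 10.0.0.60 on TCP/445.
WORM_LINES = [
    f"2017-05-12T09:05:{i:02d} 10.0.0.23 10.0.0.{i + 1} 445" for i in range(60)
]
SAMPLE_LOG = NORMAL_LINES + WORM_LINES


def parse_line(line):
    """Parse 'timestamp src dst dport'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: (distinct_targets, window_start)} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 inside `window`."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue                      # ignore junk and non-SMB traffic
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                     # chronological order per source
        in_window = defaultdict(int)      # dst -> occurrences inside the window
        left = 0
        best = (0, None)                  # (distinct targets, window start)
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits in the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), events[left][0])
        if best[0] >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (count, start) in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts on tcp/445 starting {start.isoformat()}")
```

Run against the constructed sample, the script reports only 10.0.0.23 (60 distinct targets within one minute). Tune the threshold to the environment before deploying it: authorised vulnerability scanners, backup servers and domain controllers legitimately touch many hosts on port 445, so either allow-list them or raise the threshold until they fall below it.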
Third, the as-yet unidentified attackers behind the WannaCry campaign aren’t using commodity code bought cheaply on an underground forum. WannaCry is relatively sophisticated compared to other major pieces of ransomware, and it also includes code that has been tied directly to a group involved in the attack on the Bank of Bangladesh and several other institutions that use the SWIFT financial network. That team, known as the Lazarus group, has been linked to North Korea, and security researchers have identified shared code between an early WannaCry sample and a tool used by the Lazarus group as far back as 2015. Shared code is a lead rather than proof, since code can be reused or copied by others, so the link still needs to be validated.
“The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions with the goal of stealing money. If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware,” researcher Matt Suiche of Comae said in his analysis, which exposed the Lazarus group link.
WannaCry is bad, but it’s probably just a hint of what’s coming. Researchers have been warning about the potential for a large-scale ransomware worm like this for some time, and while WannaCry has caused real trouble, it could have been far worse. A ransomware worm that targets IoT or ICS systems would have the potential to wreak havoc on a massive scale. Imagine traffic lights or autonomous cars being held for ransom. It’s not a pretty picture, but it probably isn’t too far off in the future either.