The WannaCry Ransomware Pandemic: Attribution, Kill Switches, Crimes, and Torts

Organizations continue their recovery from the WannaCry ransomware pandemic amid warnings that the first wave is unlikely to be the last. The number of companies pointing out that their products were, or would have been, effective in foreseeing, detecting, preventing, or mitigating WannaCry infection has grown. (Among them are Symantec, Sophos, Fortinet, Securonix, Tenable, and BitSight.) There are also some preliminary and circumstantial claims indicating attribution.

Who's behind the WannaCry campaign?

WannaCry looks very much like a criminal campaign, financially motivated if stumbling in execution. (Reports suggest that ransom deposited in the Bitcoin wallets set up for that purpose has yet to be moved, and in any case not much has been deposited.) Given that the ShadowBrokers had dumped the EternalBlue exploit last month, it was open to any gang or state to make such use of it as they saw fit.

Late yesterday a Google researcher noted similarities between a WannaCry cryptor sample taken in February of this year (which Kaspersky Lab's Global Research & Analysis Team thinks is an early variant of the code that broke into the wild Friday) and a sample of code obtained from the Lazarus Group in February of 2015. As usual, the attribution is provisional and circumstantial, but the investigation will bear watching. The Lazarus Group is thought to be a North Korean government actor generally believed to have been responsible for the Dark Seoul malware used against South Korean targets (discussed here by Palo Alto Networks), Operation Blockbuster (exposed by Novetta as the root of the 2014 Sony Pictures wiper attack), and the looting of the Bangladesh Bank through its connection to the SWIFT financial transfer system.

Andrew Spangler, Principal Cybersecurity Consultant and Malware Analyst at Nuix, advises caution in attribution. "I have seen no evidence at this time which points toward who might be behind the attack," he told us in an email. "Attribution is a very murky area and is likely wrong more often than it is right. I suspect the motivation may be nothing more than simply monetary. This attack is interesting in that it is widespread, crossing regions and industries." (It's worth noting in this context that the Lazarus Group has been involved in financial cybercrime. Of course, this remains merely part of the circumstantial evidence.) 

"At this time it is not known, but it looks to be a shotgun approach to compromise as many systems as quickly as possible before anti-virus definitions have an opportunity to catch up," Spangler added. "It is possible the attackers were not even aware of how successful the attack would be, or how effective the propagation method would be. The ETERNALBLUE SMB exploit which is used as the propagation method is extremely effective against anyone who has not patched this vulnerability."

So again, best practices would have you keep your patches up to date. As Spangler put it, "This attack highlights the importance of staying up to date with security patches. The patch which would have prevented this propagation method from being successful was released in March by Microsoft. The initial ingress point of this malware appears to be e-mail, and as such it highlights the importance of user education regarding computer security. This attack also shows some weaknesses of antivirus and explains why industries are moving toward adaptive endpoint solutions."

Why the kill switch?

Why did WannaCry have a kill switch in the first place? Cylance researchers are looking into the ransomware, and they offer as a preliminary note the observation that kill switches are holdovers from the "worm wars" of the early 2000s, when owners wanted to be able to dismantle their malware once it had met their goals. The objective would be to keep the malicious code better targeted, to, as Cylance puts it, "keep it from going wild once it gets out."

The kill switch would appear to be ambivalent, however, since it admits of simple changes. "Attackers can either hijack the kill switches by mutating the code to meet their needs or remove the kill switch altogether," Cylance told us in an email. "If the kill switch is hijacked, malicious actors can alter the code so Bitcoin instructions go to their paypoints. If the kill switch is removed altogether, the downside is that they [the initial users] lose control over the worm when it goes out into the wild."

The widespread and indiscriminate spread of WannaCry would seem to argue, we suggest, against the possibility that the attackers were serious about containing their attack code. Alternatively, and this may be the case given the apparently careless exposure of the kill switch, they may have been less skilled or less attentive than sound criminal tradecraft would demand.

What about litigation?

There's a growing sense among affected third parties (like patients in the UK's National Health Service) that the organizations victimized by the attack should have taken better measures to protect themselves, particularly since WannaCry was spread by exploiting a known and patched vulnerability that persisted for the most part in systems that were beyond their end-of-life. Observers expect litigation to follow, and they doubt that Microsoft will be the plaintiffs' target. Microsoft points out that the affected organizations were running either unpatched or unsupported software, and some legal commentators agree that it was arguably negligent to do so. Given that it appears personal data weren't exposed in the campaign, it seems likely that lawsuits, if any, would come from people directly injured by the suspension of services the ransomware induced in some organizations.