The WannaCry Ransomware Pandemic: Sloppy but Dangerous. What about ICS? And Sequelae Include the Usual Fraud.
June 28, 2017.
By The CyberWire Staff
WannaCry infections have resumed, but at a slower rate, as the kill switch in the original version is removed. A now warned and worried online world is working to secure itself against this second, apparently less virulent, variant of the ransomware. Attribution, which is still at a very circumstantial and preliminary stage, continues to point toward North Korea. Technical experts think they've found evidence of connection to that country's Lazarus Group in the code, and non-technical observers are voting on form: WannaCry is quaking like a Pyongyang campaign.
The ransomware itself is getting sniffish reviews. It's dangerous, to be sure, but also sloppily constructed.
Industrial control system (ICS) security experts warn that many operational technology (OT) systems are built upon the software vulnerable to the EternalBlue exploits used to distribute WannaCry. They also warn that patch-and-backup won't be quite so easy in the ICS world as it is in the ordinary IT world.
Easy Solutions, an end-to-end fraud prevention shop, says the expected second wave of WannaCry has indeed hit, but it's not the wave that's been in the forefront of people's expectations. That is, it's not more ransomware, and isn't even an EternalBlue exploit.
Sloppy but dangerous.
Analysts who've taken a technical look at WannaCry's code give it poor reviews. Wired has a good compendium of reactions to this strain of ransomware and the inferred talents of its masters. Ransom payments have now topped $70,000, but that's not much, considering the scope and scale of the attack. Indeed, it's in the ballpark established by the past two years' ransomware attacks on, for example, medical centers.
Craig Williams, of Cisco’s Talos unit, told Wired “From a ransom perspective, it’s a catastrophic failure. High damage, very high publicity, very high law-enforcement visibility, and it has probably the lowest profit margin we’ve seen from any moderate or even small ransomware campaign.” Those would indeed be big problems for a criminal gang or a lone skid. A nation-state espionage service might care a bit less, depending on its objectives, but if the signs really do point to North Korea, that country's Lazarus Group is likely to be disappointed by the low margins. The DPRK is closely interested in the alternative source of revenue cybercrime offers.
Hacker House's Matthew Hickey told the magazine that the collection mechanism the extortionists set up has a manual backend that's wholly inadequate to handling the volume of ransom demands the attack generated. (And, Cisco's Talos observes, the victim interface is pretty lousy, too: the "Check Payment" button doesn't even work.)
Errata Security's Rob Graham said, also to Wired, that “It looks impressive as hell, because you think they must be genius coders in order to integrate the NSA exploit into a virus. But in fact, that’s all they know how to do, and they’re basket cases otherwise."
So if you're a victim, think twice about paying ransom. The ransomware infrastructure is dodgy and inadequate, not up to the state-of-the-criminal-art. F-Secure did tell CSO that they've seen some cases of victims getting their files back after payment, but paying up is a very questionable remedy. Far better to have backed up, and to have patched.
What about ICS?
Discussion of WannaCry has tended to focus on the threat to IT systems. But OT systems are also vulnerable to ransomware in general and WannaCry in particular. In some respects, because of their owners' well-founded horror of downtime, ICS are even more attractive to extortionists than are enterprises worried about ordinary business IT.
We spoke with ICS security maven Joe Weiss, Managing Partner at Applied Control Solutions, and well-known for blogging at Control Global. We asked him what WannaCry means for industrial control systems. He noted that several manufacturers have apparently stopped work at plants because of WannaCry infestations of control systems. The central problem is that many industrial control systems are built on the earlier versions of Microsoft software vulnerable to the EternalBlue exploits being used to install WannaCry ransomware. Among the companies said to be affected, Weiss notes, are automobile manufacturers like Renault, Dacia, and Nissan.
The problem, apparently, is that the earlier versions of Microsoft software used in ICS aren't just off-the-shelf versions of Windows. Rather, they're Windows as mediated by industrial control system vendors, industry-leading companies like Siemens, Emerson, or Honeywell. They don't (and can't, according to Weiss, given the complexity and purposes of the systems-of-systems they construct) simply take Windows out of the box and use it. So the patches Microsoft issued to foreclose EternalBlue exploitation can't just be applied immediately, but only after they've been checked to ensure that the patches themselves won't disrupt the industrial control systems whose vulnerabilities they're intended to remediate.
"Unless you know malware can affect the operation of the system, there's not necessarily any reason to patch it," Weiss notes. Avoiding downtime is vital, and shutting down to patch amounts effectively to a self-imposed denial-of-service. Renault, Dacia, and Nissan, Weiss says, pre-emptively shutdown so Windows workstations on the factory floor wouldn't be compromised. Thus they themselves elected to interrupt service, a serious decision commensurate with the seriousness of the risk.
"There were two cases last year where ransomware did affect Windows systems in manufacturing environments. In one case it cost the manufacturer several weeks of production," Weiss said. "If you're encrypting a critical computing system that's necessary for the operation of a process, you're going to have a problem." Note that this sort of attack forces a system shutdown. It's not, Weiss emphasizes, destructive in the way, for example, Stuxnet was. And "theoretically, you should have backups."
Patching and patching expeditiously is good advice for IT but not necessarily for OT systems. "It's only good if the patch is coming from the vendor, and if the vendor has tested the patch," Weiss said. "If you don't do this, you're going to become your own attacker." Having that SCADA vendor in the middle makes ordinary application of standard Microsoft fixes impossible. "That Microsoft software on [a vendor's] system has been modified by [the vendor]. There's a lot of testing that goes on here. And we're systems of systems. What's going to happen to the other systems affected?"
Assembly lines have been shut down before because of premature, untested patching. When you have to change Windows environments, you may or may not affect other systems connected to them. So ICS patching is neither as simple nor as painless as people tend to think it is.
Update 5.18.17:An overview of the ISA99 Committee's work to develop standards on Industrial Automation and Control Systems (IACS) Security may be found here.
We also exchanged email with Eddie Habibi, CEO and Founder of PAS. Why, we asked, were so many industrial control systems running old, beyond-end-of-life, unpatched software? "The adage of 'if it ain’t broke, don’t fix it' applies to the world of ICS in spades," he told us. "Because safety and production are paramount; stable, functional systems can go unpatched and operate on older OS for years. So, this is certainly a phenomenon that is more prevalent in ICS than what you typically find in a corporate IT environment." He also noted some of the same complexity about patching that Weiss described for us. "In the case of WannaCry, we are talking about operator workstations and other Window-based devices. The patching process itself is not difficult, and there are processes in place to do this work so that production is minimally or not impacted at all. The preference though is to do patches during certain windows (i.e., maintenance and turnarounds). There are also gates that typically must occur before a patch is applied. For instance, ICS vendors must approve a patch before it is applied, which requires testing on their part."
There's also a false sense of security surrounding many industrial operations, "the belief that they are air gapped or obscure enough to avoid compromise. These beliefs are becoming more difficult to hold with successful attacks such as WannaCry." Segmentation, of course, can afford a degree of protection, but, Habibi emphasized, that's only a single layer of protection. He recommends endpoint detection and response (EDR) as a way of protecting systems that goes beyond a perimeter-only approach to security. "The truth is that only 20% of the cyber assets in most plants have any EDR applied to them. The remaining 80%, which includes controllers and smart field instruments, lack similar security controls."
Microsoft issued its unusual patches in mid-March, the Shadow Brokers dumped EternalBlue in mid-April, and the attack came in mid-May. But Habibi thinks people needed some clarity about why, with industrial control systems, rapid patching is by no means as easy as it seems. "Although two months may seem like an eternity in a corporate IT environment, it is not the case within an industrial process facility’s network. Given the number of gates that patches typically must pass through, the estimation of risk when there have not been any public cases of ransomware in a facility’s network, and the reticence that process control engineers have towards updating working process control systems, it is no surprise that many did not take the step of patching…until now."
Fraud follows fear.
We've seen a lot of speculation about what the next attack wave will look like, and many are concerned about the kill-switchless versions that are appearing. Yet in retrospect an entirely predictable second wave has already materialized. After every major attack or vulnerability disclosure, criminals are quick to take advantage of the attendant fear to pitch bogus life preservers to those worried they may be, or may become, victims. Easy Solutions finds that this has indeed occurred already in the wake of WannaCrypt. Various third-party mobile app stores are offering protection from the ransomware, but those protective apps are for the most part bogus, and commonly infested with adware. Easy Solutions identifies the problem as Adware.mobidash, a module often found in games to monetize user activity through online purchases. So steer clear of apps promising protection, and instead patch and update your systems.