The WannaCry ransomware pandemic: week one and the weeks to come.
By The CyberWire Staff
Jun 28, 2017

WannaCry is closing out its first week in the wild, and we close out our special coverage of this developing story (barring, of course, further surprising developments).

To summarize, China and Russia have been hardest hit. BitSight finds the highest infection rates among unpatched Windows 7 machines, which account for about two-thirds of the victims. Those behind the attack may have failed to make big money, certainly not nearly as big as the scope of the pandemic might suggest, but they have succeeded in large-scale business disruption, and in drawing odium toward the US National Security Agency. It's worth noting that no serious observer thinks NSA induced the vulnerabilities, but many do think the agency discovered them, developed exploits, and then lost those exploits to the ShadowBrokers. A Congressionally-driven overhaul of the US Vulnerability Equities Process seems likely, and it seems likely to shift policy closer toward a presumption in favor of disclosure.

Shortly after the ShadowBrokers dumped EternalBlue last month, a number of security companies warned that unpatched and old Windows systems were seriously vulnerable to exploitation, yet a disappointingly small number of enterprises took steps to protect themselves. Some security industry introspection at week's end mulls the possibility that too much crying of "wolf" has numbed users against such warnings.

Scope and effect of WannaCry.

WannaCry did not spread by phishing, as far as is known. Phishing is the first explanation most analysts turn to when confronted with ransomware. In this case it was delivered by SMB exploitation and rapidly propagated as a worm.

Estimates of infection rates vary, but most sources agree that Russia and China have been particularly hard hit, with India also seeing a large number of infections. North American and European targets exhibit proportionately lower but still surprisingly high infestations of the ransomware in Check Point's infection map. The infestation in the UK was particularly noteworthy and troublesome because of the temporary disruption it caused in National Health Service patient care. One security company's take on how its clients were affected provides an interesting scorecard; ESET found file/memory detections at the following rates: Russia (30189—45.07%), Ukraine (7955—11.88%), Taiwan (7736—11.55%), Philippines (1973—2.95%), Egypt (1592—2.38%), Iran (1445—2.16%), India (1135—1.69%), Thailand (1036—1.55%), Italy (795—1.19%), Turkey (711—1.06%), and China (706—1.05%). (Note that these are ESET client reports only, so China ranks much lower than it does in other lists.)

There have been some infections in infrastructure targets, as Dragos CEO Robert M. Lee confirms. Such ICS infections in the US at least have been relatively small and ineffectual, but still worrisome. Those interested in the distinctive complexities involved in securing industrial control systems may find the ISA99 Committee's ongoing work interesting.

Recovery and remediation.

If you were using a legitimate version of Windows and you promptly applied the patches Microsoft has issued since March, you had little to fear from WannaCry. To protect systems in the future, begin by following this advice Bitdefender gave CNN Money, quoted with approval by RSA:

  1. Disable your computer's Server Message Block service.
  2. Install Microsoft's patch.
  3. Back up your data on an offline hard drive.
  4. Install all Windows updates.
  5. Use reputable security software to prevent attacks in the future.
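
As an added example (not from the original article, Bitdefender or RSA), the following PowerShell audit script checks items 1, 2 and 4 on a Windows host: whether the SMBv1 protocol that EternalBlue abuses is still enabled, which updates have been installed since Microsoft's March 2017 release, and whether TCP 445 is listening. The cmdlets and the LanmanServer registry value are the standard Windows ones; the page names no KB numbers, so the script reports installation dates rather than testing for one specific update, and it only changes anything when run with `-Enforce`.

```powershell
<#  Audit script for the SMB and patch items above (added example, not from the article).
    Run from an elevated prompt. Read-only by default; -Enforce disables SMBv1 (reboot needed). #>
param([switch]$Enforce)
$findings = @()

# Item 1: SMBv1 state. Windows 8/Server 2012 and later expose the Smb cmdlets; Windows 7 and
# Server 2008 R2 use the documented SMB1 DWORD under LanmanServer\Parameters (0 = disabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($enabled -and $Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += 'SMBv1 server protocol was enabled; now disabled (reboot required)'
    } elseif ($enabled) {
        $findings += 'SMBv1 server protocol is ENABLED'
    } else {
        $findings += 'SMBv1 server protocol is disabled'
    }
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means the default, which is SMBv1 enabled.
    if ($val -ne 0 -and $Enforce) {
        Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
        $findings += 'SMB1 registry value set to 0: SMBv1 disabled (reboot required)'
    } elseif ($val -ne 0) {
        $findings += 'SMB1 registry value missing or non-zero: SMBv1 ENABLED'
    } else {
        $findings += 'SMB1 registry value is 0: SMBv1 disabled'
    }
}

# Items 2 and 4: patch state. No KB numbers are given on the page, so list everything
# installed since Microsoft's March 2017 release instead of testing for a single update.
$since  = Get-Date '2017-03-01'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
            Sort-Object InstalledOn)
$findings += "Updates installed since $($since.ToShortDateString()): $($recent.Count)"
foreach ($h in $recent) { $findings += "  $($h.HotFixID) ($($h.InstalledOn.ToShortDateString()))" }

# Exposure check: is anything listening on TCP 445, the SMB port WannaCry spreads over?
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listen) { $findings += 'TCP 445 is listening: restrict it at the host firewall unless file sharing is required' }
    else         { $findings += 'TCP 445 is not listening' }
}

$findings
```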

CyberInt offers similar advice, also worth quoting:

  1. Anti-Virus software must be up to date and fully functioning.
  2. OS and security system updates – the operating system and all security systems must be up to date with the latest security updates.
  3. Mail server policy – block emails with CAB, MSI, EXE, SCR, BAT, ZIP, or RAR attachments.
  4. Employee awareness – with awareness training you can prevent most phishing and website infections.
  5. Advertiser block – use third-party software to prevent accidentally clicking a malware popup.
  6. Use Internet Explorer 11+ SmartScreen and other security add-ons; it is slower but safer than Chrome\Firefox.
  7. Backups – the most important of all: back up your data on external storage. Having a viable backup will enable a successful incident response, leaving attackers high and dry and unable to collect money for their evil doings.

Generalize the recommendations to good digital hygiene, and they'll serve well to limit, if not eliminate, the risk of other ransomware infections.

So far no one has developed a generally applicable decryptor for WannaCry, but as Help Net Security reports, it turns out a glitch in Windows XP does make some limited recovery possible. Researchers at QuarksLab say they've developed a tool that takes advantage of an oddity in the way Windows XP cleans memory. So their tool works on affected XP machines, but only if the computers haven't been rebooted post-infection, and if their memory hasn't been erased or reallocated. So you've got that going for you, but as QuarksLab says, you need a bit of luck. Buena suerte, and don't forget sound hygiene.

What about WannaCry's counterparts in EternalBlue exploitation?

Uiwix seems to have proved, in the Register's characterization, "a damp squib," failing to gain traction largely because it lacks WannaCry's worm functionality. More worrisome to most observers is Adylkuzz, cryptocurrency-mining malware that began spreading quietly even before WannaCry broke out into the wild. Its effect on victims has so far been to slow their machines down. The controllers of Adylkuzz are monetizing it in a straightforward fashion, mining coins.

There are rumors that bear watching of a DNS campaign apparently aimed at establishing persistence in its targets. Its command-and-control is said to have gone dark at about the time WannaCry went public. Reports from security firm Sedco may be related to the rumored observations, but that's unconfirmed: Sedco says it noticed early, evasive EternalBlue exploitation that spawns malicious threads inside legitimate applications. Whatever, if anything, is going on with what Sedco is observing, it appears to be laying the groundwork for some future campaign.

What about attribution?

There are two distinct attribution questions. Who's behind WannaCry? And who's behind the EternalBlue leaks? 

Most preliminary suspicion about WannaCry has fallen and continues to fall on North Korea. Pyongyang is in financial straits as its very ambitious military R&D programs find their resources constrained by increasingly stringent international sanctions, and North Korea is thought to have few inhibitions about turning to cybercrime to make up its shortfalls. A number of researchers have found signs in WannaCry code that indicate a connection to the Lazarus Group, a DPRK threat actor believed implicated in earlier capers.

The ShadowBrokers, of course, are the ones who leaked the EternalBlue exploits last month. By consensus those were NSA-discovered exploits, and the agency has attracted considerable criticism since their release. It appears NSA tipped Microsoft off to the vulnerabilities early this year, which prompted Microsoft not only to move out of its regular patch cycle in February, but to issue patches for vulnerable software that's beyond its end-of-life and no longer supported.

The identity of the ShadowBrokers remains unknown. Speculation centers on two prime suspects: Russian intelligence services, or a very high-end hacktivist or group of hacktivists. The ShadowBrokers are lately doing a lot of communicating by posting to Steemit. They say they have a lot of other material they've stolen from NSA, and they plan to make that available on a subscription basis beginning next month. The Brokers' syllable-chewing communiques (archly crafted to read like something by a non-native speaker of English, but no known non-native speaker actually speaks like that) suggest a double-minded motive. They hope to make money (they really haven't, so this claim may be safely read with skepticism), and they want to do successful battle with a worthy opponent (the Equation Group), thereby striking against the "wealthy elite" and their tools in the security industry and the US Intelligence Community. That second motive seems more plausible.

What to expect in coming months.

WannaCry will fade as old systems are fixed or replaced, but further use of EternalBlue exploits can be expected. If the ShadowBrokers live up to their word, more leaked exploits can be expected next month.

We received some commentary by email from security firm eSentire. They offer these predictions, some hopeful, some less so:

  • Patch hygiene will improve - We’re hopeful that organizations will significantly alter their continuous patch hygiene. Microsoft has even released new emergency patches for Windows XP and 2003, which speaks to the seriousness of the event and the risk of deploying out-of-date operating systems in production environments. 
  • More Shadow Brokers disclosures - We haven’t heard the last of the Shadow Brokers. The hacking group claims to have more tools and information stolen from the U.S. Intelligence community. As they expose new “cyber weapons” adopted by opportunistic threat actors, suddenly everyone is at risk. 
  • More variants of WannaCry - The WannaCry story will inspire a new set of attacks. They won’t all necessarily be ransomware, but it remains the most hyper-productive model for cybercriminals in terms of monetizing attacks.
  • Worms exploiting broad vulnerability + hostile payload: IoT - Knowing how quickly worm-based attacks can do massive damage, there is potential for physical damage to infrastructure as we move to IoT. This becomes something we need to decide on: how we’re going to manage risk. The lack of focus or preparedness for IoT cybersecurity puts everyone at increased risk.
  • Fragility of the infrastructure and limited human involvement - With infrastructure that is globally connected and the challenge of patch management, fast-spreading threats can cause massive damage, especially to embedded systems where there is not ongoing support for vulnerabilities. Plus, future attacks will involve less and less human intervention.

Mark McArdle, eSentire's CTO, offered this perspective and advice. “Collaboration is essential," he told us. "There’s an attack vs. defense asymmetry in that it’s really easy for attackers to attack, and really difficult for organizations to respond. Organizations will be on their own, unless they start to build out their trust circles and collaborate on how to defend against threats. Additionally, we have to be mindful about attributing attacks to specific geographies or state-entities. In this case, officials have stated that Russia was considered to be the most attacked. But if we think that a political opponent will retaliate, that could mean cyberwarfare against everybody.”