EclecticIQ Blog

WannaCry 3 Years Later, Could it Happen Again?

May 13, 2020


By Ippolito Forni, Threat Intelligence Analyst

On May 12, 2017, computers at multiple UK National Health Service (NHS) facilities were displaying an ominous message informing the user that the data on the device had been encrypted and demanding a payment in exchange for the key to decrypt the data.

More than 70,000 devices, including MRI scanners, blood-storage refrigerators, and other medical equipment across multiple facilities in the United Kingdom were displaying the same message. Most medical services were shut down, except for the emergency services.

Had the target been only the NHS, it would have already been a cyber-attack of remarkable size, but as the day continued, there were multiple reports of the same type of messages appearing in networks in more than 150 countries worldwide and it became clear this was a cyber-attack of a scale never seen before.

The malware deployed was a ransomware named WannaCry. Its self-propagating capability came from its worm features: WannaCry did not require any command from its operators or interaction from victims to keep spreading. It infected vulnerable machines using the EternalBlue exploit. EternalBlue was allegedly developed as a cyber tool by the U.S. National Security Agency and was later stolen and leaked by the mysterious, self-described “ShadowBrokers” group in an act of defiance, or information warfare, against the U.S. intelligence community. EternalBlue, a de facto cyber weapon, exploited the now notorious CVE-2017-0144 vulnerability in the SMBv1 server present in multiple versions of Windows and on millions of enterprise machines.

While Microsoft had released patches for the CVE-2017-0144 vulnerability two months earlier, countless Windows machines had still not applied them when the WannaCry events emerged. Since the exploit did not require human interaction to work, the ransomware developers managed to create a ransomware-worm capable of infecting machines and scanning local and remote networks for further vulnerable targets. This allowed the ransomware to spread at an extremely fast pace. Networks were at risk even when TCP port 139, the port used by SMB, was closed to external internet traffic, because any infection vector on internal networks could cause the worm to spread.

The attack was almost certainly not targeted. It appears the ransomware creators intended to infect as many devices as possible, no matter what data was stored on those devices and no matter who owned them. The ransom requested was the equivalent in Bitcoin of $300, which would become $600 if the victim did not pay within 7 days.

Hidden Kill Switch Prevents Further Escalation 

Later that day, security researcher Marcus Hutchins discovered that WannaCry always attempted to connect to a specific domain before encrypting the data. If the domain was not found, the malware would proceed with data encryption on the victim’s machine. Marcus therefore registered the domain and redirected the connection attempts to a sinkhole he controlled.

All new WannaCry infections would connect to the registered domain, effectively stopping the ransomware from encrypting the data. Marcus had found and enabled the kill-switch. Malware developers sometimes hide kill-switches in their code, giving them access to an emergency “shut off” function should they need to suddenly disable the malware.

The activation of the kill-switch effectively defanged new WannaCry infections, as the most damaging part, the data encryption, was no longer occurring. From that moment on, most of the activities of security staff around the world focused on the clean-up of the already infected devices and on patching vulnerable Windows operating systems to prevent CVE-2017-0144 from being exploited again by any malware leveraging EternalBlue.
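As an added detection example (not code from the original post), the following Python flags the two infection behaviours described above over constructed telemetry: the DNS lookup of the kill-switch domain that every new infection performs, and the worm-style fan-out to SMB peers on local and remote networks. The kill-switch domain is a placeholder, the log lines are constructed, and including port 445 next to the page's port 139 is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not from the post): "ts src DNS name" or "ts src CONN ip:port".
# KILL_SWITCH_DOMAIN is a placeholder; the real WannaCry domain is deliberately not used.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"
SMB_PORTS = {139, 445}  # the post names 139; 445 (SMB direct-host) is an added assumption
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.1.1.5 DNS killswitch-placeholder.example
2017-05-12T10:00:02 10.1.1.5 CONN 10.1.1.6:139
2017-05-12T10:00:02 10.1.1.5 CONN 10.1.1.7:139
2017-05-12T10:00:03 10.1.1.5 CONN 10.1.1.9:139
2017-05-12T10:00:04 10.1.1.5 CONN 203.0.113.20:445
2017-05-12T10:00:10 10.1.1.30 DNS intranet.example
2017-05-12T10:00:11 10.1.1.30 CONN 10.1.1.10:139
2017-05-12T10:05:00 10.1.1.30 CONN 10.1.1.11:139
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (DNS|CONN) (\S+)$")

def parse(log):
    """Yield (timestamp, src, kind, detail); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, kind, detail = m.groups()
            yield datetime.fromisoformat(ts), src, kind, detail

def kill_switch_lookups(log, domain=KILL_SWITCH_DOMAIN):
    """Hosts that resolved the kill-switch domain: only an infected host asks for it."""
    return sorted({s for _, s, k, d in parse(log) if k == "DNS" and d.lower() == domain})

def smb_scanners(log, min_targets=4, window=timedelta(seconds=30)):
    """Hosts reaching >= min_targets distinct SMB peers within `window` (worm-like fan-out)."""
    conns = defaultdict(list)  # src -> [(ts, dst_ip)]
    for ts, src, kind, d in parse(log):
        if kind != "CONN":
            continue
        ip, _, port = d.rpartition(":")
        if port.isdigit() and int(port) in SMB_PORTS:
            conns[src].append((ts, ip))
    flagged = []
    for src, events in conns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(peers) >= min_targets:
                flagged.append(src)
                break
    return sorted(flagged)
```

A host that appears in both lists, as 10.1.1.5 does here, matches the WannaCry pattern of beaconing to the kill-switch domain and then scanning for SMB targets; the sinkholed domain is what lets defenders enumerate infected hosts.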

WannaCry Monetization Effort

The threat actor behind WannaCry did not manage to capitalize efficiently on this cyber-attack, if monetization was their primary goal. By mid-June 2017, the operators had managed to rack up little more than US $100,000, which is very little money by the standards of the 2020 ransomware landscape, particularly considering the massive number of machines compromised, which, according to Europol, was more than 200,000 in at least 150 countries. The reason for this relatively poor monetization is the spray-and-pray approach used by the WannaCry operators. Unlike today’s ransomware operations, which choose and profile their targets extensively, the actors behind WannaCry were very likely trying to infect as many machines as possible in the hope that a higher number of infected machines would lead to a higher payout.

Curiously, the three Bitcoin addresses hardcoded into the ransomware are still receiving payments today, in the same US dollar equivalents requested by the operator behind WannaCry 3 years ago: $300 and $600. This strongly indicates that WannaCry is still infecting machines and that people are still paying the ransom.

Analysts also highlight that the last time those three Bitcoin wallets were emptied was on the 3rd of August 2017. They have been left idle ever since, even though they contain around $20,000 in Bitcoin and occasionally keep receiving new ransom payments. $20,000 is a decent amount of money that any APT would like to retrieve to finance further operations. It is not clear why the APT behind WannaCry decided to leave those Bitcoins, but a possible explanation is that they are likely tainted and monitored, and any transaction from those wallets would likely trigger alerts from all the blockchain analysis companies monitoring them. In addition, should the funds reach any cryptocurrency exchange for conversion, they would likely be identified as WannaCry ransom funds and immediately frozen.

Infections Like WannaCry are Possible in 2020 

Given the impact that WannaCry had in such a short time frame, the question is: could this happen again? The answer is a definite “yes” for another wormable malware, while for another wormable ransomware, just like WannaCry, the answer is “maybe not”.

Worms, malware families capable of self-propagating without operator or victim interaction, are nothing new. They rely on exploits that provide remote code execution by leveraging severe vulnerabilities. At the time of reporting, analysts believe with moderate confidence that 8 vulnerabilities affecting Windows devices could be paired with a worm variant:

  • CVE-2020-0796 
  • CVE-2020-0609 
  • CVE-2020-0610 
  • BlueKeep CVE-2019-0708 
  • BlueKeep II CVE-2019-1181 
  • BlueKeep III CVE-2019-1182 
  • BlueKeep IV CVE-2019-1222 
  • BlueKeep V CVE-2019-1226 

All BlueKeep vulnerabilities are being actively exploited in the wild, yet no threat actor seems to have weaponized them into a worm. Analysts believe that the self-propagating features make worms very noisy and difficult to control. They are unlikely to be used in targeted attacks, but are befitting if chaos or diversion is an intended goal. This is probably the reason why the developers of WannaCry created a kill-switch in the first place.

New Ransomware Modi Operandi and TTPs 

APTs have very defined goals, such as data exfiltration and/or monetization from a tailored attack. A worm does not fulfill these use-cases. Particularly in the ransomware arena, EclecticIQ analysts have seen major developments in the last few years. Most ransomware attacks are now targeted, and APT groups extensively profile organizations to:

  1. Understand the victim’s capability and willingness to pay the ransom.
  2. Identify data that should be encrypted.
  3. Target data for exfiltration prior to encryption.

These types of attacks are leading to a single, one-time ransom payment in the hundreds-of-thousands to million-dollar range, a figure multiple times what the threat actor behind WannaCry managed to collect in 3 years from targeting hundreds of thousands of machines.

It is plausible that an APT might leverage a worm, or even a ransomware worm like WannaCry, as a diversion. An APT could use a disruptive ransomware-worm not to monetize, but to create disarray and use that as a smokescreen to divert incident responders and security researchers from the group’s real objective and activities.

Wormable exploits remain possible as long as there are systems with remote code execution vulnerabilities. According to an Erratasec report from last year, there are approximately 1 million vulnerable RDP devices facing the internet. This does not include vulnerable RDP devices in internal networks. With an attack surface this wide, a worm would find fertile ground for speedy propagation.

Patching is the primary response to prevent not just worms, but any cyber-attack exploiting one of these vulnerabilities. Patching is the responsibility of every organization, to defend itself from cyber-attacks but also to prevent its compromised infrastructure from being used as a bridgehead to attack other organizations. If there is one lesson that needs to be learnt from the WannaCry outbreak of 3 years ago, it is the importance of keeping your operating systems and applications patched and up to date. Enterprises concerned with protecting information assets should think carefully about patch prioritization.

Investment in information security and threat intelligence can help identify trending vulnerabilities, like the EternalBlue-associated CVE-2017-0144, for high-priority patching before catastrophe occurs.
