By Ippolito Forni, Threat Intelligence Analyst
On May 12, 2017, computers at multiple UK National Health Service (NHS) facilities were displaying an ominous message informing the user that the data on the device had been encrypted and asking for a payment to receive the key to decrypt the data.
More than 70,000 devices, including MRI scanners, blood-storage refrigerators, and other medical equipment across multiple facilities in the United Kingdom were displaying the same message. Most medical services were shut down except for the emergency services.
Had the target been only the NHS, it would have already been a cyber-attack of remarkable size, but as the day continued, there were multiple reports of the same type of messages appearing in networks in more than 150 countries worldwide, and it became clear this was a cyber-attack of a scale never seen before.
The malware deployed was a ransomware named WannaCry. The self-propagating capability of this malware was due to its worm features: WannaCry did not require any command from its operators or interaction from victims to keep spreading. It would infect vulnerable machines using the EternalBlue exploit. EternalBlue was allegedly developed as a cyber tool by the U.S. National Security Agency and was later stolen and leaked by the mysterious self-described “Shadow Brokers” group in an act of defiance, or information warfare, against the U.S. intelligence community. EternalBlue, a de facto cyber weapon, exploited the now notorious CVE-2017-0144 vulnerability in the SMBv1 server present in multiple versions of Windows and millions of enterprise machines.
While Microsoft had released patches for the CVE-2017-0144 vulnerability two months earlier, countless Windows machines had still not applied the patches when the WannaCry events emerged. Since the exploit did not require human interaction to work, the ransomware developers managed to create a ransomware-worm capable of infecting machines and scanning local and remote networks for further vulnerable targets. This allowed the ransomware to spread at an extremely fast pace. Networks were at risk even when TCP port 139, the port used by SMB, was closed to external internet traffic, because any infection vector on internal networks could cause the worm to spread.
The attack was almost certainly not targeted. It appears the ransomware creators intended to infect as many devices as possible, no matter what data was stored on those devices and no matter who owned them. The ransom requested was the equivalent in Bitcoin of $300, which would become $600 if the victim did not pay within 7 days.
Hidden Kill Switch Prevents Further Escalation
Later that day, security researcher Marcus Hutchins discovered that WannaCry always attempted to connect to a specific domain before encrypting the data. If the domain was not found, the malware would proceed with data encryption on the victim’s machine. Marcus therefore proceeded to register the domain and redirected the connection attempts to a sinkhole he controlled.
All new WannaCry infections would connect to the registered domain, effectively stopping the ransomware from encrypting the data. Marcus had found and enabled the kill-switch. Malware developers sometimes hide kill-switches in their code, giving them access to an emergency “shut off” function should they need to suddenly disable the malware.
The activation of the kill-switch effectively defanged new WannaCry infections, as the most damaging part, the data encryption, was no longer occurring. From that moment on, most of the activities of security staff around the world focused on the cleanup of the already infected devices and the patching of vulnerable Windows operating systems to prevent the vulnerability CVE-2017-0144 from being exploited again by any malware leveraging EternalBlue.
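The kill-switch behaviour described above also gives defenders a triage signal: any host that looks up the kill-switch domain is infected, and whether the lookup succeeded separates defanged infections from those that went on to encrypt. The following is an added example, not code from the original post; the domain is a placeholder (the post does not name it), the log format and sample lines are constructed, and a successful DNS answer is assumed to stand in for "domain found".

```python
import re
from collections import defaultdict

# Placeholder: the post does not name the kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample in a hypothetical format: time client_ip qname rcode
SAMPLE_DNS_LOG = """\
2017-05-12T14:02:11Z 10.0.4.17 killswitch-placeholder.example. NXDOMAIN
2017-05-12T14:02:12Z 10.0.4.17 update.vendor.example. NOERROR
2017-05-12T15:40:03Z 10.0.7.91 KILLSWITCH-PLACEHOLDER.example. NOERROR
2017-05-12T15:41:55Z 10.0.4.22 killswitch-placeholder.example. SERVFAIL
2017-05-12T15:42:10Z 10.0.7.91 killswitch-placeholder.example. NOERROR
2017-05-12T15:43:00Z 10.0.9.5 notkillswitch-placeholder.example. NOERROR
malformed line that a real log will contain
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+([A-Z]+)$")

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to a triage state.

    'encrypting': at least one lookup failed, so by the behaviour described
                  above the malware would have proceeded to encrypt.
    'defanged':   every lookup resolved, so encryption was skipped, but the
                  host is still infected and still unpatched.
    """
    wanted = domain.lower().rstrip(".")
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of aborting
        _ts, client, qname, rcode = m.groups()
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.lower().rstrip(".") == wanted:
            seen[client].append(rcode)
    return {
        client: "defanged" if all(r == "NOERROR" for r in rcodes) else "encrypting"
        for client, rcodes in seen.items()
    }

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(f"{host}\t{state}")
```

A resolver policy that blocks or blackholes the kill-switch domain makes it "not found" from the malware's point of view, which by the behaviour described above lets encryption proceed.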
WannaCry Monetization Effort
The threat actor behind WannaCry did not manage to capitalize efficiently on this cyber-attack, if monetization was their primary goal. By mid-June 2017, the operators had managed to rack up little more than US $100,000, which is very little money by 2020 ransomware landscape standards, particularly considering the massive number of machines compromised which, according to Europol, was more than 200,000 in at least 150 countries. The reason behind this relatively low monetization is the spray-and-pray approach used by the WannaCry operators. Unlike today’s ransomware operations, which choose and profile their targets extensively, the actors behind WannaCry were very likely trying to infect as many machines as possible in the hope that a higher number of infected machines would lead to a higher payout.
Curiously, the three Bitcoin addresses hardcoded into the ransomware are still receiving payments today in the same US dollar equivalent amounts requested by the operator behind WannaCry 3 years ago, $300 and $600. This strongly indicates that WannaCry is still infecting machines and people are still paying the ransom.
Analysts also highlight that the last time those three Bitcoin wallets were emptied was on the 3rd of August 2017. They have been left idle ever since, even though they contain around $20,000 in Bitcoin and occasionally keep receiving new ransom payments. $20,000 is a decent amount of money that any APT would like to retrieve to finance further operations. It is not clear why the APT behind WannaCry decided to leave those Bitcoins, but a possible explanation is that those Bitcoins are likely tainted and monitored, and any transaction occurring from those wallets would likely trigger alerts from all the blockchain analysis companies monitoring them. In addition, should the funds reach any cryptocurrency exchange for conversion purposes, they would likely be identified as WannaCry ransom funds and immediately frozen.
Infections Like WannaCry are Possible in 2020
Given the impact that WannaCry had in such a short time frame, the question is: could this happen again? The answer is a definite “yes” for another wormable malware, while for another wormable ransomware, just like WannaCry, the answer is “maybe not”.
Worms, malware families capable of self-propagating without operator or victim interaction, are nothing new. They rely on exploits that provide remote code execution by leveraging severe vulnerabilities. At the time of reporting, analysts believe with moderate confidence that 8 vulnerabilities affecting Windows devices could be paired with a worm variant:
- CVE-2020-0796
- CVE-2020-0609
- CVE-2020-0610
- BlueKeep CVE-2019-0708
- BlueKeep II CVE-2019-1181
- BlueKeep III CVE-2019-1182
- BlueKeep IV CVE-2019-1222
- BlueKeep V CVE-2019-1226
All BlueKeep vulnerabilities are being actively exploited in the wild, yet no threat actor seems to have weaponized them into a worm. Analysts believe that the self-propagating features make worms very noisy and difficult to control. It is unlikely they will be used in targeted attacks, but they are fitting if chaos or diversion is the intended goal. This is probably the reason why the developers of WannaCry created a kill-switch in the first place.
New Ransomware Modi Operandi and TTPs
APTs have very defined goals such as data exfiltration and/or monetization from a tailored attack. A worm does not fulfill these use-cases. Particularly in the ransomware arena, EclecticIQ analysts have seen major developments in the last few years. Most ransomware attacks are now targeted and APT groups extensively profile organizations to:
- Understand the victim’s capability and willingness to pay the ransom.
- Identify data that should be encrypted.
- Target data for exfiltration prior to encryption.
These types of attacks are leading to a single, one-time ransom payment in the range of hundreds of thousands or millions of dollars, a figure multiple times over what the threat actor behind WannaCry managed to collect in 3 years, targeting hundreds of thousands of machines.
It is plausible that an APT might leverage a worm, or even a ransomware worm like WannaCry, as a diversion. An APT could use a disruptive ransomware-worm not to monetize, but to create disarray and use that as a smokescreen to divert incident responders and security researchers from the real objective and activities of an APT group.
Wormable exploits remain possible as long as there are systems with Remote Code Execution vulnerabilities. According to an Erratasec report from last year, there are approximately 1 million vulnerable RDP devices facing the internet. This does not include vulnerable RDP devices in internal networks. With an attack surface this wide, a worm would find fertile ground for speedy propagation.
Patching is the primary response to prevent not just worms, but any cyber-attack exploiting one of these vulnerabilities. Patching is the responsibility of every organization, both to defend against cyber-attacks and to prevent their compromised infrastructure from being used as a bridgehead to attack other organizations. If there is one lesson that needs to be learnt from the WannaCry outbreak of 3 years ago, it is the importance of keeping your operating systems and applications patched and up to date. Enterprises concerned with protecting information assets should think carefully about patch prioritization.
Investment in information security and threat intelligence can help identify trending vulnerabilities like the EternalBlue-associated CVE-2017-0144 for high priority patching before catastrophe occurs.