Unwrapping the Mystery: Did a Big, Slimy Internet Worm Make Hundreds of Organizations WannaCry?

Two weeks into the WannaCry aftermath, response teams are getting back to normal, organizations are re-evaluating their infrastructures, and even the bitcoin payments the fraudsters were collecting have almost stopped trickling in.

It’s time now to look into the data to find clues about what made WannaCry spread so rapidly and with such a wide scope. Is the mystery nothing more than a big slimy internet worm? So far, that’s what IBM X-Force data shows.

Where’s That Smoking Gun?

According to data from IBM X-Force, which includes spam monitoring, managed clients and incident response data, we have been observing the rapid spread of the WannaCry ransomware outbreak. Within 48 hours, the malware had infected hundreds of thousands of endpoints across the globe. More than 150 countries were affected, and there was no end in sight. Only the accidental discovery of a kill switch managed to slow down the havoc, which was spreading like wildfire.

But at the end of the day, WannaCry is nothing more than ransomware. Although it does have devastating effects, it is not considered sophisticated, and it is typically operated by groups that just want a little money. Yet something made it become the biggest ransomware attack of all time.

The fact is, ransomware campaigns, as large as they may be, usually only infect one person at a time. On corporate networks, shared drives or mapped cloud drives can also get encrypted, but normally the spread is limited to the infected endpoints or to that one company. Whether it comes via malware-laden email attachments or through stealthy exploit kits that drop the malware without a sign, a campaign’s overall reach remains limited and takes a lot more time than WannaCry did.

IBM X-Force scanned over 1 billion spam emails in search of WannaCry payloads and found none. To date, not one security vendor has managed to locate a spam email carrying this particular payload. Combining these factors, the answer to the smoking gun question might be as simple as it is old: It was nothing more than a computer worm. Without its worm replication, WannaCry would have never been able to spread the way it did.

Watch the on-demand webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

A Familiar Recipe

A worm it might be, but it needed some help to spread through organizational networks the way it did. In these relatively protected environments, how was that possible?

Looking at past cases, a pattern emerged. The recipe is rather predictable:

  • A Microsoft vulnerability;
  • A worm that knows how to use it; and

Having analyzed the malware and seeing that it generated randomized IP addresses to scan for, X-Force researchers went back to the data to look for those ingredients with the theory that WannaCry was indeed that sort of worm.

We were seeing a definite spike in port scanning for Transmission Control Protocol (TCP) ports 139 and 445 on the days the attack broke, since firewalls denied events on those ports. The significant increase started on May 12, 2017, at 8 a.m. UTC and lasted about 24 hours at the initial phase.

The worm was looking for a way in and a means to serve up its next ingredient: a potentially viable exploit.

WannaCry Ransomware Worm Knocks on Port 445

This is where things got more interesting. The exploit WannaCry used was taken from a public leak facilitated by a group that calls itself Shadow Brokers. The group alleged that it managed to leak attack tools and exploits directly from the National Security Agency (NSA), which led many to see these exploits as weapon-grade tools. The malware’s operators not only gained access to at least two of those exploits, but they also knew how to use them, which could be a hint as to the class of actors involved.

One particular exploit, dubbed EternalBlue, was being used to compromise the Server Message Block (SMB) network protocol in networks that allowed SMB to be accessed from the external world. Access to SMB, which is a resource and file sharing protocol, should not be enabled at all and is effectively disabled on consumer internet connections (cable modems and home user ISPs block port 445 that communicates via the SMB protocol).

After all, what organization would want outsiders to share their files, printers or other network assets? Alas, unpatched Microsoft vulnerabilities and security misconfigurations eventually allowed the worm to exploit the SMB protocol in a large number of random networks. SMB v1 and SMB v2 were vulnerable on unpatched systems, while SMB v3 was not. WannaCry most likely got there by an arbitrary scan across the internet in search of soft spots to hit.

As it turns out, it found quite a few targets across industries and critical infrastructure throughout the globe. The highest prevalence was recorded in Russia and China, as well as other countries in that region. This might be because those countries had more unpatched, legacy, and outdated or pirated operating systems running.

A Worm’s Eye View

It may be unsettling to come to terms with, but WannaCry was both predictable and preventable. According to the data available at this time, the attack appears to have followed an age-old recipe for spreading and exploiting weak networks:

  • Random scanning for vulnerable IPs to reach many different parts of the world at once;
  • Weapon-grade exploits to pierce through the perimeter;
  • Worm faculty that spread the ransomware through networks once it found a way in;
  • Partner organizations that likely transmitted the infection to one another, which could explain why 16 hospitals in the U.K. went down at nearly the same time.

Computer Worms: As Old as the Internet

Computer worms, or rapidly self-replicating programs, are as old as the internet itself. Dating back as far as 1949, John von Neumann, a pioneer in the discovery of self-replicating cells and human DNA, devised the theory that would lead to the creation of the first computer worm, as in self-replicating data. Two decades later, in 1971, the first actual worm, Creeper, was created to access endpoints via the ARPANET. Worms have not stopped appearing since.

Fast forward to the past 20 years, and we can all recall the megaworms that have hit since the year 2000. Below are some of the most notorious:

  • Code Red attacked the Index Server ISAPI Extension in Microsoft Internet Information Services. The vulnerability was reported a month before Code Red was discovered.
  • SQL Slammer exploited vulnerabilities in Microsoft SQL Server and MSDE. Slammer became the fastest spreading worm of all time.
  • Conficker infected up to 15 million Microsoft Server systems running everything from Windows 2000 to Windows 7 Beta.

The list goes on and on. In light of these historical cases, it’s fortunate that WannaCry was not that fast spreading, relatively speaking. But unlike its predecessors, it carried a paralyzing payload or ransomware. As we witnessed, that made for a very nefarious combination, and similar cases can be expected in the future.

Who Would WannaCry?

In the wake of WannaCry, we’re left with questions about the motives behind the outbreak. It is increasingly clear that, unlike other ransomware attacks, WannaCry was not about money. The malware only managed to collect a very conservative amount of bitcoin relative to its unprecedented reach — about 50 BTC at the time of this writing. Those wallets are being watched closely by law enforcement agencies, so the attackers cannot move them without being discovered.

If not money, then what was the motive to wreak havoc across the globe?

Some voices have been hinting at a link to North Korea, due in part to the discovery of code overlap between WannaCry tools and those used by the Lazarus group that perpetrated the Sony and SWIFT attacks in 2014 and 2016, respectively.

While IBM Security agrees with the analysis that code overlap does exist between WannaCry and Cantopee, the backdoor reportedly used by Lazarus Group, we think it’s still rather early to tie a connection to a specific actor. We need more evidence beyond this single piece of data. The Lazarus Group malware has been widely discussed and publicized in recent years, and it is possible that whoever is responsible for WannaCry had access to the same source code. In this case, relying on code overlap alone for attribution may not be as effective.

As WannaCry dies down, we’re left with an important lesson: Amid the technological sophistication of our times, security basics are crucial and should be revisited thoroughly as key risk indicators such as WannaCry change our threat landscape going forward.

Download the Ransomware Response Guide from IBM INCIDENT RESPONSE SERVICES

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.