WannaCry II: The Sequel No One Wants to See
In filmmaking, sequels tend to raise the stakes with tougher antagonists, increased danger and more nightmarish scenarios with which the heroes have to contend. Audiences love to watch familiar characters, who barely survived the challenges of the first film, pushed to the absolute limit to overcome even higher odds, with much more on the line if they fail.
This is exactly that sort of nightmare scenario that could very well be brewing right now for many businesses worldwide — only in the real world, plot twists come with real consequences.
WannaCry: A Summer Blockbuster
The WannaCry ransomware attack made global headlines on May 12, 2017, when it infected more than 200,000 endpoints and crippled many high-profile organizations, including numerous hospitals in the U.K.
Initial reports blamed old or outdated computers running Windows XP, although subsequent reports indicated that the majority of victims were running Windows 7. While Microsoft had to rush out an emergency patch to secure Windows XP, a patch had been available for other versions since March 2017.
The scale of the damage is still being calculated, and I suspect that there will be quite a bit of shifting of blame over the next few months. However, the fact remains that this attack targeted a weak spot that could have been protected either with newer software and hardware assets, or with better patching practices.
Here is the scary part: The exploitation tool that was the backbone of the attack may have been developed by an intelligence agency. But the means by which it was deployed, and the ransomware it delivered, were not nearly as sophisticated as the scale of the attack might have suggested.
Ransomware kits are available on the Dark Web to help would-be fraudsters launch attacks with a relatively small amount of technical know-how. Some ransomware is even available as open source code. It was more than just good attack tools that made WannaCry so impactful.
Big Bang, Small Profit
Some security experts researching the WannaCry attacks pointed to evidence suggesting that the actors behind the attacks were relatively inexperienced. Others noted that the actors might be tied to a nation-state, since they gained access to at least two weapon-grade exploits and apparently knew how to use them. Some suggested that an easy-to-find kill switch, which proved crucial in slowing down the attacks, was a rookie mistake. Others chalked it up to an anti-sandbox trick gone unexpectedly wrong.
As of May 25, the scammers had collected payments from fewer than 400 victims. We know this because they demanded payment in bitcoin, and bitcoin transactions are public. We also know that they are using just three bitcoin addresses to receive payment, while more sophisticated ransomware could presumably generate a unique bitcoin address for each victim.
These factors almost certainly contributed to the relatively low profits, estimated at around about $113,000 so far. It’s interesting to note that the bitcoin exchange saw a hike from about $1,300 before the attack to $2,400 per coin by the time the attack ended. It has since been steadily dropping.
In spite of its disruptive effect, WannaCry was, by many measures, a failed attack. It might have been a high-profile attack, but it yielded a relatively small return. For comparison, the CryptoWall ransomware gang took in an estimated $325 million before finally being shut down.
A Sequel No One Wants to See
WannaCry is still out there, freely available for amateur criminals to bundle together into a copycat ransomware program to unleash on the world. More worryingly, professional scammers could repurpose this worm-malware cocktail with the benefit of hindsight, fixing mistakes that hampered the original attacks.
It’s important to stay a step ahead. Review your own plans critically to protect your organization from advanced attacks, being careful to fill all the obvious and not-so-obvious gaps.
This time around, we know that the problem included Windows machines without the proper security patches, and misconfigured access to Transmission Control Protocol (TCP) ports 139 and 445. These problems, while sometimes logistically difficult to solve, are at least well understood. Any organization that takes IT security as seriously as it ought to should be well into a process of making sure that their vulnerable assets are properly patched.
WannaCry has forced organizations that may have grown complacent to sit up and take notice. Ransomware is a commercial endeavor: The goal is to infect companies large and small, and extort as much money as possible. A thousand organizations with 10 unpatched devices each can be more easily compromised than a single company with 10,000 devices and a dedicated IT security team on hand to respond to an attack.
Additionally, smaller companies are less able to absorb the cost of downtime and more likely to pay when they fall victim to ransomware. But it is no good to simply protect against the last attack, because future attacks will almost certainly come from a number of different angles.
Mobile Devices Make Soft Targets
While it is true that WannaCry brought Windows patching to the forefront of the security basics stage, we can’t forget other platforms that have become commonplace in the organizational asset scheme. There is one key area that many organizations miss when reviewing the possible source of malware or ransomware infection: mobile devices. Mobile platforms are just as susceptible to ransomware attacks and can act as backdoors for cybercriminals to gain access.
Contrary to common belief, it’s not all about Android devices. In March 2017, Apple issued an update to its iOS operating system after a number of iPhone users were targeted by a ransomware attack launched via the Safari browser. Up to that point, many users had wrongly assumed that Apple devices were immune to such threats.
Android users are perhaps more keenly aware that their devices are prone to malware infection, but the range and sophistication of attacks on the Android platform has been steadily growing. Nowadays, an Android device can be infected by downloading a seemingly benign app, clicking a malicious link in a social media, email or text message, or by visiting an unreputable website or app store.
According to the Pew Research Center, 28 percent of Americans don’t use any security feature to access their phones, while 34 percent don’t take any security measures when they download apps from public app stores. Additionally, the average user has between 25 and 27 apps on his or her device. Simple arithmetic suggests each mobile device in your organization contains eight or nine apps that have been downloaded with no regard for security. Multiply that by 20, 100 or 1,000 mobile devices, and the scale of the risk becomes hard to accept, especially in light of attacks that can paralyze the entire organization.
Can you trust your users to make sensible choices when they download apps, browse the web or peruse social media on their company-issued devices? A properly deployed mobile device management (MDM) solution can reduce the risk of malware infecting the protected network by restricting users from particularly risky activity on their mobile devices.
You may have also noticed that the attack vectors — i.e., spam email, publicly available apps, public websites, etc. — favored by cybercriminals are pretty indiscriminate. The popular image of the cybercriminal bent on taking down large organizations for notoriety is out of date. The goal now is to make money, and small or midsized organizations represent a much softer target because they are more likely to have unprotected mobile devices.
Roll the Credits
WannaCry had a massive impact on organizations and will likely cost the affected ones dearly. But it if such impact can be caused by an attack scenario that was inherently simplistic, a much larger, more sophisticated attack may be looming in the not-too-distant future.
The time to act is now. To that end, every business owner and IT manager should ask the following questions about every endpoint, including mobile ones:
- Do I manage risk tied to the stationary and mobile devices entering my networks?
- Do I have a place where I can see if my mobile devices, laptops and desktops are properly patched and compliant with my current security policy?
- Can I prevent mobile device users from downloading unauthorized apps the same way I can control desktop users?
- Do I have any mobile malware detection software on top of the detection solutions for other assets?
- What control do I have over websites that my users are visiting on all devices?
- Should I lock my most sensitive data in a secure container on mobile devices?
- Can I be sure that only devices that are clean and free of malware are connecting to my data?
This might seem daunting, but security professionals can take some very simple steps to mitigate their organizations’ exposure to WannaCry — or whatever the next attack might be.