It’s the Russians! No, wait, it’s the North Koreans! No, wait…
It’s been interesting to watch the so-called experts take such authoritative positions regarding the recent global ransomware virus with virtually zero evidence to support their arguments.
Last month, the WannaCry virus infected roughly 300,000 systems in more than 150 nations, and demanded $300 in Bitcoins in exchange for the decryption of victim systems. If the victim did not pay the ransom after three days, the demand doubled to $600. If the ransom remained unpaid, then eventually the adversary would threaten to delete the victim’s data.
FedEx was among the American companies impacted along with Renault factories in France, the Interior Ministry of Russia, Telefonica in Spain, the Andhra Pradesh police department in India, PetroChina in China, and numerous and diverse globally distributed systems.
But ultimately, only around 230 victims paid ransoms, which totaled approximately $70,000.
The scale of the attack has incited some hasty widespread speculation that the malware originated in North Korea. But these claims are circumstantial at best. Speculation such as this, based on a single piece of incidental and inconclusive evidence, detracts from real and meaningful conversations about inherent software vulnerabilities that result from:
- Manufacturers’ refusal to incorporate security-by-design into software development;
- The failure of organizations worldwide to protect their systems and client data according to their value and potential for harm; and
- Governments’ responsibility to manage, secure and disclose discovered vulnerabilities.
How WannaCry spread so fast
The only advanced aspect of the WannaCry malware was the incorporation of the EternalBlue vulnerability in Microsoft Windows SMB v1 (MS17-010). EternalBlue and DoublePulsar exploits utilized in the malware were disclosed by The Shadow Brokers in April 2017. The hacker group claimed that the tools were pilfered from the NSA; however, those claims remain unverified.
Microsoft released a patch for the vulnerability exploited by EternalBlue on March 14, 2017. Users who updated their systems or who automatically installed updates were already protected from WannaCry by the time the virus was unleashed in May. Those organizations that were victimized by WannaCry found themselves in that position because they were either operating outdated or illegitimate software or because they failed to update their systems in the months since Microsoft’s release of the patch.
WannaCry infected an initial host (or patient zero) via spear-phishing, social engineering, or a watering-hole attack. Researchers have alleged that the malware was programmed in Chinese with machine-translated ransom demands. Before encrypting the victim’s files, the malware checked whether an obscure URL, which might be used as a kill-switch, remained inactive. Then it mapped the system’s file-sharing mechanisms.
The global self-proliferation of the WannaCry ransomware worm was mostly due to EternalBlue’s capacity to laterally compromise additional systems via shared networks, drives, folders and the like.
Things could have been much worse
WannaCry was actually poorly designed compared to other ransomware. For starters, the success of a ransomware campaign depends on inflicting damage on high-priority targets or on coercing either a few victims into paying large ransoms or many victims into paying small ransoms. The WannaCry attack attracted very high publicity and very high law-enforcement visibility while inflicting arguably the least amount of damage a similar campaign that size could cause and garnering profits lower than even the most rudimentary script kiddie attacks. Few if any major targets were irreparably harmed. In fact, the spread of the malware appears to indicate that no sector or victim demographic was particularly targeted. At this time, infections appear coincidental. The code reportedly relied on four hardcoded Bitcoin addresses and lacked any mechanisms to identify which victims paid the ransom.
In contrast, even unsophisticated ransomware assigns a unique Bitcoin address or identifier to each victim, because if victims’ files are not decrypted upon receipt of payment, then few victims will pay the ransom. The assignment of individual identifiers is necessary if the attackers intend the malware to automatically decrypt files once a victim pays the ransom. As a result of the poor design, the WannaCry threat actors were likely overwhelmed by the task of identifying and decrypting the files of even the 220 paying victims. Further, the malware contained what is believed to be an obfuscation and anti-sandbox feature that checked for the inactivity of a nonsensical URL. The result? A researcher was reportedly able to halt the global attack by purchasing the URL for a meager $10.69.
If these developmental flaws were not present in the ransomware, the attack could have spread to hundreds of thousands more systems and could have reaped millions in victim ransoms. But the early evidence indicates that WannaCry was launched by unsophisticated threat actors who luckily figured out how to incorporate the EternalBlue vulnerability into their ransomware. The low ransom values and the failure to assign a unique victim identifier indicate that the threat actors were either unsophisticated or did not anticipate the significant proliferation of the malware.
The Lazarus group is an advanced persistent threat (APT) allegedly responsible for cyber attacks against Sony, SWIFT, the Bangladesh Bank, and Operation DarkSeoul. Lazarus is often attributed to North Korea or profiled as Chinese cyber mercenaries who periodically operate on behalf of North Korea. On May 15, 2017, Google researcher Neel Mehta tweeted about similarities in code between a 2015 malware sample attributed to Lazarus and a February 2017 sample of the WannaCry cryptor. Further, the two malware samples initially targeted the same list of file extensions.
While it is possible that the Lazarus group is behind the WannaCry malware, the likelihood of that attribution proving correct is dubious because the evidence is circumstantial at best. It remains more probable that the authors of WannaCry borrowed code from Lazarus or a similar source. Script kiddies and other unsophisticated threat actors (and even some sophisticated groups) often borrow code from other successful malware. The malware is then either adapted or updated until it barely resembles its original source. The practice minimizes adversarial knowledge barriers and resource expenditures while maximizing the likelihood of successful compromises. The shared code was even removed from a later version of WannaCry, and the list of extensions targeted by WannaCry expanded.
Had North Korea launched the WannaCry attack, it likely would have either attacked more strategic targets, or it would have attempted to capture more significant profits. Given the geopolitical landscape, it is unlikely that it would have hit Russia and China as heavily because they are some of North Korea’s only strategic allies. China, upon which North Korea heavily depends, may have been the greatest victim of the WannaCry attack, with an estimated 40,000 infected systems. Many of the systems in China were compromised because they relied on illegitimate versions of Windows and were therefore unable to download the patches released by Microsoft.
The malware utilized by the Lazarus group has increased in sophistication since the group’s discovery in 2007, by incorporating new attack vectors, exploits and tools via a metaphorical "malware factory" of developers and third-party mercenaries. There is no logical rationale defending the theory that the methodical group, known for targeted attacks with tailored malware, would suddenly launch a global campaign dependent on barely functional ransomware. The obvious and likely conclusion from Neel Mehta’s discovery is that the WannaCry actors, who are separate from Lazarus and North Korea, briefly borrowed code from an outdated Lazarus sample before upgrading to more modern code.
Others postulate that the WannaCry attack did not demand large ransoms or inflict significant harm because it was a false flag operation intended to embarrass and embattle the NSA for allegedly developing tools like EternalBlue. This theory is likewise devoid of merit considering that the Shadow Brokers very publicly disclosed the vulnerability, it was already being exploited by other hackers, and that the vulnerability had already been patched by Microsoft. While it is possible that this was a miscalculated false flag operation, it seems implausible.
Microsoft was quick to blame the success of the WannaCry campaign on the NSA, alleging that the agency should never have developed EternalBlue and that the vulnerability should have been disclosed sooner. Even if the Shadow Brokers’ claims were true, the liability and responsibility for the risk remain with Microsoft for developing inherently flawed operating systems that failed to minimize exploitable vulnerabilities by incorporating security-by-design throughout the developmental lifecycle of the software according to NIST 800-160.
Instead, Microsoft, like the vast majority of software and technology manufacturers, rushed its product to market with the intent to actively use consumers as "crash test dummies" for vulnerability discoveries. This systemic cultural fault in software development endangers users daily and enables the efforts of cyber adversaries. The result of these practices is the necessity for the constant release of patches and upgrades that repair old vulnerabilities while introducing new ones. Further, many of the large organizations impacted by WannaCry may not have patched their systems because they did not want to pay Microsoft for the privilege.
Although irresponsible, the response was understandable. To them, the fees likely felt like a choice to either pay a ransom to an unknown adversary or to pay a ransom to Microsoft. An organization, or any user that already paid for a product, should not have to pay additional fees to repair inherent vulnerabilities in that code; especially, if those flaws could have been mitigated or remediated prior to release if the manufacturer had incorporated security-by-design throughout development.
Timing was key
Aside from the injustices of the economics of software licensing, organizations had no justifiable excuse for their failure to mitigate the EternalBlue vulnerability prior to exploitation. The patch has been available since March for most modern operating systems. Organizations around the world demonstrated that they either rely on antiquated systems or that over the course of two months, they could not find the time or resources to update and patch their systems. Profits and continuous operation superseded risks to consumers, sensitive data, critical infrastructure, and national security.
Meanwhile, the stockpiling of vulnerabilities and the planting of exploits within systems and applications by governments is a serious concern. As early as 2013, hacker organizations demonstrated that a single entity can compromise systems across the globe and thereby simultaneously threaten numerous targets in multiple nations. Inevitably, less sophisticated threat actors have emulated their prolific attacks and have adapted and developed methodologies to launch attacks on the global theater. In the face of these threats, organizations have continued to refuse to modernize their systems or to adopt layered defenses that incorporate bleeding-edge technologies such as artificial intelligence. Even when ransomware began to return in 2015, the entrenched ideologies and profit centric focus of corporations and agencies still outweighed concerns for national security, consumer well-being, or the defense of critical infrastructure.
What’s the solution?
Victims of WannaCry were lucky that a more sophisticated threat actor did not integrate EternalBlue into more powerful malware sooner. That said, every script kiddie and sophisticated adversary on the planet saw the widespread compromise of over 200,000 systems via self-propagating malware and a publicly available exploit. Imitators are emerging, and innovators are improving on the methodology and success of WannaCry and more sophisticated malware in complex, multi-vector attack campaigns.
Manufacturers need to begin to incorporate security-by-design into their software while the public, regulators and legislators need to ensure that they do so. Organizations must protect data and systems according to their value and potential for impact or harm, by adopting layered defenses, by promoting cyber-hygiene best practices, and by developing and investing in bleeding-edge technologies such as artificial intelligence solutions. Finally, organizations and associated geopolitical entities should consider the potential impact on users and businesses before inserting software backdoors or before concealing knowledge of software vulnerabilities that will inexorably be exploited by malicious cyber adversaries to inflict immeasurable harm on civilians, businesses, and critical infrastructure organizations.
James Scott is a senior fellow with the Institute for Critical Infrastructure Technology. This is an abridged version of a blog post that originally published on ICIT’s website. The opinions expressed here are the writer’s own. He can be reached at firstname.lastname@example.org.