Sam Coleman

The end is just the beginning

Blog post by Sam Coleman

The global WannaCry ransomware attack last week was unprecedented. But it was only the opening salvo for this ShadowBrokers cyber weapon, as new variants are already worming their destructive way into systems. How did we get here, and what happens next?

The toll we know of is devastating enough. Over the weekend of May 12-14, when the ransomware now known as WannaCry (others call it Wana, WanaCrypt, etc.) was awoken, 200,000 machines across 150 countries were hit. Its chilling message, pay €300 in bitcoins or lose all data on the now encrypted machine, is a textbook example of how ransomware behaves, and it pushed the term into the global vocabulary with headlines across the world. In some ways it is the worst IT attack since the Yahoo password hack and similar breaches of personal and credit card data. But this is different, and far more deadly in its real-world consequences. With hospitals a particular favourite of ransomware, locked medical records could truly be a matter of life or death; critical infrastructure could also be vulnerable, with business activity grinding to a halt. Europol issued a statement on May 14 estimating that WannaCry 1.0 has infected 1.3 million computers. And while there has been a slight pause before the virus's next iteration since the kill switch was enacted (as you will see in the next paragraph), slowing its spread, evidence is already mounting that a version with no kill switch is being developed, along with other iterations that may be lurking, waiting to be awoken. Writing on his blog, Matt Suiche, the founder of Comae Technologies, described some of the new variants of the ransomware that cybersecurity specialists are finding in the wild. MalwareTech, the anonymous techie who identified and saved the world from the fuller destruction of WannaCry 1.0, is already warning that WannaCry 2.0 is learning from its first mistakes and flaws and will likely strike in week 20.

And consider: this situation is a lucky one. MalwareTech, when first examining the exploit, had the presence of mind to identify the command IP that the malware used as its kill switch. This IP, the URL kill switch, was unregistered, and MalwareTech registered it for USD10. Once the kill switch was enacted, the malware was disabled. The financial consequences of WannaCry 1.0 can be tracked thanks to its hardwired bitcoin payment addresses, and they show that less than USD26,000 was gained from the exploit, an absolute pittance compared to its ferocious genius. Again, the operative word at this moment is lucky. But that relief will probably not apply to WannaCry 2.0.

Of NSA, Microsoft and cyber complacency

One of the first questions the world is asking is how such a situation came to be. The answer is, of course, a combination of greed, ignorance, the reliance on IT systems that defines modern life, and a healthy serving of state-sponsored cyber warfare. Greed, because ransomware is one of the fastest and most lucrative criminal exercises in the world; ignorance, because most businesses have not taken the threat seriously enough to install security systems; reliance, because, as the case of hospitals demonstrates, we simply cannot function without IT systems at work or in society. And the cyberwarfare aspect in the sense that WannaCry, and weaponised tech developed with the resources of a state actor falling into the hands of nefarious actors, will become far more common, with deadlier consequences going forward.

Let's start with the numbers that explain why, to lay the groundwork for what and how. Ransomware has become a massive, skyrocketing criminal business. In 2016 it already surpassed the USD1 billion mark according to the FBI, and it shows no sign of abating. In fact, the ransomware protection market is set to reach USD17 billion, a significant investment. Inspection of phishing emails also reveals that 40 percent contain ransomware, a deadly cocktail (and the way WannaCry was released).

That segues us into how WannaCry 1.0 was so fast and effective at seizing networks and their data. For that, it exploited a Microsoft vulnerability known as MS17-010. The key factor in the 'success' of this malware strain is its lateral movement within networks, which allows it to infect other machines. To achieve that lateral movement it leverages a bug in Windows SMBv1 and SMBv2. MS17-010 closely resembles a previous patch, MS08-067. MS08-067 is notorious within the security and hacker communities because, almost without fail, it allows entry into a network; the bug is still used by penetration testers, even after a decade. Around the release of patch MS08-067 a major malware outbreak came to light: Conficker, which spread all over the world and infected computers in many countries, causing havoc and panic. But make no mistake: WannaCry, in every variation, is much worse.

The real story, however, is how MS17-010 was weaponised by the Equation Group, a cyber battalion that answers to the NSA, for use in penetrating and surveilling targets, as the tool called EternalBlue. Kept in its arsenal, MS17-010 and associated zero days were ready for battle when and if needed. But a breach and data dump by a group called the ShadowBrokers late last year exposed those weapons and offered them up for sale. When they did not get bought, the ShadowBrokers kept their promise and released many of them for free on the dark web via Tor and other spaces. The speculation is that criminal networks found those bugs and hacks and turned them into the engines to spread ransomware.

But ignorance, or being in cybersecurity denial, is one of the most unforgivable reasons for this to be happening. For starters, Microsoft, after the ShadowBrokers revealed the vulnerability, sent out a patch months ago with an urgency alert. But the fact is that many IT administrators ignored it, especially in the healthcare sector, for a basic truth of IT: worries about patch disruption to normal operations, the cost of implementation, or both. It is common practice for IT managers to test a patch first, to see whether it affects systems, APIs, etc., and only then push it to all the machines on the network. Cost, especially for developing countries and extremely cost-conscious entities like the NHS in the UK, also played a factor.

How does that explain firms like Spain's Telefónica, FedEx in the US and Renault in France falling prey? The fact is that, from global MNC to local business, there has been a slow wake-up to the need to invest in cybersecurity and network protection. That "it can't happen to me" attitude, when faced with a proper security cost, causes decision makers to demur. But seen from today's perspective on the destruction in the threat landscape, that will most certainly change.

What now?

As we wait for the very real possibility of WannaCry 2.0, there are some concrete steps that all companies and individuals should follow, including immediately downloading and applying the patch, not downloading zips, and following our own advisory by Clavister ransomware expert Andreas Åsander. But it is also time to enact endpoint security, IP reputation and a robust firewall strategy to stay as protected as possible. As one researcher put it, the one silver lining of WannaCry is that it will, hopefully, be a clarion call to invest in security. Because rest assured, this story is evolving as fast as the criminal minds that seek to exploit the complacent.
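The lateral movement described earlier (one infected host fanning out over SMB to many peers) and the firewall advice in this section suggest a defender-side check. The following Python is added here and is not code from the original post or from Clavister: it scans Windows Firewall log lines (a constructed sample in pfirewall.log field order) for any source that reaches many different hosts on TCP 445 within a short window; the 60-second window and five-target threshold are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Windows Firewall (pfirewall.log) field order:
# date time action protocol src-ip dst-ip src-port dst-port ...
# 10.0.0.5 reaches six hosts on 445 in seconds (worm-like); 10.0.0.9 uses one file server (normal).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.20 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.21 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 DROP TCP 10.0.0.5 10.0.0.22 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 DROP TCP 10.0.0.5 10.0.0.23 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.24 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.25 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:04 ALLOW TCP 10.0.0.9 10.0.0.20 50001 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:05 ALLOW TCP 10.0.0.9 10.0.0.20 50002 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:06 ALLOW TCP 10.0.0.9 10.0.0.30 50003 443 0 - 0 0 0 - - - SEND
"""

def parse_smb_events(text):
    """Yield (timestamp, src_ip, dst_ip) for each TCP attempt to port 445.
    DROP lines are kept: a blocked attempt is still evidence of scanning."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header/comment lines
        f = line.split()
        if len(f) < 8 or f[3] != "TCP" or f[7] != "445":
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, f[4], f[5]

def find_smb_scanners(text, window_seconds=60, min_targets=5):
    """Return {src_ip: peak distinct targets} for sources reaching at least
    min_targets hosts on 445 inside any window_seconds sliding window.
    Window and threshold are assumed defaults; tune them per environment."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_smb_events(text):
        by_src[src].append((ts, dst))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, events in by_src.items():
        events.sort()
        recent, peak = deque(), 0
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()  # expire attempts outside the window
            peak = max(peak, len({d for _, d in recent}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

On the sample, only 10.0.0.5 is flagged (six distinct peers on 445); the repeated connections from 10.0.0.9 to a single file server are not.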