After 2 Years, WannaCry Remains a Threat
Poorly Written Ransomware Still Infects Unpatched Systems
It all started two years ago this month.
Over the course of several days in May 2017, WannaCry tore a path of online destruction throughout 150 countries across the globe, damaging the IT infrastructure of several major institutions and businesses, including the National Health Service in the U.K., automakers Nissan, Honda and Renault, as well as enterprise stalwarts such as FedEx.
What turned out to be a "kill switch" discovered by British security researcher Marcus Hutchins helped stem the tide, but not before the ransomware left a lasting impression on the cybersecurity landscape.
The origins of WannaCry remain mysterious two years after the first attack, although the United States and its intelligence agencies have attributed the attacks to the North Korean-linked group Lazarus, also referred to as Hidden Cobra.
Additionally, the leaking of the so-called EternalBlue and EternalRomance National Security Agency exploit tools by the Shadow Brokers in April 2017 helped the WannaCry attackers give their malware worm-like capabilities that enabled it to spread faster. These vulnerabilities remain a concern even as the threat from WannaCry has largely receded (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).
And while the immediate dangers associated with WannaCry have faded, the ransomware still lurks, and many systems have not been patched to prevent exploits by EternalBlue and EternalRomance.
"We hear less about WannaCry in the news these days, largely because the malware can no longer encrypt hard disks as the command and control unit was rendered ineffective; but it doesn't mean the vulnerability is completely obsolete," says Karl Steinkamp, product director at Coalfire, a Colorado-based provider of cybersecurity advisory services.
"We see certain countries more affected even today because these nations are less likely to patch and use more antiquated systems," Steinkamp adds. "Even in the U.S., patching isn't nearly as proactively addressed as it should be."
To mark the two-year anniversary of WannaCry, security firm Malwarebytes published a study that found more than 4.8 million detections of the ransomware have been identified since May 2017. While the number of detections has dropped significantly since the kill switch was found, unpatched systems remain vulnerable, says Adam Kujawa, director of Malwarebytes Labs.
Although detection has decreased, the Malwarebytes research shows that computer systems, especially those in Eastern Europe and parts of Asia, remain vulnerable. In the two years since the initial outbreak, the countries with the most WannaCry detections, according to Malwarebytes, are India (727,883), Indonesia (561,381), the U.S. (430,643), Russia (356,146) and Malaysia (335,814).
That's not to say other countries have avoided the problem. For instance, while China largely avoided the initial attack, there have been 113,785 detections within that country since then, the Malwarebytes analysis found. Other countries that have had large numbers of WannaCry detections since the original attack include India (19,777), Indonesia (19,192) and the U.S. (3,325), according to the study.
There's no one particular reason why WannaCry detections have drifted east to Asia, but Kujawa suspects it has a lot to do with lax security practices and lack of awareness.
"Many organizations don't bother with patches or updates unless it is hurting their business or computer in some way," he tells Information Security Media Group. "We don't know if this is the only reason there are so many vulnerable systems in the APAC region, but it seems to be the most likely based on the data we have."
The Malwarebytes analysis also found that there are "hundreds of thousands of systems" still vulnerable to the EternalBlue and EternalRomance exploits. This has helped threat actors launch a new wave of Trojans, including Emotet and TrickBot, which have targeted businesses around the world.
By using these exploits, Kujawa says attackers have "supercharged" their malware.
"Using the 'Eternal' exploits, with what we consider to be 'commercial' malware, would basically supercharge that malware with new infection capabilities," Kujawa says. "For example, Emotet used to be just a banking Trojan that would steal from the data. It is distributed through malicious e-mails with nasty macro scripts embedded in Office documents. Now Emotet has far more capabilities than it used to. In addition to the new functionality they added to the malware by using the exploits that WannaCry used, this malware can move laterally throughout a network basically acting as a worm."
The Malwarebytes research is corroborated by the Shodan search engine, which shows over 1 million systems still susceptible to EternalBlue exploits, specifically through the SMB flaw for which Microsoft issued a patch during the original WannaCry outbreak. Still, many companies and their security teams have not updated their systems in the two years since.
This might be the greatest lesson from WannaCry: Patching systems matters - a lot.
"The issue should really be less about WannaCry and more about patching to address the vulnerability that was leaked due to EternalBlue, the NSA-designed exploit, not to mention any new issues as they arise," Steinkamp of Coalfire says. "Proactive patching is a best practice that is often neglected and always recommended - whether against WannaCry or the next great threat. We don't recommend companies wait to find out what it is."
Those types of sentiments are echoed throughout the security industry.
"Two years on and it has never been more important for firms to patch their systems," says Richard Gold, head of security engineering at Digital Shadows, a London-based security firm. "Just this week we have seen a critical vulnerability emerge with Microsoft Remote Desktop service, which has similar characteristics with the vulnerability that the WannaCry worm used to compromise unpatched systems through the EternalBlue exploit."
Still Feeling the Effects
As Gold points out, the effect that WannaCry has had on the industry is never far away.
On May 14, Microsoft took the unusual step of sending out patches for Windows XP, Windows 2003, Windows 7 and Windows Server 2008 after the discovery of a remote execution vulnerability within Remote Desktop Services. A single exploit of one unpatched machine could allow malware, such as WannaCry, to spread through a network in a worm-like fashion (see: To Prevent Another WannaCry, Microsoft Patches Old OSs).
Even Hutchins, who found the kill switch, is back in the news after pleading guilty in U.S. federal court to charges of creating banking malware (see: WannaCry Stopper Pleads Guilty to Writing Banking Malware).
Looking Beyond WannaCry
While the overall amount of WannaCry detections will no doubt continue to drop, Kujawa of Malwarebytes says the ransomware is still likely to cause a host of security problems over the next few years.
Cybercriminals are picking up where the originators of WannaCry left off, using the old NSA exploits to their advantage. That's the next development the security industry must come to grips with in the months and years ahead, Kujawa says.
"We don't think that there are many - if any - new attempts to spread WannaCry as the malware itself was pretty terrible," he says. "It was great at infecting and spreading, but the 'kill switch' feature makes this malware unreliable. So by the time we hit the three- or four-year anniversary of WannaCry, I doubt we would see any more than the odd infection from an old and previously uncleaned system.
"However, we do expect to see more malware that uses the same tactics and tricks that we saw with WannaCry, since families like Emotet and TrickBot have shown how successful using these tools can be."