Euro Security Watch with Mathew J. Schwartz


Why Does EternalBlue-Targeting WannaCry Remain at Large?

'The Most Widely Successful Wormable Malware Becomes Almost a Permanent Hangover'
WannaCry's ransom note

Where were you on May 12, 2017? For many cybersecurity professionals, the answer is "trying to contain the fallout from WannaCry," the ransomware that on that day began hitting organizations worldwide.


WannaCry spread quickly because it included an exploit for a widespread flaw in Windows Server Message Block version 1, aka EternalBlue. The flaw, CVE-2017-0143, was long ago patched by Microsoft - in fact, shortly before WannaCry appeared - via its MS17-010 security update.

So it's concerning that as security firms in recent weeks have been recapping top trends from 2020, one particular strain of malware and one particular vulnerability continue to loom large: WannaCry and EternalBlue.

Security firm Trend Micro, for example, reports that the most common type of malware family detected last year was WannaCry, followed by cryptocurrency miners and Emotet, which was recently disrupted by police.

Trend Micro's list of the most-detected malware families in the wild in 2020. Note that this list of detected malware - not a count of infections - is based on the infrastructure, endpoints and servers tied to this particular firm and its customers, meaning that security firms operating across different sectors, geographies or serving different company sizes may have very different perspectives.

Nearly four years after WannaCry hit the world, infecting hundreds of organizations, why does it remain so prevalent?

"The one thing that really keeps WannaCry prevalent and active is the fact that it is wormable ransomware," says Rik Ferguson, vice president of security research at Trend Micro. "Couple that with the fact that Shodan showed me just now that there remain 9,131 internet-facing machines vulnerable to MS17-010 and you quickly begin to understand why it continues to propagate."

Trend Micro's Rik Ferguson
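Ferguson's Shodan count is a view from the outside; the same question can be asked of a single host from the inside. The following PowerShell script is an added example, not from the article or from Trend Micro: it reports whether the SMBv1 server dialect that EternalBlue abuses is still switched on and listening on TCP 445, and, when run with `-Remediate`, turns it off, removes the SMB1Protocol optional feature and adds a firewall rule blocking inbound 445 from the Internet. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where the SmbShare, DISM and NetSecurity cmdlets used here are available); the firewall rule name is an arbitrary choice.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1
# exposure that EternalBlue / WannaCry rely on, and optionally harden it.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
# Run with -Remediate to apply the changes; without it the script only reports.
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-Smb1Exposure {
    # Server-side SMBv1 switch: this is the dialect EternalBlue targets on TCP 445.
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Optional-feature state: Enabled, Disabled, or NotPresent on builds without it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }

    # Is anything listening on TCP 445 at all?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server
        Smb1FeatureState  = $featureState
        Port445Listening  = $listening
        # Exposed = SMBv1 is on while the SMB listener is up.
        Exposed           = ($server -and $listening)
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server dialect. Clients that genuinely need SMBv1 will
    # break, which is why this belongs in a controlled change window.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the optional feature so a later config change cannot quietly re-enable it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Defence in depth: drop unsolicited inbound 445 from Internet addresses.
    # Rule name is arbitrary; narrow -RemoteAddress further if your network allows.
    New-NetFirewallRule -DisplayName 'Block inbound SMB from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

$before = Get-Smb1Exposure
$before | Format-List

if ($Remediate -and $before.Exposed) {
    Disable-Smb1
    # Re-audit so the change is visible in the same run.
    Get-Smb1Exposure | Format-List
}
```

Run it without `-Remediate` first across a fleet (for example via remoting) to get the count of hosts that still answer SMBv1; that number is the internal equivalent of the Shodan figure quoted above, and it is the hosts with `Exposed = True` that also need the MS17-010 update verified.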

EternalBlue appears to have begun life at the National Security Agency, which apparently built the exploit for the SMB_v1 flaw. That exploit was subsequently stolen or leaked, then obtained by the Shadow Brokers group, which published it in 2017. The NSA appears to have given Microsoft a heads-up, because the technology giant released a patch for the flaw on March 14, 2017, exactly one month before Shadow Brokers leaked EternalBlue.

The EternalBlue-targeting version of WannaCry appeared two months later, with many experts saying it appeared to have been developed by North Korean hackers, who may then have lost control of it. Malware researcher Marcus Hutchins identified a kill switch in the malware: before encrypting a system, it attempted to reach a specific URL and only proceeded if that address could not be reached. Hutchins registered the URL, which had the effect of shutting down the version of WannaCry then circulating in the wild.
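Because the original kill-switch domain is now sinkholed, any internal host that still resolves it is almost certainly running the original WannaCry code, and hosts running the modified, kill-switch-free variants show up only through other signals. The PowerShell function below is an added example, not from the article or from any vendor named in it: it reads DNS query records and returns, per client, the first time it asked for the kill-switch domain and how often. The domain is a placeholder (the article does not name it; substitute the sinkholed name from your threat-intelligence feed), and the log lines are constructed samples in a simple `timestamp,client,qname` form rather than any product's real format.

```powershell
# Added example (not from the article): flag internal hosts that looked up the
# WannaCry kill-switch domain in DNS query logs.
# $KillSwitchDomain is a placeholder; the article does not give the real name.
$KillSwitchDomain = 'killswitch-placeholder.example'

# Constructed sample records: "timestamp,client,qname" (not a real product format).
$sampleLog = @'
2021-02-10T09:14:02Z,10.20.1.15,www.example.org
2021-02-10T09:14:05Z,10.20.1.52,killswitch-placeholder.example
2021-02-10T09:14:05Z,10.20.1.52,KILLSWITCH-PLACEHOLDER.EXAMPLE.
2021-02-10T09:15:11Z,10.20.1.15,update.example.net
2021-02-10T09:16:40Z,10.20.7.9,killswitch-placeholder.example
'@

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)] [string[]]$Lines,
        [Parameter(Mandatory)] [string]$Domain
    )
    # Normalise case and strip a trailing dot so the FQDN form also matches.
    $target = $Domain.ToLowerInvariant().TrimEnd('.')

    $hits = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Limit to three fields so a stray comma in the name does not shift columns.
        $ts, $client, $qname = $line -split ',', 3
        if ($qname.ToLowerInvariant().TrimEnd('.') -eq $target) {
            [pscustomobject]@{ Timestamp = $ts; Client = $client; Query = $qname }
        }
    }

    # One row per client: first sighting and lookup count. Each such host is a
    # candidate for isolation and for an MS17-010 / SMBv1 check.
    $hits | Group-Object -Property Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            Lookups   = $_.Count
        }
    }
}

Find-KillSwitchLookups -Lines ($sampleLog -split "`r?`n") -Domain $KillSwitchDomain |
    Format-Table -AutoSize
```

On the constructed sample this reports two clients, 10.20.1.52 (two lookups) and 10.20.7.9 (one). In practice, feed it the query records exported from your resolver, and treat a match as a trigger for the SMBv1 and patch audit rather than as proof of encryption, since, as Ferguson notes below, many circulating copies never get as far as encrypting anything.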

"Many of the versions we see spreading in the wild today are modified versions of the original, and they do not have - or else they bypass - the kill switch, which contributes to the spread," Ferguson tells me. "But the vast majority of these detections have a broken encryption module, meaning they still spread but do not encrypt - and thus go unnoticed."

That's a reminder that while WannaCry may be the most detected malware, that doesn't mean it's the most damaging or even that it infects the most systems. Not every such piece of code in circulation gets past security software, and even if it does, that's no guarantee of success.

Flaws Slowly Fade Away

While that's all positive, the fact that WannaCry continues to circulate means it is still infecting at least some unpatched systems.

Unfortunately, populations of unpatched systems tend to fade away only asymptotically, declining in number but never reaching zero (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).

In 2020, for example, the 15th-most-seen piece of malware by Trend Micro was Conficker - a malware family that was first spotted hitting a Microsoft Server vulnerability in 2008. "Other variants after the first Conficker worm spread to other machines by dropping copies of itself in removable drives and network shares," according to Trend Micro. And the malware, which includes the ability to try to spread itself to a number of randomly generated URLs, continues to spread.

"Just as we saw with Conficker, the most widely successful wormable malware becomes almost a permanent hangover," Ferguson says.

Top 20 types of malware detected by F-Secure's endpoint protection products in 2020

From a profitability perspective, attackers wielding crypto-locking malware for targeted attacks are continuing to have a heyday, racking up nearly $370 million in known profits last year, blockchain analysis firm Chainalysis reports. That figure represented a 336% increase over known 2019 earnings.

While ransomware profits may be surging, from a quantitative standpoint, when it comes to the most-seen malware in the wild, little has changed in recent years.

Finnish security firm F-Secure, for example, reports that 2020's top malicious code attacks were network exploits and file-handling errors. And the most-seen type of attempted exploit continues to be against the SMB_v1 flaw known as EternalBlue.

"There are three different threat detections that contributed to this: Rycon, WannaCry and Vools," Christine Bejerasco, vice president of security firm F-Secure's Tactical Defense Unit, tells me.

F-Secure's Christine Bejerasco

Some of the other most prevalent types of attacks in the wild last year utilized LNKs, which are Windows shortcut files "used by different types of malware in order to point to the different implants that they have, and then execute those," Bejerasco said in a recent F-Secure webcast.

Unpatched Windows Flaws: Never a Good Sign

Ferguson says he's not at all surprised that WannaCry hasn't died.

"So what is the biggest lesson and how much should we worry? The biggest lesson is that there are still far too many machines not patched against even 3-year-old vulnerabilities - and older - on both public-facing and private networks and that fact, rather than the survival of WannaCry, should be the biggest concern," he says.

Odds are that if an organization has a system vulnerable to old malware, there are many more sins present, too.

"We need to be a little bit more religious than this when it comes to elevating our security posture, because if we leave such types of vulnerabilities unpatched for too long, what else are we doing?" says Bejerasco.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
