The WannaCry ransomware pandemic: perspective, reactions, and prospects
WannaCry ransomware hit hard late last week, and enterprises worldwide are bracing for further waves of infestation. The hitherto obscure strain of ransomware propagated in wormlike fashion against systems running older Microsoft software. It exploited the vulnerability the Shadow Brokers leaked last month as the weaponized EternalBlue tool. The rate of infection has been very high, temporarily slowed by discovery and activation of a "kill switch," but most observers expect renewed attack as the unknown controllers upgrade the malware.
Affected systems are running old and in some cases pirated versions of Microsoft operating systems, specifically Windows XP, Windows 8, and Server 2003.
News of the incipient pandemic broke early Friday, with initial reports mentioning infestations in a handful of countries. Early interest focused on the UK's National Health Service, several of whose facilities suffered disruptions serious enough to send staff home, reroute ambulances, and impede patient care. Another early infestation hit Spanish telco Telefonica, which took hasty and extensive emergency measures to contain WannaCry's spread. The number of affected countries rose steadily over the weekend until it reached presently reported levels of more than one hundred fifty, which is close enough to "everywhere" as to make no difference.
There were initial reports that WannaCry's infection vector was a phishing email, but this seems not to be the case, according to Fox-IT, who had initially speculated that this may have been the case, but who've since published a useful overview that discounts the possibility. Instead, the ransomware seems to have propagated as a worm, abusing the network file-sharing protocol Server Message Block (SMB) on affected machines. Worms are a fairly old-school approach to malware. Observers are comparing the week's attacks to 2001's "Code Red" incident, when a worm infected some 359,000 computers worldwide in about fourteen hours.
Official reactions have ranged from the confident-we've-fended-it-off (in Russia) to the so-far-so-good-but-very-worried (in Israel) to the alarmist (red alert in India). In the US the Department of Homeland Security is taking the lead in offering assistance both domestically and internationally. The New York Times reports that President Trump has directed Homeland Security Adviser Thomas Bossert to coordinate the Government's response and organize the search for the responsible threat actors.
In the UK, the National Cyber Security Centre late yesterday issued the following statement, warning that the threat was by no means over:
"Since the global coordinated ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday, there have been no sustained new attacks of that kind. But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks."
HITRUST has followed the events in the UK's healthcare sector with concern. They consider it a serious incident, and while they haven't seen similar effects achieved against North American healthcare targets, they're watching the situation closely and are committed to keeping their members apprised of the evolving threat.
Defense and remediation.
The obvious defenses are to patch, to run current software, and to keep an up-to-date defensive suite running on an enterprise's systems. (Bitdefender, Kaspersky, ESET, Cylance, and Malwarebytes have all claimed to provide protection, and no doubt many others do as well.) There is so far no known decryptor available, but infected users would be ill-advised to trust the actors behind the attack to actually deliver decryption upon payment.
A researcher at Kryptos Logic is reported to have discovered the kill switch domain and sinkholed the ransomware, but few expect this to hold.
Stuart Okin, Vice President at 1E, notes the inherent risks of running outdated software. “When you have a huge variety of old machines and equipment, you’re vulnerable to these kinds of attacks. Organizations still running old versions of Windows need to figure out migration strategies ASAP, as Win 10 has much tighter security features.”
Phil Richards, CISO, Ivanti (formerly LANDESK) characterized the attack as follows: "This appears to be a variant of WanaDecryptor which is a relatively new strain of ransomware. This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions. It is correctly handled by both Kaspersky and BitDefender.. There is no public decryption (crack code) available at present. This malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect. Both of these actions require administrative privileges." He advises running up-to-date anti-virus software on all endpoints, and he also advises restricting administrative privileges.
“This is an unfortunate example of the very real and potentially devastating effects cybercrime can have on society, " Ebba Blitz, CEO of Alertsec, told us "Make sure all the software on your system is up to date. This includes the operating system, the browser and all of the plug-ins that you would normally find in a browser. In order to minimize the impact of ransomware attacks like this, IT departments should also be sure to install a scanning software that blocks or sandboxes suspected files.”
Rich Barger, Director of Cyber Research, Splunk said, “This event should serve as a global wakeup call – the means of delivery and the delivered effect is unprecedented." He thinks the threat actors behind the attacks are either "going to get very rich, or spend a very long amount of time in jail.”
“The WCry/WannaCry ransomware strain has now hit 11 countries in just three hours – researchers are scrambling to look for Patient Zero. While Spain and Russia look to be hit the hardest, other countries including Italy, Portugal, Ukraine and Pakistan look to be affected as well. This is one of the largest global ransomware attacks the cyber community has ever seen.
“Initial reports that this malware is propagating on its own – for those who remember the early 2000s, this is a worm – malware that infects a machine and then looks for other vulnerable hosts on the same network or randomly scans and looks for other vulnerable hosts to infect.
“In England, this ransomware attack is causing ripples much further than financial gain. With their IT systems at a complete shutdown, a number of hospitals all over London are said to be turning away ambulances as they’re not confident they can care for patients. Hospitals are understood to have lost the use of phone lines and computers, with some diverting all but emergency patients elsewhere.
“Ransomware is arguably the No. 1 method of cyber attack in 2017, and this attack demonstrates the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked. Protecting critical infrastructure from cyber attack is a responsibility that cannot be taken lightly."
Among the protective measures he recommends enterprises consider are compartmentalizing and self-containing until they can report 100 percent patching compliance, disabling or blocking the SMB v1 service, and monitoring for and mitigating scan behavior on TCP/445, externally and internally.
Possible sequelae.
Whoever's behind WannaCry is expected to upgrade the ransomware to bypass the defensive measures so far taken. There were reports over the weekend that a version without the "kill switch" had been produced and was spreading rapidly in the wild. Those reports were premature. A version without the kill switch did indeed appear, but it lacked the worm functionality that made the original so virulent.
Heimdal Security has reported the recent emergence of another ransomware strain, Uiwix, which exploits the same vulnerabilities as WannaCry and exhibits a similar self-replicating functionality, but which lacks the kill switch.
Microsoft's reaction.
Microsoft took the unusual step of issuing patches for software that's beyond its end-of-life, and no longer supported. The fixes covered Windows XP, Windows 8, and Server 2003.
Redmond characterized this unusual move as follows: "This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind."
Microsoft's President and Chief Legal Officer Brad Smith renewed Redmond's familiar call for a "Digital Geneva Convention" over the weekend in a blog post outlining Microsoft's take on the issues the pandemic raised. He has some starchy words for governments in general and for NSA in particular that are worth quoting in full:
"Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action."
EternalBlue, stockpiling, and the Vulnerability Equities Process.
There is, of course, no direct acknowledgement, either official or unofficial, that the EternalBlue weaponized zero-day came from NSA, but the general consensus is that it did: the Microsoft statement isn't unusual in being direct and matter-of-fact on this point. EternalBlue was dumped in the wild by the Shadow Brokers in their April release. It's worth noting that Microsoft fixed these bugs in March, before they were dumped, so either they discovered them on their own (not thought likely), were tipped off by the Shadow Brokers (even unlikelier), or were notified by NSA (most think this the likeliest eventuality).
In any case, Microsoft isn't saying how it learned of the problem. If it was tipped off by NSA, the tip was probably run through the US Intelligence Community's controversial Vulnerability Equities Process (VEP). The VEP has attracted criticism from both sides, some seeing it as providing the Government cover for an inherently dangerous policy of "stockpiling" vulnerabilities when immediate disclosure to vendors or in some cases users would contribute greatly to herd immunity. Others ask why NSA (to pick one agency) should be responsible for software vendors' quality control—after all, NSA didn't write the buggy code, and NSA (and other agencies) have a legitimate foreign intelligence mission that can be served by holding exploitable zero-days.
International norms in cyberspace.
Various Russian news outlets have offered their own pious calls for international comity in cyberspace, warning of the risk cyber criminals pose to peace, order, and prosperity. They point with sadness to the zero-day's alleged NSA provenance, and treat the Shadow Brokers as independent actors, hacktivists with a profit motive.
The Shadow Brokers, as a refresher, are a group that claims to sell stolen espionage tools for financial gain, although from the beginning they've acted much more like a malign not-for-profit than they have a serious organized crime gang. If they're getting paid, it's not from trading exploits as far as anyone can see. Their self-presentation practically begs not to be taken at face value: the implausibly fractured English, the equally implausibly avowed criminal motives, and the professed antipathy to "wealthy elite" (sic)—all this comes across like an anti-Davos Man scripted by B-list screenwriters. Here's a fair sample of their communication style, as manifested in a recent blog post: "So this week is being about money. The ShadowBrokers showing you cards the ShadowBrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob.” We challenge anyone to find actual human beings, whatever their native language might be, for whom this represents a natural, unforced voice.
Four interesting questions arise, assuming that the leaked tools came, as most have concluded, from NSA stocks. First, how did the Shadow Brokers get them? Speculation continues to center, as it has for months, on the possibility of an insider leak. There are background rumblings within the US
Government, according to the New York Times and others, that an Intelligence Community contractor is the leaker, but very little is known about this. Second, what's the Shadow Brokers' motive? They don’t appear to have earned much from their leaks—a couple of thousand bucks, by the most generous estimates—and their recent dumps have been accompanied by fire-sale, giveaway language. If their goal was to produce work for, and draw odium towards, the US Intelligence Community, they've enjoyed a measure of success. Third, for whom are the Shadow Brokers working, if not themselves alone? Attribution is risky, of course, and at best circumstantial, but in this case the tone, effect, and capabilities of the group, as well as the most obvious answer to the cui bono question, do hint that the hidden hand is a Russian service as opposed to a criminal gang. (And on form the distinction between Russian services and Russian gangs has often proved a distinction without a difference.) And fourth, to what extent does undisclosed vulnerability research represent a security challenge large enough to amount to a major single point of failure for the larger community?
Is this crime paying?
The WannaCry pandemic is unusual in being very indiscriminate. If it is a simple criminal operation, however, it hasn't paid off nearly as much as the disruption it induced might lead one to think. The extortion going rate appears to be about $600 in Bitcoin. Brian Krebs took a look at the Bitcoin wallets being used to accept ransom on behalf of WannaCry. By Saturday he thought they'd pulled in about $26,000, which seems small for the disruption they'd caused. And caveat lector: there may be payments cached elsewhere, and the tally may have risen somewhat as the rate of infection has somewhat abated.
Industry reaction.
The effect on the UK's National Health Service (NHS) attracted the most initial attention because of the alarming possibility it presented of harm to patients.
Oliver Tavakoli, CTO at Vectra Networks, offered these comments on the NHS and its susceptibility to cyberattack:
“This is not the first time the NHS has been the target of ransomware. Just last October a major attack hit Northern Lincolnshire and Goole NHS Foundation Trust, causing it to cancel operations and other activities. However, today’s appears to be the most serious and successful attack yet on the UK’s health infrastructure.
"Add to this that Telefonica, a major telecoms, mobile, and broadband provider with operations in Europe as well as South America, appears to have been hit with the same brand of ransomware. It raises serious concerns about whether this is a targeted (and contained) attack on infrastructure, or a ransomware variant that is loose in the wild and starting to propagate indiscriminately like CryptoLocker did in 2013. If it’s the latter, we could yet see more instances further afield as the day progresses in other major markets such as the US.
"With the UK government setting its sights on a renewed paperless strategy for the NHS during this decade, including another go at digitizing all patient data, UK hospitals represent a tantalizing target for cybercriminals. The ongoing proliferation of poorly secured IoT-connected devices in the NHS hasn’t helped either and can provide an easy backdoor for malicious hackers. Without robust security defenses in place, sensitive patient data and connected medical devices are ripe for the picking.
"It makes the ability to identify, understand and intervene early in the in-progress attack’s lifecycle all the more essential. Such insight can limit the impact before it becomes mission-critical. Being able to isolate known infected hosts and rapidly re-image them to return them to a trusted “known good” configuration can make the difference between having to pay a ransom to recover a machine or not.
“Given the speed and scale of the attacks, it seems likely that it enters via one machine and spreads laterally on the inside using some form of scan/exploit playback. Ransomware like this does not require external command and control signaling, and so renders traditional perimeter defenses which look for a call-back useless in detecting and preventing the spread of this ransomware attack.”
"The NHS and key infrastructure providers alike must also realize that traditional perimeter defenses are not enough. Leveraging the latest technologies, such as machine learning and advanced behavioral analytics, organizations can automate the tracking of an attacker’s activities inside a network before a ransomware action brings down essential systems. Placing a focus on where and how to intervene minimizes the time patients are endangered and reduces the impact of a given threat. Any subsequent attempts at remote control of the compromised device will also be spotted using this behavioral approach to security detection.”
We also heard from Mike Cotton, Vice President, Research and Development, Digital Defense. He said, "The latest Shadowbroker's release was probably the most high-impact exploit drop we've seen in the last several years. While earlier leaks from the Shadowbrokers focused on less common device services and third-party software, the exploit drop released in the April targeted core Windows operating system services and were likely among the crown jewels of the NSA toolkits." He also sees a significant future for EternalBlue in the wild: "The ETERNALBLUE exploit in particular allows for reliable remote compromise of a wide variety of Windows server and client systems using nothing but network access as a precondition. It will remain one of the most heavily used exploits in attacker toolkits for years to come."
High-Tech Bridge CEO Ilia Kolochenko sees, again, the root problem as failure to respect security fundamentals.
"This incident exposes how a two-month old vulnerability can cause global panic and paralyze the largest companies and governmental institutions on all continents. Worse, cybercriminals could have easily released this worm just after the NSA's 0day was leaked two months ago, and this would have led to much more destructive consequences.
"There is nothing new in this particular attack, and the main cause of the epidemic is our failure to adhere to cybersecurity fundamentals.
"Many companies were infected because they failed to maintain a comprehensive inventory of their digital assets, and just forgot to patch some of their systems. Others, omitted or unreasonably delayed security patches. Last, but not least – malware's capacity to self-propagate leveraged the lack of segregation and access control within corporate networks.
"It would be unreasonable and inappropriate to blame the NSA for any significant contribution to this attack. Similar 0days are bought and sold almost every day, and many other organizations participate in these auctions - virtually anyone can (un)intentionally leak an exploit and cause similar damage. The real problem is that in 2017, the largest companies and governments still fail to patch publicly disclosed flaws for months. Practically speaking, the NSA doesn't really need a 0day to get their data - their negligence "invite" attackers to get in.
"Companies and organizations that have fallen victim to this attack, can consider contacting their legal departments to evaluate whether their IT contractors can be held liable for negligence and breach of duty. Failure to update production systems for over two months - can certainly qualify at least as carelessness in many jurisdictions."
Paul Barber, from the managed service provider IT Specialists, offers advice and caution about the problem of ransomware taken as a whole.
“It is appalling that our health service would be targeted, but we must focus on employee education and insist on vigilance at all times, especially as it seems that this is a ransomware attack. Of course, updating all software to the latest patched versions, installing and updating your AV, and having robust security solutions will help, the most important thing is to ensure daily offsite backups are in place, to protect business data. These steps will guard against other malware and non-malicious incidents.
"Email continues to be the most common way to be infected by ransomware which highlights the critical need for employee education. The lack of this education is manna from heaven for cybercriminals, who can click and send mass emails to generate profit, as they calculate that at least some of the emails will be opened.
"While public sector bodies have a civil duty to share the devastating effects of a cyber-attack, we think this news of attacks is just the tip of the iceberg, and many go unreported, especially within the SME community.
"Government offices will have IT teams and funding to restore information, even if it was not backed up adequately. However, we believe that the greater threat lies with the small businesses that have installed an anti-virus and believe they have adequate protection.”
"This represents a large escalation in the ransomware marketplace," Chris Roosenraad, Director of UltraDNS at Neustar said. "It is the merger of ransomware and an Internet worm, with the worst of both. It is a new weaponization of the Internet, and shows how quickly an exploit can go from disclosure to attack."
Michael Patterson, CEO of Plixer put the incident in the context of the rapidly expanding attack surfaces in the healthcare sector:
“Nearly all modern clinical workflows at healthcare institutions are now digital. When the end stations and servers used by clinicians become unavailable, patient care suffers and lives are put at risk. This very fact makes healthcare organizations a prime target for ransomware. Effected organizations should now be working to limit the lateral spread of the infection and restore health record systems. This can be accomplished by inspecting historical network traffic looking for peer-to-peer communication as well as machines which have communicated with the domains and servers hosting the malware. Data backup and disaster recovery planning should be a high priority for healthcare institutions. Taking effected machines off line and having data backups that can quickly become live instances are steps that can be taken to bring services back online quickly. Healthcare organizations should also be collecting logs and data flows to ensure they can investigate the traffic patterns of these exploits to identify other potentially infected hosts before they spread internally. This will also help IT Teams to not only be alerted to cyber attacks, but also have the forensic data to see where the hacker penetrated the system and close that hole.”
Robert Capps, VP of Business Development for NuData Security offered thoughts on why the healthcare sector can be particularly attractive to ransware extortionists:
“We are seeing an increasing number of hackers using ransomware to extort organizations for money. These attacks can be very destructive to the target and highly lucrative for the attacker. In February of last year, a Los Angeles hospital paid about $17,000 worth of bitcoins after a data breach. Since then, several medical institutions have been crippled by ransomware, forcing them to turn away patients. These criminals are responsible for a growing percentage of financial fraud, malware, and other cyber threats. They either make money directly from the attack, from the sale of the data, or from money laundering after cyber attacks. They will continually find new ways to penetrate consumer accounts and corporate networks, and evade detection by tools deployed to counter such threats. Organizations that hold critical and personal information about their users or stakeholders have a choice. Rather than just protecting transactional data, accept the full ramifications of data protection and system security by designing their systems to protect their users and ALL account data first."
Christopher Pierson, CSO and General Counsel for Viewpost, had these observations:
"Across 2016 and 2017 we have seen an increase in malware attacks that encrypt user data on that computer and other attached storage shares and will release the files in exchange for a ransom, traditionally paid with BitCoin. More recently, these attacks have escalated to systems that are being specifically targeted and are more critical in nature. It seems in 2017 Cybercriminals have found that targeting computers that have critical data and/or data that is not as frequently backed-up provides for increased certainty of payment of the ransom.
"As shown by the attack on National Health Services (NHS), customers in England today and in 11 other countries thus far, the healthcare sector is a frequent target for attacks. While not distinguishing among victims, the WanaCrypt0r malware has impacted the healthcare and other sectors across Europe. Healthcare computers are usually always on, less frequently patched due to their role in the healthcare process, and often times hospitals and clinics are lagging behind on cybersecurity controls.
"Similar ransomware incidents have hit here in the U.S. in the past and targeted the healthcare vertical. Ransomware attacks in 2016 grew to nearly 4,000 each day. The current WanaCrypt0r ransomware attack seeks $300 worth of BitCoin from its victims.
"Obviously robust cybersecurity controls such as anti-malware (A-V), up-to-date patching, and recent backups are all good, but organizations should have in place behavioral-based technologies that can detect the initiation of encryptions practices across multiple computers and specific anti-ransomware technologies available to ensure swift isolation of affected computers.”