Do you still remember how WannaCryptor ran
its – winding – course? It was a tale that revealed a number of intriguing plot
lines amid the ransomworm’s numerous twists and turns.
You’ve no doubt heard about WannaCryptor, aka
WannaCry or WCrypt, many times before, but there may still be things that have
escaped you in the general hubbub of daily life. Here are a few tidbits that
helped make WannaCryptor – and, indeed, the people involved with it in a good
or bad way – stand out.
No need to play ball
First, unlike many of its malicious peers and contrary to initial reports, WannaCryptor did not rely on duping the target into
clicking on a link in, or attachment to, a malicious email. Instead, the
malware leveraged a software exploit known as EternalBlue. This tool, allegedly developed by the United
States’ National Security Agency (NSA) and then stolen and dumped online by the
Shadow Brokers hacking group, targeted a critical flaw in an outdated version of Microsoft’s Server Message
Block (SMB) implementation, which is used mainly for file- and printer-sharing
in corporate networks.
Having scanned the internet for machines with
port 445 (conventionally associated with SMB) open, the attackers exploited the
SMB flaw and went on to install another tool, DoublePulsar, thought to have
been stolen from the NSA. This backdoor paved the way for the main payload
that, once implanted and executed, encrypted the files.
Importantly, Microsoft released a critical security update for this vulnerability a full 59
days before the global outbreak. Furthermore, ports associated with any of the
three SMB versions should never be exposed to the internet. In addition,
Microsoft had advised a long time before the attack that the first
version of SMB (SMBv1), which is some three decades old and for which the patch
had also been released, should no longer be used. The bottom line? A compromise
by WannaCryptor was completely avoidable even in the absence of an installed
patch, simply by applying some basic security configurations. This, in fact,
applies to measures against malware in general, as it often targets open ports
and then exploits known software flaws.
Writhing worm and old’s cool
WannaCryptor’s worm-esque functionality had
some eerie echoes of techniques from the days of yore (in computer terms,
anyway). In fact, security folks had expected that ransomware would come to be
paired with self-propagating worms to greatly aid and abet the main payload’s
spread. Much like old-school worms – think Code Red in 2001, SQL Slammer in 2003, Sasser in 2004, and Conficker in 2008 – WannaCryptor, too, traversed vulnerable
corporate networks voraciously, feeding off a security loophole for which a
patch had been available for quite a while. This time, the malware packed a
particularly powerful punch in that its main payload was ransomware that
completely incapacitated the affected machines. “History doesn’t repeat itself,
but it often rhymes”, as Mark Twain is sometimes believed to have said.
Once in a machine, WannaCryptor leveraged its
worm functionality to feed on other vulnerable devices within the local network
and on the open internet. As soon as another exposed machine was found and
compromised courtesy of the same unpatched SMB loophole, it was abused for
“paying it forward”, continuing the vicious cycle of compromising computers,
encrypting files, and demanding ransom.
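The two preceding sections make two concrete, checkable claims: SMB ports (TCP 445, and 139 for the older transport) should never be reachable from the internet, and an SMB worm reveals itself by one host fanning out to many other hosts on port 445 in a short time. The following added example (not code from the original post or from ESET) shows how a defender would check both conditions against firewall or flow logs. The log line format, the internal address ranges and the sample lines are all constructed for this example; adapt parse_line() to whatever your firewall actually emits.

```python
"""Added example: two checks over firewall/flow logs for the conditions the
article describes. Everything here (log format, address ranges, sample lines)
is constructed for illustration.

  1. exposed_smb_inbound(): allowed inbound connections to TCP 445/139 whose
     source lies outside the organisation's own address ranges.
  2. smb_fanout(): an internal host reaching many distinct hosts on TCP 445/139
     within a short window, the lateral-movement pattern of an SMB worm.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}
# Constructed: the address space this organisation treats as "inside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines: "<iso-timestamp> <src>:<port> -> <dst>:<port> <proto> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 203.0.113.7:51234 -> 192.168.1.20:445 TCP ALLOW
2017-05-12T10:00:03 198.51.100.9:40001 -> 192.168.1.20:445 TCP DROP
2017-05-12T10:00:05 192.168.1.20:49152 -> 192.168.1.21:445 TCP ALLOW
2017-05-12T10:00:05 192.168.1.20:49153 -> 192.168.1.22:445 TCP ALLOW
2017-05-12T10:00:06 192.168.1.20:49154 -> 192.168.1.23:445 TCP ALLOW
2017-05-12T10:00:06 192.168.1.20:49155 -> 192.168.1.24:445 TCP DROP
2017-05-12T10:00:07 192.168.1.20:49156 -> 192.168.1.25:445 TCP ALLOW
2017-05-12T10:00:08 192.168.1.20:49157 -> 192.168.1.26:445 TCP ALLOW
2017-05-12T10:01:00 192.168.1.50:50000 -> 192.168.1.10:445 TCP ALLOW
2017-05-12T10:01:30 192.168.1.50:50001 -> 192.168.1.11:445 TCP ALLOW
2017-05-12T10:02:00 192.168.1.50:50002 -> 192.168.1.10:80 TCP ALLOW
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, _arrow, dst, proto, action = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src_ip),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
        "proto": proto,
        "action": action,
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def exposed_smb_inbound(log_text):
    """(src, dst) pairs where an external address was allowed to reach an SMB port."""
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if (rec["proto"] == "TCP" and rec["dport"] in SMB_PORTS
                and rec["action"] == "ALLOW" and not is_internal(rec["src"])):
            hits.append((str(rec["src"]), str(rec["dst"])))
    return hits


def smb_fanout(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each internal source to the largest number of distinct SMB destinations
    it contacted within any `window`; only sources at or above `threshold` are
    returned. Dropped attempts count too: a worm probes whether or not the
    firewall lets the connection through."""
    events = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec["proto"] == "TCP" and rec["dport"] in SMB_PORTS and is_internal(rec["src"]):
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (timestamp, destination)
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


if __name__ == "__main__":
    print("SMB reachable from outside:", exposed_smb_inbound(SAMPLE_LOG))
    print("Worm-like SMB fan-out:", smb_fanout(SAMPLE_LOG))
```

On the constructed sample, the first check reports the single allowed connection from 203.0.113.7 (the dropped attempt from 198.51.100.9 is not an exposure), and the second flags 192.168.1.20, which touched six distinct hosts on port 445 within three seconds, while 192.168.1.50's two file-server connections stay below the threshold. The threshold and window are starting points; tune them against a baseline of your own network's normal SMB traffic.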
The “deal” gone awry
Speaking of the main payload, ESET Senior
Research Fellow David Harley recently pointed out that the malware’s operators were very unlikely
to keep their side of the bargain even if the victims held up theirs. To
elaborate on that point – there was no automated or practicable way for the
attackers to know which victim had paid up and which had not. How can you
possibly share an unlock code if you can’t ascertain if the victim has paid up?
In fact, the money side of things failed
precipitously for the attackers considering the extent of the campaign and the
damage it wrought – some 300,000 machines compromised, each in potential
exchange for $300 (or, after three days, $600) for the decryption key. When the
dust settled, the operators of the three Bitcoin wallets associated with
WannaCryptor – to date unknown, by the way – emptied them in late July and early August, moving around
some 52 bitcoin, worth US$140,000 at that time. If the attackers were indeed
cashing out, it was hardly a windfall given the scale of the attack and the
fact that many other ransomware campaigns rake in millions in profits with much
less brouhaha and far fewer victims.
This, combined with some other quirks of
WannaCryptor, has prompted many security practitioners to believe that the
malware was never intended to be a money-grubbing machine. Instead, it has been
called an elaborate disk trasher, or it may have been planned as a small
operation that ended up getting out of hand.
Ten bucks
It’s not only in the Matrix that “everything
that has a beginning has an end” (I left out “Neo” on purpose here). How did
the WannaCryptor outbreak stop – for the most part, anyway? In a most
anti-climactic fashion – with a “switch”.
As WannaCryptor was being foisted on users
throughout the world, a 22-year-old malware analyst from England dived into
samples of the code, noticing something peculiar about its behavior. The
researcher, one Marcus Hutchins, aka MalwareTech, saw that the malware tried to connect to a
gibberish – and unregistered – domain.
Then, doing what those who track botnets for
a living often do, he took possession of the domain for the sake of further
insight into, and ultimately to stop, the attackers’ shenanigans. Except that
this time, first, there was no botnet involved and, second, Hutchins apparently
had no clue that, by buying the domain (for less than US$10) and making it
“live”, the malware’s “kill switch” would be turned on. Thereafter, whenever
WannaCryptor connected to the domain, the malware simply shut down, rather than
starting its spreading and disk-encrypting routines. This was instrumental in
slowing WannaCryptor’s propagation to a trickle within a few hours, earning
Hutchins the possibly undeserved designation “[accidental] hero”.
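The kill switch also has a defender's reading: a host that looked up the domain has already executed the malware's start-up check, so it needs remediation whether or not the switch then stopped it, and a host whose lookup could not succeed (the malware only shut down after connecting) would have carried on into its spreading and encryption routines. The following added example (not code from the original post or from ESET) applies that reading to DNS resolver logs. The article does not print the real domain, so a placeholder name is used, and the log format and sample lines are constructed for this example.

```python
"""Added example: reading the kill switch from the defender's side using DNS
resolver logs. The domain name below is a placeholder (the article does not
give the real one); the log format and sample lines are constructed.

  hosts_to_remediate():       every client that queried the domain ran the malware.
  hosts_where_switch_failed(): clients whose lookups all failed, so the shutdown
                               that depends on a successful connection could not
                               have happened.
"""
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not the real domain

# Constructed resolver log: "<timestamp> <client_ip> <query_name> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:10 192.168.1.20 killswitch-placeholder.example NOERROR
2017-05-12T11:02:11 192.168.1.21 www.example.com NOERROR
2017-05-12T11:02:12 192.168.1.22 killswitch-placeholder.example NXDOMAIN
2017-05-12T11:02:15 192.168.1.20 killswitch-placeholder.example NOERROR
2017-05-12T11:03:40 192.168.1.23 KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
2017-05-12T11:03:41 192.168.1.24 update.example.net SERVFAIL
"""


def normalize_name(name):
    """DNS names are case-insensitive; drop a trailing root dot so variants match."""
    return name.rstrip(".").lower()


def parse_dns_line(line):
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qname": normalize_name(qname), "rcode": rcode}


def kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """client -> list of response codes for every lookup of the kill-switch domain."""
    seen = defaultdict(list)
    target = normalize_name(domain)
    for rec in map(parse_dns_line, log_text.splitlines()):
        if rec["qname"] == target:
            seen[rec["client"]].append(rec["rcode"])
    return dict(seen)


def hosts_to_remediate(log_text, domain=KILL_SWITCH_DOMAIN):
    """Any lookup of the domain means the malware ran on that host, switch or no switch."""
    return sorted(kill_switch_lookups(log_text, domain))


def hosts_where_switch_failed(log_text, domain=KILL_SWITCH_DOMAIN):
    """Hosts whose every lookup failed (NXDOMAIN, SERVFAIL, ...): no connection
    was possible, so the malware would have continued rather than shutting down."""
    return sorted(client for client, rcodes in kill_switch_lookups(log_text, domain).items()
                  if all(r != "NOERROR" for r in rcodes))


if __name__ == "__main__":
    print("Ran the malware:", hosts_to_remediate(SAMPLE_DNS_LOG))
    print("Switch could not fire:", hosts_where_switch_failed(SAMPLE_DNS_LOG))
```

One caveat when using this for real: a successful DNS answer only makes the shutdown possible. The malware still had to complete the connection, so on a network where outbound HTTP is blocked or only works through a proxy, hosts in the first list may also belong in the second; treat the DNS evidence as a lower bound on what needs attention, not a proof that the switch fired.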
In an odd twist – and much to the
astonishment of many members of the security community – Hutchins was arrested
at the Las Vegas airport in early August on charges that he had helped develop and spread a banking Trojan called Kronos
(detected by ESET as Win32/Agent.QMH)
in 2014 and 2015. The next month, security journalist Brian Krebs published a
long piece, connecting Hutchins to several possibly unsavory
online personas. Hutchins, who is now on bail pending trial and denies any
wrongdoing, may face 40 years in jail.
On set
With WannaCryptor firmly in the rearview
mirror, let’s hope … er, no, let’s not. “Hope is not a strategy,” as some
prominent people, including film director James Cameron, have averred. Instead,
let’s learn the lessons offered by the outbreak unless we want to
provide fodder for a disaster movie. As far as I’m concerned, the tale of the
WannaCryptor outbreak and much of what happened in its wake has all the makings
of a Hollywood script.