By Integrity360 on June 17, 2022

WannaCry - 5 Years Down the Line

Managed Security Services, Incident Response

What is Wanncry? 

Wannacry ransomware first gained notoriety in 2017 after a global attack that was seen in over 150 countries and in excess of 300,000 devices. Some notable victims include the National Health Service (NHS) in the UK, Renault and FedEx. The feature that made this ransomware variant so successful was its worm-like properties, enabling it to spread across a computer network using the SMBv1 exploit EternalBlue. Wannacry encrypts user files and demands ransom be paid in bitcoin. The amounts were relatively small, usually between $300-$500 dollars, indicating the initial idea was less targeted and to get as many victims to pay as quickly as possible.  

 

Although no threat actor took responsibility for the attacks, researchers found key identifiers in the code pointing towards the Lazurus group, an infamous North Korean cybercriminal organisation, and Korean timestamps in the ransomware metadata.

Is Wannacry still a threat? 

Yes and no. In the ever-evolving world of cyber threats, 5 years is a lifetime. Within weeks of the Wannacry attacks, security vendors had supplied detection and prevention methods for the eternal blue exploits and the Wannacry decryption tools were made publicly available. Patches were made available to squash the exploit, in fact, SMBv2 was already available prior to the attacks but many organisations had not made the change (even after they had been warned) and Microsoft had provided patches 1 month prior. 

The point I am trying to make here is that Wannacry should not have been a threat, to begin with, but bad patch management could leave an organisation open to this attack. It is not uncommon for Incident responders to be called in by a victim to find that they are using software versions that are years out of date. 

However, As previously mentioned, 5 years is a lifetime, the threat landscape is completely different and it is unlikely (but not impossible) that a threat group would attempt Wannacry. It is more likely they would try something newer with fewer detection methods and more recent exploits. 

So, what has changed in 5 years? 

Wannacry focused on a single extortion method, deploying malware resulted in encrypted files, the victim had to pay up to gain access to those files. Now we are seeing more ransomware deployed as part of a double or even triple extortion tactic. With double extortion, the threat actors will exfiltrate the victim's data and then encrypt the files and folders. The victim will then be held to ransom with the threat of having their data leaked, in addition to their local files being encrypted. Triple extortion has the added threat of a Distributed Denial of Service attack if the victim delays or refuses payment.  

Additionally, ransomware has become more complex. Most recently, we have seen ransomware from the BlackCat group (aka AlphV). The first ransomware group to successfully use the Rust programming language to compromise victims. The flexibility of Rust allows BlackCat's operators to individually tailor attacks against targets. Unfortunately, there is also no known method of decryption. 

Read more about Ransomware in: Your Guide to 2022

 

It's all doom and gloom, what can we do??? 

There is a lot of focus on the ransomware aspect of the attack, however, this is the final stage of many. If we look at the Mitre ATT&CK framework and how Wannacry maps to it, we see there are 7 stages prior to the impact (Ransomware). Each one of these stages is also an opportunity for detection/prevention. Yes, the ransomware operators' attacks and extortion methods are advancing, but by doing so, they are having to access more systems and add extra steps prior to the final impact. Therefore, by focusing on these previous steps, and not the ransomware, we can build defences to detect/prevent prior to any ransomware being deployed (and having that dreaded call to IR). 

A firewall is great and protecting yourself from external threats is the right thing to do, but just look at the activities from the Wannacry ransomware. The majority of the action is internal. So don’t forget to invest in a good EDR, NGAV, IDS/IPS devices and other internal detection/logging devices. If you catch any ransomware/malware before that impact stage, you will save yourself one heck of a headache and probably a lot of money. 

CTA-Incident-Response-1

Excerpts of this piece have been published in the Global Security Mag and excerptsBetanews