WannaCry continues to be a reminder of the challenges that organizations face in dealing with the ransomware threat.
The ransomware landscape has evolved considerably since WannaCry dramatically drove home the potential severity of the threat five years ago on May 12. What has changed somewhat less over the same period is enterprise preparedness in the face of ransomware attacks.
Ransomware emerged and has remained entrenched as one of the most difficult security issues for organizations across sectors in the past few years. WannaCry itself, while nowhere near as widespread as it was initially, remains a potent threat and even figured in some vendor lists of top malware threats as recently as last November.
By most accounts, enterprise organizations have gotten better at remediating vulnerabilities and updating obsolete and outdated software. Even so, the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire remains in widespread use across organizations and regions. Most attacks against the SMB protocol still attempt to exploit EternalBlue, the exploit that was used in the WannaCry attacks. Patching and vulnerability management programs continue to pose challenges, as do practices such as threat detection, remediation, and response.
Meanwhile, ransomware and the manner in which it is used have changed. Many ransomware attacks these days are highly targeted and involve hands-on tactics for maximum effectiveness. Tools are increasingly becoming multiplatform, meaning they can be used to attack different operating systems. Examples of these tools include Conti, BlackCat, and Deadbolt.
And the proliferation of ransomware-as-a-service offerings has lowered the barrier to entry for common cybercriminals, even as it has fostered increasingly businesslike hierarchies and processes within the criminal industry. A high percentage of ransomware attacks these days also involve data theft and denial-of-service attacks as additional forms of extortion.
Alive and Kicking
“WannaCry, though not nearly as prevalent of a threat as it once was, is still alive and kicking,” says Tessa Mishoe, senior threat analyst at LogicHub. Over the time between its first attacks and now, the ransomware industry has learned from WannaCry’s efforts and the responses to it — whether it be new tactics such as auctioning data and blackmailing customers or new techniques like more complex virtual machine escapes and persistence. “Ransomware’s increase in market share should be a good indicator of how WannaCry launched more intrigue into ransomware,” Mishoe says.
WannaCry surfaced on May 12, 2017, and in a matter of days spread to some 300,000 computers worldwide. Though many have described it as ransomware, one of its main functions was to wipe data clean from infected systems.
Numerous organizations were affected by the outbreak, including FedEx, Nissan, and, perhaps most notably, the United Kingdom’s National Health Service. The US Department of Justice and numerous others have attributed the malware and the attacks to North Korea’s Lazarus Group. Over the years, researchers have estimated damages associated with the malware to be more than $1 billion dollars.
The malware spread via a publicly leaked, US National Security Agency (NSA)-developed exploit called EternalBlue that targeted a critical remote code execution vulnerability (MS17-010) in Microsoft’s Server Message Block 1.0 (SMBv1) file-sharing protocol. Once installed on a system, WannaCry quickly spread to other devices running a vulnerable SMB version. Most of these were older Windows systems, such as those running on Windows Vista, Windows 7, and Windows 8.1.
Though Microsoft had issued a patch for the SMB flaw more than a month before WannaCry, millions of computers were unpatched against the problem when the malware hit.
A Continuing Threat
Five years later, attackers are continuing to use the EternalBlue exploit to deploy WannaCry and other malware on enterprise systems.
A recent analysis conducted by Barracuda Networks of attacks over a three-month period shows a staggering 92% of all attacks on SMB port 445 involve attempts to use the EternalBlue exploit.
“There are still machines out there that have never been patched against these sorts of exploits and likely won’t ever be,” says Jonathan Tanner, a senior security researcher at Barracuda. “So, it’s not a lot of work on the attackers’ part to try to find and exploit these systems.”
Much of this also is due to continued delays in organizations updating their infrastructures. A survey of 500 IT decision-makers by vendor ExtraHop found 68% of respondents admitting to still running SMBv1, even though newer, more secure versions of the file-sharing protocol have been around for years. The company will be discussing the obstacles that companies face in hardening themselves for ransomware attacks at the upcoming RSA Conference (RSAC), in a session aptly entitled, “What Will It Take to Stop Ransomware?” Read more: https://bit.ly/3MgtYf6
You can also read this: Microsoft: Ransomware Relies on the Gig Economy