Post Wannacry: What you need to know now
D/SRUPTION asked David Swan Director of the Cyber Intelligence Defence Centre to share his thoughts on what Wannacry means for business now.
For the last several weeks the Computer Security Industry has managed to capture headlines thanks to the ‘Wannacry’ malware. This malware had global impact, penetrating hundreds of thousands of computers with estimates running as high as 250,000+ computers and 150 countries. The research into the malware has continued as the story gradually fades, in part because the effects have been mitigated. This is a story that will not go away because the underlying causes of the attacks have not been addressed. Worse, it is highly probable that Wannacry will produce additional and more severe attacks.
There were good reasons for Wannacry to make headlines. Significant corporations and enterprises were infected. A telecommunications company in Spain, a car company in France, hospitals in the UK and India, banks in Russia and Asia were all infected by Wannacry ransomware. Initially it was thought only Windows XP computers were targeted, however as data was compiled, Microsoft Windows 7, x64 variant, was the most affected operating system. The attackers used two pieces of code: one to penetrate the computers; another to spread the infection laterally from inside networks. Although reports indicated 200-250 thousand computers were infected, there is the distinct possibility that even more computers are infected but have not been reported.
Why Wannacry was so successful
The roots of this attack lie in a number of places.
Microsoft builds Windows operating systems on a planned release cycle with a limited life expectancy. As each new version of Windows is released, older versions receive less support until support is phased out. New versions of Windows generally require newer hardware, sometimes making it difficult and/or expensive to upgrade older computers. Microsoft is notorious for not maintaining ‘backwards compatibility’, meaning new versions of Windows may not support programs or code that operated on older versions. Lastly, Microsoft makes Windows the way Paramount makes Star Trek movies: every other release is a ‘good’ version (we hope), so it doesn’t pay to upgrade too fast. Each new release of Microsoft Windows ‘orphans’ computers using older versions. Companies may not have the money for replacements/upgrades or the ability to modernize computer code no longer supported by Microsoft. In addition, there are computers using reused or pirated licenses that cannot be ‘patched’ using Microsoft processes.
The net effect is millions of computers attached to the Internet, running obsolete or orphaned operating systems that are vulnerable to attack.
Another reason for Wannacry’s success is that many organizations are slow to update systems. The reasons range from the cost of upgrading hardware or software, specialty software that is dependent on the operating system, or even a shortage of IT personnel. Sometimes computers are not updated simply because financial managers do not see the requirement. The penalty for not upgrading is increased vulnerability. In this case the vulnerabilities included the ones used by Wannacry Ransomware.
The bulk of hacking activity most people encounter, including Wannacry, is criminal activity. Wannacry ransomware encrypts the victims’ data. If the attackers are not paid or, sometimes, even if they are paid, the data is rendered unusable and/or deleted.
There are individual hackers, but the most serious criminal hackers have formed groups and associations that specialize in different aspects of organizations. A few criminal hacking groups are almost corporate in nature. Some of these corporate hacking organizations are known as ‘cyber unicorns’ because they have managed to steal in excess of USD one billion dollars. Similar to legal corporations, once a criminal hacking organization achieves a revenue stream they are insistent upon protecting, improving and/or replacing that revenue stream. The revenue streams come from the sale of stolen data (intellectual property or trade secrets), the sale of stolen credit cards and/or identities, and fraudulent advertising (better known as malvertising).
Wannacry is no exception to this general trend. The most accepted analysis is that a group known as the Lazarus group, associated with North Korea, is responsible for creating and launching the attack. A small amount of ransom was paid, approximately USD $105,000.00 as of May 22nd. That’s a mere 350 victims who paid up out of more than 250,000 infected computers.
Is Wannacry still a threat?
Wannacry isn’t going to ‘just go away’. Expect its developers to refine its different component parts from the delivery systems to the encryption processes. Multiple sources have reported variants of the existing malware as well as a newer version dubbed Wannacry 2.0. There are also reports that even with the ransomware neutralized, the portion of the malware that infected computers installed a backdoor that may still be accessed.
Wannacry – and all its variants – remain a threat.
Researchers have managed to attack Windows 10 using another variation of Wannacry. Depending on how much information the researchers released, this could result in another variant of Wannacry being launched.
The bottom line is Wannacry will be with us for a while: the original is still in circulation, version 2.0 is now looking for victims and Wannacry for Windows 10 will probably be released within a few weeks.
David Swan is Director of the Cyber Intelligence Defence Centre