It has been five years since the dumpster fire we all remember as WannaCry. WannaCry is self-propagating ransomware that held hundreds of thousands of devices around the world hostage in 2017. While the WannaCry attack was catastrophic, the worm-like ransomware attack also served as a lesson for cybercriminals and network defenders alike. From a cybercriminal’s perspective, it was a perfect example of what not to do. For network defenders, WannaCry highlighted the risks associated with destructive, self-propagating malware.
A Fateful day in May
On 12 May 2017, WannaCry ransomware began spreading like wildfire through computer networks across the world, encrypting over 200,000 devices across150 countries in 24 hours. WannaCry was considered “wormable”, meaning the malware could self-propagate without any human interaction. A ransom note was displayed on compromised devices demanding a ransom of $300 – $600, which was much less than the average ransom demands from other ransomware groups at the time.
WannaCry used the “EternalBlue” exploit that had been released by the Shadow Brokers threat group, who allegedly stole it previously from the United States National Security Agency (NSA). EternalBlue exploits a series of vulnerabilities in Microsoft’s Server Message Block (SMB) protocol. Although Microsoft released a patch to address the vulnerabilities in March 2017, several computers remained unpatched.
The backdoor “DoublePulsar” was used to maintain persistence and deliver the final WannaCry ransomware payload. WannaCry could scan the network and worm its way onto other vulnerable Windows devices.
The Kill Switch Domain
Hours after the campaign began, security researcher Marcus Hutchins discovered a domain name listed in the code of WannaCry. The domain did not already exist, so Hutchins registered the domain name. Registering domains found in malware samples was a familiar practice for Hutchins as part of his role as a malware researcher.
Hutchins and his colleague Jamie Hankins further inspected the code and realized that after deploying, WannaCry attempted to contact the domain. If the malware was unable to make contact with the domain, it would proceed to infect the device and encrypt the files. If the malware was able to make contact with the domain, it would not infect the system. Registering the domain acted as a kill switch, which is a mechanism used to shut down a device or in this case a piece of malware.
What was the impact?
By the time the dust had settled, WannaCry had infected over 230,000 devices in 150 countries causing approximately $4 billion in damages. The National Health Service (NHS) in the UK was one organization known to be impacted by the attack, which led to several emergency rooms having to close their doors and thousands of medical appointments to be rescheduled. Routine and emergency surgeries were canceled as NHS staff were unable to access their devices.
The kill switch prevented additional computer systems from being infected, but there were still thousands of systems infected with WannaCry. This spread was exasperated by the minimal chances of victims receiving a decryption key from the attackers even after a ransom payment was made. This was due to WannaCry not having a process for determining which victims paid and which did not.
Who was behind the attack?
The world was left wondering who was behind this disruptive attack. Several theories bubbled up to the surface in the days following the attack. On 18 May 2017, Digital Shadows (now ReliaQuest) applied the Analysis of Competing Hypothesis technique to determine the likelihood of each theory. At that time, we assessed that WannaCry may have been launched by an unsophisticated cybercriminal actor for several reasons including the poor coordination and implementation of the attack.
However, in May 2017 security researchers began connecting the dots and attributed the code to “APT38” (aka Lazarus), a North Korean state-sponsored threat group. On 18 Dec 2017, the United States publicly attributed the WannaCry attack to North Korea. Four years later on 17 Feb 2021, three North Korean computer programmers were indicted for their part in several cyber crimes, including the creation of WannaCry ransomware. APT38 is known for carrying out financially-motivated attacks, which is unusual for a nation state threat group. Many North Korean APTs are financially-motivated. This may be due to sanctions that negatively impact North Korea’s economy.
The cyber underground was watching alongside defenders
The cybercriminal community also likely learned several lessons from this impactful attack. WannaCry showed ransomware developers the importance of creating mechanisms to differentiate between victims. Failing to deliver a decryption key to a victim after a ransom payment is made is ultimately bad for business and could dissuade future victims from paying. Reputation is important for ransomware groups. Persuading victims that paying a ransom is the best choice allows these groups to make significant profits, which has been demonstrated by the remarkable escalation of ransomware activity since WannaCry.
In combination with the fatal payment flaw, the WannaCry attack had more victims than the attackers could handle, which quickly got out of hand. Communicating with thousands of victims across several time zones is physically and logistically challenging. This has also been demonstrated by the DarkSide ransomware group, who experienced these challenges during the Colonial Pipeline attack. The group had rules prohibiting attacks against critical infrastructure, but DarkSide likely experienced difficulties managing the actions of all of its affiliates.
Finally, the WannaCry attack exposed a worldwide patch management issue. Exploiting a single vulnerability in thousands of devices can have dire consequences. Network defenders know patch management is challenging because every environment has different dependencies and infrastructure. Cybercriminals are aware of this and exploiting vulnerabilities remains a top attack vector for many ransomware groups.
Five years after the infamous WannaCry attack, ransomware remains arguably the biggest threat facing business. When ransomware attacks make headlines or impact an entire supply chain, the cyber security community tries to squeeze every last bit of information and evidence out of these events. This is for several reasons, but mainly for prevention and attribution. However, we have to understand that we are not the only ones watching and learning what not to do. As network defenders get smarter, so do cybercriminals. Ransomware remains one of the largest threats to organizations across the globe not because we are failing, but because cyber security professionals and cybercriminals alike are evolving.
The techniques, tactics, and procedures of ransomware groups have evolved since WannaCry, but several commonly exploiting attack vectors remain such as:
- Phishing (T1566 Phishing)
- Weak or Stolen Credentials (T1078 Valid Accounts)
- Insecure remote access (T1133 External Remote Services)
- Software vulnerabilities (T1190 Exploit Public Facing Application)
Reviewing and implementing the mitigations listed alongside each of these techniques within the MITRE ATT&CK knowledge base of adversarial techniques, tactics, and procedures can significantly reduce the likelihood of attack. Applying the MITRE ATT&CK framework can enable security teams to make quicker, more confident actions, that are based on up to date cyber threat intelligence.
Digital Shadows (now ReliaQuest) monitors ransomware groups to provide strategic, operational, and tactical intelligence. If you are a network defender looking to stay up to date with the evolving ransomware threat landscape, you can sign up for our Search Light (now ReliaQuest GreyMatter Digital Risk Protection) platform for access to extensive threat profiles, indicators of compromise (IOCs), a daily feed of victims, a comprehensive breakdown targeting by sectors and geographies.