Learning from past mistakes is a crucial part of every job. Four years after WannaCry’s outbreak, analyzing which weak security practices allowed this ransomware to proliferate is pivotal in trying to avoid similar events in the future. This blog focuses on mapping MITRE ATT&CK to the WannaCry campaign and will discuss some of the key lessons learned (or that we should have learned by now) in the aftermath of this destructive campaign.
They say that time flies and, believe it or not, today marks the fourth anniversary of WannaCry’s worldwide outbreak. The WannaCry attack was a malware attack which targeted Windows operating systems and managed to encrypt devices in more than 150 countries within a day. WannaCry—also known as WannaCrypt, Wana Decrypt0r 2.0, and Wanna Decryptor—was a watershed moment in the cybersecurity industry and put the spotlight on the growing risks linked with ransomware attacks.
A brief overview of WannaCry
On 12 May 2017, the infosec community was taken by storm by the devastating spread of a new malware encrypting Windows devices and asking for a ransom to be paid in Bitcoin. At that time, ransomware was nothing new, but the speed at which this malware was able to self-propagate and infect new victims represented a drastic shift in previously observed tactics.
Although initially thought to be the result of a widespread phishing campaign, WannaCry malware exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol. This exploit, called “EternalBlue”, was a weaponized vulnerability leaked by the Shadow Brokers threat group who allegedly stole it previously from the United States’ National Security Agency (NSA). After gaining access to the victims’ machine with this exploit, WannaCry used “DoublePulsar”, a backdoor with a history similar to EternalBlue, to install and execute a copy of this malware.
In the first 24 hours of its outbreak, WannaCry impacted more than 200,000 individuals in over 150 countries. Unlike its costlier counterparts, this ransomware demanded a relatively small ransom sum between 300-600 USD (via Bitcoin) to decrypt the data. However, the requested ransom wasn’t the most disruptive part of WannaCry; disruption to business continuity and the ensuing chaos generated by an unprecedented cyber attack really made the WannaCry campaign one for the history books.
Mapping MITRE ATT&CK to WannaCry
MITRE ATT&CK is an invaluable knowledge database for organizations seeking a better understanding of the threats they may be exposed to. Digital Shadows (now ReliaQuest) recently launched a new Threat Intelligence library in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with mapping to MITRE ATT&CK and features to operationalize threat intelligence. Applying MITRE ATT&CK to your CTI program can provide crucial tools to security teams with a consistent shared understanding of threats, actors, and mitigation strategies. Let’s dive into WannaCry’s Tactics, Techniques, and Procedures (TTPs) without further ado.
T1595 – Active Scanning
According to the 2018 Department of Justice (DOJ) indictment, WannaCry “contained separate functions to identify and infect computers vulnerable to the [EternalBlue] exploit on the computer Local Area Network (LAN), as well as computers accessible over the internet.” The malware then attempted to connect to each IP address in the LAN to determine whether a computer located at that address would be vulnerable to infection.
At the time of the WannaCry outbreak, Windows had already released a security update to patch that vulnerability. However, many hospitals, businesses, and computers at home failed to update their operating system in time, which automatically led WannaCry with the upper hand to self-propagate and infect thousands of computers.
T1587.001 – Develop capabilities: Malware
Soon after WannaCry’s outbreak, researchers discovered that an earlier version of the ransomware had been circulating in the wild for quite some time. The striking difference between these two versions resided in how the malware was built to be spread out. WannaCry’s infamous second version used the SMB exploit described above, which “was able to spread to any unpatched computer on the internet that was allowing inbound connections via vulnerable SMB versions, or to computers that were connected to a network in which another computer was allowing the same.” Therefore, developing the malware capability to self-propagate via the EternalBlue exploit significantly increased the threat posed by WannaCry.
T1190 – Exploit Public-Facing Application
SMB protocol is typically intended for internal network use only; consequently, when organizations adopt public-facing ones, they risk exposing themselves to malicious activity. By exploiting vulnerable SMB network protocols, WannaCry was able to access the targeted device. Particularly, WannaCry would send SMB requests checking for vulnerable devices. This request would ultimately determine whether the contacted machine had been already compromised or if it represented another occasion for infection.
T1083 – File and Directory Discovery
Once inside the computer, WannaCry would begin searching user files for encryption and categorizing them by file extension. Later, WannaCry would primarily target “file extensions associated with productivity and database applications, compressed archives, and multimedia formats” for the encryption process.
T1018 – Remote System Discovery
Once WannaCry had accessed the victim computer, it would then proceed to discover further potential victims and begin the encryption process. As stated by MITRE, “WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.”
T1210 – Exploitation of Remote Services
As aforementioned, WannaCry exploited a vulnerability in Windows’ Server Message Block network protocol to gain unauthorized access and move laterally within the system. The exploitation of vulnerable remote services is a common technique within cybercriminals and threat actors. For this reason, a few months ago, Digital Shadows (now ReliaQuest) also published a blog mapping MITRE ATT&CK to compromised RDP sales as part of our Initial Access Brokers (IAB) research.
Command and Control
T1573.002 – Encrypted Channel: Asymmetric Cryptography
WannaCry contained a list of TOR addresses to communicate with a remote Command and Control (C2) server. WannaCry would use a custom asymmetric encryption algorithm to conceal traffic and ensure that only the appropriate recipient can read the encrypted message.
T1486 – Data Encrypted for Impact
With WannaCry being a ransomware, it would inevitably encrypt data on target systems to request a specific ransom. The requested sum for WannaCry was usually between USD 300 and USD 600 – a lot less than what ransomware threat groups are asking right now – with the consequence that disruption to the availability of system and network resources was often the most costly result.
Most security experts often discourage ransomware victims from paying cybercriminals for two main reasons. First, there’s no guarantee that you will get your data back, and second, you will also likely fund further criminal activity. This was proven true for WannaCry, as many victims claimed that they never got their data restored after having paid the ransom.
What’s the lesson four years later?
WannaCry’s 2017 outbreak proved once again the importance of having updated operating systems and patched vulnerabilities to avoid catastrophic events. WannaCry was far from using a zero-day exploit in May 2017 because Microsoft had already provided the relevant patching tools well in advance.
WannaCry ransomware thrived because many individuals and organizations were using end-of-life operating systems such as Windows XP (for which Microsoft provided a rare patch). Unfortunately, four years later, these issues are far from being solved and still constitute one of the adversaries’ popular entry points. End-of-life operating systems continue as compiling a thorough asset inventory can be a daunting task for organizations that have been through several mergers and acquisitions (M&A). Additionally, granting business continuity can sometimes have a more significant financial impact in the short term than ensuring a high-security level for the IT infrastructure, with the likely result of postponing (often indefinitely) the update of the relevant systems.
Another interesting analysis point stemming from the WannaCry campaign came directly from Windows President Brad Smith in a press release addressing this massive incident soon after its outbreak. In this note, he raised awareness on the issue linked with EternalBlue and DoublePulsar by stating that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.
Ultimately, although WannaCry had a tremendous impact on individuals and organizations worldwide, it wasn’t a perfect piece of malware and it was relatively short-lived as security researcher Marcus Hutchins found its kill switch just days after the virus outbreak. Given ransomware evolution in the past four years, it is easy to imagine how profound the impact of such a widespread campaign could be right now. Let’s hope we’ll never find out!
To learn more about malware threats relevant to your industry sector and geography, Digital Shadows (now ReliaQuest) offers a test drive of our Threat Intelligence library which can save hundreds of hours in analyst investigation on research, combing, analyzing, and reporting on TTP’s and threat actors across open, closed, and technical sources.
Alternatively, to view our previous intelligence on MITRE ATT&CK, check out our
- Mapping MITRE ATT&CK To The Microsoft Exchange Zero-Day Exploits
- Mapping MITRE ATT&CK to the DPRK Financial Crime Indictment
- Mapping MITRE ATT&CK To Compromised RDP Sales
- Mapping MITRE ATT&CK To SandWorm APT’s Global Campaign
- Mitre ATT&CK™ And The Mueller GRU Indictment: Lessons For Organizations
- ANU Breach Report: Mapping To Mitre ATT&CK Framework
- The 2017 FSB Indictment And Mitre ATT&CK™