Threat Intelligence Blog

Posted May 17, 2017

Last week’s WannaCry ransomware attack has created a media, market and vendor frenzy unlike any other recent cyber attack. Having watched this fiasco play out over the past week, I can’t help but squirm at the broader message this attack sends to the market, and more importantly, the prevalence of our global digital dependency.

From my perspective, the past week leaves a lot more questions than answers. While the industry is hell bent on providing answers, many of these “answers” are plagued by confirmation bias – the tendency to interpret new evidence as confirmation of one’s beliefs or theories. In addition, seeking attribution for damages is irrelevant unless it supports action by law enforcement. Attributing this action to North Korea or any other nation state does not address the real issue: the brittleness of our overall digital dependency. What we should be asking is why do companies and organizations still allow a communications protocol designed for internal network connections and sharing to access the Internet?

Regardless who is behind the attack, this incident should be a global wake-up call on the importance of simple blocking and tackling – patching and restricting access for specific protocols to the Internet.

What the industry seems to be glazing over is why there has been such a low monetary yield – estimates are south of $70k USD. I think this could be a mass suffering of confirmation bias. Just because something claims to be ransomware, and because we’ve seen ransomware in the past, doesn’t necessarily mean it is ransomware.

Ransomware is destructive because it renders the files on a system inaccessible. One theory that I have yet to see develop is that maybe the intent of this attack was not to generate income at all, but to simply be destructive. Unlike typical ransomware that we’ve previously observed, what sets WannaCry ransomware apart is the worm propagation of this particular strain, which contributed to the scale and pervasiveness of this outbreak. I see more similarities between WannaCry and Shamoon than I do WannaCry and other strains of ransomware. While Shamoon overwrote files, WannaCry’s encryption essentially did the same thing on a global and indiscriminate scale by making the file system inaccessible.

Another thing I find interesting, which could be purely coincidental, is the timing of the WannaCry attack. This outbreak occurred roughly a month and a half before the next Internet Corporation of Assigned Names and Numbers (ICANN) Policy Forum on June 26 – 29, 2017.

Why does this timing matter, and what significance would WannaCry have in such a policy forum? It all connects back to ongoing arguments by Russia, Iran, and China that the United States has too much influence over Internet governance. The fact that these leaked United States National Security Agency (NSA) exploits have fallen into the hands of the general Internet population could support these claims.

The last aspect of WannaCry that I find perplexing is the inclusion of the “kill switch.” While this artifact of the code was critical in limiting the overall effect of the outbreak, it simply makes no sense. WannaCry is not proxy aware, meaning that it would have never been able to reach the “kill switch” in most high or even rudimentary sophisticated security organizations, even if it was active. This begs the question, why would it even be there to begin with?  While there are a few theories floating around the industry, we simply don’t know why it was in the code. What this artifact, as well as the code snippet shared by malware created by the Lazarus Group, instantiates is that WannaCry was most likely a cobbling of old and new code.

In a world where cyber attackers can reap significant dividends from a successful ransomware attack, nothing about WannaCry seems to add up. It would be easy to categorize the outbreak as a simple ransomware campaign, or we can open our minds and aperture and realize things may not be what they seem. While we still don’t have clear answers about WannaCry, the biggest and most basic lesson to take away from the attack is that fundamental security best practices matter.

 This article is in no way meant to disrespectful of the work done by numerous researchers who quickly took action against this attack. Without their contribution, this outbreak may have wreaked even more global havoc.

Additional Posts

ICYMI: Three Cyber Stories You Missed While Everyone Was Talking About WannaCry

In a recent briefing, LookingGlass Threat Researcher Steven Weinstein half-jokingly referred to the ...

Weekly Threat Intelligence Brief: May 17, 2017

This weekly brief for May 17, 2017 highlights the latest threat intelligence news to provide ...