20 May 2017

WannaCry: Ransomware Catastrophe or Failure?

http://www.darkreading.com/attacks-breaches/wannacry-ransomware-catastrophe-or-failure/a/d-id/1328900?_mc=RSS_DR_EDT&utm_source=hs_email&utm_medium=email&utm_content=52144310&_hsenc=p2ANqtz-8qCT7813Cvp_od8uwOkfbtkhVuz0skg870GlbvVvcNyXd6taF39Huy2r8t3_K052Z5tsz92QTABbBwI75CtO8V72fugw&_hsmi=52144310

Using Bitcoin payments as a measure, the WannaCry attack is not nearly as profitable as the headlines suggest. But you should still patch your Windows systems and educate users.
Wannacry (or WannaCrypt) is being called the "worst cyberattack in history" or at least the "biggest ransomware offensive in history," but those headlines just don’t line up with reality.
Despite public reports that as many as 300,000 computers in 150 countries have been infected with the malware, the normally observable pattern of delivery, destruction, and payment associated with a ransomware attack are largely missing. Phishing emails have been the primary delivery method for almost all other ransomware attacks to date. With this attack, the delivery method is still under debate but the main spreading mechanism is through Server Message Block (SMB) which is a protocol used by Windows computers to share files between each other. By invoking a flaw in SMB, a single infected computer can infect every other vulnerable machine on the same network. But is the attack size being touted in the media accurate? And is this really about ransomware?  After some very frightening initial headlines, the story just doesn't hold up to deeper inspection.
This is partly because the malware was disabled by a 22-year-old British malware researcher. Malware authors try to detect researchers by checking to see if the malware is running in a simulated network environment. One test is for the malware to ask the computer it is running on: "Can you reach this non-existent website?" If it can, then the malware can be certain it is running in a simulated network, where researchers are routing every Internet request to monitoring stations they control. (For those who do malware analysis – think ApateDNS redirecting everything to iNetSim.)
Figure 1 - WannaCry code calling non-existent domain 
Source: PhishMe
Figure 1 - WannaCry code calling non-existent domain
Source: PhishMe
By registering the "non-existent" Internet address that malware was using for its test, now every Internet user can resolve the address, which made the malware believe that everyone was in a simulated network, so they should not be infected because they were likely researchers.
The researcher, who guards his anonymity fiercely because he routinely ruins the lives of criminals, shares his intelligence here and blogged about his discovery here
The high count of "infected" computers are actually the number of computers that are asked to try to reach the formerly non-existent domain. However, analysis of the code shows that if that domain is reached, the malware simply terminates itself and offers no further risk to the computer that tried to infect itself. Perhaps these would be better counted as malware attempts rather than malware infections.
Payments Don't Add Up
The over-reporting of the malware is further confirmed by looking at the payment method. As far as researchers know, there are only three primary bitcoin addresses:
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
After reviewing hundreds of screen shots and talking to dozens of other researchers, no one has seen another bitcoin for malware since this round of the attack began on May 12th.
By pasting the addresses above at https://blockchain.info/ you can get a screen shot that will tell you how many payments and how many bitcoins have been made to each of the addresses. For example:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
(As of MAY 17, 2017 12:50 PM Eastern – 109  transactions totaling 16.75 bitcoins)
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
(As of MAY 17, 2017@12: 50 PM ET- 95 transactions totaling 16 Bitcoins)
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
(As of MAY 17, 2017 12:50 PM ET- 84 transactions totaling 11.17 bitcoins)
That’s only 288 payments totaling 43.92 bitcoins.
Bitcoin is currently trading at a near all-time high of $1,830 USDollars per BitCoin, which is about $80,000.  But if there were 300,000 victims … that wouldn’t make any sense. Certainly more than 1/10th of 1% of the victims would have paid the ransom! IBM claimed last year that 70% of companies admitted to paying ransom to get their files back.
So, $80,000 seems a bit shy of a ransomware catastrophe. Heck, Hollywood Presbyterian yielded 40 bitcoins just in a single ransomware instance in 2016. Want to discuss a ransomware catastrophe? Let's talk about Locky! Let's talk about Cerber! Let's talk about CryptoLocker! Remember that in Q1 2016 the FBI told CNN that ransomware had collected $209 million in ransom fees just that quarter.
WannaCry isn't even close. Sure, a handful of companies that didn't patch their Windows systems got hit hard, but organizations that were broadly impacted were, in many cases, using outdated, unsupported computers that were not patched.
Where are the ‘Mixers?’
The other interesting thing is that the criminals who steal money via Bitcoin normally immediately begin the process of laundering their Bitcoin by using online services called “mixers,” or by gambling with the money in Bitcoin casinos that also act as mixers. Bitcoin tracking services, such as Elliptic, a company that helps law enforcement de-anonymize Bitcoin, confirm that they can find no evidence of the Bitcoin received from ransomware victims being spent or cashed out.  It is likely that the criminals are too frightened to touch their ill-gotten gains knowing that there has never been closer scrutiny on a Bitcoin Wallet than there is right now.
Or is it possible that there is no financial criminal planning to make money from this attack? Could this be merely an attempt to discredit the U.S. intelligence agency, the NSA? Part of the drama about the attack is that, according to Russian security firm Kaspersky Lab, and confirmed by others, the ransomware spreads via an SMB exploit originally created by the NSA under the code name "EternalBlue" and leaked to the world by "Shadow Brokers" back on April 14th, a month after Microsoft patched the underlying vulnerability, known as MS17-010. Because Windows XP has gone through "end of life," security patches were no longer being created for XP, which is part of why XP systems have been said to be infected at a far greater rate than other Windows operating system versions. Microsoft has now issued an Emergency Patch for XP.
A Warning Shot
Whenever the entire world freaks about security, we have an opportunity as security practitioners. When every CEO, CSO, CISO, CIO and CRO on the planet is thinking about a cyberattack, there will certainly be questions asked such as, “Would this have impacted us?” or “Do you need anything to be safer?” This is not the time to go buy a new shiny toy to put on your shelf, but it is time to review your security practices.
In this situation, a March 14th 2017 patch would have saved your organization from a May 12th cyberattack. What is your timeline for implementing an urgent cybersecurity patch globally within your organization?  If it is less than two months, use this as an opportunity to improve that timeline.
In this situation, Windows XP within your network could have a devastating impact. Use this as a time to fight. Whatever reason someone has given to you that defended, "why we still must have XP" – fight them on it. Use this as an opportunity to insist that obsolete software be migrated away. If it’s a budgetary constraint, demand the budget. If it’s considered an irreplaceable piece of legacy special-purpose hardware, demand a replacement anyway, or a thorough penetration test to prove that your Windows XP is truly network-isolated from everything.
Remember that most of the ransomware that is actually being paid out is still being delivered by phishing email. Make sure that your employees know what to do when they see a suspicious email. If you don’t have a way to convert your employees from "the weak spot on the chain" to empowered "security sensors" feeding internal attack intelligence to your response teams then review your internal practices.

No comments: