By now, we all know the story: The WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) attack has impacted over 200,000 computers across 150 countries around the world. This is likely the most large-scale malware attack the world has ever seen.
While the WannaCry propagation is certainly unique, the TruSTAR team has seen little introspection about how security teams must change the way we think about categorizing significance in cyber attacks.
Examining The New Normal - Commodity Ransomware & Shared Infrastructure
At TruSTAR, we’ve witnessed ransomware like WannaCry becoming increasingly commoditized and infrastructure being reused in multiple attack campaigns. Companies should share indicators of compromise (IOCs), such as IP addresses and URLs associated with command and control infrastructure, to see how that data correlates with other campaigns.
We've seen correlations from WannaCry IOCs to Dreambot malware (a variant of the well-known Ursnif banking trojan), for example.
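The correlation described above is, at its simplest, an inverted index from indicator to the reports that mention it. The script below is an added example and not TruSTAR code: it indexes a handful of constructed reports (the names, RFC 5737 documentation addresses and .invalid hostnames are placeholders, not real WannaCry or Dreambot infrastructure), lists which reports share infrastructure, and scores an incoming report against everything already seen. The `max_prevalence` parameter is an assumption of this example, added so that an indicator seen in very many reports (shared hosting, a sinkhole, a CDN edge) is treated as noise rather than as evidence of a campaign link.

```python
"""Correlate indicators of compromise (IOCs) across campaign reports.

Added example (not TruSTAR code): builds an inverted index of
indicator -> reports, lists which reports share infrastructure, and
scores an incoming report against everything already seen.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data. Report names and indicators are placeholders
# (RFC 5737 documentation addresses and .invalid hostnames), not real
# WannaCry or Dreambot infrastructure. Report B deliberately carries a
# sloppily formatted URL to show why normalization matters.
REPORTS = {
    "report-A (ransomware)": {
        "192.0.2.10", "198.51.100.7", "http://c2-a.example.invalid/gate.php"},
    "report-B (banking trojan)": {
        "192.0.2.10", "203.0.113.5", "HTTP://C2-B.example.invalid/login "},
    "report-C (exploit kit landing)": {
        "203.0.113.5", "198.51.100.7", "http://ek.example.invalid/index.php"},
    "report-D (unrelated)": {"203.0.113.99"},
}


def normalize(ioc):
    """Canonicalize an indicator so trivially different spellings match."""
    return ioc.strip().lower()


def build_index(reports):
    """Inverted index: normalized indicator -> set of report names."""
    index = defaultdict(set)
    for name, iocs in reports.items():
        for ioc in iocs:
            index[normalize(ioc)].add(name)
    return index


def shared_infrastructure(index):
    """Pairs of reports that share at least one indicator, with the overlap."""
    pairs = defaultdict(set)
    for ioc, names in index.items():
        for a, b in combinations(sorted(names), 2):
            pairs[(a, b)].add(ioc)
    return dict(pairs)


def correlate(new_iocs, index, max_prevalence=None):
    """Match a new report's indicators against the index.

    Returns {report: {matched indicators}} ordered by number of matches.
    Indicators seen in more than max_prevalence reports are skipped as
    likely noise (shared hosting, sinkholes, CDNs) rather than a campaign
    link; max_prevalence is an assumption of this example, not a standard.
    """
    hits = defaultdict(set)
    for ioc in map(normalize, new_iocs):
        names = index.get(ioc, set())
        if max_prevalence is not None and len(names) > max_prevalence:
            continue
        for name in names:
            hits[name].add(ioc)
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    idx = build_index(REPORTS)
    for pair, iocs in shared_infrastructure(idx).items():
        print(f"{pair[0]} <-> {pair[1]} share {sorted(iocs)}")
    # Constructed incoming report: two known addresses plus one never seen.
    incoming = {"192.0.2.10", "203.0.113.5", "http://new.example.invalid/"}
    for name, iocs in correlate(incoming, idx).items():
        print(f"{name}: {sorted(iocs)}")
```

Run as-is, it shows report A linked to B and to C through different addresses, and the incoming report matching B most strongly. In practice the index would be fed from shared reports across many organizations, and the prevalence cut-off would be tuned so that a handful of widely seen addresses do not make every campaign look related to every other.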
The increase in ransomware is tied to a couple of key trends we have seen in the last few years.
Plug-and-Play Exploit Kits
Exploit kits (EKs) like RIG, widely available for purchase in the darker corners of the web, make it easy to deploy commoditized ransomware like Cerber or Locky, often using similar infrastructure. As you can see below, when the Angler exploit kit went down last year, cyber criminals began searching for a new go-to exploit kit, and in early September 2016 RIG became the predominant exploit kit among cybercriminals.
A Sector-Specific Approach to Cybersecurity Is No Longer Sufficient.
Ransomware is cyberspace's great equalizer, and we see it punish without prejudice toward particular companies, sectors, or business models. In the past, exploits that hit healthcare might look different than those hitting financial services or the retail sector. But if you think of it like a business, ransomware has minimal start-up costs, requires less and less nuanced technical skill to deploy, and has a simple monetization strategy in a broad and often sector-agnostic addressable market.
In the history of cyber attack evolution, however, ransomware is still quite young, and attackers and defenders are still learning. Take the WannaCry economics, for example: a few days into the attack, with 200,000+ systems infected and millions of hours of system downtime and lockout recorded, we're seeing a total bounty of only about $40,000 paid to the bitcoin addresses. While the data is far from conclusive on the actual impact of this kind of attack, it's safe to say there is some non-trivial gap between the business impact and the willingness to pay. What happens to those economics if WannaCry includes some infrastructure to simplify the bitcoin payment process, or if the window before the ransom demand increases shrinks from 3 days to 3 hours?
For us, the rise of ransomware is yet another reason why we have to break out of the mental model in cyber security that vendors have pounded into our heads for so long - that we're being singled out for attacks. On the TruSTAR platform, we see 65% of events correlating across companies, regardless of sector. As attacks continue to be replicated with more ease, the private sector must not fight alone. Exchanging threat intelligence to identify trending campaigns and provide the context needed to mitigate them is the only way forward.