By now, we all know the story: The WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) attack has impacted over 200,000 computers across 150 countries around the world.
Is this the most large-scale malware attack the world has ever seen? Political propaganda of the deed rather than financially motivated cybercrime? Or an otherwise unsophisticated exploit of a well-documented vulnerability that caught a perfect storm of media attention?
The New Normal – Commodity Ransomware
At TruSTAR, we’ve witnessed ransomware like WannaCry becoming increasingly commoditized and infrastructure being reused in multiple attack campaigns.
Earlier this year, we documented how RIG exploit kits were becoming the dominant delivery mechanism for commodity ransomware like Cerber and Locky, squatting on infrastructure previously associated with Angler and other past reigning champions of the exploit kit underworld.
Similarly, we've seen correlations from WannaCry IOCs to Dreambot malware (a variant of the well-known Ursnif banking trojan).
Ransomware is cyberspace's great equalizer, and we see it punish without prejudice toward particular companies, sectors, or business models. In the past, exploits that hit healthcare might look different from those hitting financial services or the retail sector. But if you think of it like a business, ransomware has minimal start-up costs, requires ever less nuanced technical skill to deploy, and has a simple monetization strategy in a broad and often sector-agnostic addressable market.
WannaCry - Financial Let Down?
With WannaCry, however, the speed of the propagation, the total number of systems infected, and the widespread reporting are just as interesting as the relative lack of financial return for the attackers. A few days into the attack, with 200,000+ systems infected, millions of hours of system downtime and lockout recorded, and hundreds of mainstream news articles published, we're seeing a total bounty of only about $40,000 paid to the bitcoin addresses referenced for payment?
You don't have to have an MBA to recognize that there is a non-trivial gap between the supposed business impact here and the victims' willingness to pay.
So, why so low? Was the publicity around this attack creating a lot of bark without much actual business impact bite? Did the attackers just blow it and leave a bunch of money on the table? Did they care about financial return at all, or was it for political purposes? As these things go in cyber, the answer is probably somewhere in the murky middle.
In the history of cyber attack evolution, ransomware is still quite young, and attackers, just like defenders, are still learning how best to operate in this new normal. With WannaCry, attackers asked for a payment of $300 to a bitcoin address to unlock the data, with penalties that increased every three days.
But bitcoin is not exactly mainstream yet, and while we don't exactly get to choose operating systems for our company, I have to think the Venn diagram overlap is pretty minimal between those operating every day on Windows XP or other outdated Microsoft operating systems and those fairly fluent in the cryptocurrency underworld. Likewise, the fact that the attack occurred right before the weekend, with a three-day grace period, meant folks had time over the weekend to implement the fix, which was widely available before the end of day on Friday.
What happens to those economics next time if the next WannaCry variation of ransomware includes a user-friendly step-by-step process that simplifies the bitcoin payment for victims? Or what happens to willingness to pay $300 when the next attacker shortens the clock from three days to three hours?
Stop Fighting Alone.
For us at TruSTAR, the breadth of WannaCry's spread is yet another chapter detailing the rise of commoditized ransomware that is as easy to deploy as it is to order a pizza. No matter what you think about the motives behind this particular attack, there will be more to come, and the next wave will learn from the impact we've seen (and not seen) here.
Most importantly, it's a brutal reminder that we have to break out of the mental model in cyber security that vendors have pounded into our heads for so long: that bad guys are singling you out for an attack because you're so special. That mentality helps sell incrementally better mousetraps in the cyber security rat race. But it also encourages us to build silos in our security operations.
As attackers iterate on TTPs using plug-and-play exploit kits over recycled command and control infrastructure, the companies and security teams that protect our valuable data cannot afford to operate in silos. At TruSTAR, we see 65% of reported events correlating across multiple companies, regardless of sector. That means it's really hard to be the singular victim of an attack, and, naturally, the benefits of exchanging intelligence increase sharply when there are others out there experiencing something similar.
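The cross-company correlation described above (and the WannaCry-to-Dreambot IOC overlap mentioned earlier) comes down to indexing indicators across reports from different organizations and asking which events share at least one indicator with another company. The following is an added example, not TruSTAR's platform code: the organizations, sectors, event ids, addresses (RFC 5737 documentation ranges), domains and hash strings are all constructed placeholders, and the "fraction of events that correlate" it computes is for this sample data only.

```python
"""Correlate IOCs across event reports submitted by several organizations.

Added illustration; all report data below is constructed and hypothetical.
"""
from collections import defaultdict

# Constructed sample reports: one event per submitting organization, each
# carrying the indicators (IPs, domains, file hashes) observed in that event.
REPORTS = [
    {"id": "evt-001", "org": "bank-a", "sector": "finance",
     "iocs": {"198.51.100.10", "c2-one.example", "sha256:PLACEHOLDER_HASH_AAA"}},
    {"id": "evt-002", "org": "hospital-b", "sector": "healthcare",
     "iocs": {"198.51.100.10", "dropper.example"}},
    {"id": "evt-003", "org": "retail-c", "sector": "retail",
     "iocs": {"203.0.113.5", "sha256:PLACEHOLDER_HASH_AAA"}},
    {"id": "evt-004", "org": "bank-a", "sector": "finance",
     "iocs": {"203.0.113.77"}},
    {"id": "evt-005", "org": "utility-d", "sector": "energy",
     "iocs": {"192.0.2.44", "phish.example"}},
    # Same org as evt-004 and shares its IP: an intra-company repeat, which
    # must NOT be counted as a cross-company correlation.
    {"id": "evt-006", "org": "bank-a", "sector": "finance",
     "iocs": {"203.0.113.77", "sha256:PLACEHOLDER_HASH_BBB"}},
]


def build_ioc_index(reports):
    """Map each IOC to the set of (org, event id) pairs that reported it."""
    index = defaultdict(set)
    for report in reports:
        for ioc in report["iocs"]:
            index[ioc].add((report["org"], report["id"]))
    return index


def correlate(reports):
    """For each event, collect the *other* organizations that reported any of
    its IOCs, plus the IOCs that link them. Matches within the same org are
    ignored so that a company re-reporting its own incident does not inflate
    the picture."""
    index = build_ioc_index(reports)
    result = {}
    for report in reports:
        peers, shared = set(), set()
        for ioc in report["iocs"]:
            for org, _event_id in index[ioc]:
                if org != report["org"]:
                    peers.add(org)
                    shared.add(ioc)
        result[report["id"]] = {"orgs": peers, "shared_iocs": shared}
    return result


def cross_company_fraction(reports):
    """Fraction of events that share at least one IOC with another company."""
    if not reports:
        return 0.0
    correlated = correlate(reports)
    hits = sum(1 for info in correlated.values() if info["orgs"])
    return hits / len(reports)


def sectors_touched(reports, ioc):
    """Which sectors reported a given indicator (sector-agnostic spread check)."""
    return {report["sector"] for report in reports if ioc in report["iocs"]}


if __name__ == "__main__":
    for event_id, info in correlate(REPORTS).items():
        print(event_id, sorted(info["orgs"]), sorted(info["shared_iocs"]))
    print(f"{cross_company_fraction(REPORTS):.0%} of events correlate across companies")
```

On the constructed sample, half of the events (evt-001, evt-002, evt-003) link to at least one other company through a shared IP or hash, while the two bank-a events that share an IP only with each other are correctly left out. In practice the index would be keyed on normalized indicators (lower-cased domains, defanged addresses restored, hash algorithm prefixes made consistent) before matching, otherwise trivially different spellings of the same IOC hide a real overlap.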
If we're going to keep up in this new wave of cyber attacks, we have to continue to innovate in bringing secure information sharing and intelligence exchange into enterprise security operations.