One Year After WannaCry: A Fundamentally Changed Threat Landscape

It’s been one year this week since the ransomware known as WannaCry infected more than 200,000 machines in 150 countries, causing billions of dollars in damages and grinding global business to a halt. The speed and scale of the attack – helped along by leaked National Security Agency hacking tools – was obviously notable, but it’s WannaCry’s legacy that resonates today. The cyber-landscape has fundamentally changed, with threat actors increasing almost exponentially in their capabilities, sophistication and ambition.

“WannaCry changed the cybersecurity game, not just through its outsized impact; it made waves because of its outsized influence on the cyber-threat landscape,” Check Point researchers said in a blog breaking down the implications. “Marking a turning point in the cybersecurity environment, we were looking at the first global-scaled, multi-vectored cyberattack powered by state-sponsored tools. WannaCry marked a new generation…of cyberattacks.”

In the year since WannaCry, ransomware has given way to cryptomining as the go-to payload for cybercriminals. Cryptojacking in fact increased 8,500 percent in the last quarter of 2017, and made up 16 percent of all online attacks, according to Juniper Networks analysis. But ransomware isn’t waning: Numbers from Avast show that since the original attack, there have been more than 176 million attempted new WannaCry attacks globally.

We talked to several security researchers about what’s changed in the past year.

Arms Race

So what does “fundamental change” actually mean? For one, the use of nation-state-developed hacking tools has become widespread. WannaCry was the direct result of the Shadow Brokers hacker group stealing and then leaking exploits developed by the NSA. One of them, EternalBlue, was used in WannaCry, and just six weeks after that, NotPetya used the same exploit in its infamous attack. The genie was out of the bottle, and quickly, too.

EternalBlue and additional weapons from the trove have cropped up everywhere since then, in multiple campaigns spreading banking trojans, other kinds of ransomware and, this year, cryptomining code. Just recently, the SamSam ransomware attack that shut down the city of Atlanta and cost it $5 million in damages and clean-up costs relied on DoublePulsar – another NSA-developed exploit in use now across the internet.

“In the past, cybercriminals traditionally used simplistic, homegrown tools for their hacking activities,” Check Point researchers noted. “WannaCry marked the shift toward using military-grade weapons, hacking tools that are powerful enough for a national cyber-defense agency to use on international cyber-warfare.”

Bigger, Multi-Vector Attacks

As befits the use of industrial-strength tools, WannaCry also demonstrated the potential for severe, large-scale cyber-attacks. Campaigns today go after ever-greater paydays, and the space is attracting well-funded criminal organizations looking to develop lucrative hacking operations. The surge in ransomware outlines this: Check Point analysis shows that in 2015, ransomware attacks caused $325 million in damage. Last year, attacks were up 15-fold, costing $5 billion in damages.

“Even the most sophisticated of these ransomware attacks emerging today are just the tip of the spear,” Derek Manky, global security strategist at Fortinet’s FortiGuard Labs, told Threatpost. “Cybercriminals are adopting new attack strategies, such as those used by Hajime and Hide-and-Seek, to accelerate both the scale and success of attacks.”

In tandem with this, there has been a sea-change in attack vectors. WannaCry established the concept of the “ransomworm” – code that’s able to spread through cloud networks, remote office servers and network endpoints alike, needing only one entry point in order to infect the entire system.

“This multi-level approach allowed WannaCry to easily overwhelm companies that followed the usual security strategy of picking their favorite product from different vendors for each entry point,” Check Point researchers said.

However, since then, there has been an evolution towards more sophisticated variations of this approach.

“These new variants are transitioning away from traditional ransomworm-based attacks, which require constant communication back to their controller, and replacing them with automated, self-learning strategies, potentially turning malicious ransomworms into ‘ransom-swarms’,” Manky said. “Future attacks are likely to leverage things like swarm intelligence to take humans out of the loop entirely in order to accelerate attacks to digital speeds.”

He added, “Cybercriminals have been using an attack-on-all-fronts strategy that has been especially effective.”

A Physical Threat

The stakes are higher than ever before as well: WannaCry demonstrated that cyberattacks can introduce real, physical risks into the equation. It famously hit Britain’s National Health Service (NHS), and attacked a wealth of medical devices, like medical imaging machines.

“Patients in the U.K. lost valuable medical response time (and it is very likely that one could honestly say WannaCry ended up causing mortal harm to some),” Bob Rudis, chief security data scientist at Rapid7, told Threatpost. Rapid7 research recently determined that WannaCry was still the sixth most-prevalent threat in the first quarter of 2018. “WannaCry and NotPetya both ended up causing hundreds of millions of dollars in damages to medical production lines and other business processes.”

The ability to issue an epic beat-down on connected devices beyond the PC has become part of the new normal thanks to WannaCry – a state of affairs that’s set to worsen. Brian NeSmith, CEO and co-founder at Arctic Wolf Networks, told us that, essentially, every company and every device is a target.

“For industries like healthcare, ransomware puts the lives of people at risk,” he said. “Ransomware is likely to evolve and expand to IoT devices and wreak even more havoc. Today, the focus is on PCs, but tomorrow, everything from machinery, power control systems, industrial sensors and even thermostats will be targets. In the case of machinery, it could impact the safety and well-being of workers, dramatically increasing the stakes beyond just the ransom money.”

Increased Awareness

WannaCry’s legacy is not all bad news: the event has also increased cyber-awareness, and that’s never a bad thing.

“The biggest impact WannaCry had (in the UK at least) was to take ransomware from the domain of IT and security professionals to the boardroom, the newsroom and Parliament,” Oscar Arean, technical operations manager at Databarracks, told us. “Particularly in small and medium-sized enterprises, there hasn’t been adequate investment in awareness, and there’s been a lax attitude to the risks of running systems beyond end-of-life. The benefit of WannaCry is that now, when an IT manager at a small business asks for budget for systems upgrades from their CFO and the board – they can point to the example of the NHS to justify the expense.”

Rishi Bhargava, co-founder at Demisto, told Threatpost that the awareness level was particularly raised in healthcare environments.

“WannaCry was unique because this was the first large ransomware attack targeted at the healthcare vertical and affected not only computers, but also many medical devices like MRI machines,” Bhargava said via email. “Overall, WannaCry did not fundamentally change the security tools or the approaches or people’s perception, but it did raise awareness of the best practices in healthcare organizations.”

As Much as Things Change…

Despite better awareness, poor security practices (including a lack of simple patch updates) continue to plague companies. Overall, a Check Point survey found that just 3 percent of U.S. organizations are prepared for another WannaCry-like attack.

“Companies need to make sure they are doing the basics,” NeSmith said. “Deploy patches, update antivirus clients and train employees on security best practices. The defense strategy needs to define how a ransomware infection will be contained and how it will be remediated. This will require a smooth process for detection, triage and execution of the remediation plan.”

Patching works, after all. “While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Ken Spinner, vice president of global field engineering at Arctic Wolf, told Threatpost. “Plenty of others heard the wake-up call but hit the ‘snooze’ button. Hope is not a strategy to prevent the next major cyberattack from hitting your company, yet some are mistaking good luck for sound preparation and effort.”

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, laid out the basic best practices for us: patch; back up critical data and test your backups regularly; segment the network and make sure access to different segments is offered only on a business need; do not give admin privileges to all users if not needed; mount remote file systems on a system only if needed; and disable SMBv1 and make sure SMBv2 is not exposed to the internet. SMB, which is Microsoft’s file-sharing system, contains the vulnerability that EternalBlue, EternalRomance and other NSA tools exploit.

“Every board of directors should be asking its CISO about the company’s backup strategy,” Hahad told Threatpost, adding that there are also 2.3 million observable devices left out there with SMBv1 exposed to the internet. “A ransomware attack should be a blip on the radar that wastes people’s time to restore from backups, not a week-long debacle of trying to restore service and deciding whether to pay the ransom or not.”

He added, “The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them.”