Ransomware: WannaCry was basic, next time could be much worse

Some researchers suggest WannaCry was a straightforward piece of ransomware. What kind of damage could be done with more advanced code?
Written by Danny Palmer, Senior Writer

As organisations across the globe attempt to get back to normal in the messy aftermath of the huge WannaCry ransomware attack, cybersecurity professionals say it should act as a warning of the impact even basic malware can have.

Thanks to its worm-like features, the WannaCry ransomware was able to quickly spread itself across an infected network, taking advantage of a vulnerability in some versions of Windows. Microsoft even released an emergency patch for its long unsupported operating systems.
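The worm-like spread described above has a recognisable footprint in network telemetry: a single host opening connections to many peers on the SMB port within a short window. The script below, an added example that is not from the article or from Check Point, flags that fan-out pattern over a handful of constructed connection records. The port number rests on the fact that EternalBlue exploits SMB (TCP/445); the log format, the IP addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real traffic), one per line:
#   "<ISO timestamp> <source ip> <destination ip> <destination port>"
SAMPLE_LOG = "\n".join(
    # Worm-like host: 12 distinct SMB targets inside 22 seconds
    [f"2017-05-12T10:00:{i * 2:02d} 10.0.1.15 10.0.1.{100 + i} 445" for i in range(12)]
    # Ordinary workstation: three file servers, spread over several minutes
    + [f"2017-05-12T10:{i * 2:02d}:00 10.0.1.30 10.0.2.{i + 1} 445" for i in range(3)]
    # Web browsing: many destinations, but on port 80, so not SMB
    + [f"2017-05-12T10:00:{i:02d} 10.0.1.40 203.0.113.{i + 1} 80" for i in range(12)]
)


def parse(log_text):
    """Turn the constructed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_smb_fanout(records, port=445, window_seconds=60, threshold=10):
    """Return {src: (distinct_targets, window_start)} for every source that
    contacts at least `threshold` distinct hosts on `port` within any
    `window_seconds`-long window. Thresholds are illustrative assumptions;
    tune them against a baseline of your own network's normal SMB use."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = None
        # Slide a window starting at each event and count distinct targets in it
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold and (best is None or len(targets) > best[0]):
                best = (len(targets), start)
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (count, start) in find_smb_fanout(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct SMB targets from {start.isoformat()}")
```

Run against the constructed records, only 10.0.1.15 is reported; the workstation talking to three file servers and the host browsing on port 80 stay quiet. The same window-and-threshold logic applies to flow logs, firewall logs or EDR network events once the `parse` step is swapped for the real format.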

Authorities across the globe are now making efforts to identify the perpetrators -- but some cybersecurity researchers think the whole campaign could've been the result of a relatively amateur operation which got out of hand.

"This doesn't look like a very professional ransomware," said Orli Gan, product manager at security company Check Point, speaking at the company's CPX conference in Milan, Italy, just days after the beginning of the WannaCry epidemic.

It's now well known that much of the code that made WannaCry was built by the NSA as the EternalBlue exploit for a Windows vulnerability, and then leaked by the Shadow Brokers, meaning anyone could access it.

"What we see in the malware is actual evidence of the attackers just taking code from that GitHub page, so we can draw a direct line from the malware, back through to the NSA exploits," said Yaniv Balmas, malware research team leader at Check Point.

However, those behind WannaCry bolted the ransomware onto the exploit code haphazardly, something researchers say organised, professional cybercriminal groups wouldn't do.

"The ransomware built on top of it is pretty amateur and also what you can see is the amount of money received is significantly lower than in other cases," said Gan. Only a few hundred ransoms of $300 in Bitcoin have been paid to the attackers, who potentially can't even tell who has paid them.

"That also points to this not being a professional organisation," she added.

Russia is often cited as a major source of ransomware campaigns, and many forms of this malware ship with instructions not to infect Russian-language machines -- but in the case of WannaCry, Russia has been badly impacted.

"Russia is actually one of the biggest targets of this campaign according to our statistics," said Balmas.

That could be another indicator of the more amateur nature of the perpetrators, as experienced ransomware developers will often instruct the malware not to infect certain countries or even demand different ransoms depending on target location. WannaCry doesn't do any of that.

"It lends testament to the fact that maybe nobody actually planned for it to go this far. Excluding countries is more of a professional trait," said Gan.

While WannaCry is far less advanced than the likes of Locky or Cerber, the fact that so many organisations around the world -- including a large proportion of the UK's National Health Service hospitals and doctors' surgeries -- were hit by it goes to show that ransomware can be simple but effective.

And it's likely that this won't be the last time that this sort of attack causes such damage.

"That's something that will keep happening in the future where people can copy and paste malware, copy the NSA code and that's what you get -- worldwide catastrophe. More and more things like that will happen," said Maya Horowitz, threat intelligence group manager at Check Point.

"Hackers can use these very strong tools for their goals, that's where we see the real impact of this," she added.

While the number of new WannaCry incidents appears to be slowly declining, the free availability of potent ransomware code will inevitably lead to future attacks -- especially if wannabe attackers are convinced they'll never be caught. That might change in the event the actor behind this attack is found, but it currently seems unlikely.

"If someone can put a name to a face behind this attack and show this person is being prosecuted for the damage they've caused, there will be an impact. But as long as people keep seeing the crime goes unpunished, this cyberthreat will [continue to] enter the real world," said Gan.

While WannaCry might be seen as a failed operation from a financial perspective for the attackers -- under 300 victims have paid and it has made less than $100,000 in a week -- the epidemic has raised the profile of ransomware, both with the general public and likely within the cybercriminal fraternity as well.

Ransomware has already experienced great success -- netting cybercriminals $1bn in 2016 alone -- because it simply works. People will pay ransom demands to get their encrypted files back.

"If people keep paying for ransomware, you're basically only paying for the next ransomware. If people stop paying for ransomware, it'll stop. So until you stop paying for it, you can expect to see more campaigns," said Balmas.
