WannaCry: Why this ransomware just won't die

As Honda and speed cameras in Australia have found out, WannaCry is still capable of infecting networks and could be for years to come - here's why.
Written by Danny Palmer, Senior Writer

The WannaCry ransomware epidemic hit hard: the malware infected over 300,000 victims around the globe, causing chaos.

Factories, the UK's National Health Service, the Russian postal service and even Chinese government agencies were amongst the victims of the indiscriminate WannaCry attack before the outbreak was brought under control - although not before costing billions in damages and lost productivity.

Once Microsoft had issued patches and the initial scramble to secure systems was over, the focus shifted towards working out who launched the attack, with both private cybersecurity firms and government agencies pointing towards North Korea as the culprit behind the incident.

But that wasn't the end. Over a month on from the initial outbreak, WannaCry is still claiming victims. On Sunday 18 June, car manufacturer Honda was forced to shut down one of its production facilities because systems were infected with WannaCry.

The Japanese firm temporarily halted production at its Sayama plant after it was discovered that the malware worm had infected networks across Japan, North America, China and more.

Located north-west of Tokyo, the Sayama plant was the only manufacturing facility to have production impacted by the outbreak, after being shut down on Monday, halting production of around 1,000 cars - the daily output of the facility.

No other production facilities were impacted in this way and work at the plant resumed as normal on Tuesday, the company told ZDNet, adding it will "take every step to further strengthen the security of the systems".

Just days later, WannaCry hit 55 speed cameras in Victoria, Australia, with the source of the infection thought to be human error: an infected USB drive was inserted by someone carrying out maintenance. Fortunately, the offline nature of the devices means the ransomware couldn't spread to other networks.

So why is WannaCry still causing problems for organisations over a month on from the initial epidemic?

Much of it comes down to the worm-like properties of the ransomware, which uses EternalBlue, a leaked NSA tool that exploits a vulnerability in a version of Windows' Server Message Block (SMB) networking protocol in order to spread itself.

And now that the worm is out in the wild, it is still attempting to find computers to infect - all while powered by some of the systems it infected in the first outbreak.

"This particular incarnation of WannaCry is a worm so it's propagating at random around the internet. So any systems which were infected and hadn't properly been cleaned still continued to propagate the worm," says Rafe Pilling, Senior Security Researcher at SecureWorks Counter Threat Unit.

"That can potentially lead to new infections in networks and environments which haven't applied the patch and let the worm in one way or the other".

It isn't even the first worm of this kind to remain a problem long after being first released; the Conficker worm - which, like SQL Slammer, carried out distributed denial of service (DDoS) attacks - first appeared in 2003 and, 14 years later, it's still carrying out attacks, to such an extent that in December it was the most common form of malware attack.

"WannaCry is still out there similar to how worms like Conficker are still able to spread on the internet. Without regular patching, organisations are susceptible to different types of cyber attacks, including those like WannaCry," says Ronnie Tokazowski, Senior Malware Analyst at Flashpoint.

It's this failure to patch which is enabling the likes of WannaCry - and Conficker - to remain a purely opportunistic threat that, in many instances, could easily be stopped.


"Conficker has been around for years and there's absolutely no reason on this earth why we should still see this infection," says Mark James, Security Specialist at ESET.

Another reason why WannaCry still survives is that many companies still rely on older machines and bespoke applications which either are no longer supported by patches - or just can't be patched in the first place. This sort of technology could still be vulnerable to the worm.

"It's quite common for those sort of systems to run older versions of operating systems which go unpatched, run old applications, use shared logins, that sort of stuff, all of which creates an environment which is more susceptible to this sort of thing," says Pilling.

"The problem with these older systems - Windows 7 mainly with WannaCry - is there may be instances where the actual SMB service is legitimately being used," says James.

And while organisations try to do all they can to protect systems with patches, it's simply hard to continually update old systems, especially when the manufacturers stop providing patches - yet many organisations push on with this approach because the alternative involves spending large amounts of money on wholesale upgrades.

"The problem is if it's embedded and part of your production line, who is going to be the person who's going to say we need to discard this perfectly working £500,000 of machinery for another piece of system which has a new processor," James says.

So what can be done to avoid falling victim to WannaCry now it's out there and still looking for systems to infect?

"Network segregation plays a major role in defence," says Pilling. "Ideally nobody should have the ports necessary for this worm to propagate accessible to the internet or with outbound access to the internet - it's generally considered poor practice for the SMB port to be exposed to the internet, or to allow your systems to talk to that protocol".
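One way to check whether the SMB ports Pilling refers to are crossing the internet boundary is to run a simple audit over network flow records. The following script is an added example, not code from the article, SecureWorks or any named vendor: it assumes flow logs in a constructed space-separated format (timestamp, source IP, source port, destination IP, destination port, protocol), assumes the organisation's internal address space is the RFC 1918 ranges, and treats TCP 445 and 139 as the SMB ports a worm of this kind needs to reach. It flags inbound SMB from the internet (exposure) and outbound SMB to the internet (an internal host talking SMB outwards, which is the other condition Pilling describes), and summarises the findings per internal host.

```python
import ipaddress
from collections import Counter

# TCP ports an SMB-based worm needs to reach on a target. The port numbers
# are well-known facts, not taken from the article.
SMB_PORTS = {445, 139}

# Assumption: the organisation's internal address space is RFC 1918.
# Anything outside these ranges is treated as "the internet".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow log (not real traffic), one record per line:
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2017-06-19T08:01:12Z 203.0.113.45 51022 10.0.5.40 445 tcp
2017-06-19T08:01:13Z 10.0.5.22 49211 10.0.5.40 445 tcp
2017-06-19T08:02:40Z 10.0.5.40 50190 198.51.100.7 445 tcp
2017-06-19T08:03:01Z 10.0.5.40 50191 198.51.100.7 443 tcp
2017-06-19T08:04:22Z 198.51.100.9 40001 10.0.5.40 139 tcp
2017-06-19T08:05:00Z 203.0.113.45 51023 10.0.5.40 445 udp
malformed line that should be skipped
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return (src, dst, dst_port, proto) for a well-formed record, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _, src, _, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(dport), proto.lower()
    except ValueError:
        return None


def find_smb_exposure(log_text: str):
    """Flag TCP flows to SMB ports that cross the internal/internet boundary.

    Internal-to-internal SMB is normal file-sharing traffic and is ignored;
    only flows with exactly one end inside the organisation are reported.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than crash the audit
        src, dst, dport, proto = rec
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if dst_in and not src_in:
            findings.append(("inbound-smb-from-internet", src, dst, dport))
        elif src_in and not dst_in:
            findings.append(("outbound-smb-to-internet", src, dst, dport))
    return findings


def summarise(findings):
    """Count findings per (category, internal host) so a noisy host stands out."""
    counts = Counter()
    for category, src, dst, _ in findings:
        host = dst if category.startswith("inbound") else src
        counts[(category, host)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_smb_exposure(SAMPLE_FLOWS)
    for hit in hits:
        print(*hit)
    print(summarise(hits))
```

On the constructed sample the audit reports two inbound SMB connections from the internet to 10.0.5.40 and one outbound SMB connection from that same host; the internal-only flow, the HTTPS flow, the UDP record and the malformed line are all ignored. Either category is a reason to revisit the firewall rules for that host.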

Even if WannaCry continues to propagate itself around the web, occasionally causing disruption to factories and other organisations, in a way we're lucky that some of the code behind the ransomware was fairly amateur.

While prolific, WannaCry can be deemed unsuccessful as a ransomware attack, as it failed to make much money from ransom payments: just a tiny proportion of victims paid up, generating the attackers around $140,000 - and that figure is only that high due to a rise in the valuation of Bitcoin.

But there are lessons to be learned here, as the outbreak could've been much more disruptive if the ransomware had been as advanced as the likes of Locky or Cerber, some of the ransomware variants most successful at extracting payments from victims, which helped ransomware cost businesses over $1 billion during 2016.

Organisations which still find themselves at risk from worms using exploits to infect older operating systems must seriously consider the potential impact -- and what could go wrong if something worse than WannaCry arrived -- before it's too late.
