Updated: Fatal Flaw Slows WannaCry Ransomware Spread, but Threats Remain

In-brief: A fatal flaw in its design slowed the spread of WannaCry, a virulent ransomware program that has infected more than 100,000 organizations and individuals globally.

A fatal flaw in its design slowed the spread of WannaCry, a virulent ransomware program that has infected more than 100,000 organizations and individuals globally. But security experts warn that the threat of future intrusions remain for organizations infected with the malicious software.

As of Monday, more 186,000 infections had been recorded globally, with most occurring in Russia, Ukraine, the European Union and Taiwan according to the security firm MacKeeper data from the firm MalwareTech, which tracked WannaCry installations. But security experts say that the spread of the ransomware was halted due to a flaw in the design of the malware and the actions of an astute UK-based security researcher who identified and exploited the flaw.

After spreading rapidly on Friday, the rate of new infections slowed over the weekend. The SANS Institute’s Internet Storm Center said that it expected to return to a “green” Infocon threat level on Monday, after elevating the threat level to “Yellow” over the weekend in response to the WannaCry outbreak.

The slowing of the outbreak was attributed to fast action by a UK researcher, who noticed that a hard-coded domain in the malware had not been registered and promptly purchased it and set up a web server on the domain.  Once live, the web site at the hard coded domain acted like a kill switch: causing hosts infected with WannaCry to stop attempting to identify and infect other machines.

A visualization of infections linked to the WannaCry ransomware. (Image courtesy of MalwareTech.com)

The purpose of the “sinkhole” domain isn’t clear, although one theory is that was a crude attempt to defeat malware “sandboxing” features, many of which automatically resolve all web requests. Whatever the case, the kill switch domain greatly limited the reach of WannaCry, despite its use of a potent exploit of a known Microsoft Windows vulnerability extracted from hacking tools used by U.S. intelligence agencies.

Additionally, Microsoft moved on Friday to issue emergency patches for unsupported Windows systems including versions of Windows XP, Windows 2003 and Windows 8 (vs 8.1) that close the hole exploited by WannaCry.

Experts warned that the start of business on Monday could see a spike in new infections, as workers return to the office and turn on vulnerable Windows machines. But with most infections the result of scanning and exploitation of vulnerable Windows systems, the fact that WannaCry infected systems no longer scan for new victims makes even that threat remote.

The early demise of WannaCry also appears to have limited the payday for the cyber criminals behind the incident. As of Monday, just 171 payments had been observed in three Bitcoin wallets tied to the malware, amounting to just $47,510, according to @actual_ransom, a Twitter account that monitors payments to the bitcoin wallets associated with the WannaCry ransomware.

The low number of payouts may also reflect uncertainty that paying the ransom will restore their access to encrypted files. Security researchers echo that uncertainty, noting that the WannaCry ransomware relies on human operators to send victims the decryption key manually, rather than allowing for automated provisioning of the decryption key, which is the norm in other large-scale ransomware families.  Paying the ransom doesn’t guarantee that the WannaCry ransomed files will be restored.

Security experts breathed a sigh of relief, noting that the combination of ransomware with highly effective and remotely exploitable Windows vulnerabilities like ETERNALBLUE set the stage for what could have been a massive, global ransomware infection.

“ETERNALBLUE is a highly reliable exploit,” said Sean Dillon of the firm RiskSense told The Security Ledger. “It doesn’t crash the system under most circumstances which is pretty unique when you’re talking about a remote kernel exploit,” he said.

It also works on a lot of systems. Around 1.7 million publicly discoverable Internet connected systems are vulnerable to exploit by ETERNALBLUE and DOUBLEPULSAR. Many times more than number vulnerable, but hidden behind corporate firewalls, Harris said.  Around 10% of those are already compromised in some form, he said.

That means organizations are not out of the woods even if they dodged the WannaCry bullet. Systems infected by the WannaCry ransomware also are loaded with DOUBLEPULSAR, a persistent backdoor application that was part of the Vault 7 offensive hacking toolkit leaked by the Shadow Brokers hacking crew. DOUBLEPULSAR “is generally used to access and execute code on previously compromised systems (that) allows for the installation and activation of additional software, such as malware,” according to analysis by Cisco Talos.

Harris said that new malware variants and exploits are so common that they barely get noticed. But that may have made the public, not to mention corporations and other organizations blasé when confronted from a truly dangerous threat. “It’s basically the industry crying wolf for so long. There’s a lot of FUD (fear, uncertainty and doubt) in the security industry,” Harris said. “Just going back to Heartbleed, that’s a user land arbitrary memory read, which is nice and all… but (ETERNALBLUE) is a complete ring zero back door on Windows systems,” he said.

“Generally the defaults on Windows systems aren’t the best and a lot of people don’t harden their systems,” said Harris, who conducts penetration tests on corporate networks. “If you get on one Windows box in a system you can get on them all. That’s what I do every week – which is get on them all. There are just so many avenues.”

Organizations should ensure that devices running Windows are fully patched and make sure that SMB ports (139, 445) are blocked from all externally accessible hosts, Cisco and other experts. Internally, organizations need to stay on top of patching and manage other vulnerabilities, like weak passwords, that allow malicious actors to spread.

“This won’t be the last. We’re going to be dealing with this cleanup and all the malware that use it for some time, I think,” Harris said.



Comments are closed.