In-brief: One week after the WannaCry ransomware knocked out hospitals in the UK and subway fare systems in Germany, the malware is as notable for who it didn’t affect for who it did. Among those spared WannaCry’s wrath: federal IT systems in the U.S. as well as consumers. But why?
The WannaCry ransomware that began spreading a week ago has dominated headlines for days, prompting cancellations of medical procedures in the UK and other disruptions in Asia and the EU. One week later, hospitals hit by WannaCry are still recovering and experiencing disruptions and patient cancellations, The Guardian reported Friday.
But one week later, one of the most vexing questions about WannaCry may be who or what it did not infect, rather than who it did. Among the WannaCry’s alleged missing victims: federal IT systems in the U.S. as well as consumer-owned systems: two massive buckets of users that often are hard hit in malware outbreaks.
Despite infecting an estimated 200,000 Windows systems globally, WannaCry did not infect any of the U.S. Government’s systems, according to White House homeland security advisor Thomas Bossert in a press briefing on May 15th. Speaking to the web site Cyberscoop, Kevin Cox, the Program Manager for the government’s Continuous Diagnostic and Monitoring (CDM) program may be responsible for keeping WannaCry at bay. “A number of agencies are at a level of maturity with already with the CDM tool deployment that they are able to use those tools to look across their [IT] environment to see if they’re vulnerable, if they have the right patch in place,” Cox said.
The Department of Homeland Security did not respond to a Security Ledger request for an update on the impact of WannaCry on federal systems. However, a zero percent infection rate would be a feat. The U.S. federal government manages millions of IT systems across the globe. And, sadly, many of them are old and out of date.
A 2017 budget of some $89 billion (with a ‘b’). And, as GAO noted, many of those are aging systems. In fact, 70% of the federal government’s investments are in operating and maintaining legacy equipment, rather than investing in new technology. A survey of 105 senior federal workers by the firm BeyondTrust corroborated this. There, 47 % of Federal agencies still use Windows XP. An overwhelming majority of Federal IT managers (81%) said that aging IT infrastructures have a “somewhat to extremely large” impact on their cybersecurity risk.
Government, broadly speaking, was among the most affected sectors, data suggests. An analysis by the firm BitSight, which analyzes the public presence of various organizations, found around 8% of government systems had the SMB service exploited by the WannaCry worm exposed – one of the highest ratios of exposed systems of any industry. Of government systems BitSight monitored, a little more than 1% showed evidence of having been infected by WannaCry, putting government among the top five industries affected by WannaCry.
That still doesn’t discount Mr. Bossert’s claim that the Federal Government escaped WannaCry’s wrath. Dan Dahlberg, a researcher at BitSight, told Security Ledger that systems with SMB exposed may still have been patched against the vulnerability triggered by “EternalBlue,” NSA exploit that was responsible for WannaCry’s spread. Also, BitSight’s “government/politics” bucket contains state and local municipalities, which account for many of the infections, Dahlberg said.
Equally puzzling is the shortage of consumers who were victimized by WannaCry. IBM X-Force researchers said on Monday that they also found no evidence of WannaCry in an analysis of more than 1 billion spam and phishing emails that landed in the company’s spam traps and honey pots since the beginning of March.
“We found no evidence, not a single e-mail in that massive sample of 1B e-mails that contained indicators of this attack,” Caleb Barlow, IBM Security’s Vice President of Threat Intelligence wrote.
While researchers long ago recognized that WannaCry was not spreading by phishing emails, the IBM data raises questions about how the attack was initially seeded and set up.
“We know how the malware propagated – thru a Microsoft Windows vulnerability but how was patient zero infected in each of these companies? And… why are we not seeing a flood of consumer infections,” Barlow wrote.
Experts note that WannaCry’s spread focused more in Asia and the EU than North America.
Data from Cisco’s Umbrella platform saw infections begin early Thursday from several machines with scanners hitting more heavily in the EU and Asia, said Craig Williams, a Senior Technical Leader at Cisco Security.
The ransomware was also poorly written: with a feature that caused the malware to stop propagating after 24 hours, and few anti-reverse engineering features, which made it easy for researchers to take the malware apart, analyze its workings and figure out how to stop it, Williams said.
Further, the malware’s critical payment module was fatally flawed, relying on manual processing of payments and distribution of decryption keys, and lacking any feature to connect specific payments to specific locked systems. That severely limited pay-outs to the hackers, who had garnered only $80,000 in payments to three Bitcoin wallets associated with the malware – out of a potential bonanza of $60 million.
With a narrow window during which to spread and a propagation module that relied solely on finding and exploiting publicly exposed SMB (service message block) interfaces, WannaCry landed its hardest punches in industries with distributed infrastructure and a propensity for running out of date systems, said Beau Woods of The Atlantic Council and the group I Am The Cavalry.
Telecommunications, Education, Utilities and Government were four of the top five industries affected by WannaCry, according to BitSight. In addition to National Health Service hospitals and facilities in the UK, Berlin’s S-Bahn saw ticket machines crippled by the ransomware.
With speculation that hackers affiliated with the government of North Korea authored the malicious software, the question is whether WannaCry is simply a manifestation of a lack of experience, or if those behind it had other motives.
Regardless, the outcome of the attack could have been far worse, said Williams of Cisco. “If we have an intelligent actor take over, we’re going to be in a lot of trouble,” he said.