In-brief: focusing on WannaCry, the ransomware delivered in last week’s attacks, misses the point. Organizations weren’t done in by the shoddy malware, but by a class-A offensive cyber weapon known as EternalBlue. Editor’s Note: this blog is cross-posted from Digital Guardian’s Data Insider blog.
We learned a long time ago that giving names to fast-moving security threats is a great way to raise awareness and alarms. That virulent code exploiting holes in Microsoft SQL Server became “SQL Slammer.” The malicious code exploiting MS08-067? Just call it “Conficker” (or “Downadup” or “Kido”). This works even when there is no malware behind the name: slapping “Heartbleed” on an obscure hole in OpenSSL did wonders for its public image.
The problem is that names can just as often draw attention away from the real problem (or problems) and toward the thing that has the name. I worry that this is what is happening with the latest Internet contagion, which everyone has referred to as “WannaCry,” a friendly variation on “WanaCryptor,” the name of a piece of down-market ransomware that was strapped to the rocket ship known as EternalBlue. EternalBlue was a highly effective exploit for a flaw in Microsoft’s implementation of Server Message Block version 1 (SMBv1), the file- and printer-sharing protocol built into every version of Windows. It let an unauthenticated attacker on the network execute arbitrary code, in the kernel, on any reachable machine that had not installed the fix Microsoft shipped in March 2017 (MS17-010), which is exactly how the ransomware moved from host to host without anyone clicking anything.
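The practical question for a defender reading this is not “what is the ransomware called?” but “is SMBv1 still switched on and unpatched anywhere I own?” The following PowerShell is an added example written for this post, not code from Digital Guardian or from the original article. It checks one Windows host for the two conditions EternalBlue depended on (SMBv1 enabled, MS17-010 absent) and whether TCP 445 is listening at all. The list of KB numbers is the set of March 2017 MS17-010 updates and is an assumption about what a given host would show; later cumulative updates supersede them, so `Get-HotFix` reporting none of them is a prompt to verify the patch level, not proof the host is vulnerable.

```powershell
# Added example (not from the original post): audit one Windows host for
# the conditions EternalBlue relied on. Run from an elevated PowerShell session.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Smb1Enabled       = $null
        Ms17010HotfixSeen = $false
        Port445Listening  = $false
    }

    # 1. Is SMBv1 enabled on the server side?
    #    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    else {
        # Windows 7 / Server 2008 R2: the registry value controls SMB1, and when
        # the value is absent SMB1 is enabled by default.
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $result.Smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
    }

    # 2. Is one of the March 2017 MS17-010 updates visible to Get-HotFix?
    #    Assumption: these KB IDs are the original MS17-010 releases. A host that
    #    has since taken a newer cumulative update will not list them even though
    #    it is patched, so treat "not seen" as "go and check", not "vulnerable".
    $ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                  'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $result.Ms17010HotfixSeen = [bool]($ms17010Kbs | Where-Object { $installed -contains $_ })

    # 3. Is SMB (TCP 445) listening, i.e. reachable by a worm on the same network?
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }

    [pscustomobject]$result
}

$status = Test-Smb1Exposure
$status | Format-List

if ($status.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; this is the protocol version EternalBlue targets.'
    # Remediation on Windows 8 / Server 2012 and later. Left commented out on purpose:
    # confirm no legacy NAS, printer or Samba share still depends on SMBv1 before applying.
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if (-not $status.Ms17010HotfixSeen) {
    Write-Warning 'No MS17-010 KB reported by Get-HotFix; confirm the patch level via the current cumulative update.'
}
```

Run it on a handful of servers and you will usually learn two things: that SMBv1 is enabled in far more places than anyone remembers turning it on, and that patch status is harder to prove than it looks, which is why disabling the protocol outright is the more durable fix than chasing KB numbers.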
What difference does it make what we call the attack? A lot, actually. WannaCry was a poorly implemented ransomware hack with a trivial kill switch: before encrypting anything, the malware checked whether a hard-coded domain resolved and quietly exited if it did. Security researchers spotted this early, registered the domain, and stopped the spread of the malware in its tracks. The WanaCryptor ransomware lacked even a polished payment module; every victim was pointed at one of the same three Bitcoin wallets, with no per-victim identifier, making it almost impossible for the cyber criminals to know who was paying them and sending a message to victims that paying the ransom probably wouldn’t bring their data back. The result? With an estimated 200,000 infections globally, the criminals behind WannaCry were in line to receive around $60 million in ransom if every victim paid the estimated $300. As of Thursday, the three Bitcoin wallets tied to the malware had registered just under $83,000 in payments. And even that money may be out of reach for those behind the attacks.
“This has to be one of the most poorly thought-out ransomware attacks we’ve seen,” Craig Williams, the Senior Technical Leader at Cisco’s Talos, told me.
But EternalBlue? That’s another story.
Read the full blog post here: WannaCry: What’s in a name? Confusion. | Digital Guardian