The first wave of WannaCry was just the beginning. What’s next?

carson sweet / 05.16.17

WannaCry was one of the most impactful cyberattacks the industry has seen in a decade. With hundreds of thousands of computers affected, many of them related to healthcare and business, the potential impact was already significant – but it was the tip of the iceberg. More waves of WannaCry and variants are coming, and we should expect worse.

Even so, basic security practices can easily prevent an organization from becoming a victim of WannaCry. That means there’s no excuse for letting that happen.

Why WannaCry should be a concern

The exploits used in WannaCry are not particularly novel, and malware-based attacks happen all the time, so what’s all the buzz about?

The worm-like distribution behavior of WannaCry certainly sets this exploit apart from other malware-based campaigns. Much like the Mirai botnet, every system infected with WannaCry goes to work trying to infect other systems. And like Mirai, the WannaCry exploit did not require human intervention to execute. This is a big departure from malware that employs phishing attacks or clickbait – essentially, you don’t have to trick a user into doing anything. If the needed vulnerabilities exist, the attack executes.

Its worm-like distribution behavior, coupled with a ransomware payload, gives WannaCry and its derivatives a very high potential for destruction. WannaCry’s operators were actually quite sloppy when it came to collecting the ransoms for the data it encrypted, but the potential impact is clear – data that’s encrypted using strong ciphers simply is not recoverable without the key. That means the data is, for all intents and purposes, gone forever. If this type of exploit were weaponized for the purpose of damage rather than financial gain, the data loss impact would be immense.

The third characteristic, although subtle, gives a strong hint as to the goals of the WannaCry developers: go for the large data stores on servers and workloads. The malware is explicitly coded to look for Microsoft SQL Server and Microsoft Exchange processes and kill them. This ostensibly allows the attackers to deny access to those services once their data stores become hostages to encryption.

This means the attackers absolutely intended to hit servers and workloads that contain large amounts of data… not just user workstations. The implications are staggering when one considers the kinds of medical and critical infrastructure applications hosted on such servers.
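The process-killing behavior described above is something a defender can watch for directly: a legitimate server rarely has its database or mail-store processes die in a cluster outside a maintenance window. The following script is an added example, not code from the original post; it runs a simple detection rule over a few constructed key=value process-termination log lines (the format and the host names are assumptions, as is the watchlist of process names, which you should adjust to the binaries actually deployed in your environment). It flags any host on which two or more watched service processes exited within a two-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of server process names (assumption: typical SQL Server and
# Exchange binaries; tune to what actually runs in your estate).
WATCHED_EXACT = {"sqlservr.exe", "sqlwriter.exe"}
WATCHED_PREFIXES = ("microsoft.exchange.", "msexchange")

# key=value pairs, with double-quoted values allowed to contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def image_name(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_watched(path):
    """True if the image is one of the watched server processes."""
    name = image_name(path)
    return name in WATCHED_EXACT or name.startswith(WATCHED_PREFIXES)


def find_kill_bursts(lines, window=timedelta(minutes=2), threshold=2):
    """Return {host: [terminated image names]} for every host where at
    least `threshold` watched processes exited within `window`."""
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("event") == "ProcessTerminate" and is_watched(ev.get("image", "")):
            per_host[ev["host"]].append((ev["time"], image_name(ev["image"])))

    alerts = {}
    for host, events in per_host.items():
        events.sort()  # chronological; tuples sort by time first
        for i, (t0, _) in enumerate(events):
            cluster = [name for t, name in events[i:] if t - t0 <= window]
            if len(cluster) >= threshold:
                alerts[host] = cluster
                break  # one alert per host is enough
    return alerts


# Constructed sample log: two server hosts lose their service processes
# within seconds; a workstation sees a single, unremarkable exit.
SAMPLE_LOG = """\
time=2017-05-12T10:14:03 host=DB01 event=ProcessCreate image="C:\\Windows\\System32\\notepad.exe"
time=2017-05-12T10:14:05 host=DB01 event=ProcessTerminate image="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"
time=2017-05-12T10:14:06 host=DB01 event=ProcessTerminate image="C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"
time=2017-05-12T10:14:07 host=MAIL01 event=ProcessTerminate image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Store.Worker.exe"
time=2017-05-12T10:14:08 host=MAIL01 event=ProcessTerminate image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe"
time=2017-05-12T11:30:00 host=WS07 event=ProcessTerminate image="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"
"""

if __name__ == "__main__":
    for host, names in find_kill_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: watched processes terminated together: {', '.join(names)}")
```

Planned restarts and patch reboots produce the same burst of exits, so in practice this rule is suppressed during change windows and correlated with a preceding shutdown event; the value is in catching the unscheduled case, where a mail or database server losing its processes is an early signal that something is about to go after its data files.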

This is yet another reminder of the importance of patching critical vulnerabilities. There are no excuses that will ever explain away how critical data was permanently lost because system managers didn’t take the time to discover and patch vulnerabilities.

So what’s next?

Copycats and variations.

Just because the primary spread of WannaCry has been subdued doesn’t mean this attack is close to being over. Variations are already being detected, and a lateral spread of WannaCry is still occurring within infected organizations thanks to its worm behavior. Given its effectiveness, it will be in high demand for those with more sinister intent. We shouldn’t be surprised to see this malware and/or derivatives delivered “as-a-service.” Some industrious cybercriminal will almost certainly turn WannaCry into a money-making service, using techniques similar to those used to design Mirai as a multi-tenant botnet-as-a-service.

And while a ransomware attack is no walk in the park, a far bigger concern that warrants repeating is WannaCry being adapted to encrypt files and then destroy the keys, leaving no recovery path at all.

What’s next for potential victims?

For the smart ones, nothing. It also warrants repeating – there’s no excuse for not being aware of where vulnerabilities exist and applying the patches. Given the level of information, automation and support available, it’s hard to think of a good reason why Windows systems would not already be updated.

Final thoughts

As I’ve written about before, we’re seeing exploits become more automated and sophisticated, with greater impact. Unfortunately, we also continue to see simple inattention to basics like patching creating senseless risks.

The threat landscape isn’t going to get any less complex, and technology environments will just continue to become more complex and dynamic. If there’s a silver lining to WannaCry, it’s the wake-up call that it delivered.

That wake-up call?

To paraphrase my colleague Andras Cser… automate or die.