WaNNaCry RANs0MWaRe is A j0k3

Everyone is talking about this WannaCry ransomware as if it were the biggest threat in history when, honestly, it is one of the easiest to mitigate and prevent — just patch, for goodness’ sake!

Ransomware, in most cases, is just bold evidence that people have not prioritized security or are not working with the right partners. If you take this WannaCry example, everyone knew about these SMB/RDP vulnerabilities over a month ago, and still more than 200k computers got infected.

You can check out Javelin Networks’ coverage of this NSA leak — http://bit.ly/ShadowBrokers-NSA

This ransomware did not even try to evade detection. It was just opportunistic malware that spread to whoever had poor patching practices.

You might think that this WannaCry ransomware is the only one so far using methods from the NSA leak, but other adversaries are already using the leak info to open doors and increase their presence (except they won’t monetize it using ransomware). They are lurking under the surface of networks around the world. Ransomware is kind — it tells you, “here I am”. Attackers using other methods are not so kind, and dwell times are in the hundreds of days, sometimes years, while data is stolen and espionage is active.

1t Could b3 muCh wor23

Any advanced adversary with an opportunity to open a backdoor like this would not go down the ransomware path. Instead, they would use it only for their initial entry. From there, they would go after the real crown jewel of the company — Active Directory — red-team style.

As for ransomware monetization, they could have achieved a much higher ROI. Instead of scanning the network to find available nearby computers, they could have targeted Active Directory to fetch domain admins and computers. Armed with this information and high-privileged network access, they could easily encrypt the entire network and then demand a million-dollar ransom, like SAMAS Ransomware: http://bit.ly/2qnJGOj.

Ransomware has grown out of its adolescence. It has evolved and matured. And it will only become more dangerous.


Feel free to reach out — Almog@javelin-networks.com

https://twitter.com/md5session

http://javelin-networks.com