WannaCry: Is Ransomware Diversifying?

What can the largest ever ransomware campaign tell us about the potential direction of future malware?

Credit: Marcus Spiske

As the dust settles around the initial outbreak of WannaCry, threat researchers have begun to tear their eyes away from the internal workings of the malware and to argue about the wider implications of the weekend’s events. As of Sunday, some 223,000 computers across the globe had their hard drives encrypted by the malware. Victims included the NHS, Russia’s Internal Ministry, and various Chinese universities. Russia and East Asia appear to have been the most affected, due to the prevalence of Windows XP, but the graph below shows the truly global spread of the malware.

WannaCry Infection Map (credit: Matt Suiche, https://twitter.com/msuiche/status/863723072746074112)

Initial forensic evaluations of WannaCry have produced largely the same conclusion: WannaCry is an unremarkable piece of ransomware spread in an incredibly effective manner. To explain why, a quick overview of the history of ransomware is useful.

What is Ransomware?

Ransomware is a type of malware which focuses on preventing a victim from using a specific feature of their computer unless they pay their attacker. The form closely resembles a real-world hostage situation. WannaCry is a type of ‘crypto-ransomware’, meaning that it creates a hostage situation by encrypting a victim’s data and offering the decryption key in exchange for money. The ransom is typically demanded in Bitcoin to give the attacker a level of anonymity. This method is incredibly effective since modern encryption is fast and strong — decryption without the key is so difficult, even with powerful computers, as to be functionally impossible. This is perfect for criminals, who can position themselves as the only way their victim can regain their data.

Does WannaCry innovate as a ransomware?

No. Early forensic reports on the technical workings of WannaCry have shown that the malware largely follows the same methodologies common to most modern ransomwares. When a computer is infected, the malware gains the permissions required to access the maximum number of files, installs the payment channel (a Tor client) and begins encrypting a wide variety of files.

This method is standard for ransomware since the task is relatively simple: take the data hostage and tell the victim where to send the money. This method has been in use since 2013, which marked the point at which ransomware, specifically crypto-ransomware, became a tangible threat to users worldwide. Whilst ransomwares have existed since 1989’s AIDS Trojan, earlier variants employed clumsier methods such as disabling keyboards and mice or displaying fake law enforcement messages. Since 2013, all the dominant ransomwares (such as CryptoWall, Locky and Cerber) have utilised encryption to gain leverage over their victims. In 2016, the F.B.I. estimated that the global income from crypto-ransomware crime totalled $1 billion a year.

Whilst other ransomwares have sought to distinguish themselves by using encryption in innovative ways, WannaCry does not mark a significant departure from other encryption methods. This is of crucial importance in understanding the weekend’s events. Crypto-ransomware has been a significant problem for law enforcement for some years now and WannaCry is clearly a product of already-established ransomware methodologies.

What makes WannaCry so effective?

Most ransomwares seek to spread as widely as possible. Since their methods are relatively easy to prevent, if not to remedy, campaigns have tended to favour a high-numbers approach. This has generally meant that ransomwares have been spread via email spam or installed by exploit kits downloaded inadvertently from insecure websites.

It is here that WannaCry breaks the mould. WannaCry is spread via a worm, a piece of malware with a simple aim: gain access to more computers. Firstly, the worm scans the Internet and connected network devices for a specific SMB port, TCP 445. The worm then checks whether these hosts are vulnerable to an exploit, allegedly developed by the NSA and codenamed ETERNALBLUE, which allows the worm to install itself on other computers running an unpatched version of Windows XP. As this worm spreads, it installs and executes the WannaCry payload responsible for the ransomware attack.

This utilisation of a complex, and highly effective, exploit makes WannaCry a remarkable piece of malware. ETERNALBLUE has allowed WannaCry to spread worldwide rapidly and, crucially, to gain access to computers which would generally present a limited attack surface to typical ransomware campaigns. Whilst WannaCry exhibits a higher level of complexity than ransomware campaigns based around email phishing, there are already exploit kits and worms which spread by scanning systems for vulnerabilities to exploit. In this context, ETERNALBLUE stands out as simply a more powerful version of an established methodology.

However, these types of exploits are rare and ETERNALBLUE is doubly so. An exploit of this level being leaked onto the open Internet is an uncommon event and ETERNALBLUE is of remarkable utility for malware.

What are the implications of WannaCry for future ransomwares?

Limited, but important. It is unlikely that a ransomware utilising an unrelated exploit of this magnitude will be developed in the immediate future, because such exploits rely upon vulnerabilities which are incredibly difficult to discover. Without an exploit of this strength, WannaCry would be one very low-level piece of ransomware amongst many. Since CryptoWall began to dominate the ransomware market in 2014 (with a one-time dominance of 59% of all ransomware attacks), ransomware criminals have needed to diversify to produce a significant profit and to avoid the increasingly effective tools developed by AV companies.

For this reason, recent years have seen ransomwares which modify existing methodologies slightly to create a niche in which their malware can specialise. In certain situations, this has meant adding extra incentive to pay — Chimera threatens to post data to the internet if not paid, whilst Jigsaw actively deletes files over time. At other times, this has involved adding extra virulence to the campaign — Cerber adds infected computers to a botnet used to spread spam emails containing the ransomware. SamSam displays a willingness to abandon the high-volume method entirely by manually targeting and infiltrating a high-value victim and maintaining stealth whilst encrypting data over a period of months.

WannaCry exists within this increasingly diverse and competitive market and highlights a few crucial considerations for the future threat landscape. Ransomware has been established as an effective cornerstone of cyber-crime and is certainly not going anywhere, at least in its general form. As 2016 saw ransomware dominate cyber-crime, 2017 will likely see an increased emphasis upon developing new variations on the form. WannaCry represents one element of this development, yet future ransomwares will likely focus on areas other than exploiting specific technical vulnerabilities. For example, WannaCry is remarkably effective at infiltrating many machines. Yet other ransomwares may focus on ensuring that a smaller number of victims pay the ransom: by exerting a firmer grip over the hostage (encrypting cloud storage), by applying greater pressure to the victim (deleting files or posting embarrassing content online), or simply by relying on more effective code which lacks any exploitable vulnerabilities or easily detectable methodologies.

Ransomware will be a dynamic and long-term problem in which criminals utilise both technical and non-technical methods to obtain ransom payments. Its greatest strength lies in the value users attribute to their data, which turns this seemingly technical crime into a psychological endeavour of manipulating victims. WannaCry exists within this spectrum, but observers would be wise to understand the diversity of modern ransomwares.

Meanwhile in Russia, an Orthodox priest prays to fend off the ransomware.