The Wannacry ransomware has been keeping us busy for several days now. This software has infected systems worldwide by exploiting an older (already patched) Windows vulnerability. While many may wonder how a vulnerability that has already been patched can still infect so many systems worldwide, it appears that the attack hasn’t brought in much money yet. Considering the attack and the errors made by the criminals, I wonder whether this attack was a first test or a dress rehearsal for a much bigger attack.
It is generally agreed upon within our industry that the criminals in charge of this attack have made some striking errors. To start with: the timing of the attack. If you want your attack to have the highest possible impact, it is not a good idea to launch it right before the weekend. This leaves organizations and security vendors with plenty of time to take appropriate measures to minimize the impact.
Additionally, it is very unusual to use just a limited number of Bitcoin addresses, and to hard-code them in the malicious code. This is remarkable because all eyes are now on these addresses and on every transaction moving to or from them. It is therefore much more likely that the criminals’ anonymity will not last once the bitcoins are exchanged from the virtual world into the real world.
The built-in killswitch may well serve another purpose: to detect sandboxes. A sandbox is an isolated environment that simulates the client environment and scans for malicious code. Unlike a regular system, a sandbox environment will answer an internet request even though the requested domain is not registered. That is how malicious code can find out that it has ended up in a sandbox environment. Consequently, the malicious code will not activate and can therefore not be analyzed. This technique enables malware to prevent detection by sandbox technology. An anti-antivirus test, so to speak.
By actually registering the domain that the malicious code requests, this malware is fooled into thinking it is still within a sandbox environment and will therefore not execute. The next version of this ransomware will most likely not specify one unique domain but rather a random one in order to detect a sandbox environment. This means it will not be as easy to stop the malware as it was this time.
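One practical consequence of the sinkholed killswitch domain is that a host's DNS logs reveal whether the malware ran there, even though it then exited without encrypting anything. The following is an added example, not code from the article: it scans a constructed, simplified DNS log ("timestamp client query rcode") and lists the clients that looked up the killswitch domain, so those machines can be triaged and patched. The domain name is a placeholder, since the article does not name the real one, and the log format is an assumption. As the paragraph above notes, this kind of check only works for a fixed domain; a variant that generates a random domain on each run would give no single name to look for.

```python
"""Flag hosts whose DNS logs show a lookup of the sinkholed killswitch domain.

Added example for illustration; the log format and the domain are assumptions.
"""
import re
from collections import defaultdict

# Placeholder: the article does not name the real killswitch domain.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2017-05-12T14:02:11Z 10.0.3.17 www.example.com NOERROR
2017-05-12T14:02:15Z 10.0.3.42 killswitch-domain.example NOERROR
2017-05-12T14:02:16Z 10.0.3.42 killswitch-domain.example NOERROR
2017-05-12T14:03:01Z 10.0.7.9 updates.example.net NOERROR
2017-05-12T14:03:44Z 10.0.7.88 KILLSWITCH-DOMAIN.example. NOERROR
malformed line without enough fields
"""

# Exactly four whitespace-separated fields; anything else is treated as malformed.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    # Normalise the query name: drop a trailing dot and ignore case.
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "rcode": rcode}


def hosts_querying(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for every client that looked up `domain`.

    A hit means the killswitch check ran on that host, i.e. the malware
    executed there even if the sinkhole stopped it from encrypting anything.
    """
    domain = domain.rstrip(".").lower()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        if rec["qname"] == domain:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(hosts_querying(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} lookup(s), first at {times[0]}")
```

Feed it a real resolver or firewall log after adjusting the regular expression to that log's field layout; the hosts it returns are the ones to isolate and patch first, because the malware has already run on them.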
Victims who have decided to cough up the money may well end up as double victims. Providing keys to unlock systems and data could become very challenging for these cybercriminals, as they need to hand out a unique key to each paying victim, which can be very time-consuming. If they don’t feel like spending their time on providing these keys, the victims end up losing both their money and their data.
The Windows vulnerability exploited by Wannacry had been known for quite a while. It was part of a large array of vulnerabilities that were stolen from the NSA and made public a month ago. The exploit Wannacry uses is just one of the many that have thus been made publicly available to everyone. Up to now, it is unclear who launched this attack. But whether it was state-funded or organized by one individual cybercriminal, this outbreak may turn out to be the first test or dress rehearsal for a bigger attack using different weapons. If nothing else, it will inspire the creativity of other criminals, who will attempt a similar attack, but this time without the ‘small errors’ made in last weekend’s attack.