WannaCry: The Evolution & Sophistication of Cyber Warfare

On May 12, 2017, a very sophisticated malware attack impacted over 200,000 computer systems spanning 150 countries across the globe. For many organizations, the impact of the WannaCry ransomware attack proved to be low. However, organizations such as FedEx, National Health Service hospitals in England and Scotland, and Spain’s Telefonica suffered moderate to heavy impacts to their ability to provide services.

The sophistication of the WannaCry attack leveraged a known SMB (Server Message Block) vulnerability and exploit, EternalBlue, to not only infect, but voraciously spread  among unpatched, and unsecured networked computer systems. Once embedded on the network, the payload anticipated typical mitigation and remediation steps and implement a kill-switch to trigger encryption and ransom of infected systems.  The ransomware then triggered a message demanding payment in the form of BitCoin, a widely popular and highly untraceable cryptocurrency.

What’s the significance of the WannaCry ransomware attack? How do we protect against its impact?  

Despite the perceived low impact on the success of the attack, the biggest concern for any organization should be future attacks. These future attacks could threaten vulnerable systems that have yet to be patched, or more importantly, forgotten systems residing on the network. The importance of knowing your assets was documented in 512 BC by the Chinese Strategist, Sun Tzu:

“…if you do not know your enemies nor yourself, you will be imperiled in every single battle”
– Sun Tzu, The Art of War

If an organization does not know what assets currently reside on their network, how do they know what their vulnerabilities are? An organization can’t protect assets they don’t know they have. Accurate inventory of current active assets on your network allows for better visibility and management of those assets, and better positions organizations to minimize the attack surface and vulnerabilities facing the organization. Admittedly, creating a comprehensive inventory is easier said than done – but imperative. Additionally, a well-defined process for identifying and remediating vulnerabilities is paramount for any organization. Unloading a salvo of patches into an environment can be just as catastrophic, if not more, than not patching altogether.  Software updates and patches must be managed just as any software deployment – in a prioritized, structured and tested environment. If a mirrored test environment is not available, starting with low-impact assets can minimize operational and mission essential impacts if errors occur.

How robust are our cyber defenses and response efforts?

Any organizations impacted by the WannaCry ransomware attack had their incident response measures tested in unprecedented fashion.  As the external payload or infection spread to internal organizational assets, the malware began looking for additional assets through internal network connections for further migration.  External traffic analysis from those infected machines reported periodic connection requests to an external domain/IP address.

Depending on the employed incident response measures by the organization, questionable traffic may be analyzed for continued activity or blocked at the firewall.  For environments where traffic was categorically blocked, WannaCry unleashed its encryption and delivered the ransom notification to all impacted systems. The malware’s inability to beacon back to the external domain/IP address triggered the ransomware payload and encrypted system files.  A controlled halt in traffic to one or two internal systems would contain any subsequent impact, and save widespread infection and encryption of numerous assets.

What lessons learned can we leverage from WannaCry?

While the WannaCry attack proved to be relatively low impact, decomposing the anatomy of the WannaCry attack methodology has illustrated the dynamic nature and increasing sophistication of emerging malware attacks. Malware is evolving into hybrid attacks based on knowledge of lax organizational asset inventory and sub-standard security patching plans. Throw in a working knowledge of common incident response actions, and Sun Tzu’s tactics from centuries ago still have relevance in today’s digital environment.  

Therefore, as malware attacks evolve and achieve greater levels of sophistication, efforts in the development, sustainment, and improvement in organizational security policies and postures must be constantly evolving to proactively combat against such attacks.

If you need help in prioritizing the security needs within your organization, please contact CyberVista for a free consultation.