As the world returned to work on Monday, businesses continued to pick up the pieces following a historic cyberattack that crippled Windows machines across the globe with WanaCrypt0r 2.0 ransomware.
Delivered via the backdoor malware DoublePulsar and the EternalBlue exploit against Microsoft's SMB service – tools allegedly created by the U.S. National Security Agency and subsequently leaked by The Shadow Brokers hacking group – the wormable ransomware has spread to more than 150 nations since the attack commenced on Friday, according to multiple news accounts citing Rob Wainwright, head of Europol. Meanwhile, Avast on Monday reported 213,000 detections of WannaCry in 112 countries.
Jonathan Sander, CTO at STEALTHbits Technologies, said that the ransomware, also known as WannaCry and WannaCrypt, is a “Frankenstein's monster of vulnerabilities with patches and exploits that were stolen from the NSA and published for all to see.”
The UK's National Healthcare System, one of the hardest hit institutions, issued an update on Monday, noting that a “small number of hospitals” are still cancelling patient appointments while IT workers scramble to recover resident computer systems.
“It is important to consider that our industry has seen self-propagating malware, and we have seen data destructive attacks. It is rare when you see the two together,” said Rich Barger, director of cyber research at Splunk. “The conditions which existed last week created an environment where the global impact could have been much worse than it was.”
Indeed, the damage could have been worse, if not for the actions of a curious young security researcher and Microsoft Corporation itself.
The UK-based researcher, who refers to himself as MalwareTech, accidentally stopped the spread of WannaCry during his analysis after registering an unclaimed domain that the ransomware was attempting to query. Fortuitously, the ransomware was designed to spread as a worm only if it is unable to reach this domain.
“The reason which was suggested is that the domain is a 'kill switch' in case something goes wrong, but I now believe it to be a badly thought out anti-analysis,” wrote the researcher in a blog post on his discovery. “I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they're in a sandbox, and the malware exits to prevent further analysis.”
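The behaviour described above has a defensive corollary: a host that queried the kill-switch domain is infected whether or not it went on to spread, and a host whose query failed (for example behind an egress proxy that blocks direct DNS) is the one most likely to start fanning out over SMB. The following Python script is an added example, not code from the article or from MalwareTech; it runs simple detection logic over constructed DNS and connection log lines. The log format, the placeholder domain `kill-switch-domain.example`, the fan-out threshold and the host addresses are all assumptions for illustration.

```python
"""Flag hosts whose logs match the propagation pattern described in the
article: a probe of the 'kill switch' domain, followed (when that domain did
not answer) by SMB connections fanning out to many peers.

Added illustrative example. The record format, domain name and thresholds are
assumptions, not artefacts of the real campaign.
"""
from collections import defaultdict

SMB_PORT = 445
FANOUT_THRESHOLD = 10  # distinct peers contacted on 445; tune to your estate
# Placeholder only: substitute the sinkholed domain from your own intel feed.
KILL_SWITCH_DOMAINS = {"kill-switch-domain.example"}

# Constructed sample log lines (not real telemetry), two record types:
#   "<ts> <src_ip> dns <qname> <rcode>"
#   "<ts> <src_ip> conn <dst_ip> <dst_port>"
SAMPLE_LOG = """\
10:00:01 10.1.1.20 dns kill-switch-domain.example NXDOMAIN
10:00:02 10.1.1.20 conn 10.1.1.21 445
10:00:02 10.1.1.20 conn 10.1.1.22 445
10:00:02 10.1.1.20 conn 10.1.1.23 445
10:00:03 10.1.1.20 conn 10.1.1.24 445
10:00:03 10.1.1.20 conn 10.1.1.25 445
10:00:03 10.1.1.20 conn 10.1.1.26 445
10:00:04 10.1.1.20 conn 10.1.1.27 445
10:00:04 10.1.1.20 conn 10.1.1.28 445
10:00:04 10.1.1.20 conn 10.1.1.29 445
10:00:05 10.1.1.20 conn 10.1.1.30 445
10:00:05 10.1.1.20 conn 10.1.1.31 445
10:00:05 10.1.1.20 conn 10.1.1.32 445
10:05:00 10.1.1.30 dns kill-switch-domain.example NOERROR
10:05:01 10.1.1.30 conn 10.1.1.5 443
10:06:00 10.1.1.40 conn 10.1.1.50 445
10:06:00 10.1.1.40 conn 10.1.1.51 445
"""


def parse_line(line):
    """Parse one log record into a dict; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, kind, a, b = parts
    if kind == "dns":
        return {"ts": ts, "src": src, "kind": "dns",
                "qname": a.lower().rstrip("."), "rcode": b.upper()}
    if kind == "conn" and b.isdigit():
        return {"ts": ts, "src": src, "kind": "conn", "dst": a, "port": int(b)}
    return None


def analyze(log_text, kill_switch_domains=KILL_SWITCH_DOMAINS,
            fanout_threshold=FANOUT_THRESHOLD):
    """Return {src_ip: {"kill_switch_rcode", "smb_fanout", "verdict"}}.

    verdicts:
      worm_active        probed the domain and still fanned out over SMB
      kill_switch_probe  probed the domain but did not spread (still infected)
      smb_fanout_only    heavy SMB fan-out with no probe seen (investigate)
      benign             nothing notable
    """
    probes = {}                      # src -> rcode of its last kill-switch query
    smb_targets = defaultdict(set)   # src -> distinct peers contacted on 445
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "dns" and rec["qname"] in kill_switch_domains:
            probes[rec["src"]] = rec["rcode"]
        elif rec["kind"] == "conn" and rec["port"] == SMB_PORT:
            smb_targets[rec["src"]].add(rec["dst"])

    findings = {}
    for src in set(probes) | set(smb_targets):
        fanout = len(smb_targets.get(src, ()))
        rcode = probes.get(src)
        if rcode is None:
            verdict = "smb_fanout_only" if fanout >= fanout_threshold else "benign"
        elif fanout >= fanout_threshold:
            verdict = "worm_active"
        else:
            verdict = "kill_switch_probe"
        findings[src] = {"kill_switch_rcode": rcode,
                         "smb_fanout": fanout, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_LOG).items()):
        print(host, info)
```

On the constructed sample, 10.1.1.20 (NXDOMAIN answer, twelve SMB peers) is reported as `worm_active`, 10.1.1.30 (domain answered, no SMB fan-out) as `kill_switch_probe`, and 10.1.1.40 with two ordinary file-share connections as `benign`. The `kill_switch_probe` verdict is the important one for triage: the check stopped propagation, but the host still executed the malware and needs the March 2017 SMB update and remediation like any other infected machine.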
For its part, Microsoft on Friday took the extraordinary step of issuing an emergency patch for its Windows XP, Windows 8 and Windows Server 2003 operating systems, which the company had already officially stopped supporting.
“This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” wrote Phillip Misner, Principal Security Group Manager at the Microsoft Security Response Center in a blog post on the day of the initial attack.
Companies using the defunct Windows systems were among those affected in the attack, along with users of current Windows systems who failed to install critical March 2017 updates that addressed the EternalBlue SMB exploit. Microsoft also released an update to its Windows Defender anti-malware service.
In a separate blog post on Sunday, Microsoft President and Chief Legal Officer Brad Smith implored customers to responsibly and swiftly apply patches when they are issued and railed against nation-states that hoard zero-day vulnerabilities instead of disclosing them.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Meanwhile, researchers continue to issue their latest findings and perspectives on the threat, which reportedly first infects endpoints via phishing scams or compromised remote desktop protocol settings, before spreading deeper into networks through backdoor access.
On Monday, Recorded Future issued a report citing three bitcoin wallets associated with WannaCry, which collectively have received close to $26,000 in transfers since the ransomware campaign started – “a small sum, considering the scope of damage,” the company stated in a blog post. In its own report, Check Point Software Technologies placed the sum slightly higher at $33,000. (The ransom demand during these attacks was $300.)
Moreover, the money does not appear to have been moved from the wallets – which suggests that WannaCry's distributors didn't necessarily intend to launch such a widespread attack. “Such unusual behavior suggests the current epidemic was never planned by criminals, and resulted from targeted attacks going horribly wrong,” Recorded Future states in its blog post.
The culprits may be lying low, fearing they've attracted too much heat from global authorities. Indeed, it appears they have: Reuters, citing a senior administration official, reported on Sunday that President Donald Trump ordered his homeland security adviser Tom Bossert to hold an emergency meeting to assess the WannaCry threat.