Limor Kessem

Since the morning of Friday, May 12, 2017, ransomware known as "WannaCry" has lived up to its name, wreaking havoc across the globe in industries ranging from hospitals to telecommunications and distribution/supply chain services. The speed and scale at which WannaCry spread sent both companies and security research teams scrambling to put together the pieces of what is believed to be the largest attack of its kind ever recorded - hitting over 200,000 endpoints in more than 100 countries within a span of 48 hours.

What makes WannaCry particularly unique and damaging is its ability to exploit a previously disclosed and patched flaw in the Windows operating system, and to spread virally across networks without the level of human interaction commonly involved in the execution of malware of this type. Using advanced exploitation techniques that appear to be borrowed from the Shadow Brokers leak, WannaCry targets the SMB application-layer protocol, which allows it to spread with great speed across shared network resources.

While research teams across the globe continue to share information to shed more light on this peculiar and damaging attack, IBM X-Force researchers are amongst those working around the clock to better understand WannaCry's attack methods, infection rates, and motives, working with clients and law enforcement to gather critical intelligence. Several observations from our research team have shed new light on this breed of ransomware; for instance:

  • Based on IBM X-Force analysis of over a billion spam e-mails, we tend to think the initial victims of the WannaCry ransomware did not get infected by opening a malicious e-mail or attachments. This means that criminals might have compromised systems by other means. IBM X-Force is actively working with clients and law enforcement to confirm their investigations.
  • Given the widespread propagation of the WannaCry ransomware in Eastern Europe and Asia, our research team suggests that these regions may be using older Microsoft OS versions that are no longer supported, or pirated copies.
  • The malware's architecture is modular, a feature known to be used in legitimate software, but also in complex malware projects like banking Trojans. Most ransomware is not modular, but rather simplistic, and carries out its tasks without any modularity. This means that the authors behind Wcry are more likely to be a group of collaborators with varying skill sets than a single developer. New mutations are likely being spread by copycat actors.

Some questions about WannaCry still remain, including details on its origin and intent. Yet one thing this attack starkly exposes is the extensive resistance to OS patching across industries. The wildfire spread of this attack could have been massively reduced if critical Microsoft Windows updates/patches had been applied in time and OS upgrades carried out. Hopefully, most organizations will recover by using proper system backups.

The Wcry outbreak is also a resounding reminder to those inside and outside of the security industry that in 2017, security basics and hygiene are not “nice to have”; they are critical business risk factors. In an ever-evolving threat landscape, the risk of ransomware demands an urgent update from any organization that has not yet refreshed its risk formulas to re-evaluate the probability factor of an attack that can paralyze the business for an unknown amount of time.

IBM has shared a full write-up on WannaCry via our Security Intelligence blog, and will continue to share updates as more intelligence comes to light; you can read the full write-up at https://ibm.co/2qkGf9g.