Someone Failed to Contain WannaCry

As reports of the NSA officially connecting WannaCry to North Korea surface, experts are saying developers failed to contain the ransomware before it was ready for deployment.

Coding and implementation mistakes made by the WannaCry developers may have spared a good chunk of the world some grief on May 12, but they also lend credence to the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed.

Malware expert Jake Williams, @MalwareJake on Twitter and founder of Rendition InfoSec, said there are “mind-blowing mistakes” in the ransomware code after an analysis of both the malware and the leaked NSA EternalBlue exploit used to spread the attack.

For starters, the developers used only three Bitcoin addresses for remittance where usually there is an address made available for each infection in order to correlate payments to victims. This makes the $140,000 USD in Bitcoin collected during the attack a moot point since the transactions would be relatively simple for law enforcement and security researchers to track.

“Normally you have a unique Bitcoin address per infection, or per small number of infections. That way they can come in and see whether you’ve paid or you haven’t,” Williams said. “That by itself is amateur hour.”

Amateurs, however, are allegedly not behind the WannaCry attack. A Washington Post report today cites an internal NSA assessment that connects, with “moderate confidence,” the North Korean government’s Reconnaissance General Bureau to WannaCry. The spy agency, the Post story says, built both versions of WannaCry and used it as a payload in the NSA exploit leaked by the ShadowBrokers.

North Korea has also been linked to WannaCry by researchers at Google, Kaspersky Lab, Symantec and others. Shared code samples were found in WannaCry that were also used in other attacks carried out by the Lazarus Group, which was allegedly behind the Sony Pictures Entertainment hack of 2014 and the SWIFT-related Bangladesh Bank heist where $81 million was stolen.

North Korea is unique among APTs in that it allegedly funds its operations through these types of thefts. At the Security Analyst Summit earlier this year, researchers from Kaspersky Lab, BAE Systems and SWIFT revealed that the Lazarus Group had splintered off a group of hackers, known as Bluenoroff, whose focus was steal money to fund the regime and such operations.

“We’ve never seen an APT group attempt to fund itself and its host nation through network exploitation and theft,” Williams said. “We’ve certainly seen Russian and Chinese operators moonlighting in credit card theft. But that’s not the same thing. That’s one man enriching himself versus a strategic, nation goal.”

Williams contends that the developers behind WannaCry failed to properly contain it and the EternalBlue exploit before it was ready to be fully deployed. He said the infamous killswitch domain is another indication that WannaCry as we know it was pre-release. Discovered by U.K. researcher Marcus Hutchins, the killswitch put a premature halt to the attack.

“The killswitch domain by itself—having a way to turn this off—I totally understand. It makes perfect sense to want to have that there,” Williams said. “But if you’re going to do that, the killswitch wouldn’t simply accept a 200 status code, basically a success that yes we connected to the domain.”

Instead, Williams would have expected to see some sort of cryptographic challenge-response in place. Other malware authors, including North Koreans, have cryptographically validated connections to command and control in the past; doing so prevents a researcher or law enforcement from registering such a domain, which is exactly what Hutchins did.

“Malware authors, including North Koreans, are well aware of this,” Williams said. “The idea they would have set up a killswitch without that is just … This is version 0.0 and never intended to be in the wild. I’m 100 percent sure of that.”

So it’s quiet likely this escaped a test environment hopping from an unpatched test machine to the public internet, and eventually more than 200,000 computers and servers in 150-plus countries.

“They failed to contain it,” Williams said. “When you build something like this, it’s like carrying around ebola. Pushing ebola out isn’t hard, it’s harder to keep something like that contained. I’m thinking the North Koreans don’t have a lot of experience with very virulent, worming malware and this is basically breaking out of where it was supposed to be.”

Suggested articles