The inevitable wave of WannaCry ransomware variants began in earnest over the weekend after bit of sleuthing from a U.K. researcher slowed down the initial global outbreak.
At least five new takes on the first attack, all still leveraging the NSA’s EternalBlue exploit and DoublePulsar rootkit, are spreading WannaCry. So far, the attackers aren’t exactly getting rich, collecting $54,894 as of this morning, despite as many as 200,000 infections in 150 countries, according to Europol’s estimates. But given the flexibility of the leaked NSA exploits, there’s nothing stopping criminals from spreading banking Trojans or other commodity malware in the same fashion, experts said.
“All types of different malware can worm out this way,” said Sean Dillon, a senior security analyst at RiskSense and one of the first researchers to reverse-engineer DoublePulsar after it was leaked by the ShadowBrokers. “Malware like [a banking Trojan] can easily use these same techniques, just plug in Eternal Blue and DoublePulsar—as well as any other exploits in the ShadowBrokers’ dump.”
WannaCry emerged on Friday, taking down large, critical businesses across England and Spain, and into Russia, India and Asia eventually. Large healthcare facilities, telecommunications providers and other services worldwide were left at a standstill as WannaCry wormed its way through Windows machines using the EternalBlue exploit targeting a vulnerability in SMBv1.
A researcher in the U.K. known as MalwareTech discovered the equivalent of a kill switch among the first wave of exploits on Friday. With an exploit sample shared by French researcher Kafeine, MalwareTech discovered the attack was querying a static, unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com), which he said he immediately registered. As it turned out, this was an evasion technique on the malware’s part; should the domain answer its query, then the malware would not execute, believing instead that it was talking to a sandbox and under forensic analysis. Since MalwareTech now owned the domain, none of the infections in the wild would execute.
“One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible,” MalwareTech wrote in a blog published Saturday.
He and others were correct. In short order, other variants emerged, some with a second killswitch. Researcher Matt Suiche registered one such domain, ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, preventing 10,000 machines, most in Russia, from spreading WannaCry further. Kaspersky Lab also found a second variant spreading Sunday that lacked a killswitch and contained a corrupted ransomware archive, rendering the payload benign.
“Copycat attackers have now figured out they you can simply hex-edit new Bitcoin addresses (for payment) and the self-destruct mechanism,” Dillon said. Some of the variants Dillon analyzed, however, are using the same payment system as the original attack but with new Bitcoin addresses. Since payments made through the attackers’ infrastructure are manually verified, it’s unlikely victims would receive the key to unlock their decrypted files since the payment went somewhere else.
It’s crucial that organizations apply the Microsoft patch from March (MS17-010) that fixes the vulnerability in SMBv1 that is being exploited by the weaponized NSA attacks. Late Friday night, Microsoft also released an update for unsupported versions of Windows, extending the sphere of protection to organizations still running legacy systems.
Enterprises should also not expose port 445 to the internet, a practice that was discouraged even before Friday’s outbreak.
“The only way 445 would be open to the internet is if you directly plug it into the internet or poke a hole in your firewall—which is not a good practice,” Dillon said. “If you needed SMB over the internet, you should set up a VPN, and connect to SMB from an internal network. Many organizations connect directly to the internet; either they don’t know (the risk) or thought it was convenient.”
Despite the availability of patches, there are still many gotchas in play, starting with the public availability and ease-of-use of the NSA exploits. The attacks are self-propagating, and can spread to unpatched machines inside a local network. Kaspersky Lab cautioned that WannaCry does not check for a proxy in the same way it checks for the killswitch domain.
“So it is likely that samples running inside of an organization will not be able to reach the killswitch domain, even if it’s already registered,” Kaspersky Lab said. “That means their files will continue to be encrypted.”
When the ShadowBrokers leaked the NSA exploits, they also leaked documentation and instruction manuals for using these weapons-grade attacks, greatly lowering the bar for using these in the wild.
“Most of the exploits are simply directory replay attacks,” Dillon said, affirming the alarming truth that the WannaCry attacks aren’t email or web-based as most ransomware attacks are. “There are no fancy tricks or manual calculations required. Attackers won’t need to reverse-engineer the exploits at all, just aim it at a test system, capture network traffic and replay it at whatever systems you want to infect.”
It could be close to impossible to write a universal decryptor for WannaCry infections the way some companies have written for other ransomware families. Dillon said the attackers upped their crypto game, using their private key to decrypt a private key stored on the victim’s machine.
“I’ve seen a lot of ransomware over the years where the authors didn’t know everything they needed to know about crypto and universal tools could be written,” Dillon said. “This malware uses strong cryptographic processes such that a universal tool cannot be written.”