WannaCry: End of Year Retrospective

Last November marked the six-month anniversary of WannaCry, arguably the most impactful global cyberattack in history. The persisting WannaCry attack is a re-purposed ransomware strain amplified by (allegedly) leaked exploit code from the NSA. For details about the inner workings of WannaCry, see our previous post.

Today, the United States declared North Korea responsible for the WannaCry attacks. This post presents analytical findings and perspective on just how widely these attacks have scaled, and how very little footprint is required to sustain a global security crisis.

Since our Vantage team sinkholed and subsequently nullified the WannaCry attack on May 12th, 2017, we have been monitoring and maintaining the domain known as the WannaCry killswitch. As a year-end retrospective, we are providing the key findings of the historical data and giving organizations a way to determine whether they are still at risk. If you’re interested, you can sign up for Telltale, our new victim notification service, here.

Information From the Front Lines

Just over six months after the attack, the killswitch is still incredibly active. The total count of prevented attacks has grown substantially in volume since the initial attack; notably, WannaCry appears to continue propagating, maintaining and further increasing its foothold month after month. At the time of this writing, we count approximately 900 million cumulative thwarted attacks across millions of unique IP addresses.

We believe one of the most valuable efforts during the early moments of the WannaCry attacks was the ability to rapidly deploy safeguards and an information firehose using DevOps practices and collaborative providers like Amazon (computing), Google (storage buckets), and especially Cloudflare (DNS).

The result of this agile framework was a direct information flow to information-sharing collectives like the FBI and the National Cyber Security Centre (NCSC), a part of GCHQ. Fortunately, existing relationships had already been established through proactive information sharing with clients and other trusted providers.

The NCSC most graciously provided a quote for some of our contributions:

In a world where the capability of threat actors is rapidly increasing and the Internet of Things (IoT) is expanding the attack surface exponentially, the partnership between government and industry is absolutely vital to defending our national interest against cyber attacks, and increasing the resilience of our national security and economy. The UK branch of Kryptos Logic, through its participation in the NCSC’s Industry 100 scheme, is playing a vital role in this space and has made significant intelligence contributions to major threats in the past year, including the Mirai Botnet and WannaCry threats, as well as multi-sector DDoS threats against UK organisations. This ongoing fruitful partnership demonstrates the many benefits of industry and government working together, but also the value of Industry partners working closely together to solve hard threat intelligence problems, as Kryptos Logic has done through the Industry 100 scheme.

–NCSC London Head of Operations

Efforts like the Industry 100 were paramount in thwarting numerous attacks, many of which never came to fruition as a result of predictive and proactive efforts.

A Trend of Higher Magnitude

{% include six-months-later/charts/hits.html %}

Killswitch hits over time.

The graph above shows the total volume of connection attempts to the killswitch from WannaCry-infected systems. The total attack volume appears to be increasing month over month. Although IP churn clearly contributes to the figures for unique infected systems, it cannot account for the increased volume of total exploitation attempts.

There is no single, exact reason for the increased activity, but the contributing factors we have observed and compiled amount to:

  • Windows images created before Microsoft included the relevant security patches are used to provision new systems (on premise or in the cloud). Freshly installed systems can become infected before Windows updates are applied if they sit in an environment adjacent to actively infected systems;

  • Legacy deployments of Windows images within cloud infrastructure are still in use, particularly in China;

  • A substantial number of enterprises and organizations worldwide have yet to take the steps to remediate residual WannaCry infections and to upgrade and patch their systems;

  • Sporadic outbreaks from WannaCry’s Internet scanning capability, which pierce networks never before affected. Typically, we observe large sporadic spikes in large enterprises such as Fortune 500 or Global 100 organizations;

  • Firewall or infrastructure changes; for instance, the spike observable in the graph above for July appears to originate from a well-known US-based cloud services provider, which registered 6 million killswitch hits within just two days;

  • Small and medium-sized businesses contribute to new and sustained infections and remain unwittingly infected.

The Most Exploited Backdoor in History?

While the constructs and components of WannaCry are well documented, to understand the figures presented here and qualify what each killswitch connection actually represents, we need to focus on the behavior of the dropper.

Every successful DOUBLEPULSAR exploitation results in an attempted connection to the killswitch, by means of the dropper being run remotely:

```c
#include <windows.h>
#include <wininet.h>
#include <string.h>

int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
  char url[80] = {0};
  strcpy(url, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com");
  // INTERNET_OPEN_TYPE_DIRECT: the request ignores the system proxy settings,
  // so a host with no direct Internet egress never reaches the killswitch.
  HINTERNET hInternet = InternetOpenA(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
  HINTERNET hInternetUrl = InternetOpenUrlA(hInternet, url, NULL, 0,
                           INTERNET_FLAG_RELOAD | INTERNET_FLAG_DONT_CACHE, NULL);
  if ( hInternetUrl ) {
    // Killswitch reachable: clean up and exit without infecting the host.
    InternetCloseHandle(hInternet);
    InternetCloseHandle(hInternetUrl);
  } else {
    // Killswitch unreachable: install and start the mssecsvc2.0 service.
    InternetCloseHandle(hInternet);
    InternetCloseHandle(hInternetUrl);
    InstallAndStartService();
  }
  return 0;
}
```

The dropper registers itself as a Windows service—mssecsvc2.0—and at each boot checks the killswitch (see above) and tries to infect other machines while at it. This can be confirmed in mssecsvc2.0’s main function, where we see that WannaCry attempts to exploit any system vulnerable to ETERNALBLUE, regardless of whether it is already infected:

```c
#include <windows.h>

SERVICE_STATUS_HANDLE g_hServiceStatus;
SERVICE_STATUS g_ServiceStatus;
// ...
VOID WINAPI ServiceMain(DWORD, LPTSTR *)
{
  g_ServiceStatus.dwServiceType = 32;              // SERVICE_WIN32_SHARE_PROCESS
  g_ServiceStatus.dwCurrentState = 2;              // SERVICE_START_PENDING
  g_ServiceStatus.dwControlsAccepted = 1;          // SERVICE_ACCEPT_STOP
  g_ServiceStatus.dwWin32ExitCode = 0;
  g_ServiceStatus.dwServiceSpecificExitCode = 0;
  g_ServiceStatus.dwCheckPoint = 0;
  g_ServiceStatus.dwWaitHint = 0;
  g_hServiceStatus = RegisterServiceCtrlHandlerA("mssecsvc2.0", ServiceHandlerProc);
  if ( g_hServiceStatus )
  {
    g_ServiceStatus.dwCurrentState = 4;            // SERVICE_RUNNING
    g_ServiceStatus.dwCheckPoint = 0;
    g_ServiceStatus.dwWaitHint = 0;
    SetServiceStatus(g_hServiceStatus, &g_ServiceStatus);
    InfectOthers(); // Scan for ETERNALBLUE / DOUBLEPULSAR victims, regardless of prior infection
    Sleep(60*60*24*1000); // 24 hours in milliseconds
    ExitProcess(1);
  }
}
```

As a result, we have a lower bound on how many times the DOUBLEPULSAR backdoor (with or without initial ETERNALBLUE exploitation) has been successful: this value is rapidly approaching 1 billion measured successful attempts. Not included in this figure are exploitations which, for one reason or another, did not contact the killswitch. It is safe to assume a substantial number of attempts are masked behind corporate web proxies/filters and antivirus defenses.

It must be clarified that this figure does not measure the unique number of systems protected but rather the total volume of attempts; details such as reboots and reinfections are not practical to characterize accurately.
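Because the dropper resolves the killswitch domain every time it runs (at first infection and on each later boot of mssecsvc2.0), an organization’s own DNS query logs reveal which hosts are still carrying the infection, even where the direct HTTP connection itself is blocked. The following is an added example, not code from this post, that scans constructed BIND-style query-log lines for the killswitch domain; the log format and the `persistent_days` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Killswitch domain queried by the WannaCry dropper (from the post above).
KILLSWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed BIND-style query-log lines for illustration only (not real data).
SAMPLE_LOG = """\
12-Jun-2017 08:01:13.402 client 10.20.30.40#53122: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-Jun-2017 08:02:40.117 client 10.20.30.41#50211: query: update.example.net IN A + (10.0.0.2)
13-Jun-2017 07:58:02.990 client 10.20.30.40#53390: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
14-Jun-2017 09:12:55.005 client 10.20.30.77#61004: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
15-Jun-2017 08:00:21.771 client 10.20.30.40#53011: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
"""

# Assumed log layout: "<dd-Mon-yyyy hh:mm:ss.ms> client <ip>#<port>: query: <qname> IN <type> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN "
)

def find_killswitch_hosts(log_text, persistent_days=2):
    """Return {client_ip: summary} for clients that looked up the killswitch domain.
    A host seen on several distinct days has rebooted with the service still
    installed, i.e. it is a live, unremediated infection rather than a one-off."""
    hosts = defaultdict(lambda: {"hits": 0, "days": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qname").rstrip(".").lower() != KILLSWITCH:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        rec = hosts[m.group("ip")]
        rec["hits"] += 1
        rec["days"].add(ts.date())
    report = {}
    for ip, rec in hosts.items():
        days = sorted(rec["days"])
        report[ip] = {
            "hits": rec["hits"],
            "first_seen": days[0].isoformat(),
            "last_seen": days[-1].isoformat(),
            "persistent": len(days) >= persistent_days,
        }
    return report

if __name__ == "__main__":
    for ip, info in sorted(find_killswitch_hosts(SAMPLE_LOG).items()):
        print(ip, info)
```

Hosts flagged as persistent are the ones to isolate and rebuild from a patched image; a single one of them is enough to keep scanning the adjacent network indefinitely.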

The Attribution Game

In June, the NSA released a statement of “moderate” confidence that North Korea was responsible for WannaCry. More recently, in late October, a second affirmation came from UK intelligence: “This attack, we believe quite strongly that it came from a foreign state,” Ben Wallace, a junior minister for security, told BBC Radio 4, adding that intelligence was “as sure as possible” that the nation was North Korea. Today, the US Government formally attributed WannaCry to North Korea.

It is often said that a rising tide lifts all boats. Where there used to be a significant entry barrier to matching the capabilities of well-funded nation-states focused on socioeconomic topics and corporate espionage, we find ourselves in a disrupted landscape, defending against a new trend—wiper components—which is difficult to track, relatively low budget, and requires minimal resources to do damage on a global scale.

Given the reports affirming North Korea is responsible, WannaCry would be a clear example of the type of digital warfare we could anticipate in the future—attacks that are indiscriminate, impactful and reckless in nature, as the design intent of WannaCry indisputably shows.

The consequences of cyber-attack attribution, when we speak of destructive attacks, inevitably circle back to the topic of “cyber war”. The reality is, there are no clearly defined rules of engagement or act of war for cyber-attacks. Microsoft’s Brad Smith has also called for a digital Geneva convention.

Unfortunately we have yet to solve the main problem: attribution is not easy and will only get harder as attacks get more sophisticated. Attacks can be masqueraded or “photoshopped” to appear as though they came from any other nation-state. Take, for example, an actor stealing an existing backdoor toolkit or hacking a C&C staging server, and then starting an attack campaign with these stolen tools. There’s no better example than Mirai, the botnet that took large swaths of the Internet down. Speculated to have been devised by a nation-state, its origins turned out to be far more pedestrian.

In the case of Lazarus (North Korea), attribution appears to come from a number of contributing factors: code nuances, correlation with previous Tactics, Techniques, and Procedures (TTPs), signals intelligence, or even potentially crash log information. Since Microsoft was a contributing source to the US Government’s assessment attributing WannaCry to North Korea, there may be unpublished crash logs or patient-zero debug information; we have seen Microsoft use such information in the past to thwart threats very similar to ETERNALBLUE, where it utilized Watson crash logs to trace attack victims and origins. Additionally, we also know that the NSA had crash log access without needing Microsoft’s approval.

While the WannaCry dataset alone isn’t enough for attribution, below we provide a view into WannaCry infections sourced from known North Korean IP addresses.

{% include six-months-later/charts/nk.html %}

Assessing the Impact of Attacks like WannaCry

In July of this year, one of the most well-known courier services, FedEx, stated on June 28, 2017 that its operations had been significantly affected by the cyber-attack known as Petya/NotPetya. The isolated incident was contained to TNT, which operates in Ukraine. It is currently estimated that at least $300 million of financial impact can be attributed directly to the attack.

Maersk, the largest container shipping line in the world, reported its shipping services were disrupted with estimated damages between $200 and $300 million. Global pharmaceutical giant Merck reported NotPetya cost $135 million in revenue loss. WannaCry itself is widely believed to have been responsible for billions in damages.

Some of the main common denominators in these events are:

  • The ETERNALBLUE exploit;
  • Intent to damage using system wipers/“ransom” components;
  • Velocity of damage inflicted: most claims were the result of a relatively short attack window.

The visualization below is one of the few recent datasets that adequately measures a global cyberattack, and it is important to understanding the ability of such attacks to maintain a foothold and cause continued residual impact over longer periods of time. With the exception of a few corner cases, one noticeable key trend is that the most infected organizations are cyclic and remain infected, with thousands to millions of killswitch connection attempts month over month. Just a few infections can sustain propagation efforts in a vulnerable environment indefinitely.

{% include six-months-later/charts/orgs.html %}

Killswitch hits over time, by organization.

Using some of this dataset, we have attempted to estimate the financial cost of a global attack scenario through qualitative reasoning. We believe there is now more pragmatic information in the WannaCry dataset to suggest just how significant the financial impact of an attack like WannaCry or NotPetya would be if not thwarted.

With data analytics and some quantitative analysis, as well as sampling of financial disclosures related to the aforementioned attacks, we can start to consider a lower bound on some potential liabilities for future attacks.

  • We have conservatively enumerated at least 250 organizations with a then market cap over 1 billion USD, each registering more than 1000 total hits to the killswitch;
  • There is a minimum of at least 3300 organizations, according to Whois IP registrations, with at least 5000 cumulative killswitch hits. It is worth noting that many of these organizations are telecoms, e.g. Verizon, and so there could be tens of thousands of businesses veiled under a single registered entity;
  • At least 100 million total hits occur each month from a mix of new and repeating organizations;
  • The killswitch data is indicative of a “standstill” picture of the attack.

In the absence of the killswitch, the damage footprint would have been unprecedented, and it is no stretch to estimate that, at a global scale, the financial impact could easily have reached tens of billions of dollars; current estimates already put the damage in the billions for the first few hours of its unmitigated propagation, the short window prior to the activation of the killswitch.

Perhaps the most frightening scenario is if WannaCry had been released when the exploit was stolen from the presumed NSA trove, while the vulnerability was still an unpatched 0-day. The next big cyber attack can easily reach tens of billions of dollars in damages.

Information Sharing is Caring

It is critical that we develop and safeguard our security researcher resources and take steps to weigh the value of parochial law enforcement efforts (concentrating on alleged cybercrime or immaterial financial harm) against macro harm to our national security. When federal law enforcement is detached from the mission of national security and focuses (perhaps shortsightedly) on criminalizing certain benign behaviors, a chilling response from the security community will develop, and an even greater divide between law enforcement and the security community will unfold.

This divide will ultimately stifle security innovation and may actively deter “good Samaritans” from taking risks that will benefit the public good (as was the case in WannaCry). To this end, law enforcement and national security missions, while both critical, are not mutually exclusive and should be harmonized at an appropriate level within the government.