WannaCry Ransomware & The Perils of Shoddy Attribution: It’s the Russians! No Wait, It’s the North Koreans!

By James Scott, Sr. Fellow, ICIT

Baseless Attribution Discussions Distract From Meaningful Dialogue
It’s the Russians! No, wait, it’s the North Koreans! No, wait it’s…cyber mercenaries posing as PLA hackers moonlighting as cyber mercenaries for the North Korean nation-state? It’s interesting to watch faux experts take such authoritative positions in sinking sand arguments with virtually zero evidence. On May 12, 2017, the WannaCry ransomware infected an over 200,000 systems, in more than 150 nations, and demanded $300 in Bitcoins in exchange for the decryption of victim systems. WannaCry is also referred to as Wanna Decryptor, WannaCrypt, WCrypt, Wanacrypt0r, WCry, WnCry, and WannaCryptor [1]. If the victim did not pay the ransom after three days, the demand would double to $600. If the ransom remained unpaid, then eventually the adversary would threaten to delete the victim’s data [2]. FedEx in the U.S, ~48 NHS Trusts in the U.K., Renault factories in France, the Interior Ministry of Russia, Telefonica in Spain, the Andhra Pradesh police department in India, PetroChina in China, and numerous and diverse globally distributed systems, were affected by the WannaCry malware. Nevertheless, as of May 17, 2017, only around 230 victims paid ransoms totally approximately $70,000 [2]. The scale of the attack has incited some hasty widespread speculation that the malware originated in North Korea. As discussed later, these claims are circumstantial at best and likely result from the combination of North Korea’s recent media infamy and naïve attempts to correlate the scale of an attack with a nation-state adversary. Speculation such as this, based on a single piece of incidental and inconclusive evidence, detracts from real and meaningful conversations about inherent software vulnerabilities that result from manufacturers’ refusal to incorporate security-by-design into software development, the failure of organizations all over the world to protect their systems and client data according to their value and potential for harm, and governments’ responsibility to manage, secure, and disclose discovered vulnerabilities.
WannaCry Spread Due to Luck and Negligence, Not Sophistication
The only advanced aspect of the WannaCry malware was the incorporation of the EternalBlue vulnerability in Microsoft Windows SMB v1 (MS17-010). EternalBlue and DoublePulsar exploits utilized in the malware were disclosed by The Shadow Brokers in April 2017. The hacker group claimed that the tools were pilfered from the NSA; however, those claims remain unverified. Microsoft released a patch for the vulnerability exploited by EternalBlue on March 14, 2017, for systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016 [3]. Users who updated their systems or who automatically installed updates were already protected from WannaCry in May 2017. Organizations were only victimized by WannaCry because they were either operating outdated or illegitimate software or because they failed to update their systems in the months since Microsoft’s release of the patch [4].
WannaCry is not unique or overly sophisticated in its inclusion of EternalBlue. Hackers have been exploiting the vulnerability since late April 2017; only, most have opted to pair it with the more profitable Monero cryptocurrency mining software. For instance, around April 28, 2017, one campaign combined EternalBlue with CoinMiner and has since launched hundreds to thousands of attacks per day in as many as 118 countries. Ironically, the attack blocked the 445 port exploited by EternalBlue and thereby prevented infection by WannaCry [5].
WannaCry infects an initial host (a patient zero) via spear-phishing, social engineering, or a watering-hole attack. Researchers have alleged that the malware was programmed in Chinese with machine-translated ransom demands. Before encrypting the victim’s files, the malware checks whether an obscure URL, that is used as a kill-switch, remains inactive, and it maps the file-sharing mechanisms of the system. The global self-proliferation of the WannaCry ransomware worm is mostly due to EternalBlue’s capacity to laterally compromise additional systems via shared networks, drives, dropboxes, etc [6]. Compared to other ransomware, WannaCry was poorly designed. For starters, the success of a ransomware campaign depends on inflicting damage on high-priority targets or on coercing either a few victims into paying large ransoms or many victims into paying small ransoms. The WannaCry attack attracted very high publicity and very high law-enforcement visibility while inflicting arguably the least amount of damage a similar campaign that size could cause and garnering profits lower than even the most rudimentary script kiddie attacks. Few if any major targets were irreparably harmed. In fact, the spread of the malware appears to indicate that no sector or victim demographic was particularly targeted. At this time, infections appear coincidental. The code reportedly relied on four hardcoded Bitcoin addresses and lacked any mechanisms to identify which victims paid the ransom [7]. In contrast, even unsophisticated ransomware assigns a unique Bitcoin address or identifier to each victim because if no victim files are decrypted upon the receipt of payment, then only a minimum of victims will pay the ransom. The assignment of individual identifiers is necessary if the attackers intend the malware to automatically decrypt files if the victim pays the ransom. As a result of the poor design, the WannaCry threat actors were likely overwhelmed by the task of identifying and decrypting the files of even the 220 paying victims. Further, the malware contained what is believed to be an obfuscation and an anti-sandbox feature that checked for the inactivity of a nonsensical URL [8]. A researcher was reportedly able to halt the global attack by purchasing the URL for a meager $10.69 [9]. If these developmental flaws were not present in the ransomware, the attack could have spread to hundreds of thousands more systems and could have reaped millions in victim ransoms [10]. Evidence at this time indicates that the WannaCry attack was launched by unsophisticated threat actors who luckily figured out how to incorporate the EternalBlue vulnerability into their ransomware. The low ransom values and the failure to assign a unique victim identifier indicates that the threat actors were either unsophisticated or did not anticipate the significant proliferation of the malware.
Attribution to North Korea is Premature and Likely False
The Lazarus group is an advanced persistent threat group (APT) allegedly responsible for cyber-attacks against Sony, compromise of the SWIFT system of the Bangladesh Bank, and Operation DarkSeoul. Lazarus is often attributed to North Korea or profiled as Chinese cyber-mercenaries who periodically operate on behalf of North Korea. On May 15, 2017, Google researcher Neel Mehta tweeted about similarities in code from a 2015 malware sample attributed to the Lazarus advanced persistent threat (APT) group and a February 2017 sample of the WannaCry cryptor. Further, the two malware initially targeted the same list of file extensions. While it is possible that the Lazarus group is behind the WannaCry malware, the likelihood of that attribution proving correct is dubious because the evidence is circumstantial at best. It remains more probable that the authors of WannaCry borrowed code from Lazarus or a similar source [11]. Script kiddies and other unsophisticated threat actors (and even some sophisticated groups) often borrow code from other successful malware. The malware is then either adapted or updated until it barely resembles its original source. The practice minimizes adversarial knowledge barriers and resource expenditures while maximizing the likelihood of successful compromises. The shared code was even removed from a later version of WannaCry, and the list of extensions targeted by WannaCry was expanded prior to the May attacks [11].
Had North Korea launched the WannaCry attack, it likely would have either attacked more strategic targets, or it would have attempted to capture more significant profits. Given the geopolitical landscape, it is unlikely that it would have hit Russia and China as heavily because they are some of North Korea’s only strategic allies. China, upon which North Korea heavily depends, may have been the greatest victim of the WannaCry attack, with an estimated 40,000 infected systems. Many of the systems in China were compromised because they relied on illegitimate versions of Windows and were therefore unable to download the patches released by Microsoft [4]. Lazarus demonstrated sophistication in their alleged Bangladesh Bank heist and in other campaigns. The malware utilized by the Lazarus group has increased in sophistication since their discovery in 2007, by incorporating new attack vectors, exploits, and tools via a metaphorical “malware factory” of developers and third-party mercenaries. There is no logical rational defending the theory that the methodical group, known for targeted attacks with tailored malware, would suddenly launch a global campaign dependent on barely functional ransomware. The obvious and likely conclusion from Neel Mehta’s discovery is that the WannaCry actors, who are separate from Lazarus and North Korea, briefly borrowed code from an outdated Lazarus sample before upgrading to more modern code.
Others postulate that the WannaCry attack did not demand large ransoms or inflict significant harm because it was a false flag operation intended to embarrass and embattle the NSA for allegedly developing tools like EternalBlue. This theory is likewise devoid of merit considering that the Shadow Brokers very publicly disclosed the vulnerability, it was already being exploited by other hackers, and that the vulnerability had already been patched by Microsoft. While it is possible that this was a miscalculated false flag operation, it seems implausible [11].
There are More Important Discussions than Attribution and Blame
Microsoft was quick to blame the success of the WannaCry campaign on the NSA, alleging that the agency should never have developed EternalBlue and that the vulnerability should have been disclosed sooner [12]. Even if the Shadow Brokers claims were true, the liability and responsibility for the risk remain with Microsoft for developing inherently flawed Operating Systems that failed to minimize exploitable vulnerabilities by incorporating security-by-design throughout the developmental lifecycle of the software according to NIST 800-160. Instead, Microsoft, like the vast majority of software and technology manufacturers, rushed their product to market with the intent to actively use consumers as “crash test dummies” for vulnerability discoveries. This systemic cultural fault in software development endangers users daily and enables the efforts of cyber-adversaries. The result of these practices is the necessity for the constant release of patches and upgrades that repair old vulnerabilities while introducing new ones. Further, many of the large organizations impacted by WannaCry may not have patched their systems because they did not want to pay Microsoft for the privilege [12]. While irresponsible, the response is understandable. To them, the fees likely felt like a choice to either pay a ransom to an unknown adversary or to pay a ransom to Microsoft. An organization, or any user that already paid for a product, should not have to pay additional fees to repair inherent vulnerabilities in that code; especially, if those flaws could have been mitigated or remediated prior to release if the manufacturer had incorporated security-by-design throughout development.
Aside from the injustices of the economics of software licensing, organizations had no justifiable excuse for their failure to mitigate the EternalBlue vulnerability prior to exploitation. The patch has been available since March for most modern operating systems. Organizations around the world demonstrated that they either rely on antiquated systems or that over the course of two months, they could not find the time or resources to update and patch their systems. Profits and continuous operation superseded risks to consumers, sensitive data, critical infrastructure, and national security.
Meanwhile, the stockpiling of vulnerabilities and the planting of exploits within systems and applications by governments is a serious concern. System backdoors and implanted software defects will inevitably be discovered and exploited by nefarious threat actors. The Shadow Brokers allege populations need to hold the NSA accountable; however, whether or not those allegations are true, evidence suggests that foreign governments are doing the same practices. The Chinese government liaison at every organization operating in China has the capability to alter code or plant vulnerabilities in software and technology that can be later exploited by nation-state sponsored APT groups. The Hacking Team allegedly marketed tools and exploits to Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and others [13]. Governments must begin to recognize that by including or insinuating vulnerabilities into popular software with the intent of later garnering some geopolitical advantage, they are only putting their people and the national security of their nation at risk of compromise by script kiddies, hacktivists, cyber-criminals, hail-mary threats, cyber-terrorists, cyber-mercenaries, and nation-state sponsored APT groups.
Global Attacks are the New Normal
At least as early as 2013, Advanced Persistent Threat groups demonstrated that a single entity can compromise systems across the globe and thereby simultaneously threaten numerous targets in multiple nations. Inevitably, less sophisticated threat actors have emulated their prolific attacks and have adapted and developed methodologies to launch attacks on the global theater. In the face of APTs like the Dukes, Deep Panda, BlackEnergy, Patchwork Elephant, and hundreds of others, organizations have continued to refuse to modernize their systems or to adopt layered defenses that incorporate bleeding-edge technologies such as artificial intelligence. Even when ransomware began to return in 2015, the entrenched ideologies and profit centric focus of corporations and agencies still outweighed concerns for national security, consumer well-being, or the defense of critical infrastructure. Late Fall, Mirai demonstrated that even an unsophisticated threat actor now had the capability to launch massive attack campaigns with global impacts. The most significant lesson from the May 12, 2017, WannaCry attacks is that organizations across the world remain vulnerable in the face of overwhelming incentives to secure their systems with comprehensive layered defenses, robust cyber-hygiene, and bleeding-edge technologies. Victims of WannaCry were lucky that a more sophisticated threat actor did not integrate EternalBlue into more powerful malware, sooner. That said, every script kiddie and more sophisticated adversary on the planet saw the widespread compromise of over 200,000 systems via a self-propagating malware and a publically available exploit. Imitators are emerging, and innovators are improving on the methodology and success of WannaCry and more sophisticated malware, in complex, multi-vector attack campaigns [5]. Manufacturers need to begin to incorporate security-by-design into their software and the public, regulators, and legislators, need to ensure that they do so. Organizations must protect data and systems according to their value and potential for impact or harm, by adopting layered defenses, by promoting cyber-hygiene best practices, and by developing and investing in bleeding-edge technologies such as artificial intelligence solutions. Finally, organizations and associated geopolitical entities should consider the potential impact on users and businesses before inserting software backdoors or before concealing knowledge of software vulnerabilities that will inexorably be exploited by malicious cyber adversaries to inflict immeasurable harm on civilians, businesses, and critical infrastructure organizations.




[1] “Wanna Cry Some More? Ransomware Roundup Special Edition – Malwarebytes Labs”. Malwarebytes Labs. N.p., 2017. Web. 17 May 2017. https://blog.malwarebytes.com/cybercrime/2017/05/wanna-cry-some-more-ransomware-roundup-special-edition/

[2] Sherr, Ian. “Wannacry Ransomware: Everything You Need To Know”. CNET. N.p., 2017. Web. 17 May 2017. https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/

[3] “Microsoft Security Bulletin MS17-010 – Critical”. Technet.microsoft.com. N.p., 2017. Web. 17 May 2017. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[4] Moon, Mariella. “Pirated Windows Led To Wannacry’s Spread In China And Russia”. Engadget. N.p., 2017. Web. 17 May 2017. https://www.engadget.com/2017/05/15/pirated-windows-china-russia-wannacry/

[5] Kubovič, Ondrej. “Wannacryptor, Aka Wannacry, Wasn’T The First To Use Eternalblue: Miners Misused It Days After Shadow Brokers Leak”. WeLiveSecurity. N.p., 2017. Web. 17 May 2017. https://www.welivesecurity.com/2017/05/17/wannacryptor-wasnt-the-first-to-use-eternalblue/

[6] Clark, Zammis. “The Worm That Spreads Wanacrypt0r – Malwarebytes Labs”. Malwarebytes Labs. N.p., 2017. Web. 17 May 2017. https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

[7] Wagstaff, Jeremy. “Oddities In Wannacry Ransomware Puzzle Cybersecurity Researchers”. Reuters. N.p., 2017. Web. 17 May 2017. http://www.reuters.com/article/us-cyber-attack-puzzle-idUSKCN18C12S

[8] Higgins, Kelly. “Wannacry’s ‘Kill Switch’ May Have Been A Sandbox-Evasion Tool”. Dark Reading. N.p., 2017. Web. 17 May 2017. http://www.darkreading.com/threat-intelligence/wannacrys-kill-switch-may-have-been-a-sandbox-evasion-tool/d/d-id/1328892

[9] Booth, Robert. “Surf Fan Who Loves Pizza: Anonymous Hero Who Halted Cyber-Attack”. the Guardian. N.p., 2017. Web. 17 May 2017. https://www.theguardian.com/technology/2017/may/14/malware-tech-cyber-attack-surf-fan-loves-pizza-anonymous-hero-who-halted

[10] Kaste, Martin. “From Kill Switch To Bitcoin, ‘Wannacry’ Showing Signs Of Amateur Flaws”. NPR.org. N.p., 2017. Web. 17 May 2017. http://www.npr.org/sections/alltechconsidered/2017/05/16/528570788/from-kill-switch-to-bitcoin-wannacry-showing-signs-of-amateur-flaws

[11] “Wannacry And Lazarus Group – The Missing Link? – Securelist”. Securelist.com. N.p., 2017. Web. 17 May 2017. https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/

[12] Gapper, John”Microsoft Will Make The Most From Wannacry”. Ft.com. N.p., 2017. Web. 17 May 2017. https://www.ft.com/content/b25e5c5e-3a34-11e7-821a-6027b8a20f23

[13] Greenberg, Andy. “Hacking Team Breach Shows A Global Spying Firm Run Amok”. Wired.com. N.p., 2017. Web. 17 May 2017.  https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/

Leave a Reply