Security Blog

WannaCry - Continuous expansion and paradigm shift in malware requires new approaches

The malware outbreak of the malicious software "WannaCry", which occurred on 12th of May 2017, represents a significant evolution in the Ransomware industry. For the first time, a new kind of cyber virus was "bred" here, which can now independently spread without user interaction in computer networks.

The malware uses a vulnerability, which comes from the toolkit published from NSA in February. Specifically, a gap in the SMB protocol of Windows is exploited in order to execute malicious software on the affected system. This approach is contrary to the previously used method of spreading Ransomware over infected e-mails. Through this new kind of "worm" spread, a dangerous threat becomes much more aggressive.

As soon as the malware has penetrated into a company network via some weakness, it spreads rapidly and almost inexorably over vulnerable systems without current software status. A single computer is sufficient to infect many others and to start local encryption routines on each system and demand ransom in bitcoins.

While for the Windows operating systems a security update was already available in March, Windows XP and Server 2003, which were no longer supported, were also vulnerable. Due to the massive impact, Microsoft was forced to issue an emergency update for these systems as well.

Very interesting observations have been made in the last 10 days about WannaCry, and various theses, which point to a clear paradigm shift, have been presented.

A first special feature was a built-in kill switch in the code of the virus, which could accidentally be activated by a security researcher just a few hours after the outbreak. In this case, an external website was queried and the execution was terminated upon reaching it. With registration of the domain, a further spread could be prevented.

Contrary to the initial assumption, it is no longer certain whether this malware was distributed by e-mail at all. An exclusive distribution by the usage of the security gaps in the network is also not clear.
Only a few affected users have decided to pay. The Bitcoin accounts worth about $ 100,000 - quite little in relation to the extent of the spread. These and other hints are taken as a basis to derive possible motivations for the malware. suspects that North Korea has something to do with it. On is speculated that the Bitcoin popularity would increase with it. In fact, the Cryptocurrency has reached its new record over the last week.

What is certain is that this new development shows us: Cybersecurity is always a race between the attacker and the defender without a clear winner. It will never be possible to achieve a 100% protection. The security expert, Bruce Schneier, summarizes: "Criminals go where the money is, and cybercriminals are no exception". The rate of spread of such malware infections is immense. Basics such as a comprehensive patch management and also a well thought-out backup strategy are now essential. Continuous observation and further development on the basis of what is learned is important in order to meet possible future developments. Only this way it’s possible to recognize risks in time and to plan and implement countermeasures meaningfully.

© 2017 IKARUS Security Software GmbH