It's the Russians! No, wait, it's the North Koreans! No, wait…

It's been interesting to watch the so-called experts take such authoritative positions regarding the recent global ransomware virus with virtually zero evidence to support their arguments.

Last month, the WannaCry virus infected roughly 300,000 systems in more than 150 nations, and demanded $300 in Bitcoins in exchange for the decryption of victim systems. If the victim did not pay the ransom after three days, the demand doubled to $600. If the ransom remained unpaid, then eventually the adversary would threaten to delete the victim's data.

FedEx was among the American companies impacted, along with Renault factories in France, the Interior Ministry of Russia, Telefonica in Spain, the Andhra Pradesh police department in India, PetroChina in China, and numerous and diverse globally distributed systems.

But ultimately, only around 230 victims paid ransoms, which totaled approximately $70,000.


The scale of the attack has incited some hasty widespread speculation that the malware originated in North Korea. But these claims are circumstantial at best. Speculation such as this, based on a single piece of incidental and inconclusive evidence, detracts from real and meaningful conversations about inherent software vulnerabilities that result from:

  • Manufacturers' refusal to incorporate security-by-design into software development;
  • The failure of organizations worldwide to protect their systems and client data according to their value and potential for harm; and
  • Governments' responsibility to manage, secure and disclose discovered vulnerabilities.

How WannaCry spread so fast

The only advanced aspect of the WannaCry malware was the incorporation of the EternalBlue vulnerability in Microsoft Windows SMB v1 (MS17-010). The EternalBlue and DoublePulsar exploits utilized in the malware were disclosed by The Shadow Brokers in April 2017. The hacker group claimed that the tools were pilfered from the NSA; however, those claims remain unverified.

Microsoft released a patch for the vulnerability exploited by EternalBlue on March 14, 2017. Users who updated their systems or who automatically installed updates were already protected from WannaCry by the time the virus was unleashed in May. Those organizations that were victimized by WannaCry found themselves in that position because they were either operating outdated or illegitimate software or because they failed to update their systems in the months since Microsoft's release of the patch.

WannaCry infected an initial host (or patient zero) via spear-phishing, social engineering, or a watering-hole attack. Researchers have alleged that the malware was programmed in Chinese with machine-translated ransom demands. Before encrypting the victim's files, the malware checked whether an obscure URL, which might be used as a kill-switch, remained inactive. Then it mapped the system's file-sharing mechanisms.

The global self-proliferation of the WannaCry ransomware worm was mostly due to EternalBlue's capacity to laterally compromise additional systems via shared networks, drives, folders and the like.
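
The two conditions the column describes, SMBv1 reachable and the March 2017 MS17-010 fix missing, are exactly what a defender should audit for on a Windows fleet. The script below is an added example written for this page, not code from the article or from ICIT; it assumes an elevated PowerShell session on the host being checked, and the two KB identifiers it looks for are the Windows 7 / Server 2008 R2 security-only and monthly-rollup packages from the MS17-010 bulletin (an assumption to extend for other OS versions).

```powershell
# Added example (not from the article): audit one Windows host for the exposure
# the WannaCry worm component relied on -- SMBv1 enabled and MS17-010 not installed.
# Run from an elevated PowerShell session on the host being checked.

# Assumption: MS17-010 packages for Windows 7 / Server 2008 R2 (security-only and
# monthly rollup). Extend this list from the MS17-010 bulletin for other OS versions.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # Preferred path: the SMB server configuration cmdlet (Windows 8 / Server 2012 and later).
    try {
        return [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Older hosts lack the cmdlet: read the LanmanServer SMB1 registry value instead.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # When the value is absent, SMBv1 is on by default on those versions.
        return ($null -eq $val) -or ($val -ne 0)
    }
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed update packages by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-SmbExposureReport {
    $smb1    = Test-Smb1Enabled
    $patched = Test-Ms17010Installed
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1Enabled          = $smb1
        Ms17010Installed     = $patched
        # Exposed in the WannaCry sense only when SMBv1 is reachable AND the fix is absent.
        ExposedToEternalBlue = ($smb1 -and -not $patched)
    }
}

Get-SmbExposureReport | Format-List
```

Two caveats when reading the report: later cumulative rollups supersede the March packages, so an absent KB identifier is a prompt to verify against the update history, not a verdict; and the durable mitigation for hosts that do not need the protocol is to turn it off (`Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force`), which removes the lateral-movement path regardless of patch state.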


Things could have been much worse

WannaCry was actually poorly designed compared to other ransomware. For starters, the success of a ransomware campaign depends on inflicting damage on high-priority targets or on coercing either a few victims into paying large ransoms or many victims into paying small ransoms. The WannaCry attack attracted very high publicity and very high law-enforcement visibility while inflicting arguably the least amount of damage a similar campaign that size could cause and garnering profits lower than even the most rudimentary script kiddie attacks. Few if any major targets were irreparably harmed. In fact, the spread of the malware appears to indicate that no sector or victim demographic was particularly targeted. At this time, infections appear coincidental. The code reportedly relied on four hardcoded Bitcoin addresses and lacked any mechanisms to identify which victims paid the ransom.

In contrast, even unsophisticated ransomware assigns a unique Bitcoin address or identifier to each victim because if no victim files are decrypted upon the receipt of payment, then only a minimum of victims will pay the ransom. The assignment of individual identifiers is necessary if the attackers intend the malware to automatically decrypt files once a victim pays the ransom. As a result of the poor design, the WannaCry threat actors were likely overwhelmed by the task of identifying and decrypting the files of even the 220 paying victims. Further, the malware contained what is believed to be an obfuscation and an anti-sandbox feature that checked for the inactivity of a nonsensical URL. The result? A researcher was reportedly able to halt the global attack by purchasing the URL for a meager $10.69.

If these developmental flaws were not present in the ransomware, the attack could have spread to hundreds of thousands more systems and could have reaped millions in victim ransoms. But the early evidence indicates that WannaCry was launched by unsophisticated threat actors who luckily figured out how to incorporate the EternalBlue vulnerability into their ransomware. The low ransom values and the failure to assign a unique victim identifier indicate that the threat actors were either unsophisticated or did not anticipate the significant proliferation of the malware.

Ultimately, only around 230 victims paid WannaCry ransoms, which totaled approximately $70,000. (Photo: iStock)


Premature blame

The Lazarus group is an advanced persistent threat (APT) allegedly responsible for cyber attacks against Sony, SWIFT, the Bangladesh Bank, and Operation DarkSeoul. Lazarus is often attributed to North Korea or profiled as Chinese cyber mercenaries who periodically operate on behalf of North Korea. On May 15, 2017, Google researcher Neel Mehta tweeted about similarities in code from a 2015 malware sample attributed to the Lazarus APT group and a February 2017 sample of the WannaCry cryptor. Further, the two malware samples initially targeted the same list of file extensions.

While it is possible that the Lazarus group is behind the WannaCry malware, the likelihood of that attribution proving correct is dubious because the evidence is circumstantial at best. It remains more probable that the authors of WannaCry borrowed code from Lazarus or a similar source. Script kiddies and other unsophisticated threat actors (and even some sophisticated groups) often borrow code from other successful malware. The malware is then either adapted or updated until it barely resembles its original source. The practice minimizes adversarial knowledge barriers and resource expenditures while maximizing the likelihood of successful compromises. The shared code was even removed from a later version of WannaCry, and the list of extensions targeted by WannaCry expanded.

Had North Korea launched the WannaCry attack, it likely would have either attacked more strategic targets, or it would have attempted to capture more significant profits. Given the geopolitical landscape, it is unlikely that it would have hit Russia and China as heavily because they are some of North Korea's only strategic allies. China, upon which North Korea heavily depends, may have been the greatest victim of the WannaCry attack, with an estimated 40,000 infected systems. Many of the systems in China were compromised because they relied on illegitimate versions of Windows and were therefore unable to download the patches released by Microsoft.

The malware utilized by the Lazarus group has increased in sophistication since the group's discovery in 2007, by incorporating new attack vectors, exploits and tools via a metaphorical "malware factory" of developers and third-party mercenaries. There is no logical rationale defending the theory that the methodical group, known for targeted attacks with tailored malware, would suddenly launch a global campaign dependent on barely functional ransomware. The obvious and likely conclusion from Neel Mehta's discovery is that the WannaCry actors, who are separate from Lazarus and North Korea, briefly borrowed code from an outdated Lazarus sample before upgrading to more modern code.

Theories abound

Others postulate that the WannaCry attack did not demand large ransoms or inflict significant harm because it was a false flag operation intended to embarrass and embattle the NSA for allegedly developing tools like EternalBlue. This theory is likewise devoid of merit considering that the Shadow Brokers very publicly disclosed the vulnerability, it was already being exploited by other hackers, and the vulnerability had already been patched by Microsoft. While it is possible that this was a miscalculated false flag operation, it seems implausible.

Microsoft was quick to blame the success of the WannaCry campaign on the NSA, alleging that the agency should never have developed EternalBlue and that the vulnerability should have been disclosed sooner. Even if the Shadow Brokers' claims were true, the liability and responsibility for the risk remain with Microsoft for developing inherently flawed operating systems that failed to minimize exploitable vulnerabilities by incorporating security-by-design throughout the developmental lifecycle of the software according to NIST SP 800-160.

Instead, Microsoft, like the vast majority of software and technology manufacturers, rushed their product to market with the intent to actively use consumers as "crash test dummies" for vulnerability discoveries. This systemic cultural fault in software development endangers users daily and enables the efforts of cyber adversaries. The result of these practices is the necessity for the constant release of patches and upgrades that repair old vulnerabilities while introducing new ones. Further, many of the large organizations impacted by WannaCry may not have patched their systems because they did not want to pay Microsoft for the privilege.

Although irresponsible, the response was understandable. To them, the fees likely felt like a choice to either pay a ransom to an unknown adversary or to pay a ransom to Microsoft. An organization, or any user that already paid for a product, should not have to pay additional fees to repair inherent vulnerabilities in that code, especially if those flaws could have been mitigated or remediated prior to release had the manufacturer incorporated security-by-design throughout development.

Timing was key

Aside from the injustices of the economics of software licensing, organizations had no justifiable excuse for their failure to mitigate the EternalBlue vulnerability prior to exploitation. The patch has been available since March for most modern operating systems. Organizations around the world demonstrated that they either rely on antiquated systems or that over the course of two months, they could not find the time or resources to update and patch their systems. Profits and continuous operation superseded risks to consumers, sensitive data, critical infrastructure, and national security.

Meanwhile, the stockpiling of vulnerabilities and the planting of exploits within systems and applications by governments is a serious concern. As early as 2013, hacker organizations demonstrated that a single entity can compromise systems across the globe and thereby simultaneously threaten numerous targets in multiple nations. Inevitably, less sophisticated threat actors have emulated their prolific attacks and have adapted and developed methodologies to launch attacks on the global theater. In the face of these threats, organizations have continued to refuse to modernize their systems or to adopt layered defenses that incorporate bleeding-edge technologies such as artificial intelligence. Even when ransomware began to return in 2015, the entrenched ideologies and profit-centric focus of corporations and agencies still outweighed concerns for national security, consumer well-being, or the defense of critical infrastructure.

What's the solution?

Victims of WannaCry were lucky that a more sophisticated threat actor did not integrate EternalBlue into more powerful malware, sooner. That said, every script kiddie and more sophisticated adversary on the planet saw the widespread compromise of over 200,000 systems via a self-propagating malware and a publicly available exploit. Imitators are emerging, and innovators are improving on the methodology and success of WannaCry and more sophisticated malware, in complex, multi-vector attack campaigns.

Manufacturers need to begin to incorporate security-by-design into their software while the public, regulators and legislators need to ensure that they do so. Organizations must protect data and systems according to their value and potential for impact or harm, by adopting layered defenses, by promoting cyber-hygiene best practices, and by developing and investing in bleeding-edge technologies such as artificial intelligence solutions. Finally, organizations and associated geopolitical entities should consider the potential impact on users and businesses before inserting software backdoors or before concealing knowledge of software vulnerabilities that will inexorably be exploited by malicious cyber adversaries to inflict immeasurable harm on civilians, businesses, and critical infrastructure organizations.

James Scott is a senior fellow with the Institute for Critical Infrastructure Technology. This is an abridged version of a blog post that was originally published on ICIT's website. The opinions expressed here are the writer's own. He can be reached at [email protected].
