WannaCry Ransomware & The Perils of Shoddy Attribution:
It’s the Russians! No Wait, It’s the North Koreans!
By James Scott, Sr. Fellow, ICIT
Baseless Attribution Discussions Distract From Meaningful Dialogue
It’s the Russians! No, wait, it’s the North Koreans! No, wait it’s…cyber mercenaries posing as PLA hackers moonlighting
as cyber mercenaries for the North Korean nation-state? It’s interesting to watch faux experts take such authoritative
positions in sinking sand arguments with virtually zero evidence. On May 12, 2017, the WannaCry ransomware infected over
200,000 systems in more than 150 nations and demanded $300 in Bitcoin in exchange for the decryption of victim files.
WannaCry is also referred to as Wanna Decryptor, WannaCrypt, WCrypt, Wanacrypt0r, WCry, WnCry, and WannaCryptor [1]. If
the victim did not pay within three days, the demand doubled to $600; if the ransom still went unpaid, the note threatened
that the victim’s files would be lost permanently [2]. FedEx in the U.S., roughly 48 NHS trusts in the U.K., Renault
factories in France, the Russian Interior Ministry, Telefónica in Spain, the Andhra Pradesh police in India, PetroChina in
China, and numerous other globally distributed systems were affected. Nevertheless, as of May 17, 2017, only around 230
victims had paid ransoms totaling approximately $70,000 [2]. The scale of the attack incited hasty, widespread speculation
that the malware originated in North Korea. As discussed later, these claims are circumstantial at best and likely result
from the combination of North Korea’s recent media infamy and naïve attempts to correlate the scale of an attack with a
nation-state adversary.
Speculation such as this, based on a single piece of incidental and inconclusive evidence, detracts from real and
meaningful conversations about inherent software vulnerabilities that result from manufacturers’ refusal to incorporate
security-by-design into software development, the failure of organizations all over the world to protect their systems
and client data according to their value and potential for harm, and governments’ responsibility to manage, secure, and
disclose discovered vulnerabilities.
WannaCry Spread Due to Luck and Negligence, Not Sophistication
The only advanced component of WannaCry was the EternalBlue exploit for a vulnerability in Microsoft’s Windows SMBv1
implementation, fixed by security bulletin MS17-010. The EternalBlue exploit and the DoublePulsar kernel implant used by
the malware were published by The Shadow Brokers in April 2017. The group claimed that the tools were pilfered from the
NSA; those claims remain unverified. Microsoft released the patch on March 14, 2017, for Windows Vista, Windows Server
2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and 2012 R2, Windows RT 8.1, Windows 10, and
Windows Server 2016 [3]; after the outbreak it also issued an emergency fix for the unsupported Windows XP, Windows 8,
and Windows Server 2003. Users whose systems were patched, manually or through automatic updates, were already protected
from WannaCry in May 2017. Organizations were victimized only because they were running end-of-life or pirated Windows
versions that could not receive the fix, or because they failed to apply it in the two months since its release [4].
WannaCry is not unique or especially sophisticated in its use of EternalBlue. Other actors had been exploiting the
vulnerability since late April 2017, but most paired it with the more profitable Monero cryptocurrency-mining software.
Around April 28, 2017, for instance, one campaign combined EternalBlue with a CoinMiner payload and has since launched
hundreds to thousands of attacks per day in as many as 118 countries. Ironically, that miner closed TCP port 445, the port
EternalBlue targets, on the hosts it infected, and thereby shielded them from WannaCry [5].
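The practical question the two paragraphs above raise is whether a given host still exposes the SMBv1 service that EternalBlue targets on TCP port 445. The following is an added example, not code from the article or from any of its sources: it sends a single, benign SMB1 NEGOTIATE request offering only the “NT LM 0.12” dialect and classifies the reply. A host that answers with an SMB1 header (0xFF ‘SMB’) has SMBv1 enabled; a host with SMBv1 disabled, or with port 445 blocked as in the CoinMiner case, closes the connection or never answers. The sample reply bytes are constructed here so the parser can be exercised offline; only probe hosts you are authorized to test.

```python
"""Probe a host for an enabled SMBv1 service (the attack surface of MS17-010)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NTLM012 = b"\x02NT LM 0.12\x00"   # dialect list with a single entry


def build_negotiate_request() -> bytes:
    """NetBIOS session header + 32-byte SMB1 header + NEGOTIATE body."""
    header = SMB1_MAGIC
    header += bytes([SMB_COM_NEGOTIATE])
    header += b"\x00\x00\x00\x00"            # NT status (unused in requests)
    header += b"\x18"                        # Flags: canonical paths, case-insensitive
    header += struct.pack("<H", 0xC853)      # Flags2: unicode, NT status, ext. security, long names
    header += b"\x00\x00"                    # PIDHigh
    header += b"\x00" * 8                    # SecuritySignature
    header += b"\x00\x00"                    # Reserved
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)  # TID, PID, UID, MID
    body = b"\x00"                           # WordCount = 0
    body += struct.pack("<H", len(NTLM012))  # ByteCount
    body += NTLM012
    smb = header + body                      # 47 bytes
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message


def parse_negotiate_response(data: bytes) -> dict:
    """Classify a reply. smb1=True only for a valid SMB1 NEGOTIATE response."""
    if len(data) < 4 + 32 + 3:
        return {"smb1": False, "reason": "short or empty reply"}
    smb = data[4:]                            # strip NetBIOS session header
    if smb[:4] != SMB1_MAGIC:
        return {"smb1": False, "reason": "not an SMB1 header (SMBv1 likely disabled)"}
    if smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1": False, "reason": "unexpected command 0x%02x" % smb[4]}
    status = struct.unpack("<I", smb[5:9])[0]
    word_count = smb[32]
    dialect_index = struct.unpack("<H", smb[33:35])[0]
    if status != 0 or dialect_index == 0xFFFF:
        return {"smb1": False, "reason": "server rejected every offered dialect"}
    return {"smb1": True, "dialect_index": dialect_index, "word_count": word_count}


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect, send the NEGOTIATE, and classify the reply (or the lack of one)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(1024)
    except OSError as exc:                    # refused, filtered, timed out
        return {"smb1": False, "reason": f"no reply / port closed: {exc}"}
    return parse_negotiate_response(reply)


# Constructed sample of an SMB1 NEGOTIATE reply accepting dialect 0 ("NT LM 0.12").
# It is truncated after DialectIndex; a real reply carries 17 parameter words.
SAMPLE_SMB1_REPLY = (
    b"\x00\x00\x00\x23"                       # NetBIOS length: 35 bytes follow
    + SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
    + b"\x00\x00\x00\x00"                     # status OK
    + b"\x98"                                 # flags: reply bit set
    + struct.pack("<H", 0xC853)
    + b"\x00" * 12                            # PIDHigh, signature, reserved
    + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)
    + b"\x11"                                 # WordCount 17
    + struct.pack("<H", 0)                    # DialectIndex 0 = the dialect we offered
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(parse_negotiate_response(SAMPLE_SMB1_REPLY))
```

An SMB1 answer means the attack surface exists, not that the host is unpatched: a host with MS17-010 applied still speaks SMBv1 until the protocol is disabled (on Windows 8.1/Server 2012 R2 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false`). Conversely, “no reply” can mean either a blocked port or a disabled service, so treat it as a negative for exposure, not as proof of patching.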
How WannaCry first enters a network (the patient zero) had not been conclusively established at the time of writing.
Early reports assumed a spear-phishing, social-engineering, or watering-hole lure, but no e-mail vector has been
confirmed, and the worm component scans both the local subnet and random public IP addresses for hosts exposing SMB on TCP
port 445, so a single internet-facing, unpatched SMBv1 host suffices [6]. Researchers have alleged that the ransom note was
written by a fluent Chinese speaker, with the other language versions machine-translated. Before encrypting the victim’s
files, the malware checks whether an obscure, hard-coded domain (now known as the kill switch) is still unregistered, and
it enumerates the local network interfaces to find other SMB hosts. The global self-proliferation of the WannaCry worm is
due to EternalBlue’s ability to compromise any reachable host running a vulnerable SMBv1 service without user interaction,
whether on the same network or across the internet [6]. Compared to other ransomware, WannaCry was poorly designed. The
success of a ransomware campaign depends on inflicting damage on high-priority targets or on coercing either a few
victims into paying large ransoms or many victims into paying small ransoms. WannaCry attracted very high publicity and
very high law-enforcement visibility while inflicting arguably the least damage a campaign of its size could cause and
earning less than even rudimentary script-kiddie campaigns. Few if any major targets were irreparably harmed, and the
spread indicates that no sector or victim demographic was particularly targeted; at this time, infections appear
coincidental. The code reportedly relied on three hard-coded Bitcoin addresses and lacked any mechanism to identify which
victims paid [7]. In contrast, even unsophisticated ransomware assigns each victim a unique Bitcoin address or
identifier, because the operator must be able to tell who paid: if payers’ files are not decrypted, word spreads and few
further victims pay. A per-victim identifier is also a prerequisite for decrypting files automatically on receipt of
payment. As a result of this design, the WannaCry operators were likely overwhelmed by the task of manually verifying and
decrypting the files of even the roughly 230 paying victims. Further, the malware contained what is believed to be an
anti-sandbox check: it proceeds only if a nonsensical, hard-coded domain fails to respond, on the theory that analysis
sandboxes answer every network request [8]. A researcher reportedly halted the global spread by registering that domain
for a meager $10.69, turning the check into a kill switch [9]. Had these developmental flaws not been present, the attack
could have spread to hundreds of thousands more systems and reaped millions in ransoms [10]. The evidence at this time
indicates that WannaCry was launched by unsophisticated threat actors who managed to bolt the EternalBlue exploit onto
their ransomware. The low ransom values and the absence of a per-victim identifier indicate that the actors were either
unsophisticated or did not anticipate the malware’s proliferation.
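The domain check described above is worth seeing as a decision procedure, because the same logic explains both the intended sandbox evasion and the accidental kill switch. The block below is an added model, not the malware’s code: it reproduces the gating decision with an injectable `lookup` function so that several network environments can be simulated, and then shows the detection side, a scan of constructed resolver log lines for hosts that queried the domain. `KILL_SWITCH_DOMAIN`, the environment functions, and the log lines are all placeholders constructed for this example; the real sample’s domain is deliberately not reproduced.

```python
"""Model of WannaCry's kill-switch check and of detecting it in DNS logs."""
from typing import Callable, Dict, Iterable, Set

KILL_SWITCH_DOMAIN = "xjkq0zr7bmw3h9vtplcufd.example"  # placeholder, not the real domain

# A lookup returns True when an HTTP request to the domain gets a response.
Lookup = Callable[[str], bool]


def should_detonate(lookup: Lookup, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Reproduce the gating decision: proceed only when the probe fails.

    Intended as sandbox evasion (sandboxes that fake every network answer make
    the probe succeed), it also means that anyone who makes the domain answer
    for real turns the payload off on every host that can reach it directly.
    """
    try:
        reachable = lookup(domain)
    except OSError:            # NXDOMAIN, connection refused, timeout, egress blocked
        reachable = False
    return not reachable


# Constructed network environments, each modelled as a lookup function.
def unregistered_domain(domain: str) -> bool:
    raise OSError("NXDOMAIN")                  # state of the domain before it was registered


def sinkholed_domain(domain: str) -> bool:
    return True                                # a researcher registered it and it answers


def fakenet_sandbox(domain: str) -> bool:
    return True                                # analysis sandbox answers every request


def proxy_only_network(domain: str) -> bool:
    # Direct outbound connections are blocked; only the corporate proxy reaches the
    # internet. The real sample connected directly instead of honoring the system
    # proxy, so the sinkhole gave such networks no protection.
    raise OSError("direct egress blocked")


ENVIRONMENTS: Dict[str, Lookup] = {
    "unregistered domain": unregistered_domain,
    "sinkholed domain": sinkholed_domain,
    "fake-net sandbox": fakenet_sandbox,
    "proxy-only network (domain sinkholed)": proxy_only_network,
}


def simulate(environments: Dict[str, Lookup] = ENVIRONMENTS) -> Dict[str, bool]:
    """Map each environment to whether the payload would run there."""
    return {name: should_detonate(lookup) for name, lookup in environments.items()}


# Detection side: any internal host that queries the kill-switch domain has
# executed the sample, whatever answer it got. Constructed resolver log lines:
SAMPLE_DNS_LOG = [
    f"2017-05-12T10:01:02Z client=10.0.5.17 query={KILL_SWITCH_DOMAIN} rcode=NXDOMAIN",
    "2017-05-12T10:01:03Z client=10.0.5.17 query=update.microsoft.com rcode=NOERROR",
    f"2017-05-12T10:04:41Z client=10.0.9.3 query={KILL_SWITCH_DOMAIN} rcode=NOERROR",
    "2017-05-12T10:05:00Z client=10.0.2.20 query=www.example.org rcode=NOERROR",
]


def hosts_that_probed(log_lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> Set[str]:
    """Return client IPs that queried the kill-switch domain, regardless of rcode."""
    hits = set()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("query", "").lower() == domain:
            hits.add(fields["client"])
    return hits


if __name__ == "__main__":
    for env, runs in simulate().items():
        print(f"{env:40s} payload runs: {runs}")
    print("hosts that executed the sample:", sorted(hosts_that_probed(SAMPLE_DNS_LOG)))
```

Two practical consequences follow from the simulation. First, a sinkholed kill switch protects only hosts with direct outbound connectivity; a network that forces all egress through a proxy is exactly where the payload still runs, so the sinkhole is not a substitute for patching or blocking port 445. Second, a query for the domain in resolver logs is a high-fidelity indicator that the sample executed on that host, whether or not the query resolved, which makes the DNS log the place to start scoping an incident.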
Attribution to North Korea is Premature and Likely False
The Lazarus Group is an advanced persistent threat (APT) group allegedly responsible for the 2014 attack on Sony Pictures
Entertainment, the 2016 compromise of the Bangladesh Bank’s SWIFT environment, and Operation DarkSeoul. Lazarus is usually
attributed to North Korea, or profiled as Chinese cyber-mercenaries who periodically operate on North Korea’s behalf. On
May 15, 2017, Google researcher Neel Mehta tweeted about shared code between a 2015 malware sample attributed to Lazarus
and a February 2017 sample of the WannaCry cryptor. The two samples also initially targeted the same list of file
extensions. While it is possible that Lazarus is behind WannaCry, that attribution rests on circumstantial evidence at
best, and it remains more probable that the WannaCry authors borrowed code from Lazarus or from a shared source [11].
Script kiddies and other unsophisticated threat actors (and even some sophisticated groups) routinely borrow code from
successful malware and then adapt or update it until it barely resembles its origin. The practice lowers the knowledge
and resource barriers to entry while maximizing the likelihood of a successful compromise. Notably, the shared code was
removed from a later version of WannaCry, and the list of targeted extensions was expanded before the May attacks [11].
Had North Korea launched the WannaCry attack, it likely would have either chosen more strategic targets or attempted to
capture more significant profits. Given the geopolitical landscape, it is unlikely that it would have hit Russia and
China so heavily, since they are among North Korea’s only strategic allies. China, on which North Korea depends heavily,
may have been the most affected country, with an estimated 40,000 infected systems. Many of those systems were
compromised because they ran pirated copies of Windows and could not obtain Microsoft’s patches through normal channels
[4]. Lazarus demonstrated sophistication in the alleged Bangladesh Bank heist and in other campaigns, and its malware has
grown steadily more sophisticated since the group’s first observed activity in 2007, incorporating new attack vectors,
exploits, and tools through a metaphorical “malware factory” of developers and third-party mercenaries. There is no
logical rationale for the theory that a methodical group known for targeted attacks with tailored malware would suddenly
launch a global campaign dependent on barely functional ransomware. The obvious and likely conclusion from Neel Mehta’s
discovery is that the WannaCry actors, who are separate from Lazarus and North Korea, briefly borrowed code from an
outdated Lazarus sample before replacing it with newer code.
Others postulate that the WannaCry attack did not demand large ransoms or inflict significant harm because it was a
false-flag operation intended to embarrass and embattle the NSA for allegedly developing tools like EternalBlue. This
theory is likewise weak: the Shadow Brokers had already disclosed the exploit very publicly, other hackers were already
using it, and Microsoft had already patched the vulnerability. While a miscalculated false-flag operation is possible, it
seems implausible [11].
There are More Important Discussions than Attribution and Blame
Microsoft was quick to blame the NSA for the success of the WannaCry campaign, arguing that the agency should never have
developed EternalBlue and should have disclosed the vulnerability sooner [12]. Even if the Shadow Brokers’ claims are
true, liability and responsibility for the risk remain with Microsoft for shipping inherently flawed operating systems
that failed to minimize exploitable vulnerabilities by incorporating security-by-design throughout the development
lifecycle, as described in NIST SP 800-160. Instead, Microsoft, like the vast majority of software and technology
manufacturers, rushed its products to market and in effect used consumers as “crash test dummies” for vulnerability
discovery. This systemic cultural fault in software development endangers users daily and enables cyber-adversaries; its
result is a constant stream of patches and upgrades that repair old vulnerabilities while introducing new ones. Further,
many of the large organizations hit by WannaCry may have left systems unpatched because they did not want to pay
Microsoft for extended support of end-of-life versions such as Windows XP [12]. While irresponsible, that response is
understandable: to them, the fees likely felt like a choice between paying a ransom to an unknown adversary and paying one
to Microsoft. An organization, or any user, that has already paid for a product should not have to pay additional fees to
repair inherent vulnerabilities in that code, especially when those flaws could have been mitigated or remediated before
release had the manufacturer incorporated security-by-design throughout development.
Aside from the injustices of software-licensing economics, organizations had no justifiable excuse for failing to
mitigate the EternalBlue vulnerability before it was exploited. The patch had been available since March 14 for every
supported version of Windows. Organizations around the world demonstrated that they either rely on antiquated systems or
could not, over the course of two months, find the time or resources to update and patch their systems. Profits and
continuous operation superseded risks to consumers, sensitive data, critical infrastructure, and national security.
Meanwhile, the stockpiling of vulnerabilities and the planting of exploits within systems and applications by
governments is a serious concern. System backdoors and implanted software defects will inevitably be discovered and
exploited by nefarious threat actors. The Shadow Brokers allege that populations need to hold the NSA accountable;
whether or not those allegations are true, evidence suggests that foreign governments engage in the same practices. The
Chinese government liaison at every organization operating in China has the ability to alter code or plant
vulnerabilities in software and technology that can later be exploited by nation-state sponsored APT groups. Hacking
Team allegedly marketed tools and exploits to Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman,
Saudi Arabia, Sudan, and others [13]. Governments must begin to recognize that by inserting vulnerabilities into popular
software, or concealing the ones they discover, with the intent of later gaining some geopolitical advantage, they only
expose their own people and national security to compromise by script kiddies, hacktivists, cyber-criminals, hail-mary
threats, cyber-terrorists, cyber-mercenaries, and nation-state sponsored APT groups.
Global Attacks are the New Normal
At least as early as 2013, advanced persistent threat groups demonstrated that a single entity can compromise systems
across the globe and thereby simultaneously threaten numerous targets in multiple nations. Inevitably, less
sophisticated threat actors have emulated their prolific attacks and have adapted and developed methodologies for
attacks on the global theater. In the face of APTs like the Dukes, Deep Panda, BlackEnergy, Patchwork Elephant, and
hundreds of others, organizations have continued to refuse to modernize their systems or to adopt layered defenses that
incorporate bleeding-edge technologies such as artificial intelligence. Even when ransomware resurged in 2015, the
entrenched ideologies and profit-centric focus of corporations and agencies still outweighed concerns for national
security, consumer well-being, or the defense of critical infrastructure. In late 2016, the Mirai botnet demonstrated
that even an unsophisticated threat actor could launch massive attack campaigns with global impact. The most significant
lesson of the May 12, 2017, WannaCry attacks is that organizations across the world remain vulnerable despite
overwhelming incentives to secure their systems with comprehensive layered defenses, robust cyber-hygiene, and
bleeding-edge technologies. WannaCry’s victims were lucky that a more sophisticated threat actor did not integrate
EternalBlue into more powerful malware sooner. That said, every script kiddie and every sophisticated adversary on the
planet has now seen over 200,000 systems compromised by self-propagating malware built on a publicly available exploit.
Imitators are emerging, and innovators are improving on WannaCry’s methodology and on more sophisticated malware in
complex, multi-vector attack campaigns [5]. Manufacturers need to incorporate security-by-design into their software, and
the public, regulators, and legislators need to ensure that they do so. Organizations must protect data and systems
according to their value and potential for impact or harm, by adopting layered defenses, promoting cyber-hygiene best
practices, and developing and investing in bleeding-edge technologies such as artificial intelligence solutions. Finally,
governments and associated geopolitical entities should consider the potential impact on users and businesses before
inserting software backdoors or concealing knowledge of software vulnerabilities that will inexorably be exploited by
malicious cyber adversaries to inflict immeasurable harm on civilians, businesses, and critical infrastructure
organizations.
Sources
[1] “Wanna Cry Some More? Ransomware Roundup Special Edition – Malwarebytes Labs”. Malwarebytes Labs. N.p., 2017. Web. 17 May 2017. https://blog.malwarebytes.com/cybercrime/2017/05/wanna-cry-some-more-ransomware-roundup-special-edition/
[2] Sherr, Ian. “Wannacry Ransomware: Everything You Need To Know”. CNET. N.p., 2017. Web. 17 May 2017. https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
[3] “Microsoft Security Bulletin MS17-010 – Critical”. Technet.microsoft.com. N.p., 2017. Web. 17 May 2017. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[4] Moon, Mariella. “Pirated Windows Led To Wannacry’s Spread In China And Russia”. Engadget. N.p., 2017. Web. 17 May 2017. https://www.engadget.com/2017/05/15/pirated-windows-china-russia-wannacry/
[5] Kubovič, Ondrej. “WannaCryptor, aka WannaCry, Wasn’t the First to Use EternalBlue: Miners Misused It Days After Shadow Brokers Leak”. WeLiveSecurity. N.p., 2017. Web. 17 May 2017. https://www.welivesecurity.com/2017/05/17/wannacryptor-wasnt-the-first-to-use-eternalblue/
[6] Clark, Zammis. “The Worm That Spreads Wanacrypt0r – Malwarebytes Labs”. Malwarebytes Labs. N.p., 2017. Web. 17 May 2017. https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
[7] Wagstaff, Jeremy. “Oddities In Wannacry Ransomware Puzzle Cybersecurity Researchers”. Reuters. N.p., 2017. Web. 17 May 2017. http://www.reuters.com/article/us-cyber-attack-puzzle-idUSKCN18C12S
[8] Higgins, Kelly. “Wannacry’s ‘Kill Switch’ May Have Been A Sandbox-Evasion Tool”. Dark Reading. N.p., 2017. Web. 17 May 2017. http://www.darkreading.com/threat-intelligence/wannacrys-kill-switch-may-have-been-a-sandbox-evasion-tool/d/d-id/1328892
[9] Booth, Robert. “Surf Fan Who Loves Pizza: Anonymous Hero Who Halted Cyber-Attack”. the Guardian. N.p., 2017. Web. 17 May 2017. https://www.theguardian.com/technology/2017/may/14/malware-tech-cyber-attack-surf-fan-loves-pizza-anonymous-hero-who-halted
[10] Kaste, Martin. “From Kill Switch To Bitcoin, ‘Wannacry’ Showing Signs Of Amateur Flaws”. NPR.org. N.p., 2017. Web. 17 May 2017. http://www.npr.org/sections/alltechconsidered/2017/05/16/528570788/from-kill-switch-to-bitcoin-wannacry-showing-signs-of-amateur-flaws
[11] “Wannacry And Lazarus Group – The Missing Link? – Securelist”. Securelist.com. N.p., 2017. Web. 17 May 2017. https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/
[12] Gapper, John. “Microsoft Will Make The Most From Wannacry”. Ft.com. N.p., 2017. Web. 17 May 2017. https://www.ft.com/content/b25e5c5e-3a34-11e7-821a-6027b8a20f23
[13] Greenberg, Andy. “Hacking Team Breach Shows A Global Spying Firm Run Amok”. Wired.com. N.p., 2017. Web. 17 May 2017. https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/