As malware attacks go, the WannaCry ransomware worm was only partly successful. By the time it was only a few days old, the attack was effectively blocked when an alert security researcher noticed that the worm was searching for a specific site on the internet.
The researcher registered the site to take control of it which caused WannaCry infections to slow down and stop.
But in other ways, WannaCry was very effective. First it demonstrated that a worm combined with ransomware will really work. In addition, it was able to raise around $100,000 before it was stopped.
But in the world of cyber-crime, $100,000 isn’t a lot of money. This means that the perpetrators will want to build on their successes and create a new ransomware worm that avoids the pitfalls of WannaCry. This means that we can expect new attempts to seize control of computers, encrypt data and hold it for cash ransoms.
“The ransomware payload wasn’t all that novel,” said Jack Danahy, CTO of Barkly Protects, a company that provides enterprise anti-malware defenses. “What they did was use a new technique to spread itself using an exploit called EternalBlue which was revealed by ShadowBrokers.”
Danahy pointed out that the recommendation for defeating the WannaCry attack was simply to apply the patch released by Microsoft in March to close the vulnerability. He said that even if the malware writers removed the kill switch that ended the spread of WannaCry, a new version wouldn’t be particularly effective, because so many users will have patched their versions of Windows.
“There were other exploits in that dump that the ShadowBrokers released,” Danahy said. He said that ShadowBrokers have now promised to release a new round of exploits each month. “If they release a wave of new ransomware every month, we may see a type of ransomware that’s propagated more broadly when it’s released.”
Danahy said that such a monthly release schedule may effectively force the hands of IT departments to update their systems and apply patches more rigorously. He said that the amount of attention that WannaCry generated will also play a role in encouraging the malware writers to try new things. “It’s kind of the perfect crime,” Danahy said, “Profitable, simple and anonymous.”
But Danahy thinks the nature of the ransomware may change so that more victims will actually pay up. He said that his company recently found in a survey that only about 5 percent of victims actually pay the ransom.
This is partly because victims have learned to have backups in place so that they don’t need to pay the ransom, but he also said that there’s a growing lack of trust among victims that cyber-criminals will decrypt their data even if they pay the ransom.
“As people begin to have less trust, it’ll cause a fundamental business change,” he said.
Danahy said that one method of forcing victims to pay the ransom is to threaten to publicly expose the encrypted data. For some organizations such as law firms, this could be significant. While there are ways to make it difficult or impossible to expose such data, not many organizations have the capability to accomplish that.
For many organizations, the important question is now how to protect the data from the near-certain attacks that will use unpatched exploits. In this situation, it’s not enough to tell people not to click on email links, because the malware can be triggered simply by arriving on the victim’s computer.
Adding to the complexity of dealing with these ransomware campaigns is the fact that the malware writers can use the released exploits to quickly reduce their costs and raise the effectiveness of their malware. “We’re going to see new exploits that reassert the virality of new ransomware campaigns,” Danahy said.
While prompt and aggressive flaw patching can reduce the risks of getting hit by a ransomware attack, some businesses are now dealing with the shortsighted decisions they made years ago when they didn’t design the custom software they developed to handle regular updates easily. Those shortcomings can be overcome in the future with better programming practices.
But for now, potential victims (meaning nearly everyone) can protect themselves by good network hygiene and by making sure that they have backups that they know can be recovered.
Good behavior-based anti-malware software such as Barkly or Malwarebytes can help reduce the risk. An anti-encryption product such as Cybereason, which can detect when ransomware is about to begin encrypting files and then stop it in its tracks, can also prove critical.
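To show what "detecting when ransomware is about to begin encrypting files" looks like in practice, here is an added example (not code from Barkly, Cybereason or the article's author) of a behavior-based heuristic: it flags a process that rewrites many files with high-entropy, ciphertext-like content inside a short time window. The event tuples, process IDs, paths and thresholds are all constructed for this example.

```python
"""Behavior-based detection of a file-encryption burst (added example).

Heuristic: ransomware rewrites many files in quick succession, and the new
contents look random (high Shannon entropy). A single process doing that to
several files within a few seconds is flagged. Event format is constructed:
(timestamp_seconds, pid, path, first_bytes_written).
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for a perfectly uniform block."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events, window_s=10.0, threshold=5, entropy_min=7.0):
    """Return the set of pids that wrote >= threshold high-entropy files
    within any window_s-second span. Plain text files are ignored."""
    times_by_pid = defaultdict(list)
    for ts, pid, _path, head in events:
        if shannon_entropy(head) >= entropy_min:
            times_by_pid[pid].append(ts)
    flagged = set()
    for pid, times in times_by_pid.items():
        times.sort()
        # Sliding window: the threshold-th write must land within window_s
        # of the first write in that run.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                flagged.add(pid)
                break
    return flagged


# Constructed sample activity: pid 100 is a user saving documents slowly;
# pid 4242 rewrites six files in 2.5 seconds with ciphertext-like bytes.
TEXT_LIKE = b"quarterly report draft - see attached figures and notes"
RANDOM_LIKE = bytes(range(256))  # every byte value once: entropy exactly 8.0
SAMPLE_EVENTS = (
    [(10.0 * i, 100, f"C:/Users/alice/doc{i}.txt", TEXT_LIKE) for i in range(6)]
    + [(30.0 + 0.5 * i, 4242, f"C:/Users/alice/doc{i}.txt", RANDOM_LIKE) for i in range(6)]
)

if __name__ == "__main__":
    print("flagged pids:", detect_encryption_burst(SAMPLE_EVENTS))  # {4242}
```

A real agent would feed this from a file-system minifilter or audit log and pair a hit with suspending the offending process; the thresholds here are illustrative and would be tuned against normal activity (backup agents and compression tools also write high-entropy data).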
What we don’t know for sure is whether the next attack will be ransomware or something else. While WannaCry surely got a lot of public attention, it didn’t generate a lot of profits to cyber-criminals. It’s possible that cyber-criminals will decide that the established ransomware model no longer pays and that it’s time to develop a new attack method.
What might that next attack look like? It’s impossible to say for sure. But it’s possible that a type of ransomware that skips the encryption and all of its overhead and uses simpler tactics such as large-scale data extraction with the threat of exposure might do the trick against some victims. Think about what a wholesale release of your company’s private data would do to your business. It’s worse than data encryption that you can remedy by restoring a backup, isn’t it?