The worst of WannaCry is yet to come, warn experts
The massive scale of the recent WannaCry ransomware attack has exposed some significant weaknesses in global IT systems, and we are likely to see more attacks leveraging similar techniques, and doing even more damage, security experts say.
WannaCry infected hundreds of thousands of machines in more than 150 countries, with direct ransom costs estimated at around $10 million (€8.98 million), according to Cyence. But that is just the start. Business interruption costs will add up to about $8 billion (€7.18 billion), according to George Ng, co-founder and CTO at Cyence—up from the company’s $4 billion (€3.6 billion) estimate as of Sunday.
“We do not know if these attacks will be modified over time to have data breach implications triggering notification laws and cyber-policies,” Arvind Parthasarathi, Cyence
And cyberinsurance may or may not cover all of these costs, due to deductibles or coverage limits, said Cyence CEO Arvind Parthasarathi. Plus, the next variant of the malware could be worse.
“It doesn’t appear that the WannaCry malware is exfiltrating data from infected hosts at this time,” he said. “But we do not know if these attacks will be modified over time to have data breach implications triggering notification laws and cyber-policies.”
Several security experts pointed out that WannaCry was not as deadly as it could have been.
“WannaCry is an extremely simple piece of malware, written carelessly—or purposely—with a kill switch,” said Alex Vaystikh, CTO at SecBI. “In other words, if the attackers had wanted, they could’ve written a very silent, slow-moving malware, and achieved much more.”
In addition, the variants of WannaCry that have come out so far have not made full use of evasion techniques, said Lenny Zeltser, vice president of products at Minerva Labs.
“As a result, baseline antivirus products were generally able to block the malware at the onset of the attack,” he said.
In the future, WannaCry variants could include sandbox avoidance, memory injection and other evasive techniques.
The first evolution of WannaCry has already hit, said Brian Hussey, vice president of cyber threat detection and response at Trustwave Holdings. There is a variant out now in the wild without the kill switch.
“If the security researchers identify reliable methods to disable the malware, then expect the attackers to overcome that with a new version,” he added.
Attackers have already begun to morph their delivery vectors to evade detection, said Deepen Desai, director of security research at Zscaler.
“Yesterday morning, the Zscaler ThreatLabZ team identified a new attack vector used by WannaCry that utilises the basic web HTTP protocol to attack systems,” he said. “We believe that there is a possibility that these first two variants will combine to produce an attack that will be even more devastating. It could use a combination of standard open ports and protocols such as 80 and 443 which are essential in doing business to initially infect and then move laterally.”
Viral by default
Malware writers are also likely to shift towards more “viral by default” attack designs with the potential for massive-scale infections, said Casey Ellis, CEO at Bugcrowd.
“The technique allows hackers to get a bigger payday from minimal effort,” he said.
Another area where attackers are likely to improve is the income potential of their attacks.
“Wannacry was really focused on mass destruction and less on revenue generation with some major flaws in its tool kit,” said Chad Holmes, principal and chief technology, innovation and strategy officer for the cybersecurity practice at Ernst & Young. “Now, since it is open to the public, what we will see in the next few rounds is the removal of these flaws and new versions will be leveraged more broadly for financial gain.”
This fast evolution is possible because of the modular nature of WannaCry’s design, said Diana Kelley, global executive security adviser at IBM Security.
For example, attackers could expand beyond ransomware, she said. “Other malware operators could borrow pieces of this code to execute other malware—password stealing, remote monitoring/access, keystroke logging, and more.”
Attackers could also build on the self-propagating features of the WannaCry campaign and add on several features designed for maximum business disruption.
That would be a worst-case scenario, said Scott Scheferman, director of consulting at Cylance.
“Imagine the same world-wide spread,” he said, “But multiply the business impact and risk to human safety of a worm that effectively locks out every user in the domain over the course of the same weekend, making containment and eradication nearly impossible and also manages to exfiltrate the most sensitive information of each organisation, and then exits with a last-hurrah ransom module to make some extra money on the way out.”
Tough to fight
The problem is that it’s difficult to instantly patch all vulnerable systems, and we now have more vulnerable systems connected to public or internal networks than ever before, making them targets for self-propagating malware like WannaCry.
“It’s very easy to for us to say, go patch your systems, but often the reality is that it’s difficult for organisations to do,” said Steven Malone, director of security product management at Mimecast.
In addition to organisational complexity, there are also deeply embedded systems that are hard to update, and regulations that can make updates very onerous for certain industries.
“While it would be great to say that those regulations need to change to accommodate those kinds of security checks, realistically, that’s going to be slow moving,” he said. “Organisations need to look at how best to segment those machines from the rest of the network and even from human interaction.”
Most immediately, enterprises with vulnerable machines need to close the specific ports that WannaCry took advantage of.
“I expect organisations will take a look at internal firewalling off the port 445 which was how the attack propagated,” said Chris Wysopal, CTO and cofounder at Veracode. “It should absolutely be firewalled from the internet but organisation may take a look at also blocking it between partner networks or within different departments.”