What happened when? A look back at WannaCryptor and those involved

You’ve no doubt heard about WannaCryptor, aka WannaCry or WCrypt, many times before, but there may still be things that have escaped you in the general hubbub of daily life. Here are a few tidbits that helped make WannaCryptor – and, indeed, the people involved with it in a good or bad way – stand out.

No need to play ball

First, unlike many of its malicious peers and contrary to initial reports, WannaCryptor did not rely on duping the target into clicking on a link in, or attachment to, a malicious email. Instead, the malware leveraged a software exploit known as EternalBlue. This tool, allegedly developed by the United States’ National Security Agency (NSA) and then stolen and dumped online by the Shadow Brokers hacking group, targeted a critical flaw in an outdated version of Microsoft’s Server Message Block (SMB) implementation, which is used mainly for file- and printer-sharing in corporate networks.

Having scanned the internet for machines with port 445 (conventionally associated with SMB) open, the attackers exploited the SMB flaw and went on to install another tool, DoublePulsar, thought to have been stolen from the NSA. This backdoor paved the way for the main payload that, once implanted and executed, encrypted the files.

Importantly, Microsoft released a critical security update for this vulnerability a full 59 days before the global outbreak. Furthermore, ports associated with any of the three SMB versions should never be exposed to the internet. In addition, Microsoft had advised a long time before the attack that the first version of SMB (SMBv1), which is some three decades old and for which the patch had also been released, should no longer be used. The bottom line? A compromise by WannaCryptor was completely avoidable even in the absence of an installed patch, simply by applying some basic security configurations. This, in fact, applies to measures against malware in general, as it often targets open ports and then exploits known software flaws.

Writhing worm and old’s cool

WannaCryptor’s worm-esque functionality had some eerie echoes of techniques from the days of yore (in computer terms, anyway). In fact, security folks had expected that ransomware would come to be paired with self-propagating worms to greatly aid and abet the main payload’s spread. Much like old-school worms – think Code Red in 2001, SQL Slammer in 2003, Sasser in 2004, and Conficker in 2008 – WannaCryptor, too, traversed vulnerable corporate networks voraciously, feeding off a security loophole for which a patch had been available for quite a while. This time, the malware packed a particularly powerful punch in that its main payload was ransomware that completely incapacitated the affected machines. "History doesn't repeat itself, but it often rhymes", as Mark Twain is sometimes believed to have said.

Once in a machine, WannaCryptor leveraged its worm functionality to feed on other vulnerable devices within the local network and on the open internet. As soon as another exposed machine was found and compromised courtesy of the same unpatched SMB loophole, it was abused for “paying it forward”, continuing the vicious cycle of compromising computers, encrypting files, and demanding ransom.

The “deal” gone awry

Speaking of the main payload, ESET Senior Research Fellow David Harley recently pointed out that the malware’s operators were very unlikely to keep their side of the bargain even if the victims held up theirs. To elaborate on that point – there was no automated or practicable way for the attackers to know which victim had paid up and which had not. How can you possibly share an unlock code if you can’t ascertain if the victim has paid up?

In fact, the money side of things failed precipitously for the attackers considering the extent of the campaign and the damage it wrought – some 300,000 machines compromised, each in potential exchange for $300 (or, after three days, $600) for the decryption key. When the dust settled, the operators of the three Bitcoin wallets associated with WannaCryptor – to date unknown, by the way – emptied them in late July and early August, moving around some 52 bitcoin, worth US$140,000 at that time. If the attackers were indeed cashing out, it was hardly a windfall given the scale of the attack and the fact that many other ransomware campaigns rake in millions in profits with much less brouhaha and far fewer victims.

This, combined with some other quirks of WannaCryptor, has prompted many security practitioners to believe that the malware was never intended to be a money-grubbing machine. Instead, it has been called an elaborate disk trasher, or it may have been planned as a small operation that ended up getting out of hand.

Ten bucks

It’s not only in the Matrix that “everything that has a beginning has an end” (I left out “Neo” on purpose here). How did the WannaCryptor outbreak stop – for the most part, anyway? In a most anti-climactic fashion – with a “switch“.

As WannaCryptor was being foisted on users throughout the world, a 22-year-old malware analyst from England dived into samples of the code, noticing something peculiar about its behavior. The researcher, a Marcus Hutchins aka MalwareTech, saw that the malware tried to connect to a gibberish – and unregistered – domain.

Then, doing what those who track botnets for a living often do, he took possession of the domain for the sake of further insight into, and ultimately to stop, the attackers’ shenanigans. Except that this time, first, there was no botnet involved and, second, Hutchins apparently had no clue that, by buying the domain (for less than US$10) and making it “live”, the malware’s “kill switch” would be turned on. Thereafter, whenever WannaCryptor connected to the domain, the malware simply shut down, rather than starting its spreading and disk-encrypting routines. This was instrumental in slowing WannaCryptor’s propagation to a trickle within a few hours, earning Hutchins the possibly undeserved designation “[accidental] hero”.

In an odd twist – and much to the astonishment of many members of the security community – Hutchins was arrested at the Las Vegas airport in early August on charges that he had helped develop and spread a banking Trojan called Kronos (detected by ESET as Win32/Agent.QMH) in 2014 and 2015. The next month, security journalist Brian Krebs published a long piece, connecting Hutchins to several possibly unsavory online personas. Hutchins, who is now on bail pending trial and denies any wrongdoing, may face 40 years in jail.

On set

With WannaCryptor firmly in the rearview mirror, let’s hope … er, no, let's not. “Hope is not a strategy,” as some prominent people, including film director James Cameron, have averred. Instead, let’s learn the lessons offered by the outbreak unless we want to provide fodder for a disaster movie. As far as I’m concerned, the tale of the WannaCryptor outbreak and much of what happened in its wake has all the makings of a Hollywood script.