The ransomware landscape has evolved considerably since WannaCry dramatically drove home the potential severity of the threat five years ago on May 12. What has changed somewhat less over the same period is enterprise preparedness in the face of ransomware attacks.
Ransomware emerged and has remained entrenched as one of the most difficult security issues for organizations across sectors in the past few years. WannaCry itself, while nowhere near as widespread as it was initially, remains a potent threat and even figured in some vendor lists of top malware threats as recently as last November.
By most accounts, enterprise organizations have gotten better at remediating vulnerabilities and updating obsolete and outdated software. Even so, the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire remains in widespread use across organizations and regions. Most attacks against SMB still rely on EternalBlue, the exploit used in the WannaCry attacks. Patching and vulnerability management programs continue to pose challenges, as do practices such as threat detection, remediation, and response.
Meanwhile, ransomware and the manner in which it is used has changed. Many ransomware attacks these days are highly targeted and involve hands-on tactics for maximum effectiveness. Tools are increasingly becoming multiplatform, meaning they can be used to attack different operating systems. Examples of these tools include Conti, BlackCat, and Deadbolt.
And the proliferation of ransomware-as-a-service offerings has lowered the barrier to entry for common cybercriminals, even as it has fostered increasingly businesslike hierarchies and processes within the criminal industry. A high percentage of ransomware attacks these days also involve data theft and denial-of-service attacks as additional forms of extortion.
Alive and Kicking
“WannaCry, though not nearly as prevalent of a threat as it once was, is still alive and kicking,” says Tessa Mishoe, senior threat analyst at LogicHub. Over the time between its first attacks and now, the ransomware industry has learned from WannaCry’s efforts and the responses to it — whether it be new tactics such as auctioning data and blackmailing customers or new techniques like more complex virtual machine escapes and persistence. “Ransomware’s increase in market share should be a good indicator of how WannaCry launched more intrigue into ransomware,” Mishoe says.
WannaCry surfaced on May 12, 2017, and in a matter of days spread to some 300,000 computers worldwide. Though many have described it as ransomware, one of its main functions was to wipe data clean from infected systems.
Numerous organizations were affected in the outbreak, including FedEx, Nissan, and, perhaps most notably, the United Kingdom’s National Health Service. The US Department of Justice and numerous others have attributed the malware and the attacks to North Korea’s Lazarus Group. Over the years, researchers have estimated damages associated with the malware at more than $1 billion.
The malware spread via a publicly leaked, US National Security Agency (NSA)-developed exploit called EternalBlue that targeted a critical remote code execution vulnerability (MS17-010) in Microsoft’s Server Message Block 1.0 (SMBv1) file-sharing protocol. Once installed on a system, WannaCry quickly spread to other devices running a vulnerable SMB version. Most of these were older Windows systems, such as those running on Windows Vista, Windows 7, and Windows 8.1.
Though Microsoft had issued a patch for the SMB flaw more than a month before WannaCry, millions of computers were unpatched against the problem when the malware hit.
A Continuing Threat
Five years later, attackers are continuing to use the EternalBlue exploit to deploy WannaCry and other malware on enterprise systems.
A recent analysis conducted by Barracuda Networks of attacks over a three-month period shows a staggering 92% of all attacks on SMB port 445 involve attempts to use the EternalBlue exploit.
“There are still machines out there that have never been patched against these sorts of exploits and likely won’t ever be,” says Jonathan Tanner, senior security researcher at Barracuda. “So, it’s not a lot of work on the attackers’ part to try to find and exploit these systems.”
Much of this also is due to continued delays in organizations updating their infrastructures. A survey of 500 IT decision-makers by vendor ExtraHop found 68% of respondents admitting to still running SMBv1, even though newer, more secure versions of the file-sharing protocol have been around for years.
SMBv1 has been deprecated since 2014, notes Jeff Costlow, ExtraHop’s CISO. “I wish it was surprising that 68% of organizations are still running SMBv1, but I see example after example of organizations running outdated, insecure, or unencrypted protocols — either knowingly or unknowingly,” he says. The risk is huge, he adds. “SMBv1 doesn’t need to be installed on every device in the environment to be used to launch a catastrophic attack. It only needs to be on one.”
Brian Donahue, principal information security specialist at Red Canary, says that, for the most part, organizations are less vulnerable to WannaCry now than they were before. Even so, many organizations still have not applied the MS17-010 patch, and their SMB installations remain susceptible to the EternalBlue exploit, he says.
“More generally, enterprise patch-adoption lags behind vendor updates, and organizations will always struggle to keep up to date with new software releases,” he notes.
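As an added example (not code from the article or from any of the vendors quoted in it), the following PowerShell audit lets a defender confirm on a Windows 10 / Server 2016 or later host whether the SMBv1 components the survey above refers to are still present, whether anything is actually using them, and, optionally, disable them. The Get-SmbServerConfiguration, Get-SmbSession and DISM cmdlets are standard; the -Remediate switch and the output object layout are this example's own assumptions.

```powershell
# Added example: audit SMBv1 exposure on the local host and optionally remove it.
# Run from an elevated PowerShell session on Windows 10 / Server 2016 or later.
[CmdletBinding()]
param(
    # Assumed switch for this example: disable SMBv1 instead of only reporting.
    [switch]$Remediate
)

# 1. Server side: will this host still negotiate the SMB1 dialect with clients?
$smbServer = Get-SmbServerConfiguration

# 2. Component side: is the SMB1 optional feature still installed at all?
#    (On Windows Server the equivalent check is: Get-WindowsFeature FS-SMB1)
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# 3. Usage evidence: any live session negotiated at dialect 1.x means some client
#    in the environment still depends on SMB1; find it before pulling the plug.
$legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' }

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Smb1ServerEnabled   = $smbServer.EnableSMB1Protocol
    Smb1FeatureState    = $smb1Feature.State
    LegacySessionCount  = @($legacySessions).Count
    LegacyClients       = @($legacySessions | ForEach-Object { $_.ClientComputerName }) -join ','
}
$report | Format-List

if ($Remediate) {
    # Stop accepting SMB1 connections immediately (no reboot needed for this part).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 binaries entirely; the removal completes on the next reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1 disabled; reboot to complete feature removal.'
} elseif ($smbServer.EnableSMB1Protocol) {
    # Not ready to remove it yet: turn on SMB1 access auditing so each legacy
    # client shows up as event ID 3000 in Microsoft-Windows-SMBServer/Audit.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host 'SMB1 still enabled; auditing turned on to identify remaining SMB1 clients.'
}
```

Run it read-only first across a sample of hosts to build the list of clients that still speak SMB1, then run it with -Remediate once those clients have been upgraded or retired.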
A Dominant and Evolving Threat
Donahue says ransomware was one of the most dominant threats in 2017 and remains a major threat in 2022. Worm-like ransomware threats have transitioned from being an emergent threat to the de facto standard for ransomware campaigns. Even more than that, the adoption of exfiltration techniques to perform double extortion was uncommon in 2017, but it’s extremely common now.
The ransomware industry has evolved in other ways as well since the WannaCry outbreak. Researchers at Bishop Fox who analyzed the threat space recently spotted a trend toward the use of ransomware as a decoy in state-sponsored attacks, cyber warfare, and criminal activity. They noted how WannaCry, NotPetya, and WhisperGate were disk wipers disguised as ransomware that tricked victims into believing they could get their data back if they paid a ransom.
In the same manner, attackers are using ransomware to distract victims from an attacker’s true motives, according to Bishop Fox.
Today’s ransomware attacks are also a lot more tailored and customized compared to WannaCry, which spread indiscriminately in automated fashion, says Trevin Edgeworth, red-team practice director at Bishop Fox. He points to DarkSide, the ransomware that hit Colonial Pipeline, as an example of ransomware that is being largely human-deployed and aimed at specific organizations.
“Whether it is patient information that a healthcare provider maintains, or the continued operation of systems critical to a manufacturing company, today’s attacks are tailored and customized to each targeted organization and what is critical to them,” he says.
In a report this week, Kaspersky said it had identified recent instances of ransomware groups taking sides in geopolitical conflicts — such as that involving Russia’s war in Ukraine. Groups behind the Conti ransomware family, for instance, have allied themselves with Russian interests, while others such as the IT Army of Ukraine are on the opposite side. That alignment could have an impact on targeted organizations.
WannaCry was a wake-up call for many organizations around their patching practices, and it did foster stronger vulnerability management programs. However, many organizations continue to prioritize operating system patching over patching key applications such as Java, Office, and Adobe products that are installed ubiquitously throughout their environment, Edgeworth says.
“Ransomware preparedness starts first with excelling at basic security hygiene, such as secure network architecture, reducing unnecessary attack surfaces, and enforcing least privilege around Active Directory and ‘crown jewels’ systems,” Edgeworth says. “Organizations must have a plan in advance on how to respond to a ransomware attack.”