WannaCry’s global impact may have captured the headlines, but the way the attack was run is at odds with any serious, covert attempt to actually collect the ransom. Could it be that WannaCry, for all its devastation, was really a proof-of-concept strategy? Or perhaps a diversionary tactic?
Seen in this light, the threat from ransomware can only grow. Previously, we looked at the WannaCry decryption process and the lack of business acumen shown in turning the ransoms into profit. But what if the attack wasn’t designed as a ‘money-maker’ at all?
WannaCry could well have been a live fire exercise instead: the cyber-space equivalent of a missile test. Given the contradiction between the scale of the outbreak and the crudeness of the ransom transaction handling, a plausible motivation is to test this type of converged threat (a self-propagating worm carrying a ransomware payload) rather than to generate huge profits.
The unbalanced scale of attack
As a deliberate ransomware operation, WannaCry’s impact is out of all proportion to the business case. It’s akin to kidnapping someone and then inviting the world to watch the exchange. This suggests either that the attack’s spread got out of the attackers’ control, or that their motivation was closer to a live fire exercise: a practice drill before the real play.
The kill switch built into the code supports this theory:
- The kill switch (the malware stops if it can reach a particular domain) shows intent to be able to halt the outbreak, perhaps once enough profit had been made. Note that it only protects hosts that can actually reach that domain: a machine that cannot resolve it, or that can only get out to the internet through a proxy the malware does not use, carries on encrypting
- The malware also installs a back door alongside the ransom demand, so the attackers could return at any stage; a second phase of attack may yet be launched. A host that made the kill-switch check has already executed the malware and must be treated as compromised, even if nothing on it was encrypted
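To make the two points above concrete, here is an added example (not code from the original article, and not WannaCry’s own code): a Python model of the malware-side kill-switch decision, showing that the switch only fires when the domain is reachable, together with a small triage routine that pulls every host that looked up the kill-switch domain out of DNS resolver logs. The domain name, the log format and the log lines are all constructed placeholders for illustration.

```python
import re
from collections.abc import Callable

# Hypothetical placeholder: the real kill-switch domain is deliberately not used.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"


def kill_switch_says_abort(fetch: Callable[[str], None],
                           domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the malware-side decision.

    The check is simply 'can I fetch the domain?': success means abort, and
    any failure (NXDOMAIN, timeout, proxy-only network) means carry on. The
    failure branch is the important one: the switch is not a guarantee.
    """
    try:
        fetch(domain)
    except OSError:
        return False   # unreachable -> malware proceeds with encryption
    return True        # reachable (e.g. domain sinkholed) -> malware exits


# Three constructed network environments fed to the model above.
def direct_internet_sinkholed(domain: str) -> None:
    """Domain has been registered/sinkholed and is directly reachable."""
    return None


def direct_internet_unregistered(domain: str) -> None:
    """Nobody has registered the domain yet: the DNS lookup fails."""
    raise OSError(f"NXDOMAIN {domain}")


def proxy_only_network(domain: str) -> None:
    """Outbound HTTP only via a proxy the malware ignores: connect fails."""
    raise ConnectionError("connection refused: no direct route to the internet")


# Constructed DNS resolver log lines (not real data). Format per line:
# "<timestamp> <client-ip> <qtype> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.17 A killswitch.example.invalid NOERROR
2017-05-12T10:01:04Z 10.0.5.17 A updates.example.com NOERROR
2017-05-12T10:02:11Z 10.0.9.42 A killswitch.example.invalid NOERROR
2017-05-12T10:02:12Z 10.0.9.42 A killswitch.example.invalid NOERROR
2017-05-12T10:03:40Z 10.0.7.8 A intranet.example.com NOERROR
2017-05-12T10:05:00Z 10.0.3.3 A KILLSWITCH.EXAMPLE.INVALID NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hosts_that_ran_dropper(log_text: str,
                           domain: str = KILL_SWITCH_DOMAIN) -> dict[str, list[str]]:
    """Return {client_ip: [rcode, ...]} for every client that looked up the
    kill-switch domain. Only a host that has already executed the malware
    makes that lookup, so every hit is a compromised host regardless of
    whether the switch then stopped encryption."""
    hits: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # skip malformed lines rather than abort a triage run
        _ts, client, _qtype, qname, rcode = m.groups()
        if qname.rstrip(".").lower() == domain:
            hits.setdefault(client, []).append(rcode)
    return hits


if __name__ == "__main__":
    for env in (direct_internet_sinkholed, direct_internet_unregistered, proxy_only_network):
        print(f"{env.__name__:30s} abort={kill_switch_says_abort(env)}")
    for host, rcodes in hosts_that_ran_dropper(SAMPLE_DNS_LOG).items():
        print(f"compromised host {host}: kill-switch lookups {rcodes}")
```

Every host in the output has executed the malware and needs cleaning up even if the switch fired for it; a host whose lookup returned NXDOMAIN saw the switch fail, so encryption most likely followed there.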
It’s time to clean up your act
Considering the success this attack has had, it should be taken as a sign of things to come. New strains are expected, and you can be sure these will be designed to cash in on the ransom. Worse, they might not have a kill switch at all. Organisations need to address their security gaps before it’s too late, or prepare to pay.
As previously discussed, ransomware is an attack mechanism that’s not going away, and it’s time to get ahead of the curve. Legacy operating systems such as Windows Vista and Windows XP must be replaced. The NHS is a prime example of naivety about end-of-life systems: around 20% of NHS organisations are reported to rely on Windows XP as their primary operating system, and around 90% are thought to run at least something on it somewhere in the organisation. The Met Police also still use Windows XP as their primary operating system.
Basic security hygiene is essential to counter newly found vulnerabilities, and that means patches are applied promptly. Given that the primary distribution mechanism for ransomware is phishing email, employees must be further educated to be wary of emails, especially those containing links or attachments; note, though, that WannaCry itself spread from machine to machine over the network with no user interaction at all, which is exactly why unpatched legacy systems mattered so much. Macros should be disabled unless specifically needed, and lastly, best practice is to keep tested, offline backups so that the attackers have no leverage. If the storm is indeed coming, organisations need to get security smart and make sure they have at least the basics well covered.