As the WannaCry ransomware saga rumbles on, we’ve seen the significant impact it has had on organisations all over the world. But has this attack, which targeted older versions of the Microsoft Windows operating system, bitten off more than it can chew?
We know that the malware has spread exponentially through worm-borne ransomware, but lacks scale in decryption and sophistication in ransom payment collections. Simply put, the attacker’s clever use of code has generated vast scale for infections, but they have shown poor business acumen for turning ransoms into profit.
Worming into uncharted territory
WannaCry is propagated through a worm that laterally spreads ransomware to other PCs within the infected network. It’s the first time we’ve seen this confluence of a single ‘worm-malware-ransomware’ exploit – typically ransomware is delivered covertly and landed through phishing emails, but this demands a high level of operational cost for the attacker. Using a worm-based delivery mechanism cuts out the middle-man and creates, on the face of it, a more efficient business model for profiting from ransoms.
With WannaCry however, whilst the technical invention breaks new ground, the transactional components for securing the cash aren’t well thought through.
Taking aim at an accidental target
WannaCry’s decryption is a manual process, which means someone physically has to provide the decryption key for literally hundreds of thousands of ransoms (assuming anyone pays up, of course). This makes it fundamentally at odds with the scalability of the worm-based propagation. Further, the ransom payments are required in Bitcoin, the most visible and the most traceable of all the cryptocurrency platforms, and in this case designed around a few, not well hidden, wallets collecting payments. With the trail of global devastation WannaCry has blazed, all eyes are on those Bitcoin wallets, and payday may never be a possibility for the attackers.
So what’s the motivation behind WannaCry? We propose the attackers didn’t expect this exploit to spread as quickly as it did. Almost certainly intended to generate cash, with a built-in kill switch, we believe this ransomware exploit is a case of runaway infection success that has carpet-bombed its ability to deliver paid-up ransoms in the process.
Here’s a breakdown of our rationale:
- The malware is targeted at unpatched versions of Windows 7 to 10 operating systems – commonly in use in home computing environments. Most businesses have patching programs in place.
- Full patches for Windows 7 – 10 were released in March, but critically no patches were available for Windows XP and Windows Server 2003.
- The malware also impacts Windows XP which is already end-of-life and unsupported; not commonly used in corporate business. We suspect this caught the attackers by surprise.
- The inclusion of the kill switch code suggests a planned requirement for the attackers to ‘switch off’ the attack.
- The kill switch code makes no provision for a proxy server – typically proxy servers are only used by corporate networks.
- The manual process for decryption cannot operate at scale.
- Using Bitcoin and a limited number of Bitcoin wallets makes transactions visible and traceable.
- The scale of disruption is disproportionate to the return the attackers can effectively monetize.
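An added illustration of the proxy point above, not code from the original post: in a network where all web traffic should leave via the corporate proxy, a client that attempts a direct connection to port 80 (as a kill switch check that ignores proxy settings would) shows up in firewall logs as denied direct egress. The log lines, the proxy address and the kill switch domain name below are constructed placeholders, not values from the page.

```python
import re
from collections import defaultdict

# Constructed firewall log sample (not real data). Format:
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip>:<port> host=<name>
SAMPLE_LOGS = """\
2017-05-12T10:01:03 ALLOW src=10.0.5.21 dst=10.0.0.8:3128 host=proxy.corp.example
2017-05-12T10:01:04 DENY src=10.0.5.21 dst=203.0.113.7:80 host=killswitch-placeholder.example
2017-05-12T10:01:05 ALLOW src=10.0.5.22 dst=10.0.0.8:3128 host=proxy.corp.example
2017-05-12T10:01:09 DENY src=10.0.5.21 dst=203.0.113.7:80 host=killswitch-placeholder.example
2017-05-12T10:02:11 DENY src=10.0.5.40 dst=198.51.100.9:443 host=updates.example
"""

PROXY_ENDPOINTS = {("10.0.0.8", 3128)}  # assumed corporate proxy address:port
WEB_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>[^:]+):(?P<port>\d+) host=(?P<host>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def direct_egress_attempts(log_text):
    """Return {src_ip: [(dst, port, host), ...]} for web connections that bypassed the proxy."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["dst"], rec["port"]) in PROXY_ENDPOINTS:
            continue  # went via the sanctioned proxy: expected behaviour
        if rec["port"] in WEB_PORTS:
            hits[rec["src"]].append((rec["dst"], rec["port"], rec["host"]))
    return dict(hits)

def repeated_offenders(log_text, threshold=2):
    """Hosts with at least `threshold` direct web attempts: a client retrying a
    proxy-unaware HTTP check is the pattern worth triaging in a proxy-only network."""
    return sorted(src for src, h in direct_egress_attempts(log_text).items() if len(h) >= threshold)

if __name__ == "__main__":
    print("triage:", repeated_offenders(SAMPLE_LOGS))
```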
Combined, these points suggest the attack was intended to compromise individual home computing Windows users where patching is less likely to be in place. Corporate organisations, such as the NHS, are collateral targets impacted through use of older operating systems across their IT estate. Essentially, despite running older systems, any ransomware infection could be prevented through basic security hygiene and up-to-date frontline security.
For the attackers, WannaCry is a technical success; they have proved their concept for the worm delivery channel. With the enormous publicity and scale of infection achieved, however, they will rue the day they failed to convert this opportunity into cold, hard, real-world currency.