Now that we’re almost a month past the WannaCry ransomware attack, it seems like a good time to reflect on it and examine some of the bigger-picture takeaways this attack may be signaling. I want to say upfront this is not meant to be a conspiracy theory or doomsday post. But with that said, WannaCry and some of the other more recent attacks show that the ingenuity and resourcefulness of cybercriminals continue to grow. And as far as ransomware goes, the WannaCry attack is the King of the Hill (at least for now); it will be fingered as the harbinger should a larger, more damaging attack be waiting in the wings.
In putting this post together, I wanted to get a little hypothetical and take a look at what would happen if we altered some of the variables of a ransomware attack. How might the scenario shift if we changed some of the motivations behind an attack or took some relatively small evolutionary steps? It’s worthwhile to consider these possibilities because if we’ve learned anything from history, it’s that cybercriminals don’t work in a vacuum; they evolve their attacks based on current defenses and learn from each other, employing techniques that have been proven successful.
Let’s start by looking at the motivation behind a ransomware attack. As the name suggests, ransomware is at its heart an extortion tool. So far, this has typically been about getting money — in most cases Bitcoin — from an individual or organization. In this type of scenario, the attacker is generally incentivized to hold up his side of the bargain and return your files or access once a ransom is paid. After all, if no one got their data back after paying a ransom, then no one would pay in the future, and the scheme would fall apart.
But what if a ransomware attack wasn’t financially motivated? Monetary exchanges — painful though they may be — are relatively straightforward. What would happen if an attacker’s demands were societal or political in nature? This would be a much harder ransom to pay. Think, for example, of the attack on the San Francisco rail system, which demonstrated that infrastructure and other public services are vulnerable to this type of malware. If a group decided to hold a utility or metro system hostage in order to force a change, would we be ready to combat that? Would we know how to?
Next I wanted to take a look at how these attacks are executed. In its simplest form, a user receives an email with either an infected attachment or a link to a site that carries the ransomware payload. Once executed, the user’s system is locked or files are encrypted, and the user is instructed they have a certain timeframe to pay.
We’ve seen two changes to this roadmap recently, though. First, we’ve begun to see ransomware that doesn’t trigger immediately (like Cerber and Locky, which have used scheduled tasks to execute post-infection in order to bypass traditional sandbox detection). One of the most common remediation strategies for ransomware is to have reliable offsite backups — which is certainly sound advice. However, what would happen if the ransomware were to lie dormant on a user’s machine and become part of the backups? You could restore the system to yesterday (or even last week), but end up getting the ransomware along with that restore.
Advanced persistent threats (APTs), in general, represented a shift in mindset; criminals moved from perpetrating attacks in a matter of days to being willing to spend months or even years to reach a target. It’s not out of the realm of possibility that ransomware attacks will evolve and embrace this mindset. Rather than hitting you immediately, we could start to see ransomware that lies dormant for days or weeks (or even longer). This would allow an attacker to slowly infect systems, and potentially trigger these infections all at once.
A second concerning trend was seen in how WannaCry distributed itself. Reports have varied with respect to how patient zero was compromised, but it’s clear that once that system was infected, WannaCry behaved like a worm, searching for other systems vulnerable to the EternalBlue exploit and leveraging it to infect them. This is a concerning departure because, for the most part, the attack showed we weren’t really prepared for this kind of behavior.
Now imagine pairing this up with the potential time bomb mentioned above; you’d end up with a self-replicating attack that could lie dormant, with the possibility of igniting in one, giant, coordinated explosion. Similar to an APT, this approach has the potential to hide in the noise of everyday network traffic and avoid detection. We typically don’t plan for these kinds of catastrophes, but perhaps it’s time to start considering the ramifications; after all, it’s a real possibility that an attacker utilizing this strategy could take out 25%, 50%, or even 75% of a company’s assets at once.
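A defender-side illustration of the "hide in the noise" point above, as an added example that is not part of the original post: a small Python detector that flags hosts contacting an unusually large number of distinct peers on the SMB port (445) inside a long sliding window, which catches slow fan-out that a per-hour threshold would miss. The log format, addresses, window and threshold are constructed assumptions, not values from the post.

```python
"""Low-and-slow SMB fan-out detector over a constructed connection log."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <src> <dst> <dport>".
# 10.0.0.5 touches a new host on 445 every few hours; 10.0.0.9 only uses
# its file server; 10.0.0.7 is web traffic and must be ignored.
SAMPLE_LOG = """\
2017-05-12T00:10:00 10.0.0.9 10.0.0.2 445
2017-05-12T01:00:00 10.0.0.5 10.0.0.20 445
2017-05-12T04:00:00 10.0.0.5 10.0.0.21 445
2017-05-12T07:00:00 10.0.0.5 10.0.0.22 445
2017-05-12T08:30:00 10.0.0.9 10.0.0.2 445
2017-05-12T10:00:00 10.0.0.5 10.0.0.23 445
2017-05-12T13:00:00 10.0.0.5 10.0.0.24 445
2017-05-12T15:00:00 10.0.0.7 10.0.0.30 80
2017-05-12T15:05:00 10.0.0.7 10.0.0.31 80
2017-05-12T16:00:00 10.0.0.5 10.0.0.25 445
2017-05-12T17:00:00 10.0.0.9 10.0.0.2 445
"""

def parse_log(text):
    """Parse the constructed format into sorted (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    records.sort(key=lambda r: r[0])
    return records

def slow_scan_alerts(records, port=445, window=timedelta(hours=24), threshold=5):
    """Return {src: peak distinct destinations} for sources that reached at
    least `threshold` distinct hosts on `port` within any `window`-long span."""
    recent = {}     # src -> deque of (ts, dst) still inside the window
    seen = {}       # src -> Counter of dst for the entries in that deque
    peak = Counter()
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        q = recent.setdefault(src, deque())
        c = seen.setdefault(src, Counter())
        q.append((ts, dst))
        c[dst] += 1
        while ts - q[0][0] > window:      # expire entries older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[src] = max(peak[src], len(c))
    return {src: n for src, n in peak.items() if n >= threshold}

def demo(window_hours=24):
    """Run the detector on the sample log with the given window length."""
    return slow_scan_alerts(parse_log(SAMPLE_LOG), window=timedelta(hours=window_hours))
```

With a 24-hour window the slow scanner 10.0.0.5 is reported with 6 distinct peers, while a 1-hour window sees at most one new peer at a time and reports nothing, which is exactly the blind spot the post describes.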
When you put all of these scenarios together you get some pretty scary possibilities. What if an attacker who was not motivated by money were to unleash a slowly replicating worm that would lie dormant for months, infecting tens of thousands of machines across multiple cities and targeting one or more kinds of infrastructure via a network of compromised IoT devices? What would happen if not one, but all of the hospitals, utilities, or banks in a metropolitan area were hit at once? For the most part, ransomware attacks have been more of an annoyance, but with the WannaCry infections that hit medical and transportation systems, we see the very real impact these cyberattacks can have on critical infrastructure.
With that said, the likelihood of someone combining all of these elements together and evolving the attack this much in one step is essentially unprecedented — though WannaCry certainly did hint at the potential. Only certain groups would have the level of sophistication and coordination necessary to carry out an attack at the level we’re hinting at here. Nonetheless, it is certainly possible, if not probable — and it would fit the common criteria of a black swan cyberattack (i.e., the probability of occurrence is low; the impact if it happened would be high; and, in retrospect, we could explain how it could happen). The reality is that history is littered with these kinds of events, and the past teaches us that once-improbable scenarios eventually do happen.
So how can we prepare for something like this? One positive to the type of attack described above is that time is on our side. If an attacker wanted to keep a ransomware infection concealed within the noise of everyday life, it would need to move slowly. And though, ultimately, many organizations are connected to one another, to make a dispersed but coordinated attack happen, the ransomware would likely have to be distributed via both social engineering channels (phishing emails, infected USBs, smishing messages, etc.) and a worm for it to have the highest chance of success, which would mean that it would have to evade a lot of eyes over time.
This is why employee security awareness training can play a key part in prevention; end users would most certainly be the targets on the social engineering side, and they would be the ones to raise a red flag if something seemed wrong. Better patch management procedures also play a role, because closing off known vulnerabilities would force the ransomware to mutate and leverage other vulnerabilities. Finally, it’s critical that you apply risk management practices, and have a playbook ready if a disaster like this were to strike, which would help you recover faster and help eliminate the possibility of compounding the problem with further mistakes.
Stay tuned for a future post, in which I will discuss some lessons we can learn from agile development that could help increase the speed of patching.
Posted by Kurt Wescoe on 06.06.17