WannaCry ransomware: Here are the 10 most puzzling questions raised by the attack

There is a complex chain of actors that resulted in the attack, and there are denials or confusing claims made at each link in that chain.

In mid-May this year, WannaCry ransomware attacks affected computer systems in over a hundred and fifty countries around the world, exposing the risks lingering in unpatched operating systems.

The attack was good business for cyber security companies, with investors rushing to buy their stock. Affected organisations scrambled to secure their systems and used innovative ways to recover losses, including kidnap insurance policies. There are some bizarre aspects to the attack; we have listed ten of the strangest ones.

10. Security researchers noticed odd network activity before the attacks

The actual ransomware attack on an infected machine is the end of a long chain of events. First, the malware scans for computers with exploitable vulnerabilities; it then spreads to them, installs a backdoor, and communicates with command and control servers to load the malicious code that encrypts the data. All of this activity, especially the communication with command and control servers, can be detected before the attack itself.
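One concrete way to catch the "spread" stage before any file is encrypted is to watch for a host fanning out to many different SMB peers. The script below is an added example written for this article, not code from GreyCortex or any other vendor. It assumes a simple flow-record layout (timestamp, source, destination, port), a 60-second window and a threshold of ten distinct peers; the traffic lines are constructed. It works because the EternalBlue exploit WannaCry spread with targets SMB on 445/tcp, so a worm-like fan-out on that port stands out from a workstation talking to its one file server.

```python
"""Flag hosts fanning out to many distinct SMB (445/tcp) peers within a short window.

Added example for this article, not code from GreyCortex or any vendor. The
EternalBlue exploit that WannaCry used to spread targets SMB, so a host that
opens connections to dozens of different 445/tcp destinations in under a minute
is the kind of pre-encryption network activity that can be caught early.
The flow-record layout, the window and the threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = [
    # A workstation talking to its usual file server and a web proxy: benign.
    "2017-05-12T09:58:00 10.0.0.7 10.0.0.50 445",
    "2017-05-12T10:03:20 10.0.0.7 10.0.0.50 445",
    "2017-05-12T10:04:00 10.0.0.7 10.0.0.2 443",
] + [
    # One host reaching twelve different 445/tcp peers in 22 seconds: worm-like fan-out.
    f"2017-05-12T10:00:{2 * i:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(12)
]


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def max_distinct_peers(events, window):
    """Largest number of distinct destinations seen inside any `window`-long span.

    `events` is a time-sorted list of (timestamp, dst). A deque holds the events
    currently inside the window; `live` counts how many of them hit each dst.
    """
    live = defaultdict(int)
    inside = deque()
    best = 0
    for ts, dst in events:
        inside.append((ts, dst))
        live[dst] += 1
        # Drop events that fell out of the window ending at `ts`.
        while ts - inside[0][0] > window:
            old_ts, old_dst = inside.popleft()
            live[old_dst] -= 1
            if live[old_dst] == 0:
                del live[old_dst]
        best = max(best, len(live))
    return best


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak distinct 445/tcp peers} for sources at or above threshold."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak = max_distinct_peers(events, window)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {peak} distinct SMB peers within 60s")
```

On the constructed sample the benign workstation peaks at one peer and is never reported, while 10.0.0.5 is flagged with twelve. In a real deployment the threshold should be tuned against a baseline of how many SMB peers hosts normally touch, and the same sliding-window count can be pointed at any port a worm is known to use.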

Martin Korec, Lead Analyst at GreyCortex says, “detection of WannaCry and other similar ransomware is easy and fast through the use of advanced behavioral methods. In the case of the WannaCry infection, detailed visibility into network traffic is absolutely crucial. From there, it is possible to quickly analyze the extent of the infection, to isolate infected devices, and to keep critical systems running.”

GreyCortex uses a combination of network traffic analysis, artificial intelligence and machine learning to keep enterprises secure from malware attacks. Although the actual attacks showed up in May, the DoublePulsar backdoor had been appearing on systems since April 2017, according to a report by Check Point.

Image: Check Point

09. The National Security Agency of the United States is the source of the exploits

One of the major problems with the whole episode is that the National Security Agency (NSA) of the United States chose to hoard security holes in major operating systems. The right thing to do, in the interest of the security of systems around the world, would have been to inform Microsoft of the security holes so that they could be patched. The NSA has been criticized for such activity.

Microsoft Corp President Brad Smith wrote in a blog post that “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”

Russian President Vladimir Putin also criticized the approach used by the United States and NSA in collecting security holes to develop their own offensive cyber capabilities. “As regards the source of these threats, I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the intelligence services of the US. Once they are let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” Putin said.

The NSA headquarters at Fort Meade in Maryland, US.

08. Microsoft had patched the security hole a month before the exploits were leaked, two months before the attacks

When the Shadow Brokers dumped the tools publicly, Microsoft announced that a number of the vulnerabilities the exploits used to compromise systems had already been patched. The earliest of these patches dated from 2009, while the latest was issued in March, just a month prior to the public release of the tools. “Zero-days” are security holes that have not been disclosed, and the NSA could build the tools because it did not disclose the vulnerabilities in the operating system to Microsoft.

The question here is how Microsoft managed to get hold of the exploits. Did some kind of back channel communication between the NSA and Microsoft take place, so that Microsoft could issue patches before the tools were leaked publicly?

Image: Reuters/Charles Platiau/File Photo

07. The attack used a combination of publicly available tools

There was nothing new in what the attackers who created the ransomware did. Analysis of the code shows that the ransomware was assembled from code copied from other software, and included mistakes typical of amateur software engineers. The manner in which bitcoin was demanded from the victims of the attack was not sophisticated, according to a report by NPR.

It is likely that the attackers partially used “ransomware kits” peddled on the dark web. The exploit used was an NSA tool known as “EternalBlue”, the backdoor to gain access to the system was known as “DoublePulsar”, both of which were sophisticated. However, the actual “ransom” component of the malware was shoddily executed, according to a report in Wired.


06. The ransomware was stopped in its tracks after the most basic steps to understand it

A 22-year-old security researcher and blogger, Marcus Hutchins, was tracking the spread of the ransomware. A standard part of his job was to capture malicious traffic from expired or unregistered domains, gather evidence on the scale of the infection, and take down the malware. All three of these steps were accomplished by simply pointing the traffic generated by the malware at a sinkhole server. It cost him less than $10 to accidentally stop the spread of the malware in its tracks.
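The "gather evidence on the scale of the infection" step is mostly log analysis: once the domain the malware contacts points at a sinkhole, every request the sinkhole receives is an infected host announcing itself. The script below is an added example written for this article, not code from Marcus Hutchins or Kryptos Logic. It assumes the sinkhole's web server writes the common "combined" log format and that the malware fetches the site root ("GET /"); the hostname sinkhole.example, the addresses and the timestamps are constructed placeholders, not the real kill-switch domain or real victims.

```python
"""Turn a sinkhole's request log into an infection census.

Added example for this article, not code from the researcher or from Kryptos
Logic. Once a domain the malware contacts is registered and pointed at a
sinkhole, each request the sinkhole receives is an infected host announcing
itself, which is what makes the scale of the outbreak measurable. Assumptions:
the log is in the common web-server "combined" format, the malware fetches the
site root ("GET /"), and every address, timestamp and the hostname
sinkhole.example are constructed placeholders, not the real kill-switch domain.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sinkhole log for sinkhole.example: four beaconing hosts, one of
# them checking in twice, plus one browser hit from someone looking at the site.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2017:10:01:12 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.11 - - [12/May/2017:10:02:40 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [12/May/2017:10:15:03 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [12/May/2017:11:00:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.8 - - [12/May/2017:11:07:51 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.33 - - [12/May/2017:11:30:00 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
"""


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def census(lines):
    """Summarise which hosts checked in, when each was first seen and hits per hour.

    Only requests for the site root count: that is the beacon shape assumed here,
    while a browser fetching /favicon.ico is a human looking at the sinkhole.
    """
    first_seen = {}
    hits_per_hour = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        if not req.startswith("GET / "):
            continue
        first_seen.setdefault(ip, ts.isoformat())
        hits_per_hour[ts.strftime("%Y-%m-%dT%H")] += 1
    return {
        "distinct_hosts": len(first_seen),
        "first_seen": first_seen,
        "hits_per_hour": dict(hits_per_hour),
    }


if __name__ == "__main__":
    result = census(SAMPLE_LOG.splitlines())
    print(f"{result['distinct_hosts']} distinct hosts reached the sinkhole")
    for hour, n in sorted(result["hits_per_hour"].items()):
        print(f"{hour}:00  {n} beacons")
```

Distinct client addresses give the lower bound on infected machines (hosts behind one NAT gateway collapse into a single address), first-seen times give the spread curve, and the hourly hit count is what a responder would plot to see whether the outbreak is still growing after the sinkhole went live.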

A screenshot of an infected computer.

05. The Shadow Brokers have leaked sophisticated tools, but appear to be amateurs

The cache of tools leaked by the Shadow Brokers is pretty sophisticated. However, the group uses horrible English in its communications. This is a sample of the language they used when the group first introduced a selection of the hacked NSA exploits.

“How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!!”

Even more confusing are their political motives. The group claims to be from the United States, does not appreciate the “elites”, and supports Donald Trump, but has criticized him for a number of decisions and called him a betrayer of the American people. The group could not have done a better job if it wanted to deliberately cloak its intentions and motives.

04. Nobody really knows who the Shadow Brokers are and what motive they had to leak the exploits

Unlike the leaks by Snowden or WikiLeaks, there does not seem to be an obvious political motive behind the leaks by the Shadow Brokers. There is no care taken to mask sensitive information.

According to a report in The Atlantic, the timing of the leaks does not make sense if the leaks were politically or ethically motivated. A whistleblower would not sit on the tools for three years before publicly releasing them. Cybercriminals could stand to benefit more by using the exploits themselves, instead of selling them. The clues point to a state sponsored actor. There are few countries with the capability both to hack the NSA and to publish the tools. According to The Atlantic, those two countries are Russia and China, with the latter the more likely.

In the wake of the WannaCry ransomware attacks, the Shadow Brokers announced a subscription based “Data Dump of the Month” club. “In June, TheShadowBrokers is announcing "TheShadowBrokers Data Dump of the Month" service. TheShadowBrokers is launching a new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

lul, wat?

03. There is speculation of a second, “hidden Snowden”

Another unanswered question leading to a lot of speculation is how the Shadow Brokers got access to the cache of tools developed by the NSA. Taken at face value, the explanation of the Shadow Brokers is that they tracked the servers used by a secretive NSA related threat actor known as the Equation Group, which is known for using a number of hi-tech approaches for spying in countries around the world.

One of the secret servers used by the NSA around the world was apparently hacked by the Shadow Brokers. Other theories suggest that an insider leaked the tools to the cyber criminals: a second, “hidden” Snowden. According to a report in The Daily Beast, there could be a mole in the NSA, or the CIA, or both, providing sensitive information to both the US and Russia.

Another possibility is an NSA employee who illegally collected and stored the tools on private computer systems, which were then subsequently hacked by the Shadow Brokers. An NSA contractor was in fact arrested in Boston, according to a report in The Washington Post. The arrest took place almost as soon as the Shadow Brokers listed some of the tools for auction, and leaked a sample of the tools. However, no direct and obvious connection was made between the contractor and the Shadow Brokers.

Former CIA employee, Edward Snowden, revealed numerous surveillance programs by the NSA.

02. North Korea is suspected to be behind the ransomware attacks

According to security researchers who have analysed the code of the ransomware, there are some similarities with code previously known to be used by Unit 180, a part of the Reconnaissance General Bureau (RGB), the main overseas intelligence agency of North Korea. Unit 180 is believed to be behind the SWIFT banking attack in Bangladesh, as well as the Sony Pictures hack.

The code used in WannaCry is similar to code used by a group known as “Lazarus”, according to a blog post by Symantec. Lazarus is believed to be based in North Korea, but its operatives travel to locations with reliable internet connections to execute attacks, which also makes it possible to deny involvement in them. However, Symantec goes on to note that “Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.”

North Korea has denied that it is linked to the ransomware attack, and has called the allegations, “a dirty and despicable smear campaign.”

Sony downplayed reports that North Korea was behind a brazen attack. Image: AFP

01. The intent appeared to be business disruption rather than collecting the ransom

The ransomware affected telecom operators in Spain, train services in Germany, health services in the United Kingdom and a car manufacturer in France. Schools, factories, and organizations were targeted instead of individuals.

Further, the attack exploited old, unpatched systems. As previously pointed out, the ransomware used a combination of publicly available tools and amateurishly written code. The parts of the malware responsible for ransom and collection of bitcoin were the components with amateur mistakes.

Additionally, the malware did not have the sophistication usually associated with such attacks. The malware did not try to encrypt backup systems, or infect network drives, two approaches typically used by ransomware. All these clues point to the possibility that the actual intention of the attackers was to disrupt regular activity, and not to actually profit from the attack.

Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic, told Reuters that “What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption.”

Countries initially affected by the attack. Image: Wikipedia, based on information sourced from The BBC

Zero Day

There is a complex chain of actors that resulted in the attack, and there are denials or confusing claims made at each link in that chain. The NSA has not admitted that tools it has developed have been stolen. The Shadow Brokers are claiming responsibility, and that they are based in the US. The attackers behind WannaCry do not have a public presence beyond easily traceable Bitcoin wallets. North Korea has denied being associated with the attack.

Security experts warn of more attacks similar to WannaCry. The old, unpatched operating systems are being attacked by other malware, including a cryptocurrency miner known as Adylkuss and another ransomware known as UIWIX. EternalRocks is malware of unknown intent that uses seven of the leaked NSA exploits, where WannaCry used only two.

Recently, a vulnerability similar to the one WannaCry used in Windows was found in Samba, the widely used SMB file-sharing software for Linux systems.

Ransomware attacks emerged as the biggest cyber security threat this year because of the WannaCry attack.
