WannaCry has been one of the most widespread malware attacks in recent times. And of course everyone seems to have a view on prevention, detection and response. In the last few days I have read through some really insightful analyses and some hilariously flawed ones. I have seen organizations shutting down production servers, blocking random IP addresses, and disconnecting the internet as preventive measures. All in three days’ time.
However, this attack has left me and my threat intelligence team with more questions than answers. Over the last three days, we reversed hundreds of samples, set up unpatched and patched honeypots, and developed very sharp rules for detection. However, after three days and a significant decline in activity, as we step back and analyze, we realize:
- WannaCry attackers have made only 45.3 BTC, which roughly translates to USD 100,000. A pittance for the scale of the attacks.
- Of the thousands of infected computers, 296 people had paid the attackers at the time of writing this.
- Our malware analysts have captured different samples with 4 differing sinkhole domains. The last two samples contain the following strings:
- LMAO – which seems to be quite intentional – as a joke
- Lazarus – this sample seems to have popped up only after someone mentioned the attribution due to code similarities with Lazarus code. This sample was first discovered only on 16th May IST, past midnight (our honeypots caught it at 2 AM)
Now that we are past the crisis situation, the questions that come to my mind are:
- The kill switch was too obvious – it was almost meant to be discovered. If not then, maybe a little later. Why? Was it a genuine mistake that they did not use randomized unique domains instead of a fixed one? They could generate random IP addresses to infect. Domain generation algorithms are common knowledge. So is this a genuine mistake?
- If the attackers changed the kill switch (at least once, on 15th May) – they could have removed the kill switch altogether. But they did not. Why?
- If more than one group was involved – they did not change the bitcoin address. Don’t they want money in their account? Surprising??
- The attribution of the code by some was to Lazarus (due to similarities to the code of the Bangladesh heist) – well – this entire malware is a patchwork of a number of code bases. NOT surprising. But if it is Lazarus behind the attack – why create a kill switch domain with the string Lazarus? There is no history of Lazarus advertising themselves in such a manner. Or is it a negative clue – a means of mocking the analysts (coupled with LMAO)?
- There are better ways to use the weaponized exploit (e.g. Adylkuzz, which turns your computer into a cryptocurrency miner and uses the same SMB exploit; it also patches the computer to prevent re-exploitation by others). One can make a lot more money – in stealth. In fact, one could do a lot of things – including mining bitcoins, leaking data, stealing secrets, stealing financial data, etc. Why create a campaign such as this, which gives the least financial gain?
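On the kill-switch point above: from the defender's side, a lookup of the kill-switch domain is itself evidence that the worm body executed on a host, and a lookup that did not resolve means the kill switch could not fire on that host. The following is an added example, not code from the original post, in Python: it walks constructed DNS resolver log lines and triages hosts by whether the kill-switch lookup resolved. The domain names and the log format are placeholders; substitute the indicators your own analysts confirmed.

```python
import re
from collections import defaultdict

# Constructed placeholders: the real kill-switch / sinkhole domains are not
# reproduced here; put the indicators your own analysts confirmed in this set.
KILL_SWITCH_DOMAINS = {
    "killswitch-variant1.example",
    "killswitch-variant2.example",
}

# Constructed DNS resolver log lines: "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-15T01:02:03Z 10.0.1.7 killswitch-variant1.example NOERROR
2017-05-15T01:02:04Z 10.0.1.7 www.example.com NOERROR
2017-05-15T01:05:09Z 10.0.2.9 killswitch-variant2.example NXDOMAIN
2017-05-15T01:06:10Z 10.0.3.4 mail.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def analyze_dns_log(log_text, kill_switch_domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"domains": set, "resolved": bool}} for every client
    that queried a kill-switch domain. Any such query means the worm body ran
    on that host; a query that did not resolve means the kill switch could not
    fire there, which makes that host the higher-priority response case."""
    hits = defaultdict(lambda: {"domains": set(), "resolved": True})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, client, qname, rcode = m.groups()
        qname = qname.rstrip(".").lower()
        if qname in kill_switch_domains:
            rec = hits[client]
            rec["domains"].add(qname)
            if rcode != "NOERROR":
                rec["resolved"] = False
    return dict(hits)

def triage(hits):
    """Split hosts into those the kill switch likely stopped and those it did not."""
    stopped = sorted(ip for ip, r in hits.items() if r["resolved"])
    proceeded = sorted(ip for ip, r in hits.items() if not r["resolved"])
    return stopped, proceeded

if __name__ == "__main__":
    stopped, proceeded = triage(analyze_dns_log(SAMPLE_DNS_LOG))
    print("ran worm, kill switch likely fired:", stopped)
    print("ran worm, kill switch unreachable:", proceeded)
```

A successful DNS answer is only the first step of the kill-switch check; a host that resolved the domain but could not complete the outbound HTTP request (for instance behind proxy-only egress) still proceeds, so correlate these hits with proxy or firewall logs before closing them.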
The motive and attribution are really perplexing. Neither does the modus operandi make much sense, nor was a lot of money made.
Were the attackers trying to make a point? I don’t know. There is still a lot to be answered.