dswinhoe
Editor

Experts believe the next WannaCry may go up for sale this summer

Analysis
Jun 15, 2017
13 mins
Security

Three security experts talk WannaCry, the future of ransomware, and what to expect from the Shadow Brokers’ next leak

Ransomware became a billion-dollar industry in 2016. The likes of Locky, Cryptowall, CryptXXX, and Cerber—which infect a network, often via email, then encrypt files or devices before demanding a ransom—each brought in over $50 million last year.

And this trend has only sped up in the last few years. There was a threefold increase in the number of ransomware attacks between 2015 and 2016, according to Kaspersky.

Why? The attacks are easy to create—it’s now fairly simple to find low-quality, customisable ransomware kits on the dark web—require little effort, and offer a high reward. A new study from Citrix found UK businesses, for example, were willing to pay an average of £136,000 ($172,000) to regain access to IP or business-critical data, an increase of more than 360% on the previous year’s study.

WannaCry: Lucky amateurs or nation-state actors?

The WannaCry Ransomware—which uses a Windows kernel zero-day exploit originally found but not publicly revealed by the NSA—gains entry via the network, not the traditional phishing email, and demands $300 in bitcoin payments. Those who have paid have reportedly had their files decrypted, which is not always a guarantee with such attacks.

There were a reported 200,000 victims across 150 countries, including the UK’s National Health Service. The total ransom paid has reached $141,000, but as yet no money has left the account. In an effort to further prevent fresh infections, Microsoft—which had already released patches for the vulnerabilities in question for extended support customers—issued general patches for Windows XP, Windows 8, and Windows Server 2003, systems the company no longer officially supports.

“I think we were very fortunate that there was a delta between when Microsoft patched and when the WannaCrypt attack actually happened,” says Malwarebytes CEO, Marcin Kleczynski. “That delta was about 30 days, had that lag been shorter, or if it was a true zero-day before the actual patch came out, we’d be in different shape I think.”

Despite the disruption, there is a sense that the wider world got away with things. All three agree that while the WannaCry attack itself was fairly basic, the exploit it was based on was sophisticated.

“They didn’t have a good payment channel. They didn’t realise that a sandbox detection routine would accidentally become a kill switch,” says James Lyne, Global Head of Security Research, Sophos.

“[WannaCry] was a really serious bug that could have been used in an even more surreptitious and nasty way. What happens if that bug turns up in one of these [holds up an iPhone] devices?”

But who was behind the attack? No one is sure. Some argue established cybercrime gangs are responsible, others point to a state-sponsored attack from the likes of North Korea, others suggest amateurs who got lucky on the first try.

“I firmly believe that this was a randomised attack,” says Kleczynski. “This was not North Korea, the Lazarus Group, this was not China, this was not Russia.”

He asserts it was likely “two guys our age [Poland-born Kleczynski is 27 years old] coding something together in a basement. It was amateurish, it had a kill switch and it had the encryption keys still stored in memory, which are two rookie mistakes.”

While Lyne is equally assured that the attack was amateurish in execution, he refuses to bet on the culprits. “I’ve seen theories that it was a botched early release, where they were optimising and improving and accidentally released it. I’ve seen theories that it was a nation-state that don’t know how to cybercrime. I’ve seen all of these different theories including that they did it on purpose. Could be, we’ll probably never know.”

Ransomware: What is the future?

Although it hit the mainstream worldwide headlines in a way that ransomware has never done previously, WannaCry was pretty average in its abilities. While the scope of the attack could have been much worse, even for those who were affected, decryption tools were quickly released to the public. But relying on mistakes by criminals is a poor prevention strategy.

“A lot of people have grown used to decryption tools being available [and] that someone will come along and find a way to scrape the (decryption) keys out of memory, like happened with WannaCry,” says Lyne. “But from a technical implementation perspective that’s far from a guarantee, and I think we’ll start to see cyber criminals start to perfect their game.”

The likes of Locky, Cerber, and CryptoLocker are all more sophisticated and potentially harmful, yet never made it out of the tech press, and the capability of such attacks only ever grows. “Ransomware has been the great love of cyber criminals, we’ve seen that it can hit headlines. But that ransomware is actually very average, they’re often successful in spite of themselves. There’s a lot of ransomware with terrible crypto, embedded passwords, really bad payment channels, half-arsed social engineering.”

He warns that the trend is one of greater numbers, of continuous improvement, and, with the rise of ransomware as a service, a homogenisation of technical capability. “The ransomware as a service model means we’re at the beginning of a wave of more capable ransomware: You download it, change the password, change the look and feel, put in custom dollar values, change the payment channel, hit build. You’ve got your own piece of ransomware.”

Shadow Brokers: Could it be right next time too?

WannaCry was based on an exploit leaked by a group known as the Shadow Brokers. The group appeared towards the latter end of last year, promising that they had exploits to sell, stolen from the NSA. However, their offering generated little attention, and even less profit. The group released a set of exploits in April for free, but even then what was revealed was reported to be of little concern by security experts.

“It represented an obvious failure in their go-to market model,” says Rik Ferguson, VP of security research at Trend Micro. “They hadn’t considered that if they were selling something completely invisible that nobody had been able to verify, that nobody would be willing to part with their money to get it.”

After WannaCry hit, however, and their credibility was verified in the most public way possible, the world stood up and took notice. The Shadow Brokers resurfaced, promising more leaks over the summer, to be released through an online subscription model which would cost 100 Zcash (an alternative cryptocurrency to bitcoin equal to around $30,000 at the time of writing).

“They were apparently telling the truth from day one, but were not very credible at the time. Now, having proof that they do have stuff for sale, apparently, they get to sell it as many times as they want if they go to that subscription model.”

So, what could the group have? All three experts agree it could be nothing, but all three also say it could be potentially massive: The Shadow Brokers managed to access at least one state-level exploit, and where one existed there could well have been more in that same repository.

“Every other country that has offensive cyber security capabilities, they probably have a lot of these,” says Kleczynski. “There’s probably some overlap, but one can assume if this one got released, how many more can they [Shadow Brokers] be sitting on.”

Ferguson agrees: “It wouldn’t surprise me at all if there is more extremely harmful stuff waiting to be shared. We know the kinds of vulnerabilities nation states trade in – whether they researched, or bought them from vulnerability and exploit vendors – they’re interested in expensive, top-level, ones that remain zero-day.”

“However, just because someone has discovered a vulnerability, doesn’t mean somebody else isn’t going to or already has discovered the exact same one. So the fact Shadow Brokers or NSA or whoever know about vulnerabilities X,Y, and Z, doesn’t mean they can’t be or haven’t already been discovered by Microsoft, Trend Micro, whoever.”

Sophos’ Lyne goes further, warning that we could see something major, such as a complete bricking of a certain version of Android or iPhone. “Could that be what happens with the Shadow Brokers group in the coming weeks? They found and released a kernel-level exploit that had been there since the dark ages of Windows kernel. Is it implausible that they’re sitting on something that smashes hundreds of thousands of these [iPhone] devices? No, it could happen.”

None of the three say whether their companies would be subscribing to the service, but it would be hard to imagine at least a few companies—security and otherwise—not signing up, if nothing else to see whether their systems have been compromised. “You better believe for at least the first couple of months, many companies are going to sign up,” says Malwarebytes’ Kleczynski.

The moral question remains, however: should companies sign up to the service?

“It’s an interesting argument,” muses Ferguson. “I absolutely can see the reason why every major security company would want that data, and nominally the only way to get it is to subscribe. But, in doing so, you are funding cybercrime and rewarding criminal activity.

“However, the other counterpoint when it comes to that moral consideration is you might be funding it in the short-term, but [only] in order that anybody else who funds it will not benefit from it because you’ve closed down those vulnerabilities. However, third point, there’s no guarantee that the stuff you’d get on your subscription will be the same as the stuff that someone else would get on their subscription.”

NSA: At fault, one way or another?

While one can argue all day about whether intelligence agencies should find, develop, or buy high-impact zero-day vulnerabilities—such as the Windows exploit used as the base for WannaCry—even the die-hards have a hard time defending the fact the NSA lost them. Microsoft’s Chief Legal Officer Brad Smith likened the loss to “the US military having some of its Tomahawk missiles stolen.”

There is meant to be a whole process, the Vulnerabilities Equities Process (VEP), designed to manage the trade-off of the value of exploits vs the harm if they’re unveiled (or lost).

“There are tough questions being asked now in industry and government, about that process,” says Sophos’ Lyne. “Because it’s supposed to regulate and prevent scenarios like this, and it didn’t. In this case, a thermonuclear warhead has been lost, picked up by criminals, and used by a ransomware gang.”

Before WannaCry hit, there was a draft bill proposed in the US to make the VEP more transparent and accountable, but what comes next?

“That process needs to be reviewed, it needs to be scrutinised. And there’s a harsh lesson there, even when patches are available, there is a lag time, a substantial one, to mitigate that in the real world,” adds Lyne. “Governments have to realise that this lag exists if they’re going to develop these kinds of weapons, and you can’t go losing nuclear bombs.”

Bitcoins: Should companies stockpile them?

The rise of cryptocurrencies such as bitcoin is partly behind the increase in ransomware: its relative anonymity makes being caught less likely, because even if you can trace the route of the payment, working out who is behind the bitcoin wallet that’s being paid into is almost impossible.

Another attractive proposition of bitcoins is the interest it’s been accruing of late. The price per coin against the dollar recently hit a record high of $3,000, up a staggering $2,100 from the start of the year.

“The price has surged in the last couple of weeks, and you better believe ransomware has something to do with how quickly that’s gone up,” says Malwarebytes’ Kleczynski.

But with the surging price, the growth of ransomware, and the general difficulty of procuring them, should companies have bitcoins on hand as a backup strategy just to be safe?

“I thought that was a rumour,” says Kleczynski. “But at a CISO event I asked the question: Do you hold bitcoin that’s ready to deploy? Every single one of them raised their hands, and it’s substantial amounts. This is actually happening. They have bitcoin wallets ready to go.”

The FBI and most cyber experts advise that companies shouldn’t pay the ransom. Much like with the rest of the technology landscape, however, best practice and reality don’t always match up. Even the FBI has occasionally advised companies to pay up if the ransomware is too good.

“We’ve seen many instances where it’s just easier to decrypt the files on disk than to try to redeploy a backup,” says Kleczynski.

“I don’t get the stigma around paying the ransom. I wouldn’t, but I don’t get the stigma. Let’s put some humanity into this: you’re a student who has no backups, you’ve been working on your PhD, your thesis, for two years, and that’s your only option. The FBI says don’t. What do you do?”

The previously mentioned Citrix study found that 42% of UK companies apparently have a stockpile of digital currencies, averaging 23 bitcoins (valued at around $69,000). A third of those companies hoarding have more than 30 bitcoins (valued at around $90,000) in hand. Interestingly, the study also suggested companies with between 250 and 500 employees were more likely to have a cryptocurrency stash than larger ones with 1,000+ employees, possibly because larger companies are more likely to have backups and security in place which make ransomware less effective. Lyne, however, is wary of such planning.

“I’m not saying maybe it’s not a good idea for a big business to have that option, given some ransomware has an unlock timer that starts deleting files very quickly. But banking on it as your strategy I think is terrible advice. You’re trusting cyber criminals to be honest. Granted, a lot of ransomware campaigns are incentivised, but they don’t all do that. And some of them come back and extort you for more because they know you pay.”

The other issue, he argues, is the fact there’s a lot of ransomware out in the wild that you simply can’t undo: the payment channels have fallen over, or they feature email addresses you can no longer contact, the bitcoin wallets are no longer in the control of cyber criminals, or they just abandoned it because they felt the heat of law enforcement. “There’s ransomware out there that’s inadvertently moved onto shredware or destructionware, and you can’t depend on being able to pay and get your data back.”

Ultimately, it’s hard to fault hoarding bitcoins as a final reserve strategy, but investing your money correctly in the first place makes more sense. “You need to invest in prevention, having a business continuity strategy, doing the right things in the first place, or you will regret it.”