



Is the world ready for the next big ransomware attack?

Mar 04, 2019 | 12 mins

WannaCry and NotPetya brought major companies to their knees and cost billions to remediate. A new report from Lloyd's of London warns that another ransomware attack of the same kind would still be devastating.

The WannaCry and NotPetya ransomware attacks were massive incidents that impacted companies both large and small across large geographic areas. Both propagated quickly and brought massive organizations such as the UK’s National Health Service (NHS) and shipping giant Maersk to a standstill.

While the threat from those two individual attacks has been mostly mitigated, variants of both still continue to propagate in the wild. A new report suggests that another global attack in the same style, if coordinated and executed properly, could cause even more disruption and cost companies hundreds of billions of dollars.

The cost of massive global attacks

WannaCry is estimated to have infected 200,000 computers across 150 countries, spreading through unpatched versions of Microsoft Windows. NotPetya propagated through a compromised update of a popular Ukrainian tax application and affected companies in Ukraine and in other parts of Europe, with Russia accused of orchestrating the attack. Both used the EternalBlue exploit – developed by the NSA and leaked by the Shadow Brokers hacker group – which took advantage of vulnerabilities in the Windows Server Message Block (SMB) protocol.

WannaCry cost the UK’s NHS an estimated £91.5 million [$118 million], according to government calculations; £19 million for the attack itself and another £72.5 million in IT support to remediate and upgrade systems in the wake of the attack. Despite actual profits from the attack barely reaching $100,000, cyber risk modeling firm Cyence estimated the total global cost of the attack could be as high as $4 billion.

NotPetya was also widespread and costly. Shipping company Maersk and logistics company FedEx lost approximately $300 million each. Speech and imaging technology company Nuance says its own losses were around $90 million, while law firm DLA Piper logged 15,000 hours of IT overtime to remediate its impact. Cybereason's study of quarterly earnings and investor statements from affected companies puts the global cost of the NotPetya attacks at around $1.2 billion.

To complicate matters, having cyber insurance might not cover everyone’s losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the “hostile or warlike action in time of peace or war” exemption.

According to the Lloyd's of London report, Bashe attack: Global infection by contagious malware, another global attack in the same vein as WannaCry and NotPetya could affect more than 600,000 businesses worldwide and cost $193 billion in lost revenue and remediation.

How the next WannaCry could cripple organizations across the world

The report aims to show how “the reliance of the global economy on connectivity significantly increases the scope of the damage caused by malware.” In the proposed scenarios, created in conjunction with the Cyber Risk Management (CyRiM) project and Cambridge Centre for Risk Studies (CCRS), a ransomware attack – known as Bashe – enters a network through a malicious email, propagates and encrypts any devices connected to the network, and further spreads itself by automatically forwarding the malicious email to all contacts. In the most severe version of the event, even the backups are erased.

The methodology draws on CCRS’s historical datasets around malware and security incidents, including infection rates, replication rates and damage costs. It predicts it would take six programmers to carry out a malware attack on a global scale within a year and assumes the poorly executed parts of previous large-scale attacks – such as the web-based kill switch within WannaCry or the poor decryption and payment processes of NotPetya – are done properly.

“Corporations regardless of size and sector find themselves in a panic,” reads the report, “as they are no longer able to process hard payments, communicate between sites via email, or run essential programs. Traders, police officers and healthcare professionals alike find themselves forced to revert to pen and paper to complete their daily duties. In 24 hours, the ransomware encrypts the data on nearly 30 million devices worldwide.”

While the proposed ransom would be relatively low at around $700 per infection (or $350 per device to clean up or replace without paying the ransom), the calculated costs include cyber-incident response, damage control and mitigation, business interruption, lost revenue, and reduced productivity, and vary from $85 billion to $193 billion depending on the severity of the attack. The criminal organization that developed Bashe would bring in $1.14 billion to $2.78 billion in extortion revenue.

Healthcare, manufacturing and retail are the three most affected industries in each of the different scenarios, losing between $9 billion and $25 billion per sector. Retail’s reliance on payment systems, healthcare’s abundance of legacy systems and equipment, and manufacturing’s need to constantly be in production were cited as the main reasons for their vulnerability.

The U.S. is the most heavily affected region in terms of costs due to its large number of what the report describes as "premier-sized" companies. Europe is close behind in terms of impact due to its high number of small- to medium-sized enterprises (SMEs), which traditionally have less in the way of security budget and resources.

Is Bashe ransomware a likely scenario?

The report admits a massive attack such as this is "an unlikely, and extreme, yet plausible scenario," but one that has recent precedent. Both WannaCry and NotPetya hit multiple large companies in various markets, propagated quickly, and cost affected companies heavily.

“The Bashe attack scenario described in the report is entirely feasible,” says Dr Simon Wiseman, CTO at Deep Secure. “While there are a number of technical challenges the attacker would have to overcome, the core elements of this campaign are common and achievable for a tech-savvy cybercriminal. It would involve some serious backdoor exploit capability, and the speed and ferocity of lateral spread would likely be determined by whether the target had learned from the WannaCry/NotPetya outbreaks and compartmentalized their systems appropriately.”

Chris Doman, security researcher at AlienVault, agrees that such an attack is possible but unlikely: an email-based worm would have a hard time spreading because email providers would likely be quick to block it, and an attack of this scale would need another high-severity, EternalBlue-style vulnerability to be developed and released into the wild.

While some questioned the overly apocalyptic nature of the attack, all the security researchers CSO contacted agreed such an attack would likely be perpetrated by a nation state actor. The resources required to find such a serious zero-day vulnerability and launch a wide-ranging attack would be considerable, or at least have been developed by a government and then leaked a la EternalBlue. Also, the fact such an attack would be incredibly visible and attention-grabbing would make it more likely to be state-sponsored as criminals generally prefer to operate quietly where possible.

Have organizations learned their ransomware lesson?

While the Bashe attack is hypothetical, it offers an opportunity to highlight that many organizations still haven’t learned their lessons from previous real-world widespread attacks and should be looking to shore up their defenses. “WannaCry was undoubtedly a huge wake-up call for many organizations and businesses. Anybody hit by an attack like this will unquestionably be considering their processes, especially large organizations such as the NHS,” says David Emm, principal security researcher, Kaspersky. “It sometimes takes a lot for companies to improve their security processes, but I’d like to think that an attack like WannaCry was enough for businesses to take action.”

However, companies that were lucky enough not to be affected at the time may incorrectly feel the risk has passed. According to Kaspersky, the original WannaCry ransomware, for which a preventative patch has long been available, hit just under 75,000 users in Q3 2018, almost a third of all ransomware attacks the company saw in that period. Aerospace company Boeing fell victim to a WannaCry attack in March 2018, over a year after the original outbreak. Other ransomware strains, as well as Trojans such as Emotet and TrickBot, also use the same EternalBlue vulnerability that WannaCry exploited and continue to spread in the wild.

“The chance of this Bashe type of scenario playing out in the near future may not be as far-fetched as some believe,” says Ollie Whitehouse, global chief technical officer at NCC Group. “Our own recent research, using a propagation designed to replicate the impact of NotPetya, resulted in hundreds of hosts being infected in a matter of hours.”

Researchers at security consultancy NCC Group rebuilt the NotPetya attack (with the malicious payload replaced by telemetry collection) to help companies test their own susceptibility to a genuine attack. In its first test the rebuilt worm, dubbed EternalGlue, was able to compromise over 100 hosts in 45 minutes and take down the target domain. In live testing within what NCC described as a “100 billion dollar company,” EternalGlue compromised over 200 hosts in 15 minutes, and would have affected the account directory had it been the original NotPetya malware.

Patching continues to be a challenge for organizations; a report from Veracode found more than 85 percent of all applications have at least one vulnerability in them, with the majority of vulnerabilities remaining unpatched a month after discovery and over half still open three months after discovery.

While not a ransomware attack, the Equifax breach shows that the vulnerabilities behind other major incidents remain prevalent within many companies. The breach, labeled “entirely preventable” by the U.S. House Oversight Committee, was enabled by an unpatched vulnerability in the company’s Apache Struts components and saw the company lose the personally identifiable information of 143 million people. Sonatype found over 18,000 businesses are still using the vulnerable version of Apache Struts, including two-thirds of the global Fortune 100 companies.

Even if companies are patching the vulnerabilities that enabled previous attacks, attackers have an increasingly large number of new vectors to exploit. The report notes that IoT and industrial control systems (ICS) would likely experience severe disruption. According to Kaspersky Lab, over 40 percent of the ICS computers it monitors were attacked by malicious software at least once during the first half of 2018, and industrial companies continue to struggle with ICS security despite the sensitive nature of their operations.

“The report briefly touches on SCADA/ICS systems, and that is the most concerning to me,” says Chris Doman, security researcher at AlienVault. “There have been a number of attacks, closely related to NotPetya, that aimed to disrupt the power networks and airports in Ukraine. These could result in loss of life. The silver lining in WannaCry and NotPetya is that it raised cybersecurity on people’s radars and has spawned endless playbooks and response plans.”

How real-world Bashe-like ransomware can be prevented

While Bashe is a what-if experiment, the logic is based on real events that organizations should try to secure themselves against. “Epidemics don’t cease as rapidly as they begin. The consequences of these attacks are unavoidably long-lasting,” says Kaspersky’s Emm. “It’s entirely feasible that such an attack [as Bashe] could cause greater harm, so it’s vital that companies take adequate preventive measures before a cybercriminal acts – rather than focus on recovery. Companies need to audit their systems, carry out a risk assessment, question technology processes and procedures, know where they store data and what they do with data, etc.”

Eytan Segal, head of threat prevention solutions at Check Point, says to prevent something like the Bashe attack, use strong email security to help block the spread of email-based worms, network intrusion prevention systems to provide a layer of virtual patching to protect unpatched systems, and dedicated endpoint ransomware protection technologies.

“A key lesson from WannaCry and NotPetya was the existence of a large shadow internet, linking practically every intranet (local company network) to other networks using VPNs and other site-to-site tunnels, and a testament to the utter lack of any defense-in-depth systems in these networks,” says Ofri Ziv, VP of research at GuardiCore. “The basic techniques that would handle such an attack such as network segmentation, least-trust and separation of control and data networks would all help stop, mitigate and handle such an attack.”

“I’ve never been a fan of fictional ‘doomsday scenario global meltdown’ cybersecurity advice,” adds Paul Ducklin, senior technologist at Sophos, “but the defenses you need against cybercrime in general are great against both today’s real world threat and doomsday thought exercises like Bashe.” Those defenses are:

  • Patch early, patch often: Almost every large-scale network worm attack in history has relied on unpatched security holes that have allowed the crooks to inject malware without human interaction.
  • Filter suspicious email attachments to reduce staff exposure: Make sure you’re filtering outbound content, too. It can give an early warning of a rogue infected computer in your midst.
  • Segregate your networks: Your social media experts don’t need access to your HR database or your legal records at the same time. Your cash registers and ATMs don’t need to be on the same network as your telesales team.
  • Don’t rely only on online backups: The worst-case Bashe scenario seems to rely on having all your backups destroyed instantly and simultaneously during the attack. If that could happen to you, then you are already over-vulnerable to fire, theft, flood and many other not-at-all-impossible real-world woes.
  • Pick proper passwords: Modern cybercrooks aren’t in the hurry that they used to be. If they can log in as an administrator, they generally won’t attack right away. They’ll appoint themselves as sysadmins of your whole network and learn as much as they can before they decide how to squeeze you for money. Make it harder for them to guess or trick their way in.
  • Look at your logs: If you aren’t regularly reviewing your logs to see what they can teach you – who’s in, who’s being kept out, who’s online, who’s not – then you might as well not keep them in the first place.
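Two of the points above, filtering outbound content as an early warning of an infected machine and actually reviewing logs, come down to the same question: is any one host or mailbox suddenly fanning out to far more peers than it normally does? That is exactly what WannaCry and NotPetya looked like on the wire (one workstation opening TCP/445 to dozens of neighbours within seconds) and what the Bashe scenario looks like at the mail gateway (one account forwarding the same attachment to its whole address book). The script below is an added example, not code from the Lloyd's/CyRiM report or from any vendor quoted in this article. The log formats, field order, thresholds and window sizes are assumptions, and every log line in it is constructed; tune all of them to your own telemetry.

```python
"""Worm-style fan-out detection over two kinds of constructed logs.

Added example, not code from the Lloyd's/CyRiM report or from any vendor
quoted in the article. Log formats, field order, thresholds and window
sizes are assumptions; the log lines are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample logs -------------------------------------------------
# Flow log format (assumed): "<ISO time> <src_ip> <dst_ip> <dst_port>"
FLOW_LOG = "\n".join(
    # Normal workstation talking to two file servers over the hour.
    [
        "2019-03-04T09:00:00 10.0.1.15 10.0.5.20 445",
        "2019-03-04T09:00:07 10.0.1.15 10.0.5.21 445",
        "2019-03-04T09:31:12 10.0.1.15 10.0.5.20 445",
    ]
    # Slow host: 6 distinct SMB peers, but 10 minutes apart. Deliberately
    # stays under a 60-second window, to show that the window matters.
    + [f"2019-03-04T09:{10 * i:02d}:00 10.0.1.42 10.0.6.{i} 445" for i in range(6)]
    # Worm-like host: 30 distinct SMB peers in 30 seconds (WannaCry/NotPetya pattern).
    + [f"2019-03-04T09:05:{i:02d} 10.0.1.77 10.0.5.{i} 445" for i in range(1, 31)]
    # Traffic on another port from the same host is ignored by the SMB rule.
    + ["2019-03-04T09:05:03 10.0.1.77 10.0.9.9 443"]
)

# Mail gateway log format (assumed): "<ISO time> <sender> <recipient> <attachment_sha256>"
GOOD_SHA, BAD_SHA = "a" * 64, "b" * 64  # placeholder hashes, constructed
MAIL_LOG = "\n".join(
    [
        f"2019-03-04T10:00:00 alice@example.com carol@example.com {GOOD_SHA}",
        f"2019-03-04T10:00:02 alice@example.com dave@example.com {GOOD_SHA}",
        f"2019-03-04T10:00:30 alice@example.com erin@example.com {'c' * 64}",
    ]
    # Bashe-style self-forwarding: one attachment to the whole address book.
    + [f"2019-03-04T10:02:{i:02d} bob@example.com user{i}@partner.example {BAD_SHA}"
       for i in range(12)]
)


def parse_log(text):
    """Yield (timestamp, fields) for each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, *fields = line.split()
        yield datetime.fromisoformat(ts), fields


def fanout_alerts(events, window, threshold):
    """Generic fan-out rule.

    events: iterable of (timestamp, key, item). For every key, slide a window of
    length `window` over its events in time order and alert the first time the
    window holds >= `threshold` distinct items.
    Returns {key: (distinct_count, window_start, window_end)}.
    """
    by_key = defaultdict(list)
    for ts, key, item in events:
        by_key[key].append((ts, item))
    alerts = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r[0])
        win = deque()
        for ts, item in recs:
            win.append((ts, item))
            while ts - win[0][0] > window:  # evict events older than the window
                win.popleft()
            distinct = {i for _, i in win}
            if len(distinct) >= threshold:
                alerts[key] = (len(distinct), win[0][0], ts)
                break
    return alerts


def smb_fanout_alerts(log_text=FLOW_LOG, window_s=60, threshold=10):
    """Hosts opening TCP/445 to >= threshold distinct peers within window_s seconds."""
    events = ((ts, src, dst) for ts, (src, dst, dport) in parse_log(log_text) if dport == "445")
    return fanout_alerts(events, timedelta(seconds=window_s), threshold)


def mail_fanout_alerts(log_text=MAIL_LOG, window_s=300, threshold=8):
    """(sender, attachment hash) pairs reaching >= threshold distinct recipients within window_s."""
    events = ((ts, (sender, sha), rcpt) for ts, (sender, rcpt, sha) in parse_log(log_text))
    return fanout_alerts(events, timedelta(seconds=window_s), threshold)


if __name__ == "__main__":
    for src, (n, start, end) in smb_fanout_alerts().items():
        print(f"SMB fan-out: {src} reached {n} peers between {start.time()} and {end.time()}")
    for (sender, sha), (n, start, end) in mail_fanout_alerts().items():
        print(f"Mail fan-out: {sender} sent {sha[:12]}... to {n} recipients in {(end - start).seconds}s")
```

The point of the slow host (10.0.1.42) is the edge case: fan-out only means something relative to a time window, and a worm is defined by speed, so the window should be seconds to a few minutes for SMB and minutes for mail, with thresholds set just above what your noisiest legitimate host (a backup server, a vulnerability scanner, a mailing-list relay) actually does, and those hosts allow-listed by name rather than by raising the threshold for everyone.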