Two Years In and WannaCry is Still Unmanageable

Ben Seri, VP of Research

TL;DR

  • 103 countries still impacted
  • Over 145,000 devices worldwide are compromised
  • At least 3,500 successful WannaCry attacks per hour, worldwide
  • 22% of Internet service providers (ISPs) have customers impacted by WannaCry
  • 60% of manufacturing organizations and 40% of Healthcare organizations suffered a WannaCry attack in the past six months

Two years ago in May, WannaCry was unleashed upon the world. Contrary to common belief, WannaCry continues to impact devices even today. Armis leveraged its capabilities to track devices and their behavior to reveal new information regarding the current state of the infamous WannaCry malware.

According to our findings, WannaCry is still vastly present in the wild, and is estimated to be active on over 145,000 devices worldwide. In the multitudes of impacted devices, it is important to note that even a single WannaCry infected device can be used by hackers to breach your entire network.

Active WannaCry Heatmap

After analyzing data from the Armis platform, our research team estimates that as many as 60% of organizations in the manufacturing industry and 40% of healthcare delivery organizations (HDOs) experienced at least one WannaCry attack in the last six months. Organizations in these industries generally have a large number of older or unmanaged devices which are difficult to patch due to operational complexities. As it had when it emerged, WannaCry clearly demonstrates the frightening potential which unpatched vulnerabilities have on such devices.

Moreover, new and similar vulnerabilities are still being found. In fact, just last week Microsoft disclosed a new wormable vulnerability like the one used by WannaCry. The prevalence of unmanaged devices running old operating systems in organizational networks is surprisingly high, as shown by the Armis data.

Percentage of old Windows OS versions by industry type (Retail, Technology, Healthcare, Manufacturing)

As seen in the graph above, the healthcare, manufacturing and retail sectors have high rates of old operating systems in their networks. By 2020, Windows 7 will reach its end-of-life and join the many earlier Windows versions that do not receive any security updates (excluding special occasions such as massive ransomware outbreaks). It is not a coincidence that these sectors are also the ones affected the most by ransomware like WannaCry, which relies on unpatched devices for its successful operation.

There are operational reasons to hold on to old and unsupported Windows devices. Manufacturing facilities rely on the HMI (Human-Machine Interface) devices that control the factory’s production lines. HMI devices run on custom-built hardware or use outdated software that hasn’t been adapted to the latest Windows. In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions and cannot be updated without complete remodeling. And in retail environments, the Point-of-Sale devices are the weak link: they are based on custom hardware which is late to receive updates, if at all. The same reasons explain why many of these devices don’t run any endpoint security, which makes them even more likely to be compromised by WannaCry or similar malware.


A reminder: What’s WannaCry all about?

WannaCry is a ransomware cryptoworm which first appeared on May 12, 2017, and infected over 300,000 computers in a matter of days. The ransomware infiltrated Windows computers using the EternalBlue exploit, which was developed by the NSA but leaked publicly a few months prior to the attack. This severe exploit allowed the malware to spread laterally across networks and reach a staggering number of devices.

After WannaCry exploits the EternalBlue vulnerability, it installs a backdoor, dubbed DoublePulsar, through which it deploys its main payload. Once on an infected device, the ransomware attempts to reach a predefined domain, dubbed the ‘kill switch’. If the domain is reached, WannaCry stops its operation. However, if not – WannaCry continues to pursue its malicious goal by encrypting the data on the computer and displaying a demand for ransom to be paid in bitcoin. While Microsoft issued patches for the vulnerability once it was made public, most organizations did not deploy these, leaving affected devices defenseless against WannaCry outbreaks.

WannaCry took a tremendous financial and physical toll on its victims. Businesses and factories were shut down for days and weeks, and some estimates put the cost of WannaCry attacks at over $4 billion, including $325 million in paid out ransom. These severe consequences led to a global effort to stop it, and eventually, the discovery of the kill switch mentioned earlier. Researchers registered the domain names found to be used by the different variants of the WannaCry ransomware which prevented it from spreading further and effectively stopped the initial epidemic in just four days.

Happy ever after? Not quite.

While the revelation of the kill switch was a game changer, it did not completely eradicate WannaCry:

  • WannaCry is still active today, and was reportedly responsible for 30% of all ransomware attacks worldwide in Q3 2018.
  • Devices already infected by the ransomware were not addressed after the discovery, and in fact, continued to spread it to other computers.
  • Devices on which WannaCry did not activate are vulnerable to other attacks, as the ransomware’s backdoor, DoublePulsar, remains wide open.

Many organizations fail to patch their networks, so any new variant of the ransomware, some of which lack a kill switch altogether, can compromise their security in an unstoppable attack.

The dangerous potential of dormant and new WannaCry variants is evident from a series of attacks which took place after the ransomware was subdued. The first example is the attack on TSMC — the world’s largest maker of semiconductors and processors. An outbreak of a new WannaCry variant last August forced the company to shut down some production lines in its facilities, which manufacture chips for Apple’s iPhone, among other things. A second example is an attack which attempted to block a network’s connection to the kill switch domain, in an attempt to allow the ransomware to spread to new devices.

To determine how common WannaCry is today, we employed two approaches:

  1. We used a honeypot infrastructure to lure WannaCry-infected computers into attacking us, allowing us to assess their number, which turned out to be over 145,000 devices. Newer variants of WannaCry don’t necessarily have the built-in kill switch mechanism, and thus they continue to propagate and wreak havoc on compromised devices.
  2. We used DNS cache probing to determine which ISPs still receive DNS queries to the original kill switch used by the two-year-old WannaCry variants. We inspected the cache of over 10,000 DNS servers from over 120 countries, once every 15 minutes for over a week. These servers belong to ISPs which are a representative sample of all DNS servers around the world. As a result, we identified approximately 600,000 DNS queries to 2,648 DNS servers owned by 423 distinct ISPs in 61 countries that had the WannaCry kill switch domains in their cache. This staggering rate of queries translates to roughly one WannaCry attack per second just from the original variants of the ransomware.
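The DNS cache probing used in the second approach rests on one protocol detail: a query sent with the RD (recursion desired) bit cleared is answered only from the resolver’s cache, so a positive answer means some client behind that resolver looked the name up recently, and the returned TTL (which counts down from the authoritative value) hints at how long ago. The following is an added example, not Armis’s measurement code, showing how such a probe is built and how the reply is interpreted; it is equally useful for checking whether your own ISP or corporate resolver has been serving kill switch lookups. The kill switch domain is not given on this page, so `KILL_SWITCH_DOMAIN` is a placeholder, and the two response builders construct replies in the shape a caching resolver returns rather than capturing real traffic.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Placeholder: the real WannaCry kill switch domains are not listed on the page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"


def encode_name(domain: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in domain.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_probe(domain: str, txid: int = 0x1234) -> bytes:
    """Build an A query with flags=0, i.e. RD (recursion desired) cleared.

    With RD=0 a resolver answers from its cache only; it will not go and
    fetch the name on our behalf, so the probe leaves no trace upstream.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes) -> Dict:
    """Parse the header and the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    answers: List[Tuple[int, int, bytes]] = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def is_cached(response: bytes, expected_txid: int = 0x1234) -> bool:
    """True when the non-recursive probe came back with an A record."""
    parsed = parse_response(response)
    if parsed["txid"] != expected_txid or parsed["rcode"] != 0:
        return False
    return any(rtype == 1 for rtype, _, _ in parsed["answers"])


def remaining_ttl(response: bytes) -> int:
    """Smallest TTL among A answers; -1 if the name was not cached."""
    ttls = [ttl for rtype, ttl, _ in parse_response(response)["answers"] if rtype == 1]
    return min(ttls) if ttls else -1


def probe_resolver(resolver_ip: str, domain: str = KILL_SWITCH_DOMAIN, timeout: float = 2.0) -> bytes:
    """Send the probe over UDP/53 to a resolver you are authorised to query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(domain), (resolver_ip, 53))
        return sock.recv(512)


def constructed_cached_response() -> bytes:
    """Constructed reply for a cached name: QR=1, RA=1, RD=0, NOERROR, one A
    record whose TTL has already counted down to 300 seconds."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
    question = encode_name(KILL_SWITCH_DOMAIN) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def constructed_uncached_response() -> bytes:
    """Constructed reply for a name not in the cache: REFUSED, no answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8085, 1, 0, 0, 0)
    return header + encode_name(KILL_SWITCH_DOMAIN) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print("cached:", is_cached(constructed_cached_response()), "ttl:", remaining_ttl(constructed_cached_response()))
    print("cached:", is_cached(constructed_uncached_response()))
```

Some resolvers answer RD=0 queries for uncached names with NOERROR and an empty answer section (or a referral) instead of REFUSED; `is_cached` treats both the same way because it keys on the presence of an A record, not on the response code alone.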

# of WannaCry Attacks per Week Per Country

It is interesting to note that Vietnam comes in second on the list of WannaCry-infected countries, with over 10% of the attacks worldwide. As it turns out, many of the Internet Service Providers in the country block any attempt by the WannaCry ransomware to connect to its kill switch domain, which causes the ransomware to proceed with its full operation and results in the highest prevalence rate.

Wasn’t this patched already?

A common misconception about WannaCry is that the patch issued by Microsoft stopped the ransomware and its associated exploit, EternalBlue, so they are no longer something we need to worry about. However, that’s not the case.

Just as most organizations had not deployed the security patches made available in the months between the EternalBlue exploit leak and the outbreak of WannaCry, a disturbing number of organizations still haven’t deployed the latest security patches. This is especially concerning in light of new vulnerabilities like the one disclosed by Microsoft last week. This too will likely go unpatched by most organizations until an actual threat comes knocking on their doors.

By then, unfortunately, it’s often too late.

While many devices could be updated easily, most are not, which leaves them unprotected. Patching can be difficult and time-consuming, and in some cases, it could even require rebuilding entire systems. But doing so is absolutely necessary. Moreover, many industrial and medical devices rely on outdated operating systems like Windows 2000, XP, and Vista. These systems receive painfully slow upgrades since they are usually part of a customized hardware/software solution tailor-made for a specific industrial or medical use, or require costly downtime for upgrades.

The Unmanaged Device Exposure

As we noted previously, WannaCry affects industrial and medical environments the most, since they often have a large number of unmanaged devices. While some devices are left unmanaged by authorized users who, out of frustration with poor user experience, disable agents or uninstall them from their devices entirely, most of the devices are unmanageable due to one of the following:

  • Unsanctioned, IoT, and other connected devices that can’t host an agent, yet are connected to the network anyway
  • Sanctioned business critical devices that wind up on the networks without the IT or security team’s knowledge
  • Unauthorized devices which do not belong to the company at all, and make their way onto the network under the radar (yes, it does happen).

This phenomenon of unmanageable devices results in a critical blind spot because IT and security teams don’t have visibility into their existence at all.

Enterprises are surrounded by a new generation of devices that can’t host security agents at all, including smart TVs and smart HVAC systems, robotic arms and HMIs on an assembly line, X-ray and MRI machines, and more. And despite efforts to stop ransomware attacks on industrial and medical devices, they are still a fairly common occurrence today.

How does WannaCry put devices at risk today?

The discovery of the WannaCry kill switch crippled the momentum of the attack but did not resolve many of its consequences. Devices already infected with the active strain of the ransomware continued to spread it laterally to other devices. And while these infections do not trigger the encryption process, they still open a backdoor that enables an attacker to gain complete control over the device with minimal effort.

In complex networks, and especially industrial ones, network segmentation is used. This means that parts of the network don’t have Internet access at all, but are routed securely to parts which do. However, malware like WannaCry, which constantly tries to propagate, can eventually traverse the boundaries between the various segments. In addition, such environments typically include devices with outdated operating systems, as we mentioned earlier. The combination of these factors means a straying WannaCry instance could infiltrate even a closed, sensitive network and ravage it, causing tremendous damage to the organization, because from a segment without Internet access it cannot reach the kill switch domain and therefore proceeds to encrypt.

Another concern is the massive noise that even a handful of WannaCry-compromised devices generate for the Security Operations Center (SOC). Compromised devices constantly try to infect other devices in their vicinity, which in turn connect to the kill switch domains each time they are attacked, generating large amounts of traffic. After a while, the SOC, which has higher priorities, becomes numb to the WannaCry incident, but attackers can use the noise to hide below it — simply by using the same techniques and protocols WannaCry uses. For instance, Command and Control communications camouflaged as DoublePulsar traffic would easily be ignored in such an environment.
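Because each device that is hit by the exploit looks up the kill switch domain before deciding whether to encrypt, the resolver’s query log is a direct record of which internal hosts were just attacked, and a SOC can keep that signal useful by alerting once per host per window instead of once per lookup. The following is an added example, not the Armis platform’s detection logic: it parses constructed BIND-style query-log lines (not real captures), reports lookups of a placeholder kill switch domain per source host, and collapses repeated lookups from the same host into a single alert per time window so the noise described above does not drown the finding.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Placeholder set: the real kill switch domains are not listed on the page.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed BIND-style query-log lines; the addresses and timestamps are made up.
SAMPLE_LOG = """\
12-May-2019 10:00:01.100 queries: info: client 10.0.5.17#51234 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2019 10:00:03.400 queries: info: client 10.0.5.17#51235 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2019 10:00:09.800 queries: info: client 10.0.5.42#40001 (intranet.example): query: intranet.example IN A + (10.0.0.53)
12-May-2019 10:20:15.000 queries: info: client 10.0.7.9#33000 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2019 11:30:00.000 queries: info: client 10.0.5.17#51300 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.0.0.53)
"""

# Timestamp, source address and queried name from a BIND 9 query-log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@\S+ )?(?P<src>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_kill_switch_lookups(log_text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, source_ip) for every lookup of a kill switch domain."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line or a format we do not parse
        qname = m.group("qname").rstrip(".").lower()
        if qname in KILL_SWITCH_DOMAINS:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            events.append((ts, m.group("src")))
    return events


def per_host_counts(events: List[Tuple[datetime, str]]) -> Dict[str, int]:
    """How many times each host reached for the kill switch: a rough measure
    of how often it is being hit by an infected neighbour."""
    return dict(Counter(src for _, src in events))


def dedupe_alerts(events: List[Tuple[datetime, str]],
                  window: timedelta = timedelta(hours=1)) -> List[Tuple[datetime, str]]:
    """Emit one alert per host per window.

    The first lookup from a host is the finding (that host was just attacked
    and is almost certainly unpatched); further lookups inside the window add
    no information and only train analysts to ignore the queue.
    """
    last_alert: Dict[str, datetime] = {}
    alerts = []
    for ts, src in sorted(events):
        prev = last_alert.get(src)
        if prev is None or ts - prev >= window:
            alerts.append((ts, src))
            last_alert[src] = ts
    return alerts


if __name__ == "__main__":
    evs = parse_kill_switch_lookups(SAMPLE_LOG)
    print("lookups per host:", per_host_counts(evs))
    for ts, src in dedupe_alerts(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} host {src} reached for the WannaCry kill switch: check SMB patch level")
```

Feeding a real resolver’s log through this means keeping the domain set current for the variants you care about (and a host whose lookups stop after a segment loses Internet access is the case in the previous paragraph, not a host that was cleaned up).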

Perhaps the worst threat to organizations infected by WannaCry is a Denial of Service (DoS) attack blocking the domain names that act as WannaCry’s kill switch. Once these domains are inaccessible to devices compromised by WannaCry, the ransomware’s attempts to spread to other devices are more likely to be successful, allowing it to propagate across the entire network.

As mentioned earlier, this type of DoS attack was actually attempted after one of the kill switch domains was registered. The attackers leveraged the Mirai botnet to try and flood the name-server of the kill switch domain with requests. Luckily, this attempt was not successful, but having a bullet-proof defense against DDoS attacks is almost impossible, and cannot be relied upon as the sole defense for your organization.

So what should you do?

  1. Patch your devices. As clear and obvious as it sounds, all users and organizations need to patch all devices in their possession. However, we continue to see delays in applying patches. In most cases, late patches are due to resources or focus, not to actual difficulty in doing so. You should always remember that in the long term you are better off patching as soon as possible – given the active nature of the WannaCry threat.
  2. Know your devices. As we have seen time and again, without proper control and monitoring of devices and networks, organizations are bound to lose track of both. It is only a matter of time until you forget about a device you’ve left connected somewhere, or a network configuration change which connected it to or disconnected it from internal networks. We see this all too frequently at Armis. This is why you must maintain a continuous asset inventory of all devices, and monitor your network for unknown, suspicious, or misplaced devices connected to it.
  3. Address unmanaged devices. The last important step is to implement solutions capable of monitoring and protecting unmanageable devices, which are extremely vulnerable and prone to attacks, especially those devices you can’t put any agents on. Healthcare and manufacturing environments are rampant with such devices, from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker.

Learn more: WannaCry Two Years Later: How Did We Get the Data?