They’re still out there, pinging away for vulnerable Sever Message Block (SMB) services in order to find a way in. One year after the historic and massive WannaCry ransomware attack unleashed by nation-state hackers from North Korea, an unknown number of WannaCry-infected Windows machines in their zombie state around the globe continue to attack other devices.
WannaCry marked the biggest ransomware attack ever, but it wasn’t the first widespread worm infection, and experts say it won’t be the last. Symantec blocked some 5.4 billion WannaCry attack attempts last year overall.
Security experts say another worm-spreading mass attack akin to WannaCry is inevitable. It may not be a ransomware attack, but it likely will be another SMB-type worm that exploits the fact that so many organizations leave Windows machines unattended and with open ports to the Internet—and unpatched for the newest flaws.
A “WannaCry 2.0”-type attack could be more of a data-wiping campaign akin to NotPetya, which posed as a ransomware attack but in reality was destroying the data it locked down rather than locking it up for ransom. Or it could be a widespread cryptojacking campaign that could more easily net attackers more profit and a lower-profile, less-noticeable attack method than ransomware.
Worms tend to wreak havoc quickly and loudly, so it depends on the attacker’s intent. “If you want to be destructive,” a worm is a quick way to spread pain, like the data-wiping NotPetya worm did, notes Chris Wysopal, CTO and co-founder of Veracode. He doesn’t believe WannaCry was meant to spread as widely as it did because its high visibility led to its demise as a not-so-profitable ransomware attack.
“If you don’t go wormable, you’re not going to get noticed for months,” Wysopal says.
The thing about worms, though, is that they never really die. Security firms and researchers today still see remnants of the epic 2003 SQLSlammer worm attack, and even the mysterious Conficker worm from early 2009. “Any time you have one of these worms [out], they are never going to go away,” says Craig Williams, senior threat researcher and global outreach manager for Cisco Talos.
Keeping the worm alive are older and forgotten machines that don’t get the security patch. “You’re always going to have some number of machines connected to the network that are going to be patched and they ping packets around for all time,” Williams says.
WannaCry’s abuse of the EternalBlue exploit basically let the cat out of the bag, and other worms continue to employ it, Williams says. The good news, though, is that WannaCry itself is at least declining in infections. “We’re confident that it’s decreasing, but we don’t see it going away.”
Large organizations for the most part have updated their Windows machines and revisited their SMB policies, but smaller and midsized companies in healthcare, education, and other industries most likely remain at risk. Check Point’s incident response team sees four to five cases of ransomware attacks per week, mostly in the networks of small- to midsized organizations.
The next big worm attack is not likely to resemble a mass ransomware attack like WannaCry. While WannaCry was a relative financial failure for North Korea, it did wreak havoc and chaos.
Ransomware in the wake of WannaCry has become more targeted, while cryptojacking attacks have surged practically overnight.
WannaCry 2.0 could be a stealthy cryptojacking campaign that only mines during off-hours when businesses are closed, for example.