WannaCry, OAuth Phishing and the Advent of Opportunistic, Viral Cybercrime

WannaCry, OAuth Phishing and the Advent of Opportunistic, Viral Cybercrime
9 minute read

Facts of the Case: What is WannaCry?

On Friday, May 12th, a strain of ransomware called Wana Decrypt0r, or WannaCry, spread across the globe, infecting hundreds of thousands of organizations (and counting) in 150 countries within a few short days. It is the fastest spreading and most prolific ransomware attack to date.

The attack has been particularly prolific in southeast Asia, which is where it supposedly originated, China, Russia and across Europe, downing NHS systems in the UK and Telcoms in Spain. WannaCry also hit the US to a slightly lesser degree, but still impacted major companies like FedEx.

The malware is initially downloaded as a Trojan, apparently within a PDF download. Once on the victim's machine, the worm spreads among machines on shared networks by exploiting a known Microsoft vulnerability, MS17-010. The NSA initially uncovered the zero-day and it seems as though an NSA authored tool called DoublePULSAR, recently publicly released by Shadow Brokers, is the mechanism for pivoting on internal networks to spread the worm. The malware enumerates active remote desktop sessions and exploits the vulnerability to spread the worm to different users on the network.

In summary, the worm uses an NSA tool to exploit a known Microsoft vulnerability to proliferate itself across networks, impacting even users who haven’t directly downloaded the initial Trojan. As such, entire workforces can be compromised from a single weak link. This is a break from more commonly occurring ransomware strains that do not feature self propagation but instead rely on human intervention to spread.

Like most ransomware, WannaCry encrypts all the files on the victim's machine and displays a popup instructing the user on how to decrypt the files. It demands $300 in bitcoin and includes timers counting down until the price increases (several days) and the files are deleted (one week).

The initial strain of the ransomware was blocked when a 22-year-old security researcher discovered a killswitch in the form of a domain. The worm pings the domain and only executes itself if the domain is unregistered. The researcher registered the domain, thus creating a sinkhole, engaging the killswitch and effectively halting the ransomware’s ability to execute.

Two other versions of the code were soon deployed. One version also contained a killswitch domain, which was quickly registered and sinkholed, and the other version did not have a killswitch, though this strain of the ransomware simply didn’t work. It’s possible other variants without kill switches are in the wild as well, but the jury is still out on how the attack will mature over time.

The challenge with attribution

Several security researchers and companies, notably Neel Mehta at Google and Symantec Security Response, have pointed to similarities between WannaCry and previous Lazarus group attacks, a hacker group with known associations to North Korea. They note similarities between the tools used and even a bit of verbatim code from a previous alleged Lazarus attack.

ZeroFox will caution, as always, that conclusive attribution is nearly impossible. A reused bit of code and similar tools are not sufficient evidence to suggest Lazarus is behind the attack. We have looked through the WannaCry code and do not believe there is sufficient evidence to suggest attribution. It’s likely that the recent tension with North Korea has exacerbated the storyline that DPRK hackers are to blame. It makes for a good story, and there’s some thin evidence, but we wouldn’t put money on it.

Amateur hackers creating professional-grade headache

The circumstantial evidence we do have tells a different story with an alternate conclusion.

There are several oddities in the ransomware that would suggest the actors behind this are new to the hacking game. First is the “killswitch” domain, which inexplicably rendered the entire attack lame with $10.69 and five minutes on Once the domain was sinkholed, the worm wouldn’t activate. Furthermore, the attacker then did some low-level binary patching to create a second version. Two variations were released, one with a different killswitch, which was registered and sinkholed, and another without a killswitch domain, which simply didn’t work.

Moreover, the attackers have only earned a meager $55-70K from the attack. For such a widespread, effective campaign, this is hardly the payout you would expect. The attackers are only asking for $300, which is low even by ransomware standards. It’s unlikely the attackers predicted their campaign would be so successful and viral as it was. Cisco Talos Researcher says of the WannaCry profits, “From a ransom perspective, it’s a catastrophic failure”

Various reports suggest that the decryption keys, if distributed to the victim at all, are manually generated. This implies the attacker launched a half-baked ransomware campaign, did not anticipate the success of the campaign and is struggling to keep up with demand. This is not a good sign from their perspective, as they need to maintain credibility to continue receiving payments. Once reports circulate that this is a slipshod operation that may not decrypt your files in the end anyway, victims will stop paying the ransom. This may help explain why they attackers have netted such a low dollar value so far.

Apparently the bitcoin payment workflow is less than professional, perhaps not even allowing the attackers to see who has and who hasn’t paid. On top of that, the attackers hardcoded four bitcoin addresses, ensuring the rest of the community could track their profits as they were recorded in the blockchain. Relative to other strains of professional ransomware, WannaCry falls far short.

These aren’t the hallmarks of an organized hacking group. These characteristics suggest a semi-technical, amateur hacker who didn’t fully realize the implications of his or her actions when the campaign went live. The attacker took advantage of a recently released NSA tool to launch a highly-scalable, viral attack, despite that it was half baked, laced with obvious kill switches and questionable code. Wired writer Andy Greenberg came to the same conclusions in his excellent piece, The WannaCry Hackers Made Some Real Amateur Mistakes.

A new security paradigm

This type of attack -- opportunistic, viral, automated and potentially launched by any cybercriminal advanced or novice -- is becoming more and more common. While large-scale, programmatic cybercriminal activity isn’t necessarily new, think Mirai or Zeus, WannaCry opens up a new Pandora’s Box of risks. This attack could have been launched by a novice hacker and it rampages indiscriminately around the world, probably far beyond what even the hacker had in mind.

The massive Google OAuth phishing attack that spread via GoogleDoc last week is another excellent example of a low-tech, opportunistic, viral attack. The attack exploded across the internet and contained no payload. ZeroFox reversed the code and it appeared half finished. It was a huge missed opportunity for the attacker to harvest credentials or disseminate an exploit kit. It almost seems like the attack went out early while being debugged, hitting a viral chord well before the authors ever intended to release it.

Viral, opportunistic attacks are a new threat model and security schema that must be addressed by security professionals. This is not the nation state actor or TTP launching targeted attacks with discrete and nefarious motives. This is amatuer cyber criminals tinkering with their code and exploiting opportunities to create viral, self propagating, aimless attacks. The costs, as was proven with WannaCry, can still be vast.

We again return to the nerve wracking “what if” line of thought. What if WannaCry was a slick operations demanding hundreds of thousands of dollars from major institutions worldwide? What if it exploited social media to proliferate at an even grander scale? What if the attacker behind it was more professional and advanced? What if the OAuth phishing attack actually distributed a payload?

The virus analogy it too obvious not to make. Your body is full of self-replicating, albeit benign microorganisms like the OAuth phishing attack. Wait until one of them turns truly virulent and cancerous. We’re standing at that precipice in the security world today, and unfortunately, considering the increasing social connectivity of our world, it’s going to get worse.

Last year the infamous Locky ransomware migrated to social media in a bid for virality that, in retrospect, was a harbinger for the successful automation of the WannaCry campaign. ZeroFox has seen ransomware disseminated through social media time and time again, and similar to the OAuth phishing attack or the malicious Twitter campaign that duped even Twitter CFO Anthony Noto in 2015 (a technique called “spamrunning”), ransomware campaigns can hijack accounts, pretend to be that person or organization, and proliferate itself to followers with an unprecedented rate of success.

Did attackers bite off more than they can chew?

Because the attackers might be lower-tech and relatively inexperienced, they might be as caught of guard by the success of this worm as were the victims. The attack is effectively automated and proliferates itself at scale once launched, and there's a huge disconnect between the encryption, which is automated and scalable, and the decryption, which is manual.

Think about this from the attacker's perspective: your worm went viral in a way you never expected. The encryption is automated and scalable; your decryption is manual and unscalable. You can't keep up with demand, you're losing credibility, and, thus, people aren't going to keep paying. The press is having a field day, and you're the new Ace of Spades in the cybercrime enforcement world.

If this is a relative new hacker, they might be worried that they’re about to delete millions of terabytes of data worldwide on Friday, when many of the ransoms are set to expire, simply because the campaign was half-baked, partially manual, and snowballed out of control. Worst of all, they now a huge target on their back.

What to do if I am infected or worried I’ll be infected?

Most security firms, including ZeroFox, do not recommend paying the ransom. There are mixed reports about whether or not the files are decrypted in the event that a victim decides to pay.

Symantec has reported that there may be ways to recover some files depending on where they are stored.

Otherwise, ZeroFox recommends the following:

  • Update your machine. Microsoft has issued patches for the vulnerability that allows this worm to spread. The more up to date the machine, the lower the risk that it can be affected by known vulnerabilities like MS17-010.
  • Keep back ups. Regular backups on external devices allows you to avoid paying the ransom.
  • Be vigilant online. The best defense starts before you’re infected. Be careful what you click in emails or what you see on social media. If it looks suspicious, appears too-good-to-be-true or is coming from an eyebrow-raising “trusted source,” it’s likely malicious. Remember that attackers can imitate someone you know or breach their email and social accounts to distribute malicious links or attachments from a more authentic source.

WannaCry is a loud and resonant wakeup call. We should be thankful it wasn’t more sophisticated and more damaging. Most importantly, we need to prepare for when it is. There’s no more time to wait.

See ZeroFox in action