It’s been one year this week since the ransomware known as WannaCry infected more than 200,000 machines in 150 countries, causing billions of dollars in damages and grinding global business to a halt. The speed and scale of the attack – helped along by leaked National Security Agency hacking tools – was obviously notable, but it’s WannaCry’s legacy that resonates today. The cyber-landscape has fundamentally changed, with threat actors increasing almost exponentially in their capabilities, sophistication and ambition.
“WannaCry changed the cybersecurity game, not just through its outsized impact; it made waves because of its outsized influence on the cyber-threat landscape,” Check Point researchers said in [a blog](<https://blog.checkpoint.com/2018/05/15/one-year-later-wannacry-dawn-new-generation-cyber-attacks/>) breaking down the implications. “Marking a turning point in the cybersecurity environment, we were looking at the first global-scaled, multi-vectored cyberattack powered by state-sponsored tools. WannaCry marked a new generation…of cyberattacks.”
In the year since WannaCry, ransomware has given way to [cryptomining](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) as the go-to payload for cybercriminals. Cryptojacking in fact increased 8,500 percent in the last quarter of 2017, and made up 16 percent of all online attacks, according to Juniper Networks analysis. But ransomware isn’t waning: Numbers from Avast show that since the original attack, there have been more than 176 million attempted new WannaCry attacks globally.
We talked to several security researchers about what’s changed in the past year.
**Arms Race**
So what does “fundamental change” actually mean? For one, the use of nation-state-developed hacking tools has become widespread. WannaCry was the direct result of the Shadow Brokers hacker group stealing and then leaking exploits developed by the NSA. One of them, EternalBlue, [was used in WannaCry](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>), and just six weeks after that, [NotPetya](<https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/>) used the same exploit in its infamous attack. The genie was out of the bottle, and quickly, too.
EternalBlue and additional weapons from the trove have cropped up everywhere since then, in multiple campaigns spreading [banking trojans](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>), other kinds of ransomware and, this year, [cryptomining code](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>). Just recently, the SamSam ransomware attack that [shut down the city of Atlanta](<https://threatpost.com/ransomware-attack-cripples-several-atlanta-city-systems/130739/>) and cost it $5 million in damages and clean-up costs relied on DoublePulsar – another NSA-developed exploit in use now [across the internet](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>).
“In the past, cybercriminals traditionally used simplistic, homegrown tools for their hacking activities,” Check Point researchers noted. “WannaCry marked the shift toward using military-grade weapons, hacking tools that are powerful enough for a national cyber-defense agency to use on international cyber-warfare.”
**Bigger, Multi-Vector Attacks**
As befits the use of industrial-strength tools, WannaCry also demonstrated the potential for severe, large-scale cyber-attacks. Campaigns today go after ever-greater paydays, and the space is attracting well-funded criminal organizations looking to develop lucrative hacking operations. The surge in ransomware illustrates this: Check Point analysis shows that in 2015, ransomware attacks caused $325 million in damage. Last year, attacks were up 15-fold, costing $5 billion in damages.
“Even the most sophisticated of these ransomware attacks emerging today are just the tip of the spear,” Derek Manky, global security strategist at Fortinet’s FortiGuard Labs, told Threatpost. “Cybercriminals are adopting new attack strategies, such as those used by [Hajime](<https://threatpost.com/mirai-and-hajime-locked-into-iot-botnet-battle/125112/>) and Hide-and-Seek, to accelerate both the scale and success of attacks.”
In tandem with this, there has been a sea-change in attack vectors. WannaCry established the concept of the “ransomworm” – code that’s able to spread through cloud networks, remote office servers and network endpoints alike, needing only one entry point in order to infect the entire system.
“This multi-level approach allowed WannaCry to easily overwhelm companies that followed the usual security strategy of picking their favorite product from different vendors for each entry point,” Check Point researchers said.
However, since then, there has been an evolution towards more sophisticated variations of this approach.
“These new variants are transitioning away from traditional ransomworm-based attacks, which require constant communication back to their controller, and replacing them with automated, self-learning strategies, potentially turning malicious ransomworms into ‘ransom-swarms’,” Manky said. “Future attacks are likely to leverage things like swarm intelligence to take humans out of the loop entirely in order to accelerate attacks to digital speeds.”
He added, “Cybercriminals have been using an attack-on-all-fronts strategy that has been especially effective.”
**A Physical Threat**
The stakes are higher than ever before as well: WannaCry demonstrated that cyberattacks can introduce real, physical risks into the equation. It famously hit Britain’s National Health Service (NHS), and attacked a wealth of [medical devices](<https://threatpost.com/patches-pending-for-medical-devices-hit-by-wannacry/125758/>), like medical imaging machines.
“Patients in the U.K. lost valuable medical response time (and it is very likely that one could honestly say WannaCry ended up causing mortal harm to some),” Bob Rudis, chief security data scientist at Rapid7, told Threatpost. Rapid7 research recently determined that WannaCry was still the sixth most-prevalent threat in the first quarter of 2018. “WannaCry and NotPetya both ended up causing hundreds of millions of dollars in damages to medical production lines and other business processes.”
The ability to issue an epic beat-down on connected devices beyond the PC has become part of the new normal thanks to WannaCry – a state of affairs that’s set to worsen. Brian NeSmith, CEO and co-founder at Arctic Wolf Networks, told us that, essentially, every company and every device is a target.
“For industries like healthcare, ransomware puts the lives of people at risk,” he said. “Ransomware is likely to evolve and expand to IoT devices and wreak even more havoc. Today, the focus is on PCs, but tomorrow, everything from machinery, power control systems, industrial sensors and even thermostats will be targets. In the case of machinery, it could impact the safety and well-being of workers, dramatically increasing the stakes beyond just the ransom money.”
**Increased Awareness**
WannaCry’s legacy is not all bad news: the event has also increased cyber-awareness, and that’s never a bad thing.
“The biggest impact WannaCry had (in the UK at least) was to take ransomware from the domain of IT and security professionals to the boardroom, the newsroom and Parliament,” Oscar Arean, technical operations manager at Databarracks, told us. “Particularly in small and medium-sized enterprises, there hasn’t been adequate investment in awareness, and there’s been a lax attitude to the risks of running systems beyond end-of-life. The benefit of WannaCry is that now, when an IT manager at a small business asks for budget for systems upgrades from their CFO and the board – they can point to the example of the NHS to justify the expense.”
Rishi Bhargava, co-founder at Demisto, told Threatpost that the awareness level was particularly raised in healthcare environments.
“WannaCry was unique because this was the first large ransomware attack targeted at the healthcare vertical and affected not only computers, but also many medical devices like MRI machines,” Bhargava said via email. “Overall, WannaCry did not fundamentally change the security tools or the approaches or people’s perception, but it did raise awareness of the best practices in healthcare organizations.”
**As Much as Things Change…**
Despite better awareness, poor security practices (including a lack of simple patch updates) continue to plague companies. Overall, a Check Point survey found that just 3 percent of U.S. organizations are prepared for another WannaCry-like attack.
“Companies need to make sure they are doing the basics,” NeSmith said. “Deploy patches, update antivirus clients and train employees on security best practices. The defense strategy needs to define how a ransomware infection will be contained and how it will be remediated. This will require a smooth process for detection, triage and execution of the remediation plan.”
Patching works, after all. “While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Ken Spinner, vice president of global field engineering at Varonis, told Threatpost. “Plenty of others heard the wake-up call but hit the ‘snooze’ button. Hope is not a strategy to prevent the next major cyberattack from hitting your company, yet some are mistaking good luck for sound preparation and effort.”
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, laid out the basic best practices for us: patch; back up critical data and test your backups regularly; segment the network and grant access to different segments only where there is a business need; do not give admin privileges to all users if not needed; mount remote file systems on a system only if needed; and disable SMBv1 and make sure SMBv2 is not exposed to the internet. SMB, Microsoft’s file-sharing protocol, contains the vulnerability that EternalBlue, EternalRomance and other NSA tools exploit.
“Every board of directors should be asking its CISO about the company’s backup strategy,” Hahad told Threatpost, adding that there are also 2.3 million observable devices left out there with SMBv1 exposed to the internet. “A ransomware attack should be a blip on the radar that wastes people’s time to restore from backups, not a week-long debacle of trying to restore service and deciding whether to pay the ransom or not.”
He added, “The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them.”
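The SMB-related items in Hahad’s list can be checked and enforced on a single Windows host with built-in cmdlets. The script below is an added example, not code from the article or from any of the vendors quoted; it assumes an elevated PowerShell session on a Windows client OS (Windows 8.1/10) where the SMB1Protocol optional feature exists, and the firewall rule name is an assumed value.

```powershell
# Added example (not from the article): audit and harden SMB on one Windows host
# per the best practices above: turn off SMBv1 and keep TCP/445 off the internet-
# facing (Public) profile. Requires an elevated session; uses the built-in
# SmbShare, Dism and NetSecurity modules.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Report the current SMB server dialect settings before changing anything.
$cfg = Get-SmbServerConfiguration
Write-Host ("SMB1 enabled: {0}   SMB2/3 enabled: {1}" -f $cfg.EnableSMB1Protocol, $cfg.EnableSMB2Protocol)

# 2. Disable SMBv1 at the server level (takes effect immediately, no reboot).
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "Disabled SMBv1 server protocol."
}

# 3. Remove the SMB1Protocol optional feature (client and server side) so it
#    cannot silently come back; this part needs a reboot to complete.
#    Assumption: client OS. On Windows Server the feature is FS-SMB1 (Get-WindowsFeature).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature removed; reboot to finish."
}

# 4. Keep SMB off the internet: block inbound TCP/445 on the Public profile
#    unless an equivalent rule is already present. Rule name is an assumed value.
$ruleName = 'Block-Inbound-SMB-Public'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
    Write-Host "Added firewall rule blocking inbound TCP/445 on the Public profile."
}

# 5. Show which local addresses still listen on 445 so the reviewer can confirm
#    that only segment-internal interfaces expose the service.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
```

Hosts that must keep SMBv1 for a legacy device should be isolated into their own segment, as the list above recommends, rather than left exposed.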
Source: Threatpost, “One Year After WannaCry: A Fundamentally Changed Threat Landscape,” by Tara Seals, published 2018-05-17, https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/