Unwrapping the Mystery: Did a Big, Slimy Internet Worm Make Hundreds of Organizations WannaCry?
Two weeks into the WannaCry aftermath, response teams are getting back to normal,
organizations are re-evaluating their infrastructures, and even the bitcoin
payments the fraudsters were collecting have almost stopped trickling in.
It’s time now to look into the data to find clues about what made WannaCry spread so
rapidly and with such a wide scope. Is the mystery nothing more than a big
slimy internet worm? So far, that’s what IBM X-Force data shows.
Where’s That Smoking Gun?
According to data from IBM X-Force, which includes spam monitoring, managed clients and
incident response data, we have been observing the rapid spread of the WannaCry
ransomware outbreak. Within 48 hours, the malware had infected hundreds of
thousands of endpoints across the globe. More than 150 countries were affected,
and there was no end in sight. Only the accidental discovery of a kill switch
managed to slow down the havoc, which was spreading like wildfire.
But at the end of the day, WannaCry is nothing more than ransomware. Although it does
have devastating effects, it is not considered sophisticated, and it is
typically operated by groups that just want a little money. Yet something made
it become the biggest ransomware attack of all time.
The fact is, ransomware campaigns, as large as they may be, usually only infect one
person at a time. On corporate networks, shared drives or mapped cloud drives
can also get encrypted, but normally the spread is limited to the infected
endpoints or to that one company. Whether it comes via malware-laden email
attachments or through stealthy exploit kits that drop the malware without a
sign, a campaign’s overall reach remains limited and takes a lot more time than
WannaCry did.
IBM X-Force scanned over 1 billion spam emails in search of WannaCry payloads and
found none. To date, not one security vendor has managed to locate a spam email
carrying this particular payload. Combining these factors, the answer to the
smoking gun question might be as simple as it is old: It was nothing more than
a computer worm. Without its worm replication, WannaCry would have never been
able to spread the way it did.
Read the rest of this post here.