Unwrapping the Mystery: Did a Big, Slimy Internet Worm Make Hundreds of Organizations WannaCry?

Two weeks into the WannaCry aftermath, response teams are getting back to normal, organizations are re-evaluating their infrastructures, and even the bitcoin payments the fraudsters were collecting have almost stopped trickling in.

It’s time now to look into the data to find clues about what made WannaCry spread so rapidly and with such a wide scope. Is the mystery nothing more than a big slimy internet worm? So far, that’s what IBM X-Force data shows.

Where’s That Smoking Gun?


Data from IBM X-Force, which includes spam monitoring, managed clients and incident response data, shows how rapidly the WannaCry ransomware outbreak spread. Within 48 hours, the malware had infected hundreds of thousands of endpoints across the globe. More than 150 countries were affected, and there was no end in sight. Only the accidental discovery of a kill switch managed to slow down the havoc, which was spreading like wildfire.

But at the end of the day, WannaCry is nothing more than ransomware. Although it does have devastating effects, it is not considered sophisticated, and it is typically operated by groups that just want a little money. Yet something made it the biggest ransomware attack of all time.


The fact is, ransomware campaigns, as large as they may be, usually only infect one person at a time. On corporate networks, shared drives or mapped cloud drives can also get encrypted, but normally the spread is limited to the infected endpoints or to that one company. Whether the malware comes via malware-laden email attachments or through stealthy exploit kits that drop it without a sign, a campaign’s overall reach remains limited, and it takes a lot more time to spread than WannaCry did.


IBM X-Force scanned over 1 billion spam emails in search of WannaCry payloads and found none. To date, not one security vendor has managed to locate a spam email carrying this particular payload. Combining these factors, the answer to the smoking gun question might be as simple as it is old: It was nothing more than a computer worm. Without its worm replication, WannaCry would have never been able to spread the way it did.
