With one month of hindsight, and a lot of research, under the industry's belt, analysts are still in the process of building a complete picture of the WannaCry ransomware attack that took the world by storm, but some points are firmed up.
Tom Levasseur, CGI's vulnerability assessment and penetration specialist, gave the attendees at SC Media's RiskSec Toronto 2017 an in-depth look at WannaCry, putting to rest several of the initial rumours that popped up regarding how the ransomware was propagated and which operating systems were at risk.
A few of the points he, along with most industry researchers, are certain of is the EternalBlue and DoublePulsar tools did originate from the National Security Agency, aka the Equation group, the ShadowBrokers are most likely a Russian intelligence organisation. However, nailing down who was behind the attack is still up in the air.
Levasseur's analysis found that unlike the initial thoughts WannaCry was not spread by a phishing campaign, but was a true worm with the cyber-criminals scanning the internet for an open port 445, which was then targeted for attack. He believes several thousand computers were targeted in such a manner at the outset of the attack.
“We had not seen a good internet worm in a long time, Levasseur noted, adding that the first attacks were spotted taking place in Southeast Asia.
Levasseur also pointed out that the reports fingering Windows XP as the primary OS being targeted, it was Windows 7 variants that were hit most frequently.
There are also several remaining mysteries surrounding WannaCry. Even though about $170,000 has been spotted spread across three bitcoin wallets, none has yet been withdrawn. Levasseur speculated that the huge amount of unwanted press the attack gained might have scared off the cyber-criminals, perhaps out of concern that any bitcoin withdrawal could be tracked.
This would fall in line with the general impression the cyber-gang made on most analysts that they were not the sharpest tools in the shed when it came to creating and sending the attack, but with that said Levasseur noted that they still pulled off a massive and somewhat successful attack.
The existence of the kill switch is also still a bit of a head scratcher. Levasseur believes the fact it was part of the process is simply a strong indicator that the code comes from the NSA.
“This could be a standard NSA procedure to control their malware,” he told the crowd.