WannaCry Ransomware: Predicting the future from the past

Guest Author Avatar

Okay, so this article isn’t going to focus much on the WannaCry Ransomware that’s wreaked havoc across the globe. It’ll be more focused on trying to highlight potential cyber-security related events linked to the root of this particular deadly malware, the Equation Group.

So, a little bit of backstory. The first time I ever came across the name Equation Group was some years back when I was doing research for my Master’s degree on malware development and an article was making the rounds about how they had developed a way to exploit the firmware of a hard drive! That exploit truly was a thing of beauty. Of course, they were said to be linked to the United States’ NSA but that link is not exactly what this article is about as well.

Moving on, I ended up keeping an eye out for any discoveries or articles to do with exploits related to the Equation Group. But then 2016 came and the world of infosec got even more exciting. A group known as Shadowbrokers apparently hacked the Equation Group and raided a great deal of their exploits and zero-days. A zero day is basically a vulnerability that is discovered but has not yet been patched. The Shadowbrokers then proceeded to auction the stolen exploits to the highest bidder (offering the Equation Group an opportunity to buy back their stolen exploits) but unfortunately for them, the bidding exercise did not go as they wanted.

Enter 2017 and the Shadowbrokers decided to change tactics. In April 2017, they proceeded to leak a part of the stolen exploits from the Equation Group that included ways to hack into Windows OS systems as well as the SWIFT transaction system particularly for the Middle East. Researchers and penetration testers the world over proceeded to download these exploits and test them to verify their validity and usability.

For me, most of my focus was on the Windows exploits because most of these exploits affected the same OS releases many of my friends use (Windows 7, 8, Server 2012). Multiple text-based and video tutorials were then shared online via Twitter, 4chan, Reddit and other boards and sites by hobbyists as to how to get the exploits to work.

In my opinion, one of the more interesting aspects of the Equation Group’s exploits was that they had actually developed their own exploit framework, FuzzBunch, which effectively worked like Empire and Rapid7’s Metasploit framework to simplify the exploiting process. One of the simpler exploits I got to demonstrate and execute as a proof-of-concept on a Windows virtual Host was one named EternalBlue which exploited the SMB (Server Message Block) vulnerability. An SMB vulnerability is basically a flaw in the file sharing functionality in selected Windows Systems.

Other exploits included EternalRomance, ExplodingCan, EternalSynergy, EternalChampion and DoublePulsar. For those who have read the technical details related to WannaCry, you may have come across articles which highlight that it actually uses the EternalBlue and DoublePulsar exploits to get a foothold in targets before executing the ransomware.

This effectively means that the hackers, who developed the WannaCry ransomware, did not develop the malware from scratch but basically added the Worm functionality to the EternalBlue exploit to enable the ransomware to propagate across a network. In many circles it is then commonly referred to as a Ransomworm.

Fortunately, by some coincidence Microsoft immediately managed to release patches for those vulnerabilities, which are now referred to as MS17-010. The reason I have gone to pains to explain this relationship between WannaCry and the Equation Group is because a number of newer versions of WannaCry are bound to be developed and modified by script kiddies and hackers in order to avoid Intrusion Detection Systems or other network protection mechanisms. We will most likely see more ransomworm attacks or modified versions of the exploits from the Shadowbrokers leak listed earlier.

1It also doesn’t really help our cause either that starting from 1 June 2017, the Shadowbrokers have promised to release more of the stolen exploits in a “wine of the month” subscription model which means advanced exploits will be brought into the wild on a monthly basis.  In all likelihood, these exploits will undergo the same evolution that EternalBlue went through. In other words, ransomworms are here to stay so we should definitely buckle up and ensure our operating systems and applications are constantly patched and updated.

Robert Shoniwa is the head of the information security and assurance department at the Harare Institute of Technology. He holds a Master of Technology degree in Information Security and Cyber Forensics from SRM University in India.

Image: Kaspersky

One response

  1. Tookie

    Nice article. However, Microsoft knew of the vulnerabilities this worm could exploit. They actually released the Update, and Patch in mid February. The patch, KB4012598 was for the unsupported OS’s like XP and Vista. The Update MS17-010 was for the supported OS’s, and hence the Windows 10 machines, if automatic update was switched on, was not in the running to be infected. So, personally, I do not believe it to be a coincidence that a few hours after the world knew there was something wrong, the USA Defense Attorney, a Microsoft Representative and the Press Secretary made an announcement to the world to force install these patches. What actually astounds me, is the number of techs in Zimbabwe who still, even now, have not installed these on their servers etc. And if you are a lover of conspiracy theory, is this not a good way to force the die hards, still using XP, 7, and 8.1 to upgrade to Win10? It was after all, Microsoft who stated they could loose millions to Apple if more Microsoft consumers did not migrate to Win10. And finally, many experts around the world, in late December 2016, before the Vault 7 leaks, stated that 2017 was going to be the “Year of Ransomware”.
    Looks like they were right.