Exactly three years ago, a scourge known as WannaCry ransomware began its global spread. For Avast researchers, May 12, 2017 started like a typical Friday until Avast Antivirus blocked 2,000 users from ransomware attacks at 8am. Within the next hour, another 6,000 Avast users were blocked from the same kind of ransomware. The hour after that saw another 10,000. Avast users were safe from the WannaCry attack, as were those running an updated version of Windows, but many people around the globe suffered damage that day. By the time Saturday morning dawned, WannaCry had infected over 230,000 Windows PCs across 150 countries, causing an estimated $4 billion in losses.
WannaCry wreaked massive havoc like a cyberweapon, and there’s a reason for that – because it was actually developed as a cyberweapon! At least, the EternalBlue exploit was. The U.S. National Security Agency (NSA) created it, and a hacking group called Shadow Brokers leaked it to the world. WannaCry developers worked the EternalBlue attack into their ransomware, and a menace was born. Microsoft had actually released a patch that fixed the flaw two months before WannaCry struck, so users who had updated or who were protected by any antivirus were safe. All others were not.
Because it was programmed to be an unstoppable worm, the malware spread like wildfire, initially targeting victims in Russia and Asia, but soon spreading around the world. It encrypted files and demanded $300 in bitcoin within 3 days, threatening that the files would be deleted otherwise. Some people paid and some people didn’t, but it’s unclear if anyone got their files restored. For the most part, security experts view WannaCry as a file destroyer.
“Technically, we classify WannaCry more like a wiper,” said Jakub Kroustek, an Avast researcher who was on the front lines during the attack and blogged about it. We asked Jakub how today’s ransomware attacks differ from WannaCry’s attack three years ago. “There’s been no publicly available fresh exploit like EternalBlue,” he said. “So no such massive outbreak has happened since then. On the other hand, there’s been a clear uptick in the number of targeted ransomware attacks starting approximately one or two years ago.”
WannaCry was not a targeted attack – it was a broad fusillade meant to claim as many victims as possible. But some attackers today are plying different strategies. “These days, ransomware operators mostly attack only selected businesses and organizations where they expect to receive the maximum ransom profit,” Jakub told us. “Many of these strains also started using a technique called doxing, which we predicted three years ago.”
Doxing is a rising trend in which ransomware attackers not only encrypt user data but also use it as leverage to pressure victims into paying. They threaten that if the victims do not pay, their data will either be sold on the dark web or posted on a public website expressly created to shame ransomware victims.
So what’s next for ransomware? “We expect to still see both mass-spread and targeted ransomware attacks in the near future,” commented Jakub. “In terms of infection vector, we expect scam emails and infected pirated applications to be the main delivery mechanisms for targeting consumers with ransomware. In terms of businesses, the remote desktop protocol (RDP) will still be the most commonly used attack vector. We also expect to see even more aggressive doxing methods in the near future, such as medical record leaks.”
WannaCry was an international catastrophe that took the world by surprise. And while we haven’t seen another attack of that scale, new ransomware is still causing massive damage week after week. Like WannaCry, many ransomware attacks exploit known vulnerabilities in the hope that users haven’t updated. The natural remedy is to get in the habit of updating your system every time new patches are released. Also, a robust antivirus solution will keep you protected. Stay vigilant, and stay safe!