WannaCry, NotPetya, and the Evolution of Ransomware

In the past few months, we’ve seen what will likely mark a pivot point in the evolution of ransomware and how it’s being deployed. Let’s first rewind to May, when WannaCry struck and, ultimately, redefined the scope of ransomware on a global scale. This attack generated two important questions (both of which still remained largely unanswered):

1. Why a patch available since March 2017 — a patch that would have prevented the attack —hadn’t been deployed by so many organization with mission-critical public systems; and
2. Why there was such a lack of operational sophistication with this attack, which resulted in the perpetrators making very little money from their efforts.

Forensic investigations of the WannaCry malware found hard-coded Bitcoin wallets with little to no ability to tie a user’s payment to their computer, rendering it impossible for the attackers to issue the appropriate decryption key. When word got out that paying was essentially a futile path — and the discovery of the hidden kill switch stopped the spread of the attack — most stopped paying. Still, the $300 Bitcoin ransom set by the attackers was quite modest in general; most reports place the total take at just over $140,000 in Bitcoin (which, until very recently, sat untouched in the attackers’ online wallets).

Regardless of whether the “imperfections” in the WannaCry code were intentional or mistaken, by all accounts, the financial payoff for such a widespread attack was rather insignificant. This, in itself, marked a sea change in the world of ransomware.

From Dividends to Disruptions

Prior to WannaCry, ransomware was a fairly lucrative extortion scheme, with the most organized perpetrators typically utilizing Cerber or Locky variants that would consistently net them upwards of $200,000 a month (or even more). The goal of these attacks was a reflection of their nomenclature; it was all about the ransom, baby. We even saw new pricing models and ransomware-as-a-service “businesses,” in particular with Spora variants, which allowed attackers to not just unlock a victim’s entire device, but selectively unlock only particular files or sets of data — then demand additional payments to get the rest. Cerber arguably perfected the ransomware-as-a-service model, making it simple for cybercriminals to execute a ransomware campaign without having deal with all of the development and logistics.

Need help with getting your users up to speed on identifying and avoiding ransomware attacks?

So what happened? Up until the WannaCry ransomware attack, the goals seemed pretty clear. Ransomware had evolved like many products, from one-off pieces of software into tools that could be sold and monetized. Research by a group at Google found the most popular strains, Locky and Cerber, have taken in $7.8 and $6.9 million, respectively, since storming on the scene in 2016. As cybercriminals became craftier with these types of attacks, it seemed clear that ransomware had established itself as a lucrative, quick-hit operation for perpetrators.

But then came WannaCry and, shortly on its heels, NotPetya. Though the two strains, superficially, have little to do with one another, they seemingly shared the same new goal: to disrupt rather than to profit. They also both utilized a more sophisticated distribution code, displaying worm-like capabilities that allowed infections to take root without relying explicitly on phishing attacks or on users to run an executable. Compared to variants like Locky, Cerber, or SamSam, there was little effort put into being able to tie the infected computer to a payment and generate an unlock key. In fact, NotPetya earned next to nothing for its developers; reports in late July indicated that though the malware had spread to more than 60 countries, the attackers netted only about $10,000 in Bitcoin payments.

Looking Ahead

Is this new ransomware model a fad, or have actors with other aspirations found a new tool for their arsenals? My opinion is that it’s far more likely to be the latter. Both in life and in cybersecurity, we find that people are continually motivated to try to find more effective ways to accomplish their goals. For those looking to disrupt, ransomware — or wipeware, as these binaries are being dubbed — represents a powerful opportunity. When ransomware is properly executed, a locked drive is practically non-recoverable. For those who care more about crippling a business and/or impacting service delivery than they do about a monetary gain, this type of attack fits the bill very nicely.

The challenge for companies is that “traditional” ransomware and wipeware behave in much the same way at the outset; as such, infosec teams waste both money and time in figuring out which they’re up against when an infection occurs. This only makes the attacks more appetizing to those perpetrating them.

While the sample size is currently small, we should expect to see more of these types of attacks — and likely more variety in the use of the underlying ransomware binaries — as actors with different goals seek to leverage the power of denying us access to our data.