Why WannaCry was a dud (but you should get ready for the next one)

While WannaCry has made headlines for its prolific spread (and its use of Windows exploits), by and large it has been a total failure for the attackers themselves. This is because, from a technical (or more accurately a “business”) standpoint, WannaCry was not a good product.

Let’s talk about why. First of all, ransomware in general has become a money machine for organised crime syndicates. Only a fool wouldn’t realise that this is because significant research and development has gone into creating their “product”. As a result, these products generate literally millions of dollars for their vendors.

WannaCry has so far made about AUD$120,000. Because of the way the WannaCry writers crafted the malware, they use only three Bitcoin wallets to accept payments from victims, and because Bitcoin transactions are public, you can see the payments right here.

This is highly unusual. Most ransomware creates a unique Bitcoin wallet for each victim so that payment can be verified. It’s very important to note that WannaCry cannot verify that you have paid your ransom, so under no circumstances should you pay it.

WannaCry also had a built-in kill switch in the form of a URL: if a connection to it succeeds, WannaCry does not start its encryption routine. Unfortunately for them, the WannaCry vendors forgot to register that URL, so somebody else did, rendering WannaCry useless.

As a result you can see a live map of where WannaCry would have struck at https://intel.malwaretech.com/pewpew.html

In retrospect this is all pretty funny, especially since Australia got through it pretty much unscathed. But in reality it is the alarm bell for a new form of ransomware: more sophisticated attackers will learn from it and develop more refined and dangerous malware delivery methods.

In a future attack, your anti-virus may mark the suspect email as spam. Failing that, it might notice and stop the encryption routine. A clever security researcher may manage to stop the encryption payload mechanism by the time your machine gets infected. Windows may already be patched against the vulnerability before it is exploited in the wild.

But you can always restore from backup. Provided, of course, that you have a backup. So it’s important (today, right-now important) that you know your backup is recoverable, timely, not directly accessible (so ransomware can’t delete or encrypt it during its rampage), and a few other things that make sure your backup is safe and dependable.
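As an added illustration of those three properties (this is not CR&T's tooling; the directory layout, file names, the one-day age policy and the file-mode check are all assumptions), here is a small Python audit. It restores the backup into scratch space and re-hashes every file against a manifest written when the backup was taken, checks the backup's age, and checks that the backup location is read-only from the protected host:

```python
"""Audit a backup for the three properties a ransomware-proof backup needs:
recoverable, timely, and not directly accessible from the host it protects.
Added example with constructed sample data; policy values are assumptions."""
import hashlib
import json
import shutil
import stat
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE = 24 * 3600  # assumed policy: a usable backup is under a day old
MANIFEST = "manifest.json"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, created):
    """Hash every file at backup time so a later restore can be verified."""
    backup_dir = Path(backup_dir)
    files = {p.name: sha256_of(p) for p in sorted(backup_dir.iterdir())
             if p.is_file() and p.name != MANIFEST}
    manifest = {"created": created, "files": files}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def audit_backup(backup_dir, restore_dir, now):
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    restore_dir.mkdir(exist_ok=True)
    manifest = json.loads((backup_dir / MANIFEST).read_text())

    # 1. Recoverable: really restore to scratch space and compare hashes.
    mismatched = []
    for name, expected in manifest["files"].items():
        src = backup_dir / name
        if not src.exists():
            mismatched.append(name)
            continue
        dst = restore_dir / name
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            mismatched.append(name)

    # 2. Timely: the backup must be recent enough to be worth restoring.
    age = now - manifest["created"]

    # 3. Not directly accessible: the host must not be able to add, delete or
    #    replace files in the backup location. Mode bits are only a proxy for
    #    this (see the note below the code).
    mode = backup_dir.stat().st_mode
    writable = bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))

    return {
        "recoverable": not mismatched,
        "mismatched": mismatched,
        "timely": age <= MAX_BACKUP_AGE,
        "age_seconds": age,
        "isolated": not writable,
    }


def demo():
    """Constructed scenario: a good backup, the same backup after one file is
    overwritten in place, and the same backup looked at three days later."""
    root = Path(tempfile.mkdtemp())
    backup, restore = root / "backup", root / "restore"
    backup.mkdir()
    restore.mkdir()
    try:
        (backup / "ledger.csv").write_text("date,amount\n2017-05-12,100\n")
        (backup / "notes.txt").write_text("constructed sample data\n")
        created = time.time() - 3600  # backup taken an hour ago
        write_manifest(backup, created)
        backup.chmod(0o555)  # read-only directory: nothing can be added or removed
        good = audit_backup(backup, restore, now=time.time())

        # Simulate ransomware overwriting a backed-up file in place.
        (backup / "ledger.csv").write_text("encrypted garbage")
        bad = audit_backup(backup, restore, now=time.time())

        # The same backup examined three days later is no longer timely.
        stale = audit_backup(backup, restore, now=created + 3 * 24 * 3600)
        return good, bad, stale
    finally:
        backup.chmod(0o755)
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "stale"), demo()):
        print(label, result)
```

The mode-bit check is the weakest of the three: it only shows the directory is not writable by the account running the audit. On a real deployment you would also attempt an actual write against the backup target from the client's own account, and test the restore on a clean machine rather than on the host that may be infected.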

CR&T can do this for you. Unfortunately it is chargeable, but it may be the best insurance you ever buy. Call or email and we’ll get started; we’ll also check that the appropriate Windows Update has been installed to prevent the WannaCry exploit. Even though WannaCry has been effectively shut down, nothing prevents someone else from using the same exploit on unpatched systems.


(Infographic) WannaCry Ransomware

The Dark Internet

Broadband customers, some military systems and people who are spammed or hacked are the most common victims of an online phenomenon researchers have dubbed “dark address space,” which leaves some 100 million Internet Web hosts completely unreachable from portions of the Internet.

For a variety of reasons, ranging from contract disputes among telecommunications network operators to simple communications devices being misconfigured, over five percent of the Internet’s deliverable address space does not connect globally.

Isn’t the Internet supposed to be a 100% connected system?

Popular belief holds that the Internet represents a completely connected system. It turns out that’s just not true.

Anecdotal evidence has long hinted at the existence of dark address space, but researchers have just shed light on the subject by continuously gathering and analysing core “routing tables” for over three years. In the end, they found that for much of the Internet, the shortest path between two points doesn’t exist.

What causes dark address space?

The most common factors contributing to dark address space are aggressive traffic filtering by network administrators seeking to ease the load on equipment, and accidental misconfiguration. Some military sites frequently fall into the shadow zone because they often occupy neglected ‘Milnet’ address blocks dating back to the Internet’s stone age. Just why broadband modem customers also top the list remains one of the great unsolved mysteries.

Murky Crime

Despite the large number of hosts that fall into the partitioned space, the phenomenon may not always be noticeable to average Internet users, because most Internet consumers only use a tiny portion of the Net. It is suggested that most people access only five or ten web sites on average.

In the course of monitoring, occasional fleeting glimpses were observed of another, more elusive routing anomaly, one that often comes with a more sinister explanation.

Blocks of Internet address space that are supposed to be unused sometimes briefly appear in the communications router systems, and are used to launch a cyber attack, or to send a flurry of unsolicited commercial email, before being withdrawn without a trace.

How can attackers and spammers gain access to these systems?

Dubbed “murky” address space, this works because of the fundamental insecurity of the Internet’s communications routing infrastructure. Under protocols developed during cyberspace’s age of innocence, if an Internet router claims that it owns a block of address space, the rest of the Internet will take it at its word and redirect all the traffic for that address block to it. Co-opt one router, and you can create whatever net-block you want and inject it into the global net.
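To make the routing trust problem concrete, here is an added Python model (not the researchers' code; every prefix and AS number in it is constructed). A plain routing table accepts any router's claim to a prefix and, as real routers do, picks the longest matching prefix, so an unauthorised more-specific announcement captures the traffic. The same table with a route-origin check, the idea behind RPKI route origin authorisations, rejects the claim because the announcing AS is not the authorised origin:

```python
"""Why 'take the router at its word' routing is hijackable, and what origin
validation changes. Added model; ROAs, prefixes and AS numbers are constructed."""
import ipaddress

# Constructed route-origin authorisations: prefix -> (authorised origin AS, max length)
ROAS = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
}


def roa_state(prefix, origin_as):
    """RPKI-style origin validation: 'valid', 'invalid' or 'unknown'."""
    prefix = ipaddress.ip_network(prefix)
    covering = [n for n in ROAS if prefix.subnet_of(n)]
    if not covering:
        return "unknown"  # no ROA covers this prefix; cannot say either way
    for n in covering:
        auth_as, max_len = ROAS[n]
        if origin_as == auth_as and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or too specific


class RoutingTable:
    def __init__(self, validate=False):
        self.validate = validate
        self.routes = {}   # prefix -> origin AS
        self.rejected = []

    def announce(self, prefix, origin_as):
        """Without validation every claim is accepted; with it, invalid ones are dropped."""
        prefix = ipaddress.ip_network(prefix)
        if self.validate and roa_state(prefix, origin_as) == "invalid":
            self.rejected.append((str(prefix), origin_as))
            return False
        self.routes[prefix] = origin_as
        return True

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Longest-prefix match: the most specific covering route wins."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, origin in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, origin)
        return best[1] if best else None


def demo():
    """Returns which AS receives traffic for 203.0.113.10 before the bogus
    announcement, after it, and after it with origin validation on."""
    plain = RoutingTable(validate=False)
    plain.announce("203.0.113.0/24", 64500)           # legitimate owner
    before = plain.lookup("203.0.113.10")
    plain.announce("203.0.113.0/25", 64666)           # co-opted router's more-specific claim
    hijacked = plain.lookup("203.0.113.10")

    checked = RoutingTable(validate=True)
    checked.announce("203.0.113.0/24", 64500)
    checked.announce("203.0.113.0/25", 64666)         # rejected: AS64666 is not authorised
    protected = checked.lookup("203.0.113.10")
    return before, hijacked, protected


if __name__ == "__main__":
    print(demo())  # (64500, 64666, 64500)
```

Origin validation only covers the first hop of the trust problem (who may originate a prefix); it does not authenticate the AS path, which is why it is usually deployed together with prefix filtering at peering edges.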

How were these intrusions detected in the first place?

Network researchers went to the mail logs of an ISP and compared several thousand unique mail sources with “murky” addresses spotted in their monitoring. They found that some of those addresses sprang into existence shortly before sending the email, and then quickly vanished afterwards.
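The correlation described above, re-created as an added Python example (not the researchers' code; the routing events, mail log lines, timestamps and the one-hour lifetime threshold are all constructed). It pairs announce and withdraw events into prefix lifetimes, keeps the short-lived ones, and flags mail senders whose source address fell inside such a prefix while it was briefly routed:

```python
"""Correlate mail-server connections with prefixes that appeared in routing and
vanished shortly afterwards. Added example; all data below is constructed."""
import ipaddress
from datetime import datetime, timedelta

# Constructed route monitor output: time, event, prefix, origin AS
ROUTE_EVENTS = """\
2002-11-03T09:58:00 ANNOUNCE 192.0.2.0/24 AS64666
2002-11-03T10:31:00 WITHDRAW 192.0.2.0/24 AS64666
2002-11-03T08:00:00 ANNOUNCE 198.51.100.0/24 AS64500
"""

# Constructed ISP mail log: time, "connect from", source address, HELO name
MAIL_LOG = """\
2002-11-03T10:02:13 connect from 192.0.2.77 helo=mail.example
2002-11-03T10:05:40 connect from 198.51.100.9 helo=mx.example
2002-11-03T10:07:01 connect from 192.0.2.78 helo=promo.example
"""


def parse_route_events(text):
    """Pair each ANNOUNCE with its WITHDRAW: (prefix, origin, announced, withdrawn).
    Prefixes still announced at the end of the log get no window; they are not transient."""
    open_windows, windows = {}, []
    for line in text.splitlines():
        ts, kind, prefix, origin = line.split()
        when = datetime.fromisoformat(ts)
        key = (ipaddress.ip_network(prefix), origin)
        if kind == "ANNOUNCE":
            open_windows[key] = when
        elif kind == "WITHDRAW" and key in open_windows:
            windows.append((key[0], key[1], open_windows.pop(key), when))
    return windows


def parse_mail_log(text):
    for line in text.splitlines():
        parts = line.split()
        yield datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[3])


def murky_sources(route_text, mail_text, max_lifetime=timedelta(hours=1)):
    """Return mail senders whose address lived inside a short-lived prefix
    at the moment they connected."""
    windows = [w for w in parse_route_events(route_text) if w[3] - w[2] <= max_lifetime]
    hits = []
    for when, addr in parse_mail_log(mail_text):
        for prefix, origin, start, end in windows:
            if addr in prefix and start <= when <= end:
                hits.append({
                    "time": when.isoformat(),
                    "source": str(addr),
                    "prefix": str(prefix),
                    "origin": origin,
                    "lifetime_minutes": int((end - start).total_seconds() // 60),
                })
    return hits


if __name__ == "__main__":
    for hit in murky_sources(ROUTE_EVENTS, MAIL_LOG):
        print(hit)
```

Because routers do not keep this history themselves, the detection depends on an external route monitor retaining announce and withdraw timestamps; without that record, the mail log alone shows nothing unusual about these senders.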

Because communications routers don’t normally log such activity, murky address space could hide the full range of antisocial or illegal network behaviour.

Is this going to be an ongoing problem?

In October, a report from Carnegie Mellon’s CERT Coordination Centre warned that hackers are increasingly compromising routers, and using them to launch denial of service attacks against Internet hosts.