Considering the turn of events in the WannaCry ransomware outbreak, here is what it appears to look like from a high level:
- Based on a vulnerability in Microsoft’s SMB protocol, the NSA develops an exploit called “Eternal Blue.”
- After hacking the NSA, the Shadow Brokers get hold of artefacts for Eternal Blue and other NSA exploits.
- Microsoft releases a patch for the SMB vulnerability in March for supported Microsoft Windows platforms.
- An announcement is made by the Shadow Brokers that they have obtained this trove of NSA tools and exploits.
- The group tries to auction off the proceeds, fails, and then selectively dumps some of the tools for free.
- Hackers get hold of the tools and launch the WannaCry exploit in the beginning of May, a worldwide outbreak.
- Folks using older versions of Windows not covered by the March patch and those who had not applied the patch are all especially vulnerable.
- Microsoft provides an emergency patch for the versions of Microsoft Windows that are past their de-support deadlines.
- A “kill switch” is discovered where the malware depends on an unregistered domain to carry out its work. Registering the domain deactivates the ransomware exploit, for now…
Essentially, the NSA cache seems to have turbocharged what was a “regular piece” of ransomware malware to enable it to spread like wildfire.
As an aside, it could be assumed that Microsoft was informed by the NSA about the hack, prompting them to come out with the March patch. Additionally, something that could potentially be asked is did the NSA discover the SMB vulnerability on their own or were they cued about it. Communication could, after all, flow both ways.
Taking a closer look at ransomware itself; where it appears to stand out is its finely-tuned use of cryptography to carry out its handiwork. A public and private key pair is generated for each infected machine, the public key is sent to the client machine, sets of private keys are generated and used to encrypt files on the target machine, and the public key is used to encrypt the private keys. At which point, the files are locked out, irredeemable without the use of the private key lying on the command and control server. It seems to be all about the use of keys, encrypted files stay on the machine, but remain inaccessible. It is almost like someone locks you in at home and demands a ransom to open the door and set you free.
So long as there are vulnerabilities to be exploited, clearly there will be no shortage of malware and exploits. Given that it is not just the hackers who are interested in vulnerabilities but also the powerful governmental spy agencies, we can expect no letup in such attacks.
NSA toolkits appear to have had exploits for many more vulnerabilities including for the Swift network and Linux systems. From an earlier release, firewalls from Cisco, Fortinet, and Juniper seem to have been among the targets with the tools enabling remote code execution and privilege escalation. Getting a foothold in a network and sending files to a target system were some of the other hacks that were reported. And there could be many more that the Shadow Brokers are yet to release.
Therefore, it is entirely conceivable that we could be seeing more such attacks that are inspired by NSA material. Several WannaCry wannabes may be in the works, more turbulence ahead.