Learning from past mistakes is a crucial part of every job. Four years after WannaCry’s outbreak, analyzing which weak security practices allowed this ransomware to proliferate is pivotal in trying to avoid similar events in the future. This blog focuses on mapping MITRE ATT&CK to the WannaCry campaign and will discuss some of the key lessons learned (or that we should have learned by now) in the aftermath of this destructive campaign.
They say that time flies and, believe it or not, today marks the fourth anniversary of WannaCry’s worldwide outbreak. WannaCry was a self-propagating ransomware worm that targeted Windows systems and encrypted devices in more than 150 countries within a day. WannaCry, also known as WannaCrypt, Wana Decrypt0r 2.0, and Wanna Decryptor, was a watershed moment in the cybersecurity industry and put the spotlight on the growing risk of ransomware attacks.
On 12 May 2017, the infosec community was taken by storm by the devastating spread of a new malware encrypting Windows devices and asking for a ransom to be paid in Bitcoin. At that time, ransomware was nothing new, but the speed at which this malware was able to self-propagate and infect new victims represented a drastic shift in previously observed tactics.
Although initially thought to be the result of a widespread phishing campaign, WannaCry spread by exploiting a vulnerability in Microsoft’s implementation of the Server Message Block (SMBv1) protocol. The exploit, called “EternalBlue”, was one of the tools leaked by the Shadow Brokers threat group, who allegedly stole it from the United States’ National Security Agency (NSA). Microsoft had fixed the underlying flaw in March 2017 with security bulletin MS17-010, roughly two months before the outbreak. After gaining code execution on a victim machine with EternalBlue, WannaCry used “DoublePulsar”, a kernel-mode backdoor from the same leak, to install and execute a copy of itself.
In the first 24 hours of its outbreak, WannaCry impacted more than 200,000 victims in over 150 countries. Unlike its costlier counterparts, this ransomware demanded a relatively small ransom of 300-600 USD (payable in Bitcoin) to decrypt the data. However, the ransom itself was not the most disruptive part of WannaCry; the interruption to business continuity and the chaos generated by an unprecedented cyber attack are what made the campaign one for the history books.
MITRE ATT&CK is an invaluable knowledge database for organizations seeking a better understanding of the threats they may be exposed to. Digital Shadows (now ReliaQuest) recently launched a new Threat Intelligence library in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with mapping to MITRE ATT&CK and features to operationalize threat intelligence. Applying MITRE ATT&CK to your CTI program can provide crucial tools to security teams with a consistent shared understanding of threats, actors, and mitigation strategies. Let’s dive into WannaCry’s Tactics, Techniques, and Procedures (TTPs) without further ado.
T1595 – Active Scanning
According to the 2018 Department of Justice (DOJ) indictment, WannaCry “contained separate functions to identify and infect computers vulnerable to the [EternalBlue] exploit on the computer Local Area Network (LAN), as well as computers accessible over the internet.” The malware then attempted to connect to each IP address in the LAN to determine whether a computer located at that address would be vulnerable to infection.
At the time of the outbreak, Microsoft had already released a security update (MS17-010, March 2017) that closed the vulnerability. However, many hospitals, businesses, and home users had not applied it, which left WannaCry free to self-propagate and infect hundreds of thousands of computers.
T1587.001 – Develop capabilities: Malware
Soon after WannaCry’s outbreak, researchers discovered that an earlier version of the ransomware had been circulating in the wild for some time. The striking difference between the two versions lay in how the malware spread. WannaCry’s infamous second version used the SMB exploit described above, which “was able to spread to any unpatched computer on the internet that was allowing inbound connections via vulnerable SMB versions, or to computers that were connected to a network in which another computer was allowing the same.” Adding the capability to self-propagate via EternalBlue therefore turned a conventional ransomware family into a worm and significantly increased the threat it posed.
T1190 – Exploit Public-Facing Application
SMB is intended for internal network use; organizations that expose it to the internet (TCP port 445) open themselves to exactly this kind of attack. By exploiting vulnerable SMBv1 services, WannaCry gained access to the targeted device. Specifically, WannaCry first sent SMB requests to check whether the host was vulnerable and whether the DoublePulsar backdoor was already installed; the response determined whether the machine had already been compromised or was a fresh target for infection.
T1083 – File and Directory Discovery
Once inside the computer, WannaCry enumerated user files to encrypt and categorized them by file extension. It primarily targeted “file extensions associated with productivity and database applications, compressed archives, and multimedia formats” for encryption.
T1018 – Remote System Discovery
Once WannaCry had accessed the victim computer, it would then proceed to discover further potential victims and begin the encryption process. As stated by MITRE, “WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.”
T1210 – Exploitation of Remote Services
As mentioned above, WannaCry exploited a vulnerability in Windows’ Server Message Block implementation to gain unauthorized access and move laterally across the network. Exploiting vulnerable remote services is a common technique among cybercriminals and other threat actors. For this reason, a few months ago Digital Shadows (now ReliaQuest) also published a blog mapping MITRE ATT&CK to compromised RDP sales as part of our Initial Access Brokers (IAB) research.
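The three techniques above (T1595, T1018 and T1210) share one observable on the wire: a single host opening SMB connections to many distinct neighbours in a short time, most of which fail because the address is unused or port 445 is closed. The following Python hunt is an added example, not code from the original post or from ReliaQuest. It runs over a constructed Zeek-style connection log; the internal address ranges, the thresholds and the conn_state values it treats as failures are assumptions to tune for your own environment.

```python
"""Hunt for WannaCry-style SMB sweeps in connection logs.

Added example, not code from the original post. Input is a constructed,
Zeek-style connection log: "<iso-timestamp> <src> <dst> <dport> <conn_state>".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these are the organisation's internal ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Zeek conn_state values meaning the TCP/SMB handshake never completed (host absent, port closed, reset).
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "RSTR", "RSTRH"}


def build_sample_log():
    """Constructed telemetry: one host sweeping its /24 on TCP/445, one normal file-server client."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like host touches 30 distinct neighbours in 30 seconds; most probes fail
    # because the address is empty or 445 is closed, which is typical of a blind sweep.
    for i in range(1, 31):
        state = "SF" if i % 10 == 0 else ("REJ" if i % 2 else "S0")
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.20 10.0.5.{i} 445 {state}")
    # The same host also probes an internet address (WannaCry scanned random public IPs too).
    lines.append(f"{(base + timedelta(seconds=31)).isoformat()} 10.0.5.20 198.51.100.7 445 S0")
    # Benign workstation talking repeatedly to its single file server over SMB.
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=1, seconds=i)).isoformat()} 10.0.5.44 10.0.5.10 445 SF")
    return "\n".join(lines)


def parse_conn_log(text):
    """Parse the whitespace-separated log format above into (ts, src, dst, dport, state) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), state))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_sweeps(records, window=timedelta(seconds=60), min_targets=10):
    """Flag sources that reached >= min_targets distinct hosts on TCP/445 within `window`.

    A sliding window over each source's 445 connections catches the burst;
    the summary then covers all of that source's 445 activity in the log.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, state in records:
        if dport == 445:
            by_src[src].append((ts, dst, state))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst, _ in events[start:end + 1]}) >= min_targets:
                targets = {dst for _, dst, _ in events}
                alerts[src] = {
                    "targets": len(targets),
                    "failed": sum(1 for _, _, st in events if st in FAILED_STATES),
                    "external": sorted(d for d in targets if not is_internal(d)),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(parse_conn_log(build_sample_log())).items():
        print(f"{src}: {info['targets']} distinct SMB targets, {info['failed']} failed, external={info['external']}")
```

Run as a script it prints the one alert for 10.0.5.20. Because the rule keys on distinct destinations rather than on an exploit signature, it also catches other SMB worms and hands-on lateral movement; an authorised vulnerability scanner will trigger it too, so allow-list scanner addresses rather than raising the threshold.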
T1573.002 – Encrypted Channel: Asymmetric Cryptography
WannaCry contained a list of Tor (.onion) addresses for its command-and-control (C2) servers. It used asymmetric encryption on top of those connections to conceal its traffic and ensure that only the intended recipient could read each message.
T1486 – Data Encrypted for Impact
As ransomware, WannaCry encrypted data on target systems and demanded payment for the decryption key. The requested sum was usually between USD 300 and USD 600, far less than ransomware groups demand today, so the disruption to the availability of systems and network resources was often the most costly result.
Most security experts discourage ransomware victims from paying for two main reasons. First, there is no guarantee that you will get your data back, and second, you will likely fund further criminal activity. WannaCry proved the first point: many victims reported that their data was never restored after paying the ransom.
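The file-system side of T1083 and T1486 is also detectable from host telemetry. The Python below is an added example, not code from the original post or from ReliaQuest: it consumes a constructed Sysmon-style FileCreate feed and flags a process that writes many files with one unusual new extension across several directories while dropping an identically named file into each of them (the ransom-note pattern). The process image, the extension and the note file name in the sample are invented for the example; the time window and thresholds are assumptions.

```python
"""Detect mass re-extension of files (T1083 / T1486) in file-creation telemetry.

Added example, not code from the original post. Input is a constructed,
Sysmon-style FileCreate feed: "<iso-timestamp>|<process image>|<target path>".
Process and file names in the sample are invented for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions legitimate software writes in bulk; never treated as a "ransomware extension".
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".log", ".tmp",
                     ".dll", ".exe", ".jpg", ".png", ".zip"}


def build_sample_events():
    """Constructed feed: one process encrypting six folders, one benign Word save."""
    base = datetime(2017, 5, 12, 11, 0, 0)
    lines = []
    encryptor = r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"  # invented name
    victims = ["Budget.xlsx", "Notes.docx", "Report.pdf", "Photo.jpg", "Backup.zip", "Clients.mdb"]
    for i, name in enumerate(victims):
        folder = rf"C:\Users\alice\Documents\Project{i}"
        t = base + timedelta(seconds=2 * i)
        # Encrypted copy appears with a new extension, then a ransom note lands in the same folder.
        lines.append(f"{t.isoformat()}|{encryptor}|{folder}\\{name}.locked")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()}|{encryptor}|{folder}\\README_TO_RESTORE.txt")
    # Benign: Word saving a document and its owner file in a single folder.
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    lines.append(f"{(base + timedelta(minutes=10)).isoformat()}|{word}|C:\\Users\\alice\\Documents\\Project0\\Notes.docx")
    lines.append(f"{(base + timedelta(minutes=10, seconds=1)).isoformat()}|{word}|C:\\Users\\alice\\Documents\\Project0\\~$Notes.docx")
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), image, PureWindowsPath(path)))
    return events


def summarize(window_events, min_files, min_dirs):
    """Return an alert dict for one window of (ts, path) events, or None if nothing qualifies."""
    ext_count = Counter()
    ext_dirs = defaultdict(set)
    name_dirs = defaultdict(set)
    for _, path in window_events:
        ext = path.suffix.lower()
        folder = str(path.parent).lower()
        ext_count[ext] += 1
        ext_dirs[ext].add(folder)
        name_dirs[path.name.lower()].add(folder)
    hits = [e for e in ext_count
            if e not in COMMON_EXTENSIONS and ext_count[e] >= min_files and len(ext_dirs[e]) >= min_dirs]
    if not hits:
        return None
    ext = max(hits, key=lambda e: ext_count[e])
    # The same file name dropped into many folders is the ransom-note pattern.
    notes = sorted(n for n, dirs in name_dirs.items() if len(dirs) >= min_dirs)
    return {"extension": ext, "files": ext_count[ext], "directories": len(ext_dirs[ext]), "ransom_note": notes}


def detect_mass_encryption(events, window=timedelta(minutes=5), min_files=5, min_dirs=3):
    """Per process image, slide a time window over its file creations and keep the worst window."""
    by_image = defaultdict(list)
    for ts, image, path in events:
        by_image[image].append((ts, path))
    alerts = {}
    for image, evs in by_image.items():
        evs.sort()
        start = 0
        best = None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            summary = summarize(evs[start:end + 1], min_files, min_dirs)
            if summary and (best is None or summary["files"] > best["files"]):
                best = summary
        if best:
            alerts[image] = best
    return alerts


if __name__ == "__main__":
    for image, info in detect_mass_encryption(parse_events(build_sample_events())).items():
        print(f"{image}: {info['files']} files -> {info['extension']} in {info['directories']} dirs; notes={info['ransom_note']}")
```

Extension-based rules miss ransomware that encrypts in place without renaming, so pair this with a rate-of-modification check on the same feed, and treat it as one signal feeding a response decision rather than an automatic process kill.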
WannaCry’s 2017 outbreak proved once again the importance of keeping operating systems updated and vulnerabilities patched. WannaCry did not rely on a zero-day: Microsoft had released the fix (MS17-010) two months before the outbreak.
WannaCry thrived because many individuals and organizations were running unpatched or end-of-life versions of Windows. Most infected machines were unpatched Windows 7 systems; end-of-life Windows XP, for which Microsoft issued a rare out-of-band patch the day after the outbreak, was exposed as well. Four years later, these issues are far from solved and still constitute one of adversaries’ favourite entry points. End-of-life systems linger because compiling a thorough asset inventory is a daunting task, particularly for organizations that have been through several mergers and acquisitions (M&A). Additionally, the short-term cost of downtime for patching or migration can appear larger than the benefit of a more secure IT infrastructure, with the result that updates to the relevant systems are postponed, often indefinitely.
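Finding the hosts WannaCry would have hit means joining three facts from the asset inventory: the OS and its support status, whether the MS17-010 update is installed, and whether SMBv1 is enabled and reachable over TCP/445. The Python triage below is an added example, not code from the original post or from ReliaQuest. The inventory is constructed, and the KB identifiers are the commonly cited MS17-010 updates for each product family, kept as data to verify against Microsoft's bulletin rather than hard-coded truth.

```python
"""Triage an asset inventory for MS17-010 / SMBv1 exposure.

Added example, not code from the original post. The inventory below is constructed.
KB identifiers are the commonly cited MS17-010 updates per product family; treat
them as configuration data and verify against Microsoft's bulletin before use.
"""
from dataclasses import dataclass

MS17_010_KBS = {
    "Windows 7": {"KB4012212", "KB4012215"},               # security-only / monthly rollup, March 2017
    "Windows Server 2008 R2": {"KB4012212", "KB4012215"},
    "Windows XP": {"KB4012598"},                           # out-of-band, 13 May 2017
    "Windows Server 2003": {"KB4012598"},
}
# Out of support in May 2017; normally no patch would have existed at all.
END_OF_LIFE = {"Windows XP", "Windows Server 2003"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    installed_kbs: frozenset
    smb1_enabled: bool
    port_445: str  # who can reach TCP/445: "internet", "internal" or "blocked"


def assess(host):
    """Return (severity 0-3, findings). Severity 3 means wormable from the internet."""
    findings = []
    required = MS17_010_KBS.get(host.os)
    if required is None:
        # Unknown platform: assume vulnerable until someone verifies it.
        findings.append(f"unknown OS {host.os!r}: patch state cannot be evaluated")
        patched = False
    else:
        patched = bool(required & host.installed_kbs)
        if not patched:
            findings.append("MS17-010 not applied")
    if host.os in END_OF_LIFE:
        findings.append("end-of-life OS: future SMB flaws will not be patched")
    if host.smb1_enabled:
        findings.append("SMBv1 enabled (EternalBlue targets SMBv1)")

    exploitable = host.smb1_enabled and not patched
    if not exploitable:
        # Still worth a ticket: a legacy protocol left on, or an unsupported OS.
        severity = 1 if (host.smb1_enabled or host.os in END_OF_LIFE) else 0
    else:
        severity = {"internet": 3, "internal": 2, "blocked": 1}[host.port_445]
        findings.append(f"exploitable over TCP/445 from: {host.port_445}")
    return severity, findings


def prioritize(hosts):
    """Highest severity first; ties broken by hostname for stable output."""
    scored = [(assess(h), h) for h in hosts]
    scored.sort(key=lambda item: (-item[0][0], item[1].name))
    return [(h.name, sev, findings) for (sev, findings), h in scored]


# Constructed inventory for the example.
INVENTORY = [
    Host("FS01", "Windows Server 2008 R2", frozenset({"KB4012215"}), True, "internal"),
    Host("MRI-WS", "Windows XP", frozenset(), True, "internal"),
    Host("KIOSK-7", "Windows 7", frozenset(), True, "internet"),
    Host("HR-PC", "Windows 7", frozenset({"KB4012212"}), False, "blocked"),
]

if __name__ == "__main__":
    for name, sev, findings in prioritize(INVENTORY):
        print(f"[{sev}] {name}: {'; '.join(findings) or 'no findings'}")
```

Monthly rollups are cumulative, so a Windows 7 host first patched in, say, June 2017 carries neither March identifier and this check would report it as unpatched; in production either extend the sets with later rollup identifiers or check the patched file version on the host instead of relying on KB lists. The exposure field is the part most inventories lack, and it is exactly what separated a contained incident from a wormed network in May 2017.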
Another interesting point stemming from the WannaCry campaign came from Microsoft President Brad Smith in a public statement issued soon after the outbreak. In it, he raised awareness of the issue behind EternalBlue and DoublePulsar by stating that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.
Ultimately, although WannaCry had a tremendous impact on individuals and organizations worldwide, it was not a perfect piece of malware, and its spread was relatively short-lived: security researcher Marcus Hutchins registered its kill-switch domain within hours of the outbreak, which stopped the encryption routine on newly infected machines that could reach that domain. Given how ransomware has evolved in the past four years, it is easy to imagine how profound the impact of such a widespread campaign could be right now. Let’s hope we never find out!
To learn more about malware threats relevant to your industry sector and geography, Digital Shadows (now ReliaQuest) offers a test drive of our Threat Intelligence library, which can save hundreds of hours of analyst time spent researching, combing, analyzing, and reporting on TTPs and threat actors across open, closed, and technical sources.
Alternatively, to view our previous intelligence on MITRE ATT&CK, check out our