From WannaCry to Conti: A 5-Year Perspective

Five years ago, on May 12, 2017, the world fell victim to a major ransomware attack known as ‘WannaCry’. The attack had an unprecedented scale, and spread around the world like wildfire, with more than 200,000 Windows computers across 150 countries affected outbreaking only a few days. The damage of the attack accounted to billions of dollars in losses.

About a month before the WannaCry attack, a hacker group called the Shadow Brokers publicly leaked an exploit developed by the National Security Agency (NSA). This exploit, dubbed EternalBlue, was based on the vulnerability in Windows SMB and allowed code execution on the remote machine. Although the vulnerability patch was released by Microsoft prior to the Shadow Brokers leak, many of the computers worldwide remained unpatched and therefore vulnerable, enabling EternalBlue to become a key to the unfortunate success of WannaCry. Equipped with extraordinary lateral movement capabilities based on the leaked NSA code, simple ransomware malware was upgraded into one of the most influential global cyberattacks observed.

Although not directly targeted, one of the most notable WannaCry victims was the UK’s National Health Service (NHS), which was running a large number of vulnerable machines and therefore was hit especially hard, with a third of NHS hospital trusts affected by the attack. Among other major victims of the global pandemic were Spain’s Telefonica telecom service as well as telecom providers, banks, the railway system, and even the Interior Ministry in Russia. Governments, hospitals, and other major companies all found themselves battling the attack. The outbreak was stopped when the researchers enabled the “kill switch” hardcoded in the malware – while this did not help already encrypted systems, it drastically slowed the spread of the infection.

On 18 December 2017, the U.S. Government formally announced that it publicly considered North Korea to be the main culprit behind the WannaCry attack, with Canada, New Zealand, Japan and the UK also standing behind those claims. Later in September 2018, the U.S. Department of Justice (DoJ) announced the first formal charges against the North Korean citizen Park Jin-Hyok. The DoJ contended that Park was a North Korean hacker working as part of a government-sponsored hacking team known as the “Lazarus Group”, had also been involved in the WannaCry attack, among other activities.

Figure 1 – WannaCry ransom demand

It is still widely discussed what was the primary goal of the WannaCry ransomware. The malware is obviously designed to extort money from the victims: they were forced to make a $300 payment within a 7-day deadline. The payments were requested to be made in Bitcoin, at the time when cryptocurrencies were much appealing to North Korea as the U.S. pursued international sanctions aimed at further isolating the country over its’s nuclear weapons program. The global impact of the attack together with other Lazarus Group regime-backed activities, however, indicates that in addition to the monetary aspect the attackers were really after chaos, panic, and destruction.

WannaCry attack changed the cybersecurity game – not just through its outsized impact; it made waves because of its outsized influence on the cyber-threat landscape. As the first global-scaled, multi-vectored cyberattack powered by state-sponsored actors, it marked a turning point in the cybersecurity environment, inspiring actors worldwide and affecting the whole threat landscape for the next five years up until now.

To mark the 5^th anniversary of the WannaCry attack, Check Point has created a Ransomware hub with reports, blogs, webinars, podcasts, videos and live statistics around ransomware attacks and its impact

Ransomware as a tool of nation-state actors

Being politically encouraged from the beginning, WannaCry outbreak ignited the idea to use ransomware for specific nation-state interests. In the summer of 2017, a month after the WannaCry attack, Ukraine suffered a catastrophic cyberattack by NotPetya ransomware that severely affected banks, public transportation, power companies and the government sector. The attack was carried out by Sandworm, a group of Russian military intelligence hackers, and was intended as a climactic strike against Ukraine in the years-long cyberwar Russia had carried out against its southwestern neighbor. However, from Ukraine the attack rapidly spread around the globe: likely inspired by WannaCry´s unfortunate success, NotPetya was also using EternalBlue to propagate between the computers, maximizing the outreach and hence the damage. This time, it was definitely not designed to make money, but to spread fast and cause damage, with a plausibly deniable cover of a ‘ransomware’, giving victims no way to retrieve their data and crippling operations for months. Several large public companies disclosed in securities filings that the attack cost them hundreds of millions of dollars in lost business and recovery efforts, including global shipping company Maersk, pharmaceutical company Merck and a number of hospitals in the U.S.

In 2020, Iranian nation-state-backed actors also started to add ransomware variants in their offensive operations. Ransomware operations proved themselves as powerful tools for disrupting or discrediting its victims. Between 2020 and 2021, at least six Iranian threat groups, including MosesStaff, Pay2Key, Black Shadow and APT35, were identified deploying ransomware variants, targeting primarily the Iranian regime’s main enemies – Israel and the U.S.

In early 2022, with the beginning of the kinetic war between Russia and Ukraine, multiple advanced cyber-attacks were detected targeting Ukrainian targets. One of these campaigns leveraged the wiper malware dubbed “HermeticWiper” combined with the ransomware named “HermeticRansom”. This GoLang-based ransomware’s code and workflow are relatively simple and appear to have been constructed hastily, indicating it was used as a decoy to prevent victims from accessing their data, while at the same time improving the efficiency of other simultaneous cyber-attacks. HermeticRansom was deployed at the same time as HermeticWiper aimed at finance and government contractor targets from Ukraine, Latvia, and Lithuania.

With the success of all these operations – where public attention and mass destruction of networks is the definition of success – we can definitely say that WannaCry’s legacy is still alive, inspiring ransomware usage by sanctioned countries like North Korea and Iran, with Russia joining them right now. Ransomware is still a plausible tool in achieving their political agenda, whether it’s causing the real damage or actually extorting ransom demands in cryptocurrency, which is a well-establish tool to evade sanctions.

From drive-by and email spam to domain-wide ransomware

In the WannaCry era of 2017, ransomware was commonly distributed on a large scale via massive email spam campaigns and drive-by downloads that were facilitated by Exploit Kits: everyone and anyone could be a target. Drive-by attacks allowed ransomware actors to infect victims who unknowingly visited a compromised website, without any additional action, heavily relying on unpatched browsers and plugins like Internet Explorer and Adobe Flash for successful exploitation. Email spam campaigns distributing ransomware relied on social engineering technics to make the victim run the ransomware, and usually were carried by spam botnets. One of the most successful examples of leveraging both methods of “spray and pray” delivery was the GandCrab ransomware, whose operators and affiliates collected a total an estimated of $2 billion in ransom payments, as part of their multiple campaigns.

With the development of anti-virus protection and the fall of exploit kits, spam distribution of ransomware became obsolete, and cybercriminals learned that one successful corporate victim can yield the same revenue as hundreds of non-corporate victims, with less effort. In 2018, ransomware distribution shifted from a numbers game to a more targeted approach of “big game hunting”, where advanced threat actors find – or even buy – their way into enterprise organizations. As the result, the cybercriminals behind the top malware families that started as banking trojans – like Emotet, Trickbot, Dridex, Qbot, and others, changed the focus of their botnet operations to hunting appropriate targets for ransomware attacks.

Once initial infection in corporate environments is achieved, threat actors conduct an extensive reconnaissance effort aimed at locating the most lucrative targets. Threat actors spend days, sometimes weeks, exploring the compromised networks to locate high-value assets and remove all possible backups, thus maximizing their damage. The scrutiny and the complexity of such target-tailored operations against enterprises turned ransomware operations over time into an enterprise-like business themselves. Prolific ransomware groups nowadays conduct not only a complicated technical operation, including the development of custom tools and the supporting infrastructure, but also maintain a business operation related to gaining initial access to lucrative targets, estimating the company’s paying abilities, collecting the information on victims – all to maximize their profits.

From simple locker to multiple extortion

WannaCry ransomware demands were relatively low: from each victim, the ransomware asked for $300, and doubling it to $600, if the payment was not made in the first 3 days. Judging by the public reports, it wasn’t such a successful operation money-wise with gains amounting to about $143,000. Over time, it appeared, that the low payment rate is not only a WannaCry ransomware problem, but is in general, the issue with the whole ransomware business model.

In the next few years, the threat actors started to develop innovative ways to increase their paychecks. First, by switching to corporate targets, but later, also by applying additional pressure on them to pay. In 2020 the double extortion strategy in ransomware emerged and until today, it is considered a common practice in the ransomware world. Double extortion ransomware is a multi-stage ransomware attack that combines the traditional encryption of the victim’s files and the exfiltration of their data outside the company, to attacker-controlled servers. The attacker then proves to the victim it has access to their sensitive data and threatens to release the breached data publicly unless the ransom payment is paid within the designated timeframe. This puts additional pressure on victims to meet the attackers’ demands, as well as exposes the victim to potential penalties from data protection regulators. To strengthen the double extortion, most of the ransomware gangs established shame blogs, where they post the names, and in some cases the data, of victims who are not willing to pay the ransom.

Making matters worse, at the end of 2020, the actors came up with additional ways to apply even more pressure on victims. Called “triple extortion”, it includes demands based on the threat of additional infrastructure damage – such as DDoS attacks against victims’ resources until they pay, or extortion using threats to third parties. For example, in October 2020, the Vastaamo clinic in Finland announced it was the victim of a yearlong breach that culminated in extensive patient data theft and a ransomware attack. In addition to the ransom demanded from the healthcare provider itself, the attackers sent smaller ransom demands to individual patients threatening to publish their sensitive therapist session notes. The triple extortion idea was quickly adopted by other actors: one of the most notorious actors, the REvil gang, for example, provided their affiliates with a voice-scrambled VoIP calls to journalists and colleagues, using third-parties to apply more pressure to the victims.

A matter of the national security

Ransomware operations evolution always aimed to increase the ransomware payments. Over the years, ransomware gangs learned that high-profile targets might bring them more revenue. In 2018-2019, while most governmental organizations were not ready for the growing ransomware threat, ransomware affiliates spotted that the public sector, especially at the state and the municipal level, were easy targets – and those were ravaged by ransomware attacks. Some of them, like the US city of Baltimore, even had to battle ransomware attacks twice.

Rising stakes and the increasing profile of the targets peaked in May 2021, with a ransomware attack on Colonial Pipeline, which shut down the major gasoline and jet fuel pipeline to large swaths of the South and the East Coast and led to fuel shortages. This incident, where a critical national infrastructure became hostage to ransomware, forced the U.S. government, and many others after that, to change their stance toward ransomware actors. They turned from preemptive and reactive measures to proactive offensive operations that targeted the ransomware operators themselves, as well as their funding and supporting infrastructures.

Following that, in the U.S., the Department of Justice (DoJ) defined ransomware as a national security threat, placing it at the same priority level as terrorism. The Office of Foreign Assets Control (OFAC) administered its first sanctions against a Russian-operated virtual currency exchange SUEX, involved in ransomware payments, and published an updated advisory on sanction risks for ransomware payments. A few months later, the European Union and an additional 31 countries announced they would join the effort to disrupt additional cryptocurrency channels, in an attempt to cripple the money laundering process that often follows ransomware operations. The same month, the Australian Government issued its “Ransomware Action Plan”, which includes the formation of a new special task force and harsher punishments for ransomware actors.

These measures allowed for increased budgets to fight cybercrime and enhanced collaborative efforts across borders between various government and law enforcement agencies. Following law enforcement’s new stance, multiple ransomware operators and affiliates were apprehended in various countries. Among the most significant was the international joint operation led by Interpol named “Operation Cyclone” in November 2021. This resulted in the seizure of infrastructure and arrests of money laundering affiliates for Cl0p, the group responsible for the Accellion breach which caused numerous double and triple extortions throughout 2021. In addition, the U.S. Department of Justice and other Federal agencies pursued further actions against REvil. These actions included members’ arrests, the seizure of US$6 million US dollars in ransom money, confiscation of devices, and a bounty program worth US$10 million. In January 2022, authorities in Russia reported they had dismantled the ransomware crime group REvil and charged several of its members. This was considered an unprecedented act of goodwill and marked a new era in ransomware business evolution.

Conclusion

Over the last five years, ransomware operations have made a long journay from random spray and pray emails to multi-million dollar businesses, conducting targeted and man-operated attacks affecting the organizations in almost any geographic location, and within any industry. While western countries, after all these years, started to take this problem utterly seriously, the ransomware economy still thrives mainly due to the local law enforcement agencies turning a blind eye to ransomware gangs, mostly based in Eastern Europe. With the current war between Russia and Ukraine, the future of law enforcement collaboration between Russia and western countries to stop the ransomware threat is not as bright as it seemed only a few months before. The ransomware shadow economy is fully based on cryptocurrencies, and while the war unfolds, the sanctions imposed by the U.S. against crypto crime keep expanding rapidly. Only in April 2022, OFAC sanctioned Garantex, a virtual currency exchange, and the world’s largest and most prominent darknet market, Hydra Market, in a coordinated international effort to disrupt the proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings.

Nevertheless, the example of North Korea-backed WannaCry is here to remind us again that the countries operating their economy under heavy sanctions tend to conduct and leverage cyber operations for their own purposes. So given the current situation, we cannot expect the Golden Era of ransomware to come to an end in the near future.

To mark the 5^th anniversary of the WannaCry attack, Check Point has created a Ransomware hub with reports, blogs, webinars, podcasts, videos and live statistics around ransomware attacks and its impact