Why ‘Aftershock’ Attacks May Bring More Tears than WannaCry

Sep 15, 2017 2:01:24 PM

LG recently confirmed that some of its self-service kiosks in South Korea were infected with WannaCry, forcing the consumer electronics manufacturer to shut down some of its systems to prevent further spread of the malware. It’s the latest outbreak of the worst ransomware attack in history, which initially ripped through hundreds of thousands of computers in 150 countries in May of this year.

WannaCry spread rapidly by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) file-sharing protocol. Security researcher Marcus Hutchins found a “kill switch” that would prevent further spread, and Microsoft released an emergency patch. However, the ransomware has continued to infect unpatched PCs older than Windows 10 as well as some Windows Server operating systems.

Experts have traced the WannaCry attack to a North Korean hacking group, but the exploit it used to spread, called “EternalBlue,” was developed by the National Security Agency (NSA). In April, a hacking group known as The Shadow Brokers leaked EternalBlue and a number of other NSA exploits in an archive dubbed “Lost in Translation.” The exploits include DoublePulsar, a backdoor that gives attackers high-level control over older Windows operating systems and was also used in the WannaCry attack.

These are not zero-day exploits — most were patched by the Microsoft security update a month before the leak. Nevertheless, their publication has already brought disastrous consequences, and experts fear that waves of “aftershock” attacks could prove far more damaging than WannaCry.

In June, another massive ransomware attack affected computers around the world, starting in Ukraine. Dubbed “ExPetya” or “NotPetya” because it resembles the Petya ransomware, it not only encrypts files but also overwrites the boot process and prevents the system from starting. The attack crippled shipping giant Maersk, costing the company as much as $300 million in lost revenue because of the length and scope of the business disruption.

The worst may be yet to come. A worm called EternalRocks uses a total of seven NSA hacking tools to open a “backdoor” into infected systems. It names itself WannaCry but isn’t ransomware — security researcher Miroslav Stampar has described EternalRocks as a “full-scale cyber weapon” lying in wait for some future attack. It’s unknown how many systems are infected with EternalRocks, but researchers say it’s still spreading. It has been dubbed the “Doomsday” worm, and could strike at any time.

It does no good to patch a system that’s already infected. Therefore, experts are recommending that organizations move quickly to upgrade older PCs to Windows 10, which doesn’t appear to be affected by the NSA hacking tools.
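The two conditions the article ties to exposure are an older Windows version and an SMB service that still accepts the legacy protocol the leaked exploit targets. The following PowerShell audit is an added example, not code from the original post or from the vendor; it assumes a Windows 8 / Server 2012 or later host where the `SmbShare` module is available, and the `$patchKb` value is a placeholder that an administrator replaces with the Microsoft update number for that host's OS.

```powershell
# Added example (not from the original post): audit one Windows host for the
# exposure conditions the article describes - an OS older than Windows 10 and
# SMBv1 still enabled - and check whether a named update is installed.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$isWin10OrLater = $build -ge 10240      # 10240 is the first Windows 10 release build

# Server-side SMBv1 state (Get-SmbServerConfiguration: Windows 8 / Server 2012 and later)
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Optional-feature state on client SKUs; absent on some older editions, so suppress errors
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

# Placeholder: replace with the update article number that applies to this OS version
$patchKb = 'KB<placeholder-for-this-OS>'
$patchInstalled = [bool](Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSCaption      = $os.Caption
    BuildNumber    = $build
    Windows10Plus  = $isWin10OrLater
    SMB1Enabled    = $smb1Enabled
    SMB1Feature    = if ($smb1Feature) { $smb1Feature.State } else { 'n/a' }
    PatchInstalled = $patchInstalled
}

if ($smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; disable it unless a documented legacy dependency requires it."
    # Remediation, left commented so the audit stays read-only:
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if (-not $isWin10OrLater -and -not $patchInstalled) {
    Write-Warning "Host is older than Windows 10 and the checked update is not present; prioritise for patching or upgrade."
}
```

Run it from an elevated prompt; the object it emits can be collected across a fleet (for example through `Invoke-Command`) to build the inventory that decides which machines the article's "patch or upgrade" advice applies to first.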

Attacks conducted with the help of exploits are among the most effective as they generally do not require any user interaction, and can deliver their dangerous code without the user suspecting anything. As a result, these tools are increasingly used by cybercriminals seeking to extort money, disrupt operations and steal sensitive information. WannaCry may have largely died down, but organizations can’t let down their guard. Aftershock attacks can be far more devastating and demonstrate the need for constant vigilance.

By John Flores, Vice President of Marketing
