WannaCry Decryption Prompt

In 2017, a ransomware cryptoworm, known as WannaCry, was unleashed and during the four days it was active, it successfully compromised over 200,000 computers and brought the UK’s National Healthcare System to a halt.  In this post we will look at the WannaCry worm and the vulnerability it used, known as EternalBlue, and compare it to the recently announced BlueKeep vulnerability to see if we are on the cusp of another WannaCry type malware campaign.

A brief background on WannaCry

On April 14th, 2017 a highly complex exploit named EternalBlue was leaked by The Shadow Brokers.  An exploit of this vulnerability was developed by the NSA and effected all Windows versions in the past 15 years, including Windows 10 and Server 2016.  It utilized a flaw in an external protocol known as Server Message Block (SMB) meaning it could be triggered remotely  and due to the severity of this exploit, Microsoft quickly patched the vulnerability yielding all modern systems invulnerable.

Less than a month later, on May 12th, WannaCry rained havoc on hundreds of thousands of legacy systems causing $4 billion in damage.  And then again on June 27th the same EternalBlue exploit was used in the NotPetya cyber attacks on Ukrainian systems causing another $1 billlion in damages.  But if Microsoft released a security fix for all effected operating systems, how was the worm able to infect 200,000 computers in only 4 days?

Countries Effected by WannaCry
Countries Effected by WannaCry

As we all know, companies do not like change.  If a system is working there is little incentive to update it and in fact disabling security updates from Microsoft all together is common practice by systems administrators. This is exactly the mentality that allowed WannaCry to spread so successfully.  Millions of computers, that could have been secured with the timely Microsoft patch, were vulnerable due to a resistance to change by adminstrators and/or end users.  In fact, within the last year the Defense Information Systems Agency (DISA)has mandated that all security patches released by Microsoft be applied on government systems within 15 days because they recognize the threat of recently released vulnerabilities if not patched as soon as possible.

Thankfully, WannaCry had a built-in kill-switch and four days after it was released, a junior security developer stumbled across it and stopped the malware from doing any more damage.  We might not be so lucky next time and the next time might be right around the corner.

In mid-May a new vulnerability was announced by Microsoft that effects all legacy Windows Operating systems.  The flaw is in the Remote Desktop Protocol used in older Windows systems and just like EternalBlue used by WannaCry it can be triggered remotely.  Microsoft has deemed the vulnerability severe enough they even released an extremely rare security update to their XP distribution.

 Security researchers quickly jumped on the vulnerability to develop proof of concept exploits and scanners to see the potential impact.  Graham, the CEO of Errata Security Firm, has said his team developed a scanner and found over 900,000 vulnerable devices in the US alone. Within just a few weeks Zerodium, a marketplace for exploits, announced it had a working exploit utilizing the BlueKeep vulnerability and you can assume that Nation-States are on the cusp of having working complex toolsets based around BlueKeep.

So, what can you do to protect yourself from potential malware using the BlueKeep vulnerability?  It is quite simple although could be quite the headache for those resistant to change or resource poor organizations.  All you need to do is apply the most recent security patch from Microsoft and your systems will no longer be vulnerable.  It is not a matter of if, but when the BlueKeep vulnerability will be used in a malware campaign.  When it happens it will be at least on the same order of impact as the WannaCry worm but this time we might not be so lucky as to have a kill-switch built into the malware.

Are your systems ready?