Mike Mimoso at Kaspersky's Threatpost blog raised the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed.
Malware expert Jake Williams, @MalwareJake on Twitter and founder of Rendition InfoSec, said after analyzing both the malware and the leaked NSA EternalBlue exploit used to spread it that there are "mind-blowing mistakes" in the ransomware code.
For starters, the developers used only three Bitcoin addresses for remittance, which is by itself amateur hour. However, it is not amateurs behind the WannaCry attack. North Korea is unique among state-backed APT groups in that its hackers fund themselves and their country through network exploitation and theft.
A Washington Post report cites an internal NSA assessment that connects, with “moderate confidence,” the North Korean government’s Reconnaissance General Bureau to WannaCry.
Williams contends that the developers behind WannaCry failed to properly contain it and the EternalBlue exploit before it was ready to be fully deployed. “The killswitch domain by itself—having a way to turn this off—I totally understand.
It makes perfect sense to want to have that there,” Williams said. “But if you’re going to do that, the killswitch wouldn’t simply accept a 200 status code, basically a success that yes we connected to the domain. This is version 0.0 and never intended to be in the wild. I’m 100 percent sure of that.”
So it is likely that WannaCry escaped a test environment, hopping from an unpatched test machine to the public internet and eventually to more than 200,000 computers and servers in 150-plus countries.
"They failed to contain it," Williams said. "When you build something like this, it's like carrying around ebola. Pushing ebola out isn't hard; it's harder to keep something like that contained." Full blog post here.
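The killswitch design Williams criticises, as an added example that is not code from the original post or from the actual malware: the naive check treats any successful connection to the domain as "stop", so whoever registers the domain and serves anything at all can halt the payload, while the authenticated variant only stops when the server proves knowledge of a key over a fresh nonce. The domain, key and HTTP responses are constructed for the demo, the HMAC-over-nonce scheme is an assumed design (a real one would verify a public-key signature so the binary carries no secret), and nothing here touches the network.

```python
"""Killswitch design: 'any 200 is success' versus an authenticated response.

Added example, not code from the original post or from WannaCry. Domain,
key and responses are constructed; nothing contacts the network.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the real killswitch domain (not the real one).
KILLSWITCH_DOMAIN = "example.invalid"

# Constructed demo key. Caveat: a symmetric key embedded in a binary can be
# recovered by reverse engineering; a production design would embed only a
# public key and verify a signature. HMAC keeps this example stdlib-only.
KILLSWITCH_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


@dataclass
class HttpResponse:
    status: int
    body: bytes


def naive_killswitch(resp: Optional[HttpResponse]) -> bool:
    """WannaCry-style check: a successful connection halts the payload.

    Returns True ("stop") for ANY 200 response, regardless of who answers.
    An unregistered domain (no response) returns False and the payload runs.
    """
    return resp is not None and resp.status == 200


def expected_tag(key: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 the server must return for the client's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def operator_server(key: bytes, nonce: bytes) -> HttpResponse:
    """The legitimate operator's endpoint: answers with the correct tag."""
    return HttpResponse(200, expected_tag(key, nonce).hex().encode("ascii"))


def sinkhole_server(nonce: bytes) -> HttpResponse:
    """A domain registered by a third party: 200 with an arbitrary body."""
    return HttpResponse(200, b"<html>sinkhole</html>")


def authenticated_killswitch(resp: Optional[HttpResponse],
                             key: bytes, nonce: bytes) -> bool:
    """Stop only if the body is a valid HMAC over the nonce we just sent.

    The fresh nonce also defeats replay of a previously captured answer.
    """
    if resp is None or resp.status != 200:
        return False
    try:
        tag = bytes.fromhex(resp.body.decode("ascii"))
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return False
    return hmac.compare_digest(tag, expected_tag(key, nonce))


def check(server: Callable[[bytes], Optional[HttpResponse]],
          key: bytes) -> tuple:
    """One client-side killswitch probe against `server`.

    Returns (naive_says_stop, authenticated_says_stop).
    """
    nonce = secrets.token_bytes(16)
    resp = server(nonce)
    return (naive_killswitch(resp),
            authenticated_killswitch(resp, key, nonce))


if __name__ == "__main__":
    legit = lambda n: operator_server(KILLSWITCH_KEY, n)
    print("operator :", check(legit, KILLSWITCH_KEY))          # (True, True)
    print("sinkhole :", check(sinkhole_server, KILLSWITCH_KEY))  # (True, False)
    print("no domain:", check(lambda n: None, KILLSWITCH_KEY))   # (False, False)
```

The sinkhole case is the one that mattered in practice: registering the domain and returning any 200 was enough to trip the naive check, whereas the authenticated check ignores it because the sinkhole cannot compute the tag. A captured legitimate answer replayed later also fails, since it was computed over a different nonce.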
Now is the time to inoculate your employees against ransomware attacks, as 95% of them use phishing emails as the attack vector. Get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote and you will be pleasantly surprised.