Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Did WannaCry Ransomware Escape North Korean Containment?

    WanaCry RansomwareMike Mimoso at Kaspersky's Threatpost blog raised the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed.

    Malware expert Jake Williams, @MalwareJake on Twitter and founder of Rendition InfoSec, said there are “mind-blowing mistakes” in the ransomware code after an analysis of both the malware and the leaked NSA EternalBlue exploit used to spread the attack.

    For starters, the developers used only three Bitcoin addresses for remittance which is by itself amateur hour. However, it's not amateurs behind the WannaCry attack. North Korea is unique among APTs in that the hackers fund themselves and their country through network exploitation and theft.

    A Washington Post report cites an internal NSA assessment that connects, with “moderate confidence,” the North Korean government’s Reconnaissance General Bureau to WannaCry.

    Williams contends that the developers behind WannaCry failed to properly contain it and the EternalBlue exploit before it was ready to be fully deployed. “The killswitch domain by itself—having a way to turn this off—I totally understand.

    It makes perfect sense to want to have that there,” Williams said. “But if you’re going to do that, the killswitch wouldn’t simply accept a 200 status code, basically a success that yes we connected to the domain. This is version 0.0 and never intended to be in the wild. I’m 100 percent sure of that.”

    So it’s likely this escaped a test environment hopping from an unpatched test machine to the public internet, and eventually more than 200,000 computers and servers in 150-plus countries.

    “They failed to contain it,” Williams said. “When you build something like this, it’s like carrying around ebola. Pushing ebola out isn’t hard, it’s harder to keep something like that contained. Full blog post here.

    Now is the time to innoculate your employees against ransomware attacks, as 95% of them use phishing emails as the attack vector. Get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote and you will be pleasantly surprised.

    Get a Quote Now

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://info.knowbe4.com/kmsat_get_a_quote_now

     

    Return To KnowBe4 Security Blog

    Topics: Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews