With WannaCry and now with Petya we’re getting to see how and why some ransomware worms are more effective than others.
[ Jul 3, 2017 — It’s now pretty well accepted that Petya wasn’t ransomware but a wiper instead. The post still applies to ransomware, though. ]
I think there are 3 main factors: Propagation, Payload, and Payment.
- Propagation: You ideally want to be able to spread using as many different types of techniques as you can.
- Payload: Once you’ve infected the system you want to have a payload that encrypts properly, doesn’t have any easy bypass to decryption, and clearly indicates to the victim what they should do next.
- Payment: Finally, you need to be able to take in money efficiently and then actually decrypt the systems of people who pay. This piece is crucial; otherwise people will soon learn that they can’t get their files back no matter what and will be inclined to just start over.
WannaCry vs. Petya
WannaCry used SMB as its main spreading mechanism, and its payment infrastructure lacked the ability to scale. It also had a killswitch, which was famously triggered and that stopped further propagation.
Petya seems to be much more effective at the spreading game since it’s using not only SMB but also wmic, psexec and lsadump to get onto more systems. This means it can harvest working credentials and spread even if the new targets aren’t vulnerable to an exploit.
[ NOTE: This is early analysis (Tuesday morning) so some details could turn out to be different as we learn more. ]
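As an added example (not part of the original post), here is a defender-side heuristic over constructed events that flags the credential-based spreading techniques named above: a PSEXESVC service install (PsExec), a process spawned by WmiPrvSE.exe (remote WMI execution), and one host fanning out to many others over SMB. The event shapes, host names and thresholds are assumptions, not details from either worm.

```python
"""Flag worm-like lateral movement in constructed host and network events.

Heuristics (assumptions for this example, not taken from the post):
- a service named PSEXESVC installed on a host suggests PsExec-style remote exec
- a process whose parent is WmiPrvSE.exe suggests remote WMI execution (wmic)
- one source opening SMB (445) to many distinct hosts in a short window is fan-out
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, kind, detail dict)
EVENTS = [
    ("2017-06-27 10:00:01", "ws01", "service_install", {"name": "PSEXESVC"}),
    ("2017-06-27 10:00:02", "ws02", "process", {"image": "rundll32.exe", "parent": "WmiPrvSE.exe"}),
    ("2017-06-27 10:00:03", "ws03", "process", {"image": "notepad.exe", "parent": "explorer.exe"}),
]
# ws01 then touches 11 distinct hosts on 445 within a few seconds (worm-like fan-out)
for i in range(1, 12):
    EVENTS.append((f"2017-06-27 10:00:{10 + i:02d}", "ws01", "netconn",
                   {"dst": f"10.0.0.{i}", "dport": 445}))

FANOUT_THRESHOLD = 10           # distinct SMB destinations from one source ...
FANOUT_WINDOW = timedelta(seconds=60)  # ... within this window


def detect(events):
    """Return (host, alert_type) pairs for the three indicators above."""
    alerts = []
    smb_by_src = defaultdict(list)
    for ts, host, kind, d in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "service_install" and d["name"].upper() == "PSEXESVC":
            alerts.append((host, "psexec_service"))
        elif kind == "process" and d["parent"].lower() == "wmiprvse.exe":
            alerts.append((host, "wmi_remote_exec"))
        elif kind == "netconn" and d["dport"] == 445:
            smb_by_src[host].append((t, d["dst"]))
    # Sliding window per source: count distinct destinations reached within FANOUT_WINDOW
    for src, conns in smb_by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            window = {dst for t, dst in conns[i:] if t - t0 <= FANOUT_WINDOW}
            if len(window) >= FANOUT_THRESHOLD:
                alerts.append((src, "smb_fanout"))
                break
    return alerts


if __name__ == "__main__":
    for host, kind in detect(EVENTS):
        print(f"{host}: {kind}")
```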
What remains to be seen is how effective the payload and the payment infrastructures are. It’s one thing to encrypt files, but it’s something else entirely to set up an infrastructure to have hundreds of thousands of individual systems send you money, and for you to send them each decryption information.
That last piece is what determines how successful, financially speaking, a ransomware worm is. This is, of course, assuming that the primary goal was to make money, which I’m not sure we should take as a given.
- Many attributed WannaCry to North Korea. Do they think the new worm is from the same origin?
- What are defenses against non-exploit-based spreading mechanisms?
- What are we learning about worm defense from both of these instances?
Sounds like it’ll be an interesting next few days, at the very least.
- I’m sure there are much more thorough ways to analyze the efficacy of worms. These are just three that came to mind while reading about Petya and thinking about it compared to WannaCry.
- Thanks to Michael A. for the updated information regarding spreading methods.