While the world still heals and reels from the torrent of an attack that is WannaCryptor (WannaCry), security experts find themselves bracing for potential new versions and copycats of the unique malware. As we covered in “Wormable ransomware strain uses freshly leaked exploit to encrypt data”, in less than 24 hours the WannaCry malware infected more than 230,000 systems in 150 countries. The attack impacted businesses large and small, across many vertical industries, in both the public and private sectors.
Since then a handful of new variants have struck: one disabled the so-called “kill switch” that was included in the original WannaCry malware, and another attempts to connect to a different web domain than the original. A quick look through VirusTotal shows that new versions and imitations are already on their way. Expect more, though unless a new exploit surfaces their success will likely be minimal.
Over the long term, however, the experts with whom I’ve spoken have stated they believe we will see more worm-propagation techniques (which enabled WannaCry to spread so quickly) coupled with traditional ransomware attacks. The only thing holding back that strategy will be the availability of software vulnerabilities that can be exploited remotely and automatically in order to spread such a worm.
It turns out that gaining access to such vulnerabilities may become a lot easier in the weeks ahead, thanks to the same hackers that allegedly leaked the attack tools of the U.S. National Security Agency, including the very exploit (EternalBlue, the Windows SMB exploit that WannaCry used to propagate) that made WannaCry possible in the first place. The group, known as the Shadow Brokers, first emerged last summer when it purported to have a cache of software exploits from the Equation Group, which is generally thought to have connections to the NSA.
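The worm propagation the preceding paragraphs describe (WannaCry using the SMB exploit to reach every host it could find) leaves a distinctive network footprint: one machine suddenly opening TCP/445 connections to many distinct peers in a short time. The following detector is an added example written for this article, not code from the original piece or from any product; it runs over a constructed, Zeek conn.log-style record list (the field names, addresses, timestamps and the 20-peers-per-60-seconds threshold are all assumptions chosen for illustration) and flags sources whose distinct-destination fan-out on TCP/445 inside a sliding window exceeds the threshold, while leaving ordinary file-server traffic and non-SMB browsing alone.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 inside a short window.

Added example for this article; the log format below is a constructed,
Zeek conn.log-style subset (ts, src, dst, dport, proto) and all addresses,
timestamps and thresholds are assumptions, not data from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SMB_PORT = 445


def parse_conn_log(lines: Iterable[str]) -> List[dict]:
    """Parse tab-separated 'ts src dst dport proto' lines; '#' lines are headers."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def find_smb_fanout(records: List[dict], window: timedelta = timedelta(seconds=60),
                    threshold: int = 20) -> Dict[str, Tuple[int, datetime, datetime]]:
    """Return {src: (distinct_peers, window_start, window_end)} for every source that
    contacts at least `threshold` distinct destinations on TCP/445 within `window`.
    Uses a two-pointer sliding window over each source's time-sorted connections."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == SMB_PORT:
            by_src[r["src"]].append((r["ts"], r["dst"]))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        in_window = defaultdict(int)  # dst -> number of connections inside the window
        left = 0
        best = None
        for ts, dst in conns:
            in_window[dst] += 1
            # Evict connections that fell out of the window on the left.
            while ts - conns[left][0] > window:
                old_dst = conns[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            distinct = len(in_window)
            if distinct >= threshold and (best is None or distinct > best[0]):
                best = (distinct, conns[left][0], ts)
        if best is not None:
            alerts[src] = best
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one worm-like host, one file-server client, one web
    client, and one slow scanner that stays under the per-window threshold."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = ["#ts\tsrc\tdst\tdport\tproto"]
    for i in range(30):  # 10.0.0.5: 30 distinct peers on 445 in 30 s (worm-like)
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}\t10.0.0.5\t10.0.1.{i + 1}\t445\ttcp")
    for i in range(30):  # 10.0.0.7: repeated connections to a single file server
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}\t10.0.0.7\t10.0.2.10\t445\ttcp")
    for i in range(30):  # 10.0.0.9: fan-out on 443, not SMB
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}\t10.0.0.9\t93.184.216.{i + 1}\t443\ttcp")
    for i in range(30):  # 10.0.0.11: 30 peers but 10 s apart, so at most 7 per 60 s window
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()}\t10.0.0.11\t10.0.3.{i + 1}\t445\ttcp")
    return lines


if __name__ == "__main__":
    for src, (n, start, end) in find_smb_fanout(parse_conn_log(build_sample_log())).items():
        print(f"ALERT {src}: {n} distinct SMB peers between {start.time()} and {end.time()}")
```

Counting distinct destinations rather than raw connections is what separates a worm sweep from a chatty client hammering one server; the slow-scanner case shows the flip side, that a sufficiently patient sweep stays under any fixed window threshold, so the window and threshold should be tuned to the environment rather than copied from here.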
On Tuesday of this week, just days following the WannaCry outbreaks, Shadow Brokers announced that they will make many more exploits available as part of a paid service that will be launched next month. The group claims to have more NSA hacking tools to share.
What’s worrisome about this development is that the Shadow Brokers have made good on their promises in the past. The group has published a number of significant exploit leaks, including ones targeting widely used enterprise security products.
While it’s not known who the Shadow Brokers are, theories range from former contractors to a nation-state APT group, and even an insider.
While the exploits released by the Shadow Brokers have been put to use by attackers, the group’s previous attempts to profit from the trove didn’t appear to be successful. When the Shadow Brokers first released some exploits, they asked for about $12 million, to be paid in bitcoin. After there weren’t any takers, the group shut down many of its online accounts.
As reported in “Shadow Brokers teases more Windows exploits and cyberespionage data”, the group claims to have many more Equation Group exploits that haven’t been leaked yet, and says they will be available as a subscription service starting next month. According to its blog post, the service would provide exploits for browsers, networking equipment, mobile endpoints, and Windows.
Pricing for the service, if the group actually follows through and offers one, hasn’t been announced. Either way, enterprise security teams should strap themselves in: this summer is likely to be a wild ride.