In 2017 the world was caught off guard by WannaCry, a highly destructive ransomware worm. Given its infection rate, estimates put the damage it caused at up to $4 billion that year. The NSA's formerly top-secret weaponized bug in SMB (Server Message Block) version 1 fell into the wrong hands, and WannaCry was the result. Two years later, in 2019, WannaCry is still very much active: its well-known exploit, EternalBlue, continues to trigger file-encryption runs on legacy, unpatched systems. It remains a threat to be taken seriously, as Armis, a cybersecurity provider, revealed that more than 145,000 Internet-connected, unpatched Windows machines still harbor the infamous malware.
“Devices on which WannaCry did not activate are vulnerable to other attacks, as the ransomware’s backdoor, DoublePulsar, remains wide open. Many organizations fail to patch their networks, so any new variant of the ransomware, some of which lack a kill switch altogether, can compromise their security in an unstoppable attack,” explained Ben Seri, Armis’s Vice President of Research.
An estimated 145,000 infected machines may look small next to the billions of Windows computers deployed worldwide in institutions and homes. The two sectors in which WannaCry survives to this day are manufacturing (60%) and healthcare (40%). These sectors are attacked regularly with the EternalBlue exploit, because many manufacturing and healthcare organizations continue to run unpatched legacy machines, and those same machines have persistent Internet connections.
Upgrading, replacing, or even patching the vulnerable machines is a real challenge for healthcare and manufacturing firms, because they cannot afford the downtime the work would require. Some organizations have taken the drastic step of isolating such machines from the rest of the network so that they can never reach the Internet, a practice known as air-gapping. Microsoft, for its part, released the patch (MS17-010) not only for supported versions of Windows but also, in an emergency release during the outbreak, for Windows XP, which had been out of support since 2014.
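The exposure the article describes (SMBv1 still reachable on unpatched hosts) is something a defender can inventory directly. The probe below is an added example, not code from the article or from Armis. It sends an SMBv1 Negotiate Protocol Request offering only the NT LM 0.12 dialect and classifies the reply: a host that answers with an SMBv1 header still has the protocol stack that EternalBlue targets, while a host with SMBv1 disabled resets the session or, when SMB2 is offered, answers with an SMB2 header. The sample reply bytes and the hostnames are constructed for illustration. Caveat: this detects whether SMBv1 is enabled, not whether MS17-010 is installed; a fully patched host that still has SMBv1 turned on will also answer, so treat a positive result as "go check the patch level", not as "vulnerable".

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"  # the SMB1 dialect NT-family Windows servers select
SMB1_HEADER_FMT = "<BIBHHQHHHHH"  # fields after the 4-byte protocol id (MS-CIFS 2.2.3.1)


def _netbios(smb: bytes) -> bytes:
    """Prefix an SMB message with the 4-byte NetBIOS session header used on TCP/445."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command: int, status: int, flags: int) -> bytes:
    # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    return SMB1_MAGIC + struct.pack(SMB1_HEADER_FMT, command, status, flags,
                                    0xC853,  # unicode, NT status, ext. security, long names
                                    0, 0, 0, 0, 0xFEFF, 0, 0)


def build_smb1_negotiate(dialects=(NT_LM_012,)) -> bytes:
    """Build a NetBIOS-framed SMB1 Negotiate Protocol Request (MS-CIFS 2.2.4.52)."""
    header = _smb1_header(SMB_COM_NEGOTIATE, 0, 0x18)  # case-insensitive, canonical paths
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(dialect_blob)) + dialect_blob  # WordCount=0, ByteCount
    return _netbios(header + body)


def classify_negotiate_response(data: bytes) -> str:
    """Classify the raw bytes read back after the negotiate request.

    'smb1'         SMB1 header, status 0 and a dialect accepted: the SMBv1 stack is live
    'smb1-refused' SMB1 header but error status or DialectIndex 0xFFFF (no dialect accepted)
    'smb2'         SMB2 header: SMB1 is off, the server speaks SMB2+ only
    'none'         no SMB reply (reset, timeout, closed port, or something else entirely)
    """
    if len(data) < 4 + 32:
        return "none"
    smb = data[4:]  # drop the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "none"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0 or len(smb) < 35:
        return "smb1-refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1"


def probe_host(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect to host:port, send the SMB1 negotiate, and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError:
        data = b""  # refused, reset or timed out: Windows with SMB1 disabled resets the session
    return classify_negotiate_response(data)


# Constructed sample replies (not captured from any real host) to exercise the classifier.
SAMPLE_SMB1_ACCEPT = _netbios(
    _smb1_header(SMB_COM_NEGOTIATE, 0, 0x98)  # 0x80 = server reply
    + bytes([17])                              # WordCount is 17 for an NT LM 0.12 reply
    + struct.pack("<H", 0)                     # DialectIndex 0: our only dialect was accepted
    + b"\x00" * 32                             # remaining 16 words (security mode, MaxMpx, ...)
    + struct.pack("<H", 0)                     # ByteCount
)
SAMPLE_SMB1_REFUSED = _netbios(
    _smb1_header(SMB_COM_NEGOTIATE, 0, 0x98) + bytes([1]) + struct.pack("<H", 0xFFFF) + struct.pack("<H", 0)
)
SAMPLE_SMB2 = _netbios(SMB2_MAGIC + b"\x00" * 60)  # SMB2 header is 64 bytes; body irrelevant here


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("usage: python smb1_probe.py HOST [HOST ...]   (hostnames are yours to supply)")
        print("self-check on constructed samples:",
              classify_negotiate_response(SAMPLE_SMB1_ACCEPT),
              classify_negotiate_response(SAMPLE_SMB1_REFUSED),
              classify_negotiate_response(SAMPLE_SMB2))
    for target in targets:
        print(f"{target}: {probe_host(target)}")
```

Run it against your own address space only; every host reporting `smb1` should then be checked for MS17-010 and, where it is a medical or industrial device that cannot be patched, cut off from port 445 at the network boundary.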
“It is not a coincidence that these sectors are also the ones affected the most by ransomware like WannaCry, which rely on unpatched devices for their successful operation. In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions and cannot be updated without complete remodeling. These reasons are also the reason many of them don’t run any endpoint security, and thus are even more likely to be compromised by WannaCry, or similar malware,” added Seri.
Seri's team demonstrated that WannaCry is still operating: they set up an unpatched dummy Windows machine (a honeypot), and it was infected by WannaCry in no time. The copies of WannaCry still circulating on the Internet can no longer reach their command-and-control servers, which were taken down by the authorities, and the original kill-switch domain has been sinkholed since May 2017. The remnants nevertheless keep infecting systems, and the files they encrypt cannot be recovered even if the victim pays the Bitcoin ransom demand.
“Just as most organizations have not deployed security patches which were made available in the months between the EternalBlue exploit leak and the outbreak of WannaCry, a disturbing number of organizations still haven’t deployed the latest security patches. This too will likely go unpatched by most organizations, until an actual threat comes knocking on their doors. By then, unfortunately, it’s often too late,” concluded Seri.