Wannacry: An Analysis of Competing Hypotheses
On 12 May 2017, as the WannaCry ransomware spread through computer networks around the world, a variety of explanations also began to worm their way through the information security community. Who was responsible for the WannaCry campaign? And what was the objective? Ransomware suggested it was the work of cybercriminals, although, given the sheer scale of infections and disruption, some commentators suspected the hand of a nation state. Despite relentless analysis from the security research community that has brought fragments of new information to the fore, no consensus has yet been reached on an attribution for the campaign.
One of the most recent theories put forward rests on a possible connection between WannaCry and the Lazarus Group, an actor that has previously been linked with several high-profile network intrusions and assessed as highly likely to have some association with the Democratic People’s Republic of Korea (DPRK). Analysis has indicated that WannaCry samples from February 2017 contained a small section of code identical to code used in previous Lazarus campaigns. At the time of writing, however, we assessed there to be insufficient evidence to corroborate this attribution to the group, and alternative hypotheses should be considered. While malware may initially be developed and used by a single actor, this does not mean that it will permanently remain unique to that actor. Malware samples might be accidentally or intentionally leaked, stolen, sold, or used in independent operations by individual members of a group. It is therefore important to consider other factors, such as the consistency of an operation with previous activity attributed to an actor.
Digital Shadows has, therefore, applied the Analysis of Competing Hypotheses (ACH) technique to the information currently available. ACH uses a weighted inconsistency algorithm to assign numeric values – weighted by the assessed reliability and relevance of each data point – to represent how consistent the available evidence is with a given hypothesis. While the aim here was not to provide a conclusive attribution for the WannaCry campaign, this structured analytical technique allows us to assess the reliability and relevance of the data presented thus far, as well as make some tentative assessments about the type of actor most likely to have been behind last week’s attacks. We compared four hypotheses for the purposes of this exercise, namely that the campaign was the work of:
- A sophisticated financially-motivated cybercriminal actor – H1
- An unsophisticated financially-motivated cybercriminal actor – H2
- A nation state or state-affiliated actor conducting a disruptive operation – H3
- A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4
Using a mixture of primary and secondary reporting, as well as assessments from Digital Shadows analysts, we have included a collection of the most salient data points to have emerged at the time of writing. Alongside the widely discussed use of the DOUBLEPULSAR backdoor dropper, the ETERNALBLUE exploit, and the SMB vulnerability exploited for propagation, we have included several other pieces of evidence to drive our assessment. These are presented in the ACH table below, though some of the more significant points include:
- So-called “kill-switch” probably an anti-sandboxing feature – MalwareTech, who discovered the unregistered domain, now believes this was most likely included as a badly thought-out anti-analysis measure.
- Low number of Bitcoin wallets a result of an unintentional bug – Symantec have reported that the creation of only three Bitcoin wallets for victims to transfer payment into was the result of a bug in the malware’s code, referred to as a race condition.
- No evidence that the malware was delivered via phishing emails – IBM X-Force, for example, scanned over one billion emails passing through its honeypots and found no evidence suggesting spam/phishing was the initial infection vector.
- Unconfirmed links to Lazarus Group and North Korean campaigns – Some researchers have now claimed that WannaCry contained pieces of code previously associated with the Lazarus Group, as well as two malware variants (called Joanap and Brambul) used in attacks against South Korean organizations. This connection, however, was assessed to be primarily based on the ordering of ciphers and public libraries used by the Lazarus Group, and inconclusive at the time of writing.
ACH reveals the most plausible scenario is that an unsophisticated cybercriminal actor launched the WannaCry campaign
| Evidence | Source | Reliability | Relevance | H1 | H2 | H3 | H4 |
|---|---|---|---|---|---|---|---|
| Use of ETERNALBLUE Equation Group exploit | Secondary reporting | High | High | N | N | N | N |
| Installed DOUBLEPULSAR backdoor | Secondary | | | | | | |
| Exploitation of SMB vulnerability to propagate | Secondary reporting | High | High | N | N | N | N |
| ETERNALBLUE relatively easy to use | DS Assessment | High | Medium | N | N | N | N |
| Anti-analysis feature usable as kill-switch | Secondary | | | | | | |
| Samples first appeared in Feb 2017 | Primary | Medium | Medium | N | N | N | N |
| No evidence of phishing vector (untargeted spread) | Secondary reporting | High | High | I | C | I | C |
| No operator input needed for encryption | Secondary reporting | High | High | C | C | C | C |
| Victims who paid reportedly did not receive decryption keys | Primary | Medium | Medium | I | C | N | N |
| Only three BTC wallets produced due to race condition bug | Secondary reporting | High | High | I | C | I | I |
| Ransom demand 300 USD per machine rather than against individual organizations | Primary | High | High | I | C | N | N |
| Inefficient extortion approach | DS Assessment | High | Medium | I | C | N | N |
| Money had not been cashed out | Primary | High | High | I | C | N | N |
| Untargeted geographic distribution | DS Assessment | Medium | Medium | I | C | I | C |
| No resurgence of campaign | Primary and Secondary reporting | High | High | N | C | N | N |
| Lack of supporting media narrative | DS Assessment | Medium | Medium | N | N | N | I |
| Code links to Lazarus Group | Secondary reporting | Low | Medium | C | I | C | C |
| Code similarities with other North Korean operations | Secondary reporting | Medium | High | C | I | C | C |

Key:
- C – Evidence is consistent with hypothesis
- I – Evidence is inconsistent with hypothesis
- N – Evidence is neither consistent nor inconsistent with hypothesis
Figure 1 – ACH diagram
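As an added worked example (not Digital Shadows’ tooling or the post’s own calculation), the following scores the table above with the usual ACH weighted-inconsistency rule: every “I” cell adds reliability × relevance to that hypothesis, and the lowest total is the least inconsistent hypothesis. The numeric weights High=3, Medium=2, Low=1 are an assumption, since the post gives only qualitative ratings, and the two rows truncated on the page are left out.

```python
# Added example: weighted-inconsistency scoring of the post's ACH table.
# Assumed weights (the post only gives High/Medium/Low labels).
WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
HYPOTHESES = ["H1", "H2", "H3", "H4"]

# (evidence, reliability, relevance, H1..H4 cells) copied from the table;
# the two rows that are truncated on the page are omitted.
EVIDENCE = [
    ("Use of ETERNALBLUE exploit",            "High",   "High",   "NNNN"),
    ("Exploitation of SMB vuln to propagate", "High",   "High",   "NNNN"),
    ("ETERNALBLUE relatively easy to use",    "High",   "Medium", "NNNN"),
    ("Samples first appeared in Feb 2017",    "Medium", "Medium", "NNNN"),
    ("No evidence of phishing vector",        "High",   "High",   "ICIC"),
    ("No operator input needed",              "High",   "High",   "CCCC"),
    ("Payers did not receive keys",           "Medium", "Medium", "ICNN"),
    ("Only three BTC wallets (race bug)",     "High",   "High",   "ICII"),
    ("Ransom 300 USD per machine",            "High",   "High",   "ICNN"),
    ("Inefficient extortion approach",        "High",   "Medium", "ICNN"),
    ("Money had not been cashed out",         "High",   "High",   "ICNN"),
    ("Untargeted geographic distribution",    "Medium", "Medium", "ICIC"),
    ("No resurgence of campaign",             "High",   "High",   "NCNN"),
    ("Lack of supporting media narrative",    "Medium", "Medium", "NNNI"),
    ("Code links to Lazarus Group",           "Low",    "Medium", "CICC"),
    ("Code similarities with other DPRK ops", "Medium", "High",   "CICC"),
]


def inconsistency_scores(rows=EVIDENCE):
    """Weighted inconsistency per hypothesis: each 'I' cell adds
    reliability * relevance; 'C' and 'N' cells add nothing. Lower is better."""
    scores = {h: 0 for h in HYPOTHESES}
    for _name, reliability, relevance, cells in rows:
        weight = WEIGHT[reliability] * WEIGHT[relevance]
        for hypothesis, cell in zip(HYPOTHESES, cells):
            if cell == "I":
                scores[hypothesis] += weight
    return scores


def ranked(rows=EVIDENCE):
    """Hypotheses ordered from least to most inconsistent with the evidence."""
    scores = inconsistency_scores(rows)
    return sorted(HYPOTHESES, key=lambda h: scores[h])


if __name__ == "__main__":
    for hypothesis, score in inconsistency_scores().items():
        print(f"{hypothesis}: {score}")
    print("ranking (least inconsistent first):", ranked())
```

Under these assumed weights H2 scores 8 against 13 for H4, 22 for H3 and 50 for H1; re-running with the two Lazarus code rows upgraded to High/High lifts H2 to 18 and puts it behind H4, which shows how much the ranking hinges on the reliability assigned to those code overlaps.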
Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available. While there were numerous data points that were consistent with this assessment, a few stand out:
- Coordination and implementation of the campaign was relatively poor: victims who paid reportedly did not receive decryption keys
- No discernible pattern to the organizations that were targeted
- Only three Bitcoin wallets were created for the receipt of payment
- An inability to monetize effectively
- Failed anti-sandboxing measure and race condition bug
These inconsistencies are not errors we normally associate with a sophisticated cybercriminal operation. The Carbanak (AKA Anunak) organized criminal group, in comparison, are known for conducting highly-targeted, lucrative, and efficient operations relying on the strategic use of social engineering attacks and network intrusions that more resemble the tactics used by Advanced Persistent Threat (APT) groups.
H3 and H4, which posit that the campaign was the work of a state-affiliated actor, also contain inconsistencies:
- If the attacks were aimed to discredit the NSA (H4), then why the lack of a supporting media narrative driving this message home? In the 2016 attacks on the US Presidential election, for example, network intrusions against the Democratic Party and subsequent data leaks were accompanied by blog posts and media commentary critical of Hillary Clinton. Were this to be a nation state campaign intended to cause disruption (H3), we would also expect to see some level of target specification alongside clear campaign objectives.
- During their previous destructive campaigns, the Lazarus Group, for example, have generally displayed a consistent level of geographic targeting – primarily against organizations in South Korea and the US. Specific industries such as media companies, financial institutions and critical national infrastructure have been the main targets of attack, but in the case of WannaCry, infections were widely distributed across the world, and the malware appeared to spread virtually indiscriminately with no control by its operators. Had the attackers used a phishing vector, they would have been able to limit the malware’s capability to spread outside a network and instead used spear phishing emails to target selected organizations.
Such tactics would have been more consistent with the activities of a sophisticated criminal outfit or a technically-competent nation-state actor.
It is entirely possible that new information will come to light in future that further supports, or even discredits, some of the hypotheses proposed in this exercise. While attribution may be exciting and fulfil our insatiable desire to put a face to the crime, perhaps what is more important in this instance is reviewing what lessons we can learn from the WannaCry campaign. (For this we advise checking out the recent blog from the Digital Shadows Security Engineering Team, which outlines five fundamental and widely used security principles that apply across different types of attackers, be it nation state or petty cybercriminal.)