Regular readers of Rapid7 blogger ramblings will likely remember — albeit not too fondly — our WannaCry coverage this time last year. If you’re new to the blog or have repressed all memory of this harrowing past event, the TL;DR is that in April of 2017 the Shadow Brokers released some exploits that were later used by some malfeasants to create a fairly devastating ransomworm (which, incidentally, coined the term “ransomworm”). [Most of] the rest of us were spared significant harm due to the fast-thinking on the part of one security researcher who stood up a kill switch domain which the WannaCry malware checked for the existence of before bringing on the chaos to individual systems.
It’s hard to definitively suggest the success of WannaCry spurred the creation and launch of NotPetya attacks but their proximity suggests attackers learned from both the success and rookie-mistakes of the WannaCry perpetrators and leveled-up a bit before wreaking havoc of their own.
It’s Getting Better, Right?
In a word: no.
In our coverage last year we noted that the Shadow Brokers dump combined with WannaCry had a net-positive impact on the cadre of open SMB servers on the internet. What does the view look like one year later?
The United States still leads the pack when it comes to exposure:
...but the internet is still holding steady at about 500K exposed Microsoft SMB servers just ready to help cause damage.
But, Shadow Brokers Exploits Are Old News, Right?
SMB is a pretty choice target and we’ve tuned Project Heisenberg to watch for exploits that contain traces of EternalBlue. As you can see, EternalBlue is living up to the “Eternal” part pretty well so far:
Is There Any Hope?
We’d like to close with a message of hope but 2018 has seen both corporations and municipalities hit with Wannacry — yes, WannaCry. Despite all the warnings and costly infections of WannaCry and NotPetya in 2017, other municipalities were hit with equally powerful ransomware attacks.
The best we can leave you with is this call to action on the first WannaCryversery: take some focused time and effort to honestly assess your IT and application development/deployment practices with an eye for threat modeling a ransomware / ransomworm attack. Identify the areas that need improvement and start working on project plans to fix issues, even if they are systemic, longstanding issues. This includes ensuring you have a solid backup, continuity and disaster recovery (BCDR) plan that is honestly validated (i.e. no more rigging the tests to pass audits!).
The threat of ransomware will be with us for quite a while as it’s a lucrative and relatively easy path for attackers. The good news is that with some preparation and attention to detail, you need not suffer too greatly and can use your operational excellence to thwart these criminal intentions.