WannaCry: A Throwback to the Past and a Vision of the Future

There has been significant news coverage over the past week of the "WannaCry" ransomware that has infected Windows computers worldwide. For those that missed the story, the vulnerability being exploited by WannaCry was made public as part of "The Shadow Brokers" (TSB) data breach earlier this year. The Shadow Brokers is a hacker group who first appeared in the summer of 2016 and published several leaks containing some of the National Security Agency's (NSA) hacking tools, including several zero-day exploits for Windows. While Microsoft patched the Microsoft Windows SMB Server vulnerability in March 2017 (MS17-010), enterprises and individual users who have not applied the patch have left large numbers of computers around the world vulnerable.

When WannaCry started disrupting business operations, mobile devices enabled some work to continue. However, the vast majority of business are unprepared for a similar attack on mobile, even though securing endpoints is a lesson that we all learned 15 years ago.

WannaCry is a reminder of the mass-spreading worms of the early 2000's when threats like Code Red, SQL Slammer and MS Blaster ruled the computer security news cycles. In fact, the spread and infection rates are similar between those threats and how we are seeing the WannaCry campaign develop.

Inspired by @daviottenheimer

While WannaCry has severely impacted many hospitals and caused businesses to shut down in the past few days to rid themselves of the infection, it hasn't been as widespread a problem as it would have been a decade ago.

In fact, most users and even enterprises who are affected by WannaCry would be able to perform many of their computing functions today, because they can be almost as productive on mobile - maintaining access to their email, text messages, social media, etc on their mobile devices - as they are on their desktop.

Imagine that WannaCry affected mobile devices on the same scale as it has Windows. Ransomware on mobile is a real threat, especially on Android, where we have seen several malware families including ScarePakage, ColdBrother, and Koler over the past four years. We have even seen styles of mass-spreading malware that relied on social engineering (rather than exploiting a vulnerability) on the mobile platform.

If WannaCry were to happen on mobile, the spread of the worm probably wouldn't have been over a simple network protocol now that we have firewalls with host- and network-based IDS/IPS that can be used as complementary controls to detect and protect against its spread. Instead, the threat would have spread between devices via SMS or other messaging protocol, which most security organizations have no visibility into.

In a WannaCry scenario on mobile, most users would be seriously impaired. In fact, most of us are unable to even log in to our enterprise network without the two factor token on our mobile devices. Services like Google Maps, Uber/Lyft, and telephone apps are exclusive to mobile and integral to our daily lives. A ransomware outbreak that spread quickly from mobile to mobile, and denied service to the device itself, would cause massive disruption to many people's daily lives to the point that most people would not be able to even call 911 in an emergency because their only phone is a mobile device.

Screen lock message from ColdBrother malware family on Android

Since the days of Slammer & Blaster we've largely become resilient to attacks against our Windows infrastructure. But this attack highlights the importance of the mobile platform along with its fragility. While we've spent 15 years building an environment where we can detect and respond to this type of attack in our traditional environment, most enterprises don't have those capabilities on mobile.

Organizations who don't have a threat defense solution deployed on their mobile fleet will be unable to prepare for, detect, or protect their devices in that situation.  If the last 20 years of computer security tells me anything, it's that a WannaCry-style attack against the mobile platform is a matter of "when," not "if."