Vendors will break WannaCry’s encryption within months, strategist predicts

The heat is on the ransomware’s creators – but it’s not clear whether they will crack under pressure, or redouble their efforts

Concerted industry efforts are likely to produce a decryption tool for the WannaCry ransomware attack within months, the head of one vendor’s security team has predicted while warning that the attack’s emboldened creators may be using it as a distraction for other malicious activity.

Every security vendor has turned its sights to reverse-engineering the WannaCry code in the wake of its high-profile worldwide outbreak, Bitdefender chief security strategist Catalin Cosoi told CSO Australia, and the sheer numbers pitted against it meant a solution was going to happen one way or another.

“There is a war room in every security vendor’s offices,” Cosoi explained. “At some point it will open up – and while I’m not saying we will necessarily be the ones to do it, it will be a joint effort. These guys caused too much attention for us to not find a solution to the problem.”

Whether through sheer determination or by exploiting flaws in the ransomware’s own code, researchers have previously succeeded in developing decryption tools for victims of ransomware families including TeslaCrypt, CryptXXX and CryptoLocker.

In the case of TeslaCrypt, the crack came after the ransomware’s authors gave researchers the encryption key they had used – leading Cosoi to suggest that even WannaCry’s creators may end up pulling the plug in a similar way if they feel the attack has blown way out of control. This might be in exchange for a reduced penalty if they are caught, or simply because they are worried that the attack is causing much more damage than they ever expected.

Another possible scenario bodes much more poorly for victims, with Cosoi warning that the whole thing may be a distraction. “Since the entire industry is focusing on this ransomware,” he said, “it may be that other perpetrators are working their way around in a targeted attack on an institution where they want to steal something very important.”

The attack has served as a painful reminder of the importance of patching for companies that failed to update their old Windows systems – which WannaCry targets – and have often left them unchanged for years. Yet with the worm still very much in play, and its creators likely to be reworking their use of the NSA-originated EternalBlue exploit, even companies that have patched their systems may be left exposed, and many in the industry are warning that the worst may well be yet to come.

The success of WannaCry confirms earlier predictions, such as an analysis by the Institute for Critical Infrastructure Technology (ICIT) that predicted 2016 would be “the year ransomware holds America hostage”.

“One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence,” the report noted. “Attacks are more successful when effective countermeasures are not in place. Information security systems exist to detect and mitigate threats, to prevent data modification, to question unusual behavior, etc.”

“After it is on a system, ransomware bypasses many of these controls because it effectively acts as a security application. It denies access to data or encrypts the data. The only difference is that the owner of the system does not own the control.”

Ultimately, the runaway success of the WannaCry ransomware has not only served as a wakeup call to businesses but has also forced the security industry to reassess its approach to handling vulnerabilities. The damage it has caused might, for example, create additional impetus for mandatory software updates that vendors have previously been reluctant to push onto users.

Whatever change comes from WannaCry – and however long it takes to crack as law enforcement picks up the investigation – Cosoi says the incident will be remembered for a long time to come.

“A phenomenon like this happens once every five years,” he said. “Since it has been a very media-ised event, it will be a wakeup call for all those people believing that nobody will target them – which is often why they didn’t update their systems. It’s a reminder for institutions and companies that security isn’t a joke – and that something will eventually happen that will bite you on the arse.”