The WannaCry ransomware outbreak a week ago could well have been an exploratory run before something much more devastating, according to a senior figure in the anti-malware industry.
Trend Micro senior architect Jon Oliver told iTWire that this conclusion was warranted by the fact that though WannaCry gained a very high profile due to the targets it hit and the subsequent media coverage, the financial returns to the attackers — which he said were always the main game these days — were poor.
Additionally, the inclusion of a domain name in the code that would serve as a kill switch when it was operational spoke of the amateurishness of the attempt, he added.
WannaCry hit Europe mainly on 20 May and subsided over the weekend after a British security researcher found a URL within the malware code and registered this domain. WannaCry used an NSA exploit to infect Windows machines that were not patched against a particular SMB vulnerability.
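Because the malware resolves the kill-switch domain before deciding whether to run, a DNS lookup for that domain from an internal host is a usable indicator of which machines were hit once the domain has been registered and sinkholed. The following is an added example, not code from the article or from Trend Micro: it parses constructed BIND-style query-log lines and reports the hosts that looked up an assumed placeholder domain (the article does not name the real one), so a defender can triage those hosts for missing SMB patches.

```python
import re
from collections import defaultdict

# Placeholder; the real kill-switch domain is not given in the article.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Assumed BIND-style query log line:
#   "client 10.0.0.5#51234: query: host.example IN A +"
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+)\s+IN\s+(?P<qtype>\w+)"
)


def find_kill_switch_lookups(log_lines, domain=KILL_SWITCH_DOMAIN):
    """Return {source_ip: lookup_count} for hosts that resolved the kill-switch domain.

    After the domain is sinkholed, an infected host still resolves it before the
    payload exits, so each lookup marks a machine on which the dropper ran.
    """
    hits = defaultdict(int)
    wanted = domain.rstrip(".").lower()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # unrelated or malformed log line
        # Normalise trailing dot and case so FQDN variants still match.
        qname = m.group("qname").rstrip(".").lower()
        if qname == wanted:
            hits[m.group("src")] += 1
    return dict(hits)


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "20-May-2017 10:01:02.123 client 10.0.0.5#51234: query: killswitch-domain.example IN A +",
    "20-May-2017 10:01:03.456 client 10.0.0.7#40001: query: update.windows.example IN A +",
    "20-May-2017 10:01:04.789 client 10.0.0.5#51240: query: killswitch-domain.example. IN A +",
    "20-May-2017 10:01:05.000 client 10.0.0.9#33000: query: KILLSWITCH-DOMAIN.EXAMPLE IN AAAA +",
    "garbage line that does not match the query format",
]

if __name__ == "__main__":
    for host, n in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{host}: {n} kill-switch lookup(s); check SMB patch level and look for silent backdoors")
```

The same pass over real resolver logs will miss hosts whose DNS never reaches the logging resolver, so treat an empty result as inconclusive rather than clean.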
Oliver pointed out that there had been two other cases of malware using the same NSA exploit: UIWIX and EternalRocks. Another malware known as Adylkuzz has been said by others to have used the NSA exploit to gain entry into vulnerable machines and use their computing power to mine for the Monero cryptocurrency.
EternalRocks opened up entry points into vulnerable Windows machines silently, and hence users were not aware of its presence. This was, in the end, a much more potent threat, Oliver said.
He pointed to a blog post that commented: "When threat actors get into a system and don’t drop a malicious payload, it brings up the potential that they’re leaving behind something else in turn.
"It’s possible that the attackers are preparing the network for future use. It could also be a distraction while other vulnerabilities are being exploited while no one is watching."
Asked why WannaCry had not affected the US, Oliver said there were a number of reasons that could be cited. For one, the weekend got in the way, and once Monday (23 May) arrived, the malware had been more or less neutralised.
But, he said, there was a possibility that the target had always been intended to be Europe; this also tied in with the reasoning that this could be a trial run.