It’s been a few days since the ransomware WannaCry wreaked havoc across the globe. Now after a few nights of rest, I want to reflect on what this incident means for the state of cyber security.
Yes, it is true that this attack utilized a well-known unpatched vulnerability to spread laterally within an organization. Ransomware is not a new attack, but this particular case is unique because of its reliance on the recent NSA leak. I want to emphasize here that the NSA invested a massive amount of time and effort to discover this nation-state vulnerability.
You can find more details about the NSA leak here – http://bit.ly/ShadowBrokers-NSA
Can you recall the last time an attack of this magnitude was executed on a global scale, utilizing a rare unknown vulnerability to spread laterally inside the organization? No?
Ok, let me remind you.
It was 10 years ago. Back when the 2008 financial crisis hit.
This is to show you just how rare of an occasion it is.
The solution to this problem is simple: patch the vulnerability. It’s the same as it was then and the same as it is now.
But what if I told you that there is a built-in capability to spread laterally inside each and every corporation AND government around the world... and that it’s been there for the past 17 years (back when I had my bar mitzvah)?
Would you call me crazy?
No, this is not a figment of my imagination. This is real.
It’s called the Active Directory.
Attackers don’t need to rely on nation-state zero days or unpatched vulnerabilities to spread laterally within the corporation. They just need to manipulate the Corporate Domain, which is managed by Active Directory, in their favor, steal credentials, and spread laterally.
The most successful APTs use this methodology to stay undetected and achieve their goal.
The day is not far when attackers will learn to combine these two methodologies—Active Directory manipulation and ransomware monetization—to demand even bigger sums of money.
When these two methodologies are combined, attackers are able to encrypt the entire corporation at once from the inside.
In fact, we have already seen this happen back in 2015 with Samas ransomware. With only one campaign in the United States, the group racked up $450,000 in ransom. http://bit.ly/SAMAS-RANSOM
WannaCry, on the other hand, has only been able to rack up $60,000 so far, and their attack was carried out on a global scale.
So imagine what will happen when attackers use the Active Directory to spread ransomware everywhere inside.
But we cannot leave this to imagination because this is what’s coming next.
This is the next wave of ransomware.