ADVERT

Cylance
Heise The Register
WannaCry: When the Malware of Today Is No Match For Yesterday’s AI

WannaCry was the nastiest piece of malware the Internet has seen in a long time

It took the world by surprise and made international headlines. It felled computers by the thousands in hours, leaving customers bewildered and cybersecurity companies wringing their hands. Unfortunately, most companies didn’t see it coming because cybersecurity tools and techniques have a habit of looking backward, rather than forward.

So how were some vendors protecting against it as early as 2015, long before its conception? The advent of cybersecurity solutions based on artificial intelligence (AI) has enabled companies to harness the power of prediction.

Malware like WannaCry doesn’t come around very often. Ransomware variants are two-a-penny these days, but the worm functionality that caused it to spread so quickly is still considered to be rare.

Occasionally, someone finds a vulnerability that enables software to infect a computer and then spread quickly to other machines on a network without any human interaction. We’ve seen it several times over the years, with worms like the Melissa virus, Code Red, and Conficker.

WannaCry took advantage of a vulnerability in the Server Message Block (SMB), a protocol that Windows uses for sharing files over a network. An attacker can take control of a computer by sending specific messages via older versions of SMB, such as those found in Windows XP, 7, and 8.

The U.S. National Security Agency (NSA) had originally discovered this vulnerability and weaponized it, for its own use, in an exploit called EternalBlue. But an anonymous group that calls itself The Shadow Brokers stole details of this exploit, along with many others, in a digital heist in 2016, and has been regularly publishing that information online.

Once it had infected a machine, WannaCry scanned for other computers on the same network and used the SMB vulnerability to infect them. It also probed randomly chosen addresses on the broader Internet for further computers to infect, which is one of the tricks that allowed the malware to spread so quickly.

The first WannaCry infections began in Europe. The ransomware mobilized quickly using its propagation code. It turned up the same day in both the U.K. and Spain. Spanish telco Telefonica reported that it had been hit, and National Health Service (NHS) employees in the U.K. said that they had been infected via an initial phishing attack. From there, the worm spread quickly inside the organization, crippling clinics by locking up patient files.

Nissan’s Sunderland production plant ground to a halt, and Renault suspended operations across Europe to prevent its spread. It affected German railways and even reached as far as China and Russia, the latter reporting infections in its interior ministry.

By May 14, WannaCry had reached 200,000 victims in 150 countries, according to Europol, and even the U.S. Department of Homeland Security (DHS) posted a memo warning about it.

Microsoft moved quickly to fix the problem, issuing an emergency patch even for Windows XP, which illustrates the severity of the situation: that operating system is no longer officially supported outside of custom support contracts.

However, the central tragedy of WannaCry is that it was preventable on systems other than XP long before it was released. Microsoft had publicly announced and patched the vulnerability that EternalBlue exploited in March, almost two full months before the worm appeared in the wild.

Why wasn’t it patched? Unless you’re a single user or a very small business, patching isn’t a simple, one-step solution. Patches must be tested, and many enterprises must align them with strict change management procedures, creating internal patching cycles that can take 90 days or more.

Why didn’t traditional antivirus software save people from WannaCry? Most antivirus software is driven by signature analysis, meaning that vendors need to update their signature files with a new strain’s unique digital footprint before their products can detect it. Then, those file updates have to be pushed out.

Even in the best-case scenario, the signature scanning approach invariably means that some computers are sacrificed when a new malware strain first appears. With WannaCry, that process simply didn’t work quickly enough to catch the worm’s initial, aggressive spread.

Traditional antivirus vendors often boast of heuristics analysis that can spot suspicious behavior on a computer and stamp it out. It’s hard to think of any behavior more suspicious than sending out malformed messages on a known vulnerable protocol to hundreds of machines on your local network, yet hundreds of thousands of computers were infected.
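As an added illustration of the behavioural signal just described (example code written for this page, not part of the article or of any Cylance product), here is a small Python detector that reads constructed connection-log lines and flags any host that attempts SMB (TCP/445) connections to many distinct destinations within a short window, the fan-out pattern of the worm described above. The log line format, the 60-second window and the 20-host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout_alerts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 within any
    sliding time window. Returns {src_ip: peak distinct targets} for flagged sources.
    Retries to the same target count once, so a chatty client is not an alert."""
    events = defaultdict(list)          # src_ip -> [(timestamp, dst_ip), ...]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()                      # order by timestamp
        peak, left = 0, 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1               # slide the window's left edge forward
            distinct = len({dst for _, dst in evs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts

def build_sample():
    """Constructed connection log: one normal client talking to two file servers,
    and one host sweeping the whole /24 on port 445 in 30 seconds."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i, dst in enumerate(["10.0.0.20", "10.0.0.21", "10.0.0.20"]):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 {dst} 445")
    for i in range(1, 255):
        ts = base + timedelta(seconds=i * 30 / 254)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.0.{i} 445")
    return lines

if __name__ == "__main__":
    for src, peak in smb_fanout_alerts(build_sample()).items():
        print(f"ALERT {src}: {peak} distinct SMB targets within 60s")
```

On real flow or firewall logs the same logic runs per source host; the threshold should sit well above the number of file servers a normal client touches in a minute.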

WannaCry’s rapid spread, and the fact that patches were available for weeks prior, demonstrates the reactive stance the business community has taken to cyberattacks.

Attackers are now evolving at a blinding pace. Not only do they have their own, highly innovative teams, but they are now able to draw on highly classified, nation-state weaponry. Those who wait for an attack to emerge and then react to it simply don’t stand a chance.

Wouldn’t it be more powerful to flip our industry’s stance entirely, and become predictive rather than reactive? Being ready for attacks long before they make headlines would save us from debilitating, or in some cases, paralyzing attacks like ransomware, and worse.

Instead of looking for file signatures or relying entirely on heuristics, we need to acknowledge that malware volumes are growing, and that depending on those techniques alone can leave organizations more vulnerable to attack. The current era of AI-based technologies gives us a way to do better.

By analysing thousands of files and modelling their characteristics, AI-based threat analysis builds up a constantly evolving picture of what a malicious file looks like. It can apply this statistical model locally, the first time it sees a file, to score the risk that the file will behave maliciously.

The AI-based approach genuinely provides the ability to predict attacks well before they have been dreamt up by an attacker, which means no more sacrificial victims, and no scrambling to the cloud for real-time updates to avoid infection. No more having to hope that your vendor beats the attacker in a head-to-head race for control of your machine.

How far ahead of the game can AI get you? Cylance® calculates this, referring to it as Temporal Predictive Advantage (TPA). When it sees a new malware strain making the headlines, the Cylance team goes back and tries it against historical releases of its machine learning model to determine which one would have spotted it first.

With WannaCry, the TPA was 14 months for users of Windows XP SP2. Long before Microsoft disclosed the vulnerability, and long before The Shadow Brokers dropped their treasure chest of exploit files, Cylance’s AI-based CylancePROTECT endpoint protection was already protecting users against WannaCry. Its performance is similar, if not better, for other malware: Cylance had a TPA of 18 months for Goldeneye, another malware strain that caused grief for many customers.

Who said there was no such thing as a crystal ball?
