APAC accounted for 10% of global WannaCry infections

While damage caused by the ransomware attack in the region is subdued for now, its emergence has brought the issue of software patching to the fore

WannaCry’s spread in Asia-Pacific (APAC) accounted for just 10% of detections worldwide, indicating the ransomware’s limited reach in the region, according to a new study by Malwarebytes, a supplier of anti-malware products.

Its study showed that the top APAC country hit by WannaCry was India, where infections made up 26.7% of the total number in the region and 2.8% of the global total.

Singapore and South Korea were least hit, accounting for 0.12% and 0.04% of global infections, respectively.

Among the organisations infected were two malls in Singapore and a major South Korean theatre chain. The malware also prompted the shutdown of hundreds of ATMs across India.

According to Malwarebytes, malware attacks tend to target Europe and the US before moving on to other areas, such as the Middle East and APAC.

This is largely a case of cyber crime “following the money”, with threat actors first eyeing more affluent geographies, Malwarebytes’ area vice president and APAC managing director Jeff Hurmuses told Computer Weekly.

“It is possible that the initial wave was focused on the Western hemisphere, with Asia to be targeted in subsequent waves,” Hurmuses said. “This would be a likely scenario if phishing was the main means of distribution.”

However, cyber security experts have ruled out phishing as a vector for infection. Instead, they have pinned the blame on a vulnerable server message block (SMB) protocol that is commonly used to share files on Microsoft Windows computers.

A more likely explanation is that WannaCry began making waves on Friday, 12 May, which was early Saturday morning in the APAC region, Hurmuses said. “This is likely to have mitigated the spread somewhat, as most businesses were offline.”

The threat was further contained by the ransomware’s kill switch, which was discovered by a 22-year-old in southwest England who works for Kryptos Logic, a US-based threat intelligence firm.

“The combination of the two factors could have led to a reduction in incidents, especially since business networks tended to be the ones more easily compromised via the SMB port exploit,” Hurmuses said.

Although the damage caused by WannaCry in APAC has been minimal for now, experts have warned of at least two variants of the malware in circulation. “It is more than likely that threat actors will continue to evolve and adapt the malware to ensure it remains a threat,” Hurmuses said.

Indeed, it now appears that the WannaCry attack was just a smokescreen for the stealthy crypto-currency miner Adylkuzz, according to cyber security company McAfee.

Adylkuzz rides on the same Microsoft vulnerability as WannaCry, but uses an infected machine’s resources to mine for Monero, a type of crypto-currency.

The malware is believed to have infected far more machines because it was allowed to run free while everyone was focused on dealing with WannaCry, which was actually just a distraction, said McAfee.

“Organisations should never conclude that the absence of a major cyber attack means they have effective cyber defences,” said Steve Grobman, senior vice-president and chief technology officer at McAfee.

“WannaCry and Adylkuzz show how important security patches are in building and maintaining those effective defences, and why regular patching plans to mitigate environment vulnerabilities need to become a higher priority,” he added.

To patch or not to patch

The latest ransomware attacks have brought the issue of software patching to the fore. In large organisations, patches for software vulnerabilities are often tested extensively for compatibility with other applications before they are applied. Meanwhile, organisations run the risk of falling prey to software bugs that can be exploited by cyber criminals.

“Whenever there is a patch that must be applied, there is a risk associated with both applying and not applying it,” said Grobman. “IT managers need to understand what those levels of risk are, and then make a decision that minimises the risk for their organisation.”

Grobman said one difference between Adylkuzz and WannaCry is that it is advantageous for Adylkuzz to remain undetected and run as long as possible to maximise the amount of time a machine can be used for mining.

“This creates an incentive for the cyber criminals behind Adylkuzz to cause minimal damage and fly under the radar, whereas WannaCry loudly informs the user that a compromise has occurred and causes massive destruction to the data on a platform,” he said.

“WannaCry and Adylkuzz are the latest reminders of how the ‘to patch or not to patch’ risk analysis needs to be rethought within organisations worldwide.”