How the nastiest ransomware and flaws get their names
Which one of these was not the name of an attack/flaw: Heartbleed, Masacre3, Venom, Petya, Frogwarts?
Monsters used to live under the bed. Now they live in computers. It's up to the ones who find them lurking or the ones who created their presence to give them an identity, to give them a name.
If a name doesn't come from its malicious creator, it most likely comes from a security researcher. Researchers are great at, well, research and are sometimes the best candidates to name the ghouls that cost industries billions.
Malware, ransomware, vulnerabilities and hacker groups all crave identifiers. Often, names are given in an effort to promote publicity and awareness. Names that are catchy and clever will always receive more publicity compared to those derived from a "stodgy cybersecurity company," Mark Sangster, VP and industry security strategist at eSentire, said in an interview with CIO Dive.
There are standard naming conventions like the Common Malware Enumeration that "provide unique, common identifiers to new malware threats for the benefit of the public."
A name from the Enumeration can be "boring as all heck," said Sangster, because threats are categorized in a way similar to how the animal kingdom is organized by scientific names.
For example, classifying a threat as adware, malware, spyware, a trojan, a virus or a worm is one of the first steps in attributing it to an existing family or stylized attack.
Malware, vulnerabilities and bugs have to be identified by type, platform, family name, variant and other relevant details. It's like the scientific naming of species and subspecies.
Names can therefore be based on the predominant behavior or activity as discovered by researchers or by "rock star perpetrators" who seek recognition through the name of their code, said Sangster.
In naming cyberattacks and flaws, hackers and researchers are given the chance to flaunt their creativity.
Here's how five of the nastiest ransomware vulnerabilities got their names:
How it works: Attackers could read data straight out of a server's memory through the Heartbleed vulnerability. Data that should have been protected by encryption could be read in plaintext. The vulnerability was publicized with a bleeding heart logo as a reflection of its name.
How it earned its name: Hackers would ping servers from their computers and look for a response. Their software was able to recognize when it got a response and would reciprocate with data. Essentially, the process "would mimic a heartbeat," said Sangster.
Analysts picked up an "echoey signal," thus cementing its Heartbleed name in cyber history, he said.
Software security company Codenomicon named Heartbleed after its beating heart-like process: "send it, receive it, send it, receive it," said Sangster.
Born: 2014. Died: The beat goes on. The bug has been "out in the wild" since 2011 in OpenSSL, and as long as there are vulnerable versions of OpenSSL in use, the flaw can still be exploited.
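To make the "heartbeat" mechanism concrete, here is a small C model added by the editor; it is not OpenSSL's code and not part of the article. It models a heartbeat responder that echoes a payload whose length the peer declares, and contrasts the unchecked version with the bounds check that closes the hole. The record layout and the memory contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory image: a 5-byte heartbeat record (a 2-byte claimed
 * payload length, then the 3-byte payload "hi!" that actually arrived),
 * immediately followed by data the server never meant to send. */
static const uint8_t memory_image[] = {
    0x00, 0x20,               /* claimed payload length: 32 bytes */
    'h', 'i', '!',            /* actual payload: only 3 bytes arrived */
    'S','E','C','R','E','T','-','K','E','Y','-','1','2','3','4','5',
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q'
};
#define RECORD_LEN 5          /* bytes that really came off the wire */

/* A well-formed record whose claimed length matches what arrived. */
static const uint8_t honest_record[] = { 0x00, 0x03, 'h', 'i', '!' };

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Vulnerable responder: echoes as many bytes as the peer claims, never
 * checking that claim against the size of the record it received.  The
 * copy runs past the record and returns whatever sits in memory after it. */
size_t heartbeat_vuln(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t n = claimed_len(rec);
    (void)rec_len;                 /* the received length is ignored: the bug */
    memcpy(out, rec + 2, n);       /* over-reads beyond the 5-byte record */
    return n;
}

/* Hardened responder: a claimed length larger than the record is a
 * malformed heartbeat, so it is dropped instead of answered. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 2) return 0;               /* no room for a length field */
    size_t n = claimed_len(rec);
    if (2 + n > rec_len) return 0;           /* claim exceeds the record */
    memcpy(out, rec + 2, n);
    return n;
}
```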
How it works: Last year's NotPetya, or Nyetya, is a strain of the original Petya attack. It was disguised as a ransomware but ultimately wiped its victims' computers clean whether they paid the ransom or not.
Call it junior: Kaspersky Labs coined the name NotPetya, though Janus Cybercrime Solutions' Twitter account slyly reemerged the day after the global ransomware attack with a cheeky tweet.
The backdrop: Janus is a company or group of "bad guys" who brand and run themselves like a startup, according to Sangster. Janus franchises its activity, which is important because the group "created a viable business model behind it," he said.
Nyetya has a "touch of bravado," and the group brands itself as Russian, hence the Petya name. The group's logo features the USSR hammer and sickle, is Cyrillic-looking and "it just screams Russia," said Sangster.
Met the public: 2017. Died: No graveyard can hold it. Companies like Maersk had to make "herculean" recoveries in the days after Nyetya, and 2017's ransomware has spawned a new form of monetary threat: cryptomining.
How it works: Meltdown was found alongside Spectre, but Meltdown is the more serious of the two. Meltdown "breaks the most fundamental isolation between user applications and operating systems," leaving a computer's memory vulnerable to intrusion.
You find it, you name it: The Meltdown and Spectre vulnerabilities started 2018 off with a bang. The security flaws were named by the researchers who discovered them, including Thomas Prescher, researcher at Cyberus.
Discovering Meltdown was a "lucky coincidence" for Prescher and one done without any "insight into the Intel architecture," he said. The most readable names are the ones that will get picked up by the media, as opposed to their registered Common Vulnerabilities and Exposures (CVE) names, he told CIO Dive.
Meltdown was named to help people who are unfamiliar with "CPU microarchitecture to identify the issue across multiple articles," he said. From there, the Meltdown discovery could be passed along to the impacted chip manufacturers and then the public.
How it works: WannaCry was attached to the Eternal Blue exploit, which aided in its spread.
Wipe away those tears: Hackers took the initiative to name the ransomware attack by essentially saying, "we're going to hurt you so bad you're gonna wanna cry," in a locking screen on a victim's computer, said Sangster. Some users may have seen ".WCRY" as an extension attached to their file names.
The ransomware was an escalation from WannaCrypt and was renamed because it was more painful in comparison.
Just plain mean: The attack highlighted a change in hacker motives. It was no longer about how much money they could steal, but how devastating the attack could be.
WannaCry was famously the appetizer to Nyetya in 2017, and as hackers "upped their cruelty," said Sangster, "the stakes got higher."
Met the public: 2017. Died: Tears keep it alive. A kill switch was found not long after it began spreading; it was most likely a case of negligence from its creators. However, Boeing was still hit by WannaCry earlier this year.
How it works: ShellShock is a member of the CVE-2014-6271 bug family, according to Symantec, but its name is more or less playful. The vulnerability impacts the PowerShell component in Unix and Linux.
The vulnerability gives a nod to traditional CVE naming conventions, but it's also a pun that plays on the whole concept of a PowerShell and war terminology.
Simply stated: When the vulnerability made its public debut, security researchers expected hackers to work quickly to abuse unpatched computers, leaving their victims in "ShellShock."
Met the public: 2014. Died: Every time an update isn't done, it rises. Users had to update their version of Bash, a command processor, and apply available patches.
Answer: Consider this our Halloween trick. Masacre3 and Frogwarts are not known named attacks. As Harry Potter fans, we are particularly inclined to like Frogwarts.
Follow Samantha Ann Schwartz on Twitter