Screenshot of the ransom note left on an infected system
|Date||12 May 2017–present|
|Also known as||WannaCrypt, WanaCrypt0r. WCRY|
|Theme||Ransomware encrypting files with $200 – $1200 demand|
|Outcome||Over 200,000 victims and more than 230,000 computers infected|
The WannaCry ransomware attack is an ongoing cyberattack of the WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware computer worm, targeting the Microsoft Windows operating system, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.
The attack started on Friday, 12 May 2017 and has been described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries. The worst-hit countries are reported to be Russia, Ukraine, India and Taiwan, but parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx, Deutsche Bahn, and LATAM Airlines were hit; along with many others worldwide.
Ransomware usually infects a computer when a user opens a phishing email, and although such emails have been alleged to be used to infect machines with WannaCry, this method of attack has not been confirmed. Once installed, WannaCry uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA) to spread through local networks and remote hosts which have not installed recent security updates, to directly infect any exposed systems. A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, but many organizations had not yet applied it.
Those still running exposed older, unsupported operating systems such as Windows XP and Windows Server 2003, were initially at particular risk but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.
Shortly after the attack began, a web security researcher who blogs as “MalwareTech”, unknowingly flipped an effective kill switch by registering a domain name he found in the code of the ransomware. This slowed the spread of infection, but new versions have now been detected that lack the kill switch.
The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.
EternalBlue exploits vulnerability MS17-010 in Microsoft‘s implementation of the Server Message Block (SMB) protocol. This Windows vulnerability is not a zero-day flaw, but one for which Microsoft had released a “critical” advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017. The patch was to the Server Message Block (SMB) protocol used by Windows, and fixed several client versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft. According to Dona Sarkar, head of the Windows Insider Program at Microsoft, Windows 10 was not affected; however, IT writer Woody Leonhard questioned if this is the case with all Windows 10 systems, or just builds 14393.953 and later.
Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands. By 25 April, reports estimated the number of infected computers to be up to several hundred thousands, with numbers increasing exponentially every day. Apparently, DoublePulsar was used alongside EternalBlue in the attack.
The cyberattack[edit source]
On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the “kill switch” domain name.[a] If it is not found, then the ransomware encrypts the computer’s data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and “laterally” to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.
Organizations that had not installed Microsoft’s security update were affected by the attack. Those still running the older Windows XP were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014). However, the day after the outbreak Microsoft released an emergency security patch for Windows XP.
Three hardcoded bitcoin addresses, or “wallets”, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. As of 17 May 2017, at 2:33 UTC, a total of 238 payments totaling $72,144.76 had been transferred.
The ransomware campaign was unprecedented in scale according to Europol, which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Labs, the four most affected countries were Russia, Ukraine, India and Taiwan.
The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were unaffected by the attack.
Nissan Motor Manufacturing UK in Tyne and Wear, England halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.
The attack’s impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.
Defensive response[edit source]
Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, Marcus Hutchins, a researcher who blogs under the handle @MalwareTech, accidentally discovered what amounted to be a “kill switch” hardcoded in the malware. Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer’s files if it was unable to connect to that domain, which all computers infected with WannaCry before the website’s registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere. Analysis of the kill switch suggested that it may in fact be a bug in the malware whose code was originally intended to make the attack harder to analyse. However, the kill switch domain needs to be available locally, and the response must be able to reach the malware to effectively work. Some network configurations may prevent the kill switch from working.
Microsoft released a statement recommending users install update MS17-010 to protect themselves against the attack. In an unusual move, the company also published security patches for several, for the general public now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.
Several experts highlighted the NSA’s non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”. British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others “they could have done something ages ago to get this problem fixed, and they didn’t do it”. He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries’ citizens. Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.
Others commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic. Microsoft president and chief legal officer Brad Smith wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations stated that “the patching and updating systems are broken, basically, in the private sector and in government agencies”. In addition, Segal said that governments’ apparent inability to secure vulnerabilities “opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security”.
A number of experts used the publicity around the attack as a chance to re-iterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.
In the UK the impact on the NHS quickly became political, with claims that the effects were exacerbated by Conservative Party under-funding of the NHS as part of the government’s austerity measures, in particular the refusal to pay extra to keep protecting outdated Windows XP systems from such attacks. Home secretary Amber Rudd refused to say whether patient data had been backed up, and shadow health secretary Jon Ashworth accused health secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency two months previously.
Arne Schönbohm (de), President of Germany’s Federal Office for Information Security (BSI) stated that “the current attacks show how vulnerable our digital society is. It’s a wake up call for companies to finally take IT-security [seriously]”.
List of affected organizations[edit source]
- Andhra Pradesh Police
- Automobile Dacia
- Chinese public security bureau
- Cambrian College
- CJ CGV
- Deutsche Bahn
- Dharmais Hospital
- Faculty Hospital, Nitra
- Garena Blade and Soul
- Government of Kerala
- Government of West Bengal
- Harapan Kita Hospital
- Colombia‘s Instituto Nacional de Salud
- Lakeridge Health
- LATAM Airlines Group
- Ministry of Internal Affairs of the Russian Federation
- Ministry of Foreign Affairs (Romania)
- National Health Service (England)
- NHS Scotland
- Nissan Motor Manufacturing UK
- Portugal Telecom
- Russian Railways
- São Paulo Court of Justice
- Saudi Telecom Company
- Sun Yat-sen University
- Telenor Hungary
- Timrå kommun
- University of Milano-Bicocca
- University of Montréal
Although cybersecurity firms Kaspersky and Symantec have both said the code has some similarities with that previously used by the Lazarus Group, (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016 – and linked to North Korea), this may be either simple re-use of code by another group, or an attempt to shift blame – as in a false flag operation.