WannaCry ransomware attack

From Wikipedia, the free encyclopedia
WannaCry ransomware attack

Screenshot of the ransom note left on an infected system

Date: 12 May 2017–present
Location: Worldwide
Also known as: WannaCrypt, WanaCrypt0r, WCRY
Type: Cyberattack
Theme: Ransomware encrypting files with $200 – $1200 demand
Outcome: Over 200,000 victims and more than 230,000 computers infected[1][2]

The WannaCry ransomware attack is an ongoing cyberattack of the WannaCry (or WannaCrypt,[3] WanaCrypt0r 2.0,[4][5] Wanna Decryptor[6]) ransomware computer worm, targeting the Microsoft Windows operating system, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.[7]

The attack started on Friday, 12 May 2017 and has been described as unprecedented in scale,[8][9] infecting more than 230,000 computers in over 150 countries. The worst-hit countries are reported to be Russia, Ukraine, India and Taiwan,[10] but parts of Britain’s National Health Service (NHS),[11] Spain’s Telefónica, FedEx, Deutsche Bahn, and LATAM Airlines were hit;[12][13][14][15] along with many others worldwide.[16][17][9][18][19]

Ransomware usually infects a computer when a user opens a phishing email, and although such emails have been alleged to be used to infect machines with WannaCry,[20] this method of attack has not been confirmed. Once installed, WannaCry uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA)[21][22] to spread through local networks and remote hosts[23] which have not installed recent security updates, to directly infect any exposed systems.[5][24] A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack,[25] but many organizations had not yet applied it.[26]

Those still running exposed older, unsupported operating systems such as Windows XP and Windows Server 2003 were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.[3][27]

Shortly after the attack began, a web security researcher who blogs as “MalwareTech”, unknowingly flipped an effective kill switch by registering a domain name he found in the code of the ransomware. This slowed the spread of infection, but new versions have now been detected that lack the kill switch.

Background

The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017,[33] along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.[34][35]

EternalBlue exploits vulnerability MS17-010[25] in Microsoft's implementation of the Server Message Block (SMB) protocol. This Windows vulnerability is not a zero-day flaw, but one for which Microsoft had released a “critical” advisory, along with a security patch to fix the vulnerability, two months before, on 14 March 2017.[25] The patch was to the Server Message Block (SMB) protocol used by Windows,[36][37] and covered several client versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft.[25] According to Dona Sarkar, head of the Windows Insider Program at Microsoft, Windows 10 was not affected;[38] however, IT writer Woody Leonhard questioned whether this is the case with all Windows 10 systems, or just builds 14393.953 and later.[39]

Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands.[40] By 25 April, reports estimated the number of infected computers to be up to several hundred thousands, with numbers increasing exponentially every day.[41][42] Apparently, DoublePulsar was used alongside EternalBlue in the attack.[43][44]

The cyberattack

Map of the countries initially affected[45]

On 12 May 2017, WannaCry began affecting computers worldwide.[46] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[47] When executed, the malware first checks the “kill switch” domain name.[a] If it is not found, then the ransomware encrypts the computer’s data,[48][49][50] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[51] and “laterally” to computers on the same network.[52] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.[49][53]
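The spreading behaviour described above (a sweep of the host's own network on the SMB port, plus connections to random Internet addresses on the same port) leaves a recognisable pattern in connection logs. The detector below is an added example written for this page, not code from the article or from any vendor named in it; the log line format, the sample lines and the two thresholds are constructed assumptions, and a real deployment would tune the thresholds to the environment's normal SMB traffic.

```python
"""Flag hosts whose TCP/445 connection pattern looks like SMB worm spreading.

Added example (not from the article). Assumed log format per line:
"<epoch> <src_ip> <dst_ip> <dst_port>"; the thresholds are assumptions too.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445
LATERAL_THRESHOLD = 20    # distinct neighbours in the source's own /24 (assumed)
INTERNET_THRESHOLD = 10   # distinct public addresses on 445 (assumed)


def build_sample_log():
    """Constructed sample log: one worm-like host and one benign file-server client."""
    t = 1494590000  # arbitrary epoch value for the constructed lines
    lines = []
    # 10.0.0.7 sweeps its own /24 on 445 ...
    for i in range(1, 41):
        lines.append(f"{t + i} 10.0.0.7 10.0.0.{i} 445")
    # ... and then 15 distinct public addresses on 445 (pseudo-random, constructed).
    for i in range(15):
        dst = f"45.{(i * 37) % 200 + 1}.{(i * 53) % 250 + 1}.{(i * 11) % 250 + 1}"
        lines.append(f"{t + 100 + i} 10.0.0.7 {dst} 445")
    # 10.0.0.9 talks repeatedly to one file server and once to a public HTTPS site.
    for i in range(30):
        lines.append(f"{t + 200 + i} 10.0.0.9 10.0.0.5 445")
    lines.append(f"{t + 300} 10.0.0.9 45.2.3.4 443")
    return lines


def parse_line(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def analyse(lines):
    """Return {src: {"lateral": n, "internet": n, "tags": [...]}} for suspicious sources."""
    lateral = defaultdict(set)   # src -> distinct destinations inside src's own /24
    internet = defaultdict(set)  # src -> distinct public destinations
    for line in lines:
        _, src, dst, dport = parse_line(line)
        if dport != SMB_PORT or src == dst:
            continue
        dst_ip = ip_address(dst)
        if dst_ip in ip_network(f"{src}/24", strict=False):
            lateral[src].add(dst)
        elif not dst_ip.is_private:
            internet[src].add(dst)

    findings = {}
    for src in set(lateral) | set(internet):
        lat, inet = len(lateral[src]), len(internet[src])
        tags = []
        if lat >= LATERAL_THRESHOLD:
            tags.append("lateral-smb-sweep")
        if inet >= INTERNET_THRESHOLD:
            tags.append("internet-smb-scan")
        if tags:
            findings[src] = {"lateral": lat, "internet": inet, "tags": tags}
    return findings


if __name__ == "__main__":
    for host, info in analyse(build_sample_log()).items():
        print(host, info)
```

The benign client is not flagged because it reaches one destination repeatedly rather than many distinct ones; counting distinct destinations rather than connection volume is what separates worm scanning from a busy file-server client.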

Organizations that had not installed Microsoft’s security update were affected by the attack.[36] Those still running the older Windows XP[54] were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014).[3][55] However, the day after the outbreak Microsoft released an emergency security patch for Windows XP.[3]

According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will also need to be removed when systems are decrypted.[6]

Three hardcoded bitcoin addresses, or “wallets”, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown.[56] As of 17 May 2017, at 2:33 UTC, a total of 238 payments totaling $72,144.76 had been transferred.[57]

Impact

The ransomware campaign was unprecedented in scale according to Europol,[8] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Labs, the four most affected countries were Russia, Ukraine, India and Taiwan.[10]

The attack affected many National Health Service hospitals in England and Scotland,[58] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[59] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[13][60] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[54] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[11][13]

Nissan Motor Manufacturing UK in Tyne and Wear, England halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[61][62]

The attack’s impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators[63][64] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[65][66]

Defensive response

Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, Marcus Hutchins,[67] a researcher who blogs under the handle @MalwareTech,[68] accidentally discovered what amounted to a “kill switch” hardcoded in the malware.[69][70][71] Registering that domain name as a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer’s files if it was unable to connect to the domain, which every computer infected before the registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere. Analysis of the kill switch suggested that it may in fact be a bug in the malware whose code was originally intended to make the attack harder to analyse.[72][73][74][75] However, for the kill switch to work the domain needs to be resolvable from the infected host and the response must be able to reach the malware. Some network configurations may prevent the kill switch from working.[76]
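The caveat at the end of that paragraph is worth testing rather than assuming: a sinkhole only halts hosts that can both resolve the domain and reach it directly. The script below is an added example for this page, not code from the article or from the researcher it names. It models the kill-switch check as a plain DNS lookup followed by a direct TCP connection that ignores proxy settings (an assumption about how the malware behaved, not a statement the article makes), with both steps injectable so the same logic can be exercised offline against fakes. The domain constant is a placeholder; the real kill-switch domain is not reproduced here.

```python
"""Would a WannaCry-style kill switch actually fire from this network segment?

Added example (not from the article). The domain is a placeholder, and the
"direct, unproxied connection" model of the check is an assumption.
"""
import socket
from typing import Callable, Dict

KILL_SWITCH_DOMAIN = "killswitch.example.invalid"  # placeholder, never the real domain


def dns_resolve(domain: str) -> str:
    """Resolve with the host's normal resolver; raises socket.gaierror (an OSError) on NXDOMAIN."""
    return socket.gethostbyname(domain)


def direct_tcp_connect(ip: str, port: int = 80, timeout: float = 3.0) -> None:
    """Direct socket connect that deliberately ignores any proxy configuration
    (assumed to mirror the malware's check). Raises OSError if egress is blocked."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def kill_switch_check(domain: str,
                      resolve: Callable[[str], str],
                      connect: Callable[[str, int], None]) -> Dict[str, bool]:
    """Replay the malware's decision: it halts only if resolution AND a direct connect succeed."""
    result = {"resolved": False, "reachable": False, "malware_would_halt": False}
    try:
        ip = resolve(domain)
    except OSError:
        return result          # unregistered domain or DNS blocked: payload would run
    result["resolved"] = True
    try:
        connect(ip, 80)
    except OSError:
        return result          # sinkhole exists but direct egress is blocked: payload would run
    result["reachable"] = True
    result["malware_would_halt"] = True
    return result


if __name__ == "__main__":
    # Run from inside each network segment; with the placeholder domain this resolves to nothing.
    print(kill_switch_check(KILL_SWITCH_DOMAIN, dns_resolve, direct_tcp_connect))
```

The third outcome, resolved but unreachable, is the one that matters operationally: a segment whose only egress is an authenticated web proxy will report it, and hosts there gain nothing from the sinkhole registration, so patching and SMB isolation remain the only controls.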

Microsoft released a statement recommending users install update MS17-010 to protect themselves against the attack.[3] In an unusual move, the company also published security patches for several versions of Windows that are no longer supported for the general public, including Windows XP, Windows 8 and Windows Server 2003.[3]

On 16 May 2017, researchers from University College London reported that their PayBreak system is able to defeat WannaCry and several other families of ransomware.[77]

Reactions

Several experts highlighted the NSA’s non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”.[78] British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others “they could have done something ages ago to get this problem fixed, and they didn’t do it”. He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries’ citizens.[79] Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.[80]

Others commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[64] Microsoft president and chief legal officer Brad Smith wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”[81][82]

Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations stated that “the patching and updating systems are broken, basically, in the private sector and in government agencies”.[64] In addition, Segal said that governments’ apparent inability to secure vulnerabilities “opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security”.[64]

A number of experts used the publicity around the attack as a chance to re-iterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.[83]

In the UK the impact on the NHS quickly became political, with claims that the effects were exacerbated by Conservative Party under-funding of the NHS as part of the government’s austerity measures, in particular the refusal to pay extra to keep protecting outdated Windows XP systems from such attacks.[84] Home secretary Amber Rudd refused to say whether patient data had been backed up, and shadow health secretary Jon Ashworth accused health secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency two months previously.[85]

Arne Schönbohm, President of Germany’s Federal Office for Information Security (BSI), stated that “the current attacks show how vulnerable our digital society is. It’s a wake up call for companies to finally take IT-security [seriously]”.[37]

List of affected organizations

Attribution

Although cybersecurity firms Kaspersky and Symantec have both said the code has some similarities with that previously used by the Lazarus Group,[116] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016 – and linked to North Korea),[116] this may be either simple re-use of code by another group, or an attempt to shift blame – as in a false flag operation.[116]

NWO Website Exposes Official List of Companies Involved

The World Economic Forum

 http://www.weforum.org/world-economic-forum

  • is an International Institution committed to improving the state of the world through public-private cooperation.
  • engages political, business, academic and other leaders of society in collaborative efforts to shape global, regional and industry agendas.  Together with other stakeholders, it works to define challenges, solutions and actions, always in the spirit of global citizenship.
  • serves and builds sustained communities through an integrated concept of high-level meetings, research networks, task forces and digital collaboration.
  • delivers unique value to its Partners, Members and Constituents through its Annual and Regional Meetings, its Centres dedicated to global, regional, and industry issues, its future-oriented communities of New Champions, its expert networks of Global Agenda Councils, its TopLink knowledge and interaction platform and the Forum Academy.
  • was established in 1971 as a not-for-profit Foundation and is headquartered in Geneva, Switzerland. It is independent, impartial and not tied to any special interests, working in close cooperation with all major international organisations.
  • strives in all its efforts to demonstrate entrepreneurship in the global public interest while upholding the highest standards of governance. Moral and intellectual integrity is at the heart of everything it does.
Professor Klaus Schwab, Founder and Executive Chairman

From our Founder 

“We live in a fast-moving, highly interconnected world, and our existing systems, structures and formal institutions no longer suffice. Pressing global problems can arise quickly and without warning. At the same time, new and unprecedented opportunities for global growth and positive change are emerging and must be harnessed for the future of humanity.

Barriers between political, economic and social issues have dissolved. The new reality of our networked society is that global, regional and industry developments are completely intertwined. Technological revolutions are changing the context for decision-making and disrupting our conventional decision-making processes.

Today, to address these issues, the world needs a level of global cooperation that is increasingly difficult to attain, precisely due to the growing complexities and interdependencies in the world.

The Forum’s experience since its foundation in 1971 shows there are few issues that cannot be adequately progressed by convening the most relevant actors from all sectors – business, government and civil society – in a high-level, informal environment of trust. Among international institutions, the Forum is an impartial platform for transforming dialogue into insights, insights into agendas, and agendas into action. This provides the practical basis for our mission: to improve the state of the world by serving as a trusted partner of all the stakeholders of global society as they embark upon transformation processes in response to the profound economic, social and political changes sweeping our world.

I encourage you to download our Institutional brochure, which explains in greater depth how we are organized as a community of communities to generate interaction, insight and impact from our activities.”

Leadership and Governance

The World Economic Forum is governed by its Foundation Board. The Foundation Board is the guardian of our mission, values and brand. It is responsible for inspiring business and public confidence in the Forum through an exemplary standard of governance. Individuals with unique leadership experience – from business, politics, academia and civil society – participate for three years in the Board’s activities. The Board’s role includes: managing the statutes of the World Economic Forum and its institutions; appointing new members; reviewing fund applications; determining and monitoring the execution of the World Economic Forum’s strategies; and defining the roles of the Managing Board and committees, including the review of strategies and activities in light of the Forum’s mission.

Foundation Board Members

  • Patrick Aebischer
  • Mukesh D. Ambani
  • Peter Brabeck-Letmathe
  • Mark J. Carney
  • Victor L. L. Chu
  • Orit Gadiesh
  • Carlos Ghosn
  • Herman Gref
  • Angel Gurría
  • Jim Hagemann Snabe
  • Susan Hockfield
  • Donald Kaberuka
  • Klaus Kleinfeld
  • Christine Lagarde
  • Peter Maurer
  • Luis Alberto Moreno
  • Indra Nooyi
  • H.M. Queen Rania Al Abdullah of the Hashemite Kingdom of Jordan
  • Peter Sands
  • Joe Schoendorf
  • Klaus Schwab
  • Heizo Takenaka
  • George Yeo
  • Jack Ma Yun
  • Min Zhu


The Forum’s activities are managed by its executive leadership. Led by Founder and Executive Chairman Professor Klaus Schwab, the leadership and staff of the Forum comprise exceptional individuals from all walks of life and over 60 nationalities. This global depth and experience ensures our ability to fully support our global membership and their engagement on global issues.

Chairman

Klaus Schwab, Founder and Executive Chairman

Management Committee

  • David Aikman, Head of New Champions
  • Jennifer Blanke, Chief Economist
  • Espen Barth Eide, Head of the Centre for Global Strategies, Member of the Managing Board
  • Paolo Gallo, Chief Human Resources Officer
  • Julien Gattoni, Chief Financial Officer
  • W. Lee Howell, Head of Global Programming, Member of the Managing Board
  • Jeremy Jurgens, Chief Information and Interaction Officer
  • Helena Leurent, Head of Business Engagement
  • Adrian Monck, Head of Public Engagement
  • Gilbert J. B. Probst, Dean, Leadership Office and Academic Affairs
  • Philipp Rösler, Head of the Centre for Regional Strategies, Member of the Managing Board
  • Richard Samans, Head of the Centre for the Global Agenda, Member of the Managing Board
  • Jim Hagemann Snabe, Chairman, Centre for Global Industries
  • Murat Sonmez, Chief Business Officer, Member of the Managing Board
  • Jean-Luc Vez, Head of Security Policy and Security Affairs
  • Dominic Kailash Nath Waughray, Head of Public-Private Partnerships
  • Alois Zwinggi, Head of Operations and Resources, Member of the Managing Board


Strategic Partners

Industry Partner Groups

Regional Partners

A

  • Abdul Latif Jameel Co.
  • Aflac Japan
  • African Development Bank Group
  • African Rainbow Minerals
  • AirAsia
  • Al Dabbagh Group
  • Al Dahra Holding
  • Alghanim Industries
  • Alshaya Group
  • Apollo Tyres Ltd
  • averda
  • Axiata Group Berhad

B

  • Bajaj Auto
  • Bank Mandiri
  • Barclays Africa Group Limited
  • BNP Paribas
  • Burgan Bank

C

  • Capital Bank
  • Comision Federal de Electricidad
  • Crescent Enterprises
  • Crescent Petroleum

D

  • Dana Gas
  • Development Bank of Southern Africa

E

  • Ecobank Transnational
  • Emirates NBD
  • European Bank for Reconstruction and Development
  • European Investment Bank

F

  • First Bank of Nigeria
  • FirstRand
  • Flour Mills of Nigeria

G

  • Gentera
  • GMR Group
  • Goldcorp Inc.
  • Greenberg Traurig
  • Grupa Azoty
  • Grupo Lauman

H

  • Habboush Group
  • Habib Bank
  • Hikma Pharmaceuticals
  • Hindustan Powerprojects Pvt.

I

  • Industrial Development Corporation of South Africa
  • Intercorp
  • Interprotección
  • Investec

K

  • KIO Networks
  • Kirin Holdings

L

  • Lippo Group
  • Lulu Group International

M

  • Majid Al Futtaim Holding
  • Mitsubishi Heavy Industries
  • Mizuho Financial Group
  • MMI Holdings Limited

N

  • Naspers
  • Nigeria LNG Limited

O

  • Oando
  • OAO Tatneft
  • OHL México, S.A.B. DE C.V.
  • OJSC “Bank Otkritie Financial Corporation”
  • OJSC Mining & Metallurgical Company “Norilsk Nickel”
  • The Olayan Group
  • Omnilife-Angelíssima Group
  • Ooredoo Group
  • Orrick, Herrington & Sutcliffe
  • Overseas Infrastructure Alliance

P

  • PAIPED
  • Palestine Telecommunications Company
  • PPF a.s.

Q

  • Qalaa Holdings

R

  • Rajesh Wadhawan Group
  • RDIF Management Company
  • RGE Pte Ltd
  • RMZ Corp.

S

  • Samruk-Kazyna
  • San Miguel Corporation
  • SapuraKencana Petroleum Berhad
  • Sasol
  • Saudi Telecom
  • SBI Holdings
  • Seplat Petroleum Development Company
  • SICPA Holding
  • Sinar Mas, Agribusiness & Food
  • SM Investments Corporation
  • SMFG
  • The Standard Bank Group Limited

T

  • Telkom
  • Tokio Marine Holdings
  • Transnet SOC Ltd

U

  • United Phosphorus

V

  • Vision 3
  • Visy Industries Pty
  • VPS Healthcare

W

  • Wilmar International Limited

Y

  • YTL Corporation Berhad