The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomwarecryptoworm, which targeted computers running the Microsoft Windowsoperating system by encrypting data and demanding ransom payments in the Bitcoincryptocurrency.[4] It was propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end of life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.
The attack began at 07:44 UTC on 12 May 2017 and was halted a few hours later at 15:03 UTC by the registration of a kill switch discovered by Marcus Hutchins. The kill switch prevented already infected computers from being encrypted or further spreading WannaCry.[5] The attack was estimated to have affected more than 300,000 computers[6] across 150 countries,[6] with total damages ranging from hundreds of millions to billions of dollars. At the time, security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country. In December 2017, the United States and United Kingdom formally asserted that North Korea was behind the attack, although North Korea has denied any involvement with the attack.[7]
A new variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018. The worm spread onto 10,000 machines in TSMC's most advanced facilities.[8]
Description
WannaCry is a ransomwarecryptoworm, which targets computers running the Microsoft Windowsoperating system by encrypting (locking) data and demanding ransom payments in the Bitcoincryptocurrency. The worm is also known as WannaCrypt,[9] Wana Decrypt0r 2.0,[10] WanaCrypt0r 2.0,[11] and Wanna Decryptor.[12] It is considered a network worm because it also includes a transport mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.[13] WannaCry versions 0, 1 and 2 were created using Microsoft Visual C++ 6.0.[14]
DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that there were tens of thousands of computers with the DoublePulsar backdoor installed.[18] By 25 April, reports estimated that the number of infected computers could be up to several hundred thousand, with numbers increasing every day.[19][20] The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.[13][21][22] On 9 May 2017, private cybersecurity company RiskSense released code on GitHub with the stated purpose of allowing legal white hat penetration testers to test the CVE-2017-0144 exploit on unpatched systems.[23]
When executed, the WannaCry malware first checks the kill switch domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); if it is not found, then the ransomware encrypts the computer's data,[24][25][26] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[27] and laterally to computers on the same network.[28] On the local system, the WannaCry executable file extracts and installs binary and configuration files from its resource section. It also hides the extracted directory, modifies security descriptors, creates an encryption key, deletes shadow copies, and so on. As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted, and demands a payment of around US$300 in bitcoin within three days, or US$600 within seven days (equivalent to about $370 and $750 in 2023),[25][29] warning that "you have not so enough time.[sic]" Three hardcoded bitcoin addresses, or wallets, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.[30]
The attack began on Friday, 12 May 2017,[34][35] with evidence pointing to an initial infection in Asia at 07:44 UTC.[34][36] The initial infection was likely through an exposed vulnerable SMB port,[37] rather than email phishing as initially assumed.[34] Within a day the code was reported to have infected more than 230,000 computers in over 150 countries.[38][39]
Organizations that had not installed Microsoft's security update from March were affected by the attack.[40] Those still running unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003[41][42] were at particularly high risk because no security patches had been released since April 2014 for Windows XP and July 2015 for Windows Server 2003.[9] A Kaspersky Lab study reported, however, that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.[9][43] In a controlled testing environment, the cybersecurity firm Kryptos Logic found that it was unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[44][45][46]
Defensive response
Experts quickly advised affected users against paying the ransom due to no reports of people getting their data back after payment and as high revenues would encourage more of such campaigns.[47][48][49] As of 14 June 2017, after the attack had subsided, a total of 327 payments totaling US$130,634.77 (51.62396539 BTC) had been transferred.[50]
The day after the initial attack in May, Microsoft released out-of-band security updates for end-of-life products Windows XP, Windows Server 2003 and Windows 8; these patches had been created in February, but were previously only available to those who paid for a custom support plan.[42][51] Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.[citation needed] The head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]".[52][53]
Researcher Marcus Hutchins[54][55] discovered the kill switch domain hardcoded in the malware.[56][57][58] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[59][60][61][62][63] On 14 May, a first variant of WannaCry appeared with a new and second[64] kill-switch registered by Matt Suiche on the same day. This was followed by a second variant with the third and last kill-switch on 15 May, which was registered by Check Point threat intelligence analysts.[65][66] A few days later, a new version of WannaCry was detected that lacked the kill switch altogether.[67][68][69][70]
On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed denial-of-service attack on WannaCry's kill-switch domain with the intention of knocking it offline.[71] On 22 May, Hutchins protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[72]
Separately, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware by recovering the keys used to encrypt the user's data.[73][74]
It was discovered that Windows encryption APIs used by WannaCry may not completely clear the prime numbers used to generate the payload's private keys from the memory, making it potentially possible to retrieve the required key if they had not yet been overwritten or cleared from resident memory. The key is kept in the memory if the WannaCry process has not been killed and the computer has not been rebooted after being infected.[75] This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[76][77][78] This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[79]
Within four days of the initial outbreak, new infections had slowed to a trickle due to these responses.[80]
Attribution
Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[81][82] According to an analysis by the FBI's Cyber Behavioral Analysis Center, the computer that created the ransomware language files had Hangul language fonts installed, as evidenced by the presence of the "\fcharset129" Rich Text Format tag.[14] Metadata in the language files also indicated that the computers that created the ransomware were set to UTC+09:00, which is used in Korea.[14]
A security researcher[83][84] initially posted a tweet[85] referencing code similarities between WannaCry and previous malware. The cybersecurity companies[86]Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[87] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[87] This could also be either simple re-use of code by another group[88] or an attempt to shift blame—as in a cyber false flag operation;[87] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[89]Brad Smith, the president of Microsoft, said he believed North Korea was the originator of the WannaCry attack,[90] and the UK's National Cyber Security Centre reached the same conclusion.[91]
On 18 December 2017, the United States Government formally announced that it publicly considers North Korea to be the main culprit behind the WannaCry attack.[92] Then-PresidentTrump's Homeland Security Advisor, Tom Bossert, wrote an op-ed in The Wall Street Journal about this charge, saying "We do not make this allegation lightly. It is based on evidence."[93] In a press conference the following day, Bossert said that the evidence indicates that Kim Jong-un had given the order to launch the malware attack.[94] Bossert said that Canada, New Zealand and Japan agree with the United States' assessment of the evidence that links the attack to North Korea,[95] while the United Kingdom's Foreign and Commonwealth Office says it also stands behind the United States' assertion.[96]
North Korea, however, denied being responsible for the cyberattack.[97][98]
On 6 September 2018, the U.S. Department of Justice (DoJ) announced formal charges against Park Jin-hyok for involvement in the Sony Pictures hack of 2014. The DoJ contended that Park was a North Korean hacker working as part of a team of experts for the North Korean Reconnaissance General Bureau. The Department of Justice asserted this team also had been involved in the WannaCry attack, among other activities.[99][100]
Impact
The ransomware campaign was unprecedented in scale according to Europol,[38] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[102]
One of the largest agencies struck by the attack was the National Health Service hospitals in England and Scotland,[103][104] and up to 70,000 devices—including computers, MRI scanners, blood-storage refrigerators and theatre equipment—may have been affected.[105] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[106][107] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[41] In 2018 a report by Members of Parliament concluded that all 200 NHS hospitals or other organisations checked in the wake of the WannaCry attack still failed cybersecurity checks.[108][109] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[106][110]
The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had Hutchins not discovered that a kill switch had been built in by its creators[116][117] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[118][119]
According to cyber-risk-modeling firm Cyence, economic losses from the cyber attack could reach up to US$4 billion, with other groups estimating the losses to be in the hundreds of millions.[120]
Affected organisations
The following is an alphabetical list of organisations confirmed to have been affected:
A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".[107] British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[163] Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[117] Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[164][165][166] Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services for having created EternalBlue.[152]
On 17 May 2017, United States bipartisan lawmakers introduced the PATCH Act[167] that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".[168]
On 15 June 2017, the United States Congress was to hold a hearing on the attack.[169] Two subpanels of the House Science Committee were to hear the testimonies from various individuals working in the government and non-governmental sector about how the U.S. can improve its protection mechanisms for its systems against similar attacks in the future.[169]
Marcus Hutchins, a cybersecurity researcher, working in loose collaboration with UK's National Cyber Security Centre,[170][171] researched the malware and discovered a "kill switch".[55] Later globally dispersed security researchers collaborated online to developopen-source tools[172][173] that allow for decryption without payment under some circumstances.[174] Snowden states that when "NSA-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.[171][175][176]
Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".[117] In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[117]Arne Schönbohm, president of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".[177]
Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that—due to their technical design and market incentives—eventually won't be able to properly receive and apply patches.[180]
The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[44][181] The cost of the attack to the NHS was estimated as £92 million in disruption to services and IT upgrades.[182]
After the attack, NHS Digital refused to finance the estimated £1 billion to meet the Cyber Essentials Plus standard, an information security certification organized by the UK NCSC, saying this would not constitute "value for money", and that it had invested over £60 million and planned "to spend a further £150 [million] over the next two years" to address key cyber security weaknesses.[183]
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
Ransomware is a type of malware that encrypts the victim's personal data until a ransom is paid. They commonly use difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Sometimes the original files can be retrieved without paying the ransom due to implementation mistakes, leaked cryptographic keys or a complete lack of encryption in the ransomware.
A blended threat is a software exploit that involves a combination of attacks against different vulnerabilities. Blended threats can be any software that exploits techniques to attack and propagate threats, for example worms, trojan horses, and computer viruses.
The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
The Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the group, researchers have attributed many cyberattacks to them since 2010.
The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.
EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that allowed users to gain access to any number of computers connected to a network. The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack. A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.
Marcus Hutchins, also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. He is employed by cybersecurity firm Kryptos Logic. Hutchins is from Ilfracombe in Devon.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the users make a payment in Bitcoin in order to regain access to the system.
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.
BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
Park Jin Hyok (Korean: 박진혁) is a North Korean programmer and hacker. He is best known for his alleged involvement in some of the costliest computer intrusions in history. Park is on the FBI's wanted list. North Korea denies his existence.
↑ Condra, Jon; Costello, John; Chu, Sherman (25 May 2017). "Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors". Flashpoint. Archived from the original on 27 May 2017. Flashpoint assesses with high confidence that the author(s) of WannaCry's ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. [...] Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine translated versions of the other notes. The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note.
↑ Jones, Sam (14 May 2017). "Global alert to prepare for fresh cyber attacks". Financial Times.
↑ Millar, Sheila A.; Marshall, Tracy P.; Cardon, Nathan A. (22 May 2017). "WannaCry: Are Your Security Tools Up to Date?". The National Law Review. Keller and Heckman LLP. Archived from the original on 4 August 2017. Retrieved 9 July 2017.
↑ Kirk, Jeremy. "WannaCry Outbreak Hits Chipmaker, Could Cost $170 Million". Information Security Media Group, Corp. Archived from the original on 10 August 2018. Retrieved 10 August 2018. Taiwan Semiconductor Manufacturing Co., the world's largest chip manufacturer, says a WannaCry infection hit unpatched Windows 7 systems in its fabrication facilities, leaving multiple factories crippled.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.