The WannaCry Ransomware Attack
By: Emma Kavanagh
The WannaCry ransomware attack is a massive cyberattack that struck organizations in 99 countries on Friday, May 12, including the United States, the United Kingdom, China, Russia, and others. It exploits a vulnerability (known as “Eternal Blue”) in Microsoft Windows that was reportedly identified by the US National Security Agency (NSA) and exposed by The ShadowBrokers, an online group that has repeatedly published NSA code in a “protest” against US President Donald Trump.
The WannaCry ransomware locks all files on an affected computer, preventing user access. It displays a screen announcing this, along with a button that lets the user pay $300 (£230) in Bitcoin to regain access to the locked files. After three days, the amount to unlock the files doubles to $600 (£460). After seven days, the ransomware deletes the files entirely if the $600 (£460) has not been paid. Reports suggest that the attackers have made only about $70,000 so far, indicating that most companies and institutions are not paying the ransom demands.
Phishing emails carrying the WannaCry ransomware enabled it to spread so quickly around the world. Unsuspecting users would click a link in one of these emails, which would download and activate the ransomware on the computer. The ransomware would then spread itself to other vulnerable computers on the same network in an effort to infect them as well.
Many industries in many countries were hit by this ransomware. Reports say that Russia had the most infections, including domestic banks, the health and interior ministries (where over 1,000 companies were infected), the state-owned Russian railway firm, and Russia’s second-largest mobile phone network provider. Ukraine and India also had high numbers of WannaCry infections.
Many businesses were hit by the WannaCry cyberattack. Spain’s telecom giant Telefonica, utility provider Gas Natural, and power firm Iberdrola were reportedly hit. Other firms hit include France’s automaker Renault, Portugal’s Telecom, and US-based FedEx. Photos posted on Twitter showed that a university computer lab in Italy and a local railway ticket machine in Germany were also hit. Reports on social media indicate that a university computer lab in China may have been hit as well. Mikko Hypponen, the chief research officer of Helsinki-based cybersecurity company F-Secure, called WannaCry the “biggest ransomware outbreak in history.”
Among the most critical systems hit by WannaCry were the computers of the British National Health Service (NHS). Sixteen divisions were hit, causing patients in need of critical surgery and procedures to be diverted to other hospitals, while non-critical patients were asked to remain at home while the cyberattack was dealt with. Reportedly, no patient data was compromised.
Microsoft had released a patch, via Windows Update, for the vulnerability that WannaCry exploits; computers that had installed that patch were protected. However, many Windows computers still use older versions of Windows that no longer receive mainstream support, including Windows XP, 8, and Server 2003. Microsoft said that it would roll out the update to users of those older operating systems as well in an effort to keep WannaCry from spreading further.
Also helping to contain WannaCry is a “kill switch” that was accidentally found by a UK-based cybersecurity researcher. This researcher noticed that the Web address the ransomware was searching for had not been registered; when he registered that domain, the ransomware seemed to stop spreading. The researcher noted that this “fix” was just a temporary one and that Windows users should get the aforementioned patch in order to protect their computers from WannaCry.
Microsoft criticized the US’s NSA for creating the hacking tool that WannaCry uses to exploit Windows systems. The NSA would create the tool, then WikiLeaks would get hold of this information and publish it online. Then, virtually anyone could use it for nefarious purposes, which is what the WannaCry creators did. Microsoft criticized government intelligence services for wanting to keep such vulnerabilities secret in order to spy more easily, putting computer users at risk in the process because the governments don’t alert the companies that such vulnerabilities exist.
Economic experts have offered various estimates of how much the WannaCry ransomware attack would cost businesses and governments. The non-profit U.S. Cyber Consequences Unit research institute estimates that the total losses would amount to somewhere in the hundreds of millions of dollars, up to $1 billion. California-based cyber risk modeling firm Cyence estimated the total cost to be up to $4 billion, taking into account the cost that businesses would incur from the interruption of their services due to the cyberattack.
Cybersecurity experts have detected similarities between the WannaCry ransomware and code used by a North Korean hacking ring, known as Lazarus, suggesting that North Korea could be behind the ransomware attack. However, this is only speculation at this point; the experts caution that the clues could be misleading and that more investigative work needs to be done.
Fortunately, fears of a second WannaCry outbreak on Monday, May 15, especially in Asia where the business day had essentially ended before the ransomware outbreak occurred on Friday, largely failed to materialize. There are concerns, however, that more outbreaks could occur if variants of the ransomware start spreading, especially with the high number of older Windows versions still being used around the world.
As mentioned above, patching the Windows vulnerability that WannaCry exploits is key to protecting a Windows computer, as well as the network it is part of, from being infected. In addition, people need to be aware of phishing emails that can help spread WannaCry and other ransomware. If an email appears to be from a company, but the URL shown when the mouse pointer hovers over a link in the email is unfamiliar, it is best not to click that link. Doing so could open up one’s computer to ransomware like WannaCry and put one’s files in danger of being locked and even deleted. Having important files backed up to external hard drives and/or cloud-based systems (such as Dropbox, Box, Google Drive, etc.) can also help users to recover their files without having to pay the ransom demanded by WannaCry and other ransomware programs.
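The hover check described above can be automated for an HTML email body. The following is an added example, not part of the original article: it flags links whose visible text shows one domain while the underlying address points to another, and links that leave the sender's domain. The sender address, the sample domains and the two-label base_domain shortcut are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: the last two labels identify the owner (wrong for .co.uk etc.;
    # a production tool would consult the Public Suffix List).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(sender, html_body):
    """Return (href, reason) for links that do not lead where they appear to."""
    sender_domain = base_domain(sender.rsplit("@", 1)[-1])
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, in-page anchors and similar are not checked
        target = base_domain(parsed.hostname)
        # Only link text that itself looks like a URL can contradict the href.
        shown = URL_LIKE.match(text) and urlparse(text if "://" in text else "//" + text).hostname
        if shown and base_domain(shown) != target:
            findings.append((href, "displayed-url-mismatch"))
        elif target != sender_domain:
            findings.append((href, "not-sender-domain"))
    return findings

# Constructed sample message (not a real WannaCry lure).
SAMPLE_SENDER = "billing@example-courier.test"
SAMPLE_HTML = """<a href="https://www.example-courier.test/help">Help centre</a>
<a href="http://tracking.parcel-update.example/login">www.example-courier.test/track</a>
<a href="http://downloads.invoice-viewer.example/doc">View invoice</a>"""
```

Calling suspicious_links(SAMPLE_SENDER, SAMPLE_HTML) reports the second and third links and leaves the first, which stays on the sender's own domain, alone.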