Wannacry Cyber Attack

What was the cyber attack?

The WannaCry ransomware attack was a worldwide cyber attack in May 2017. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. WannaCry is a ransomware cryptoworm that targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The worm is also known as WannaCrypt, Wana Decrypt0r 2.0, WanaCrypt0r 2.0, and Wanna Decryptor. It is considered a network worm because it includes a transport mechanism that spreads it automatically. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access and the DoublePulsar tool to install and execute a copy of itself. WannaCry versions 0, 1, and 2 were created using Microsoft Visual C++.
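The scanning step described above leaves a recognisable trace in network flow logs: one host contacting many distinct peers on TCP port 445 (SMB) within a short time. The following Python detector is an added example, not part of the original article; the log format, the addresses, the 60-second window and the threshold of 20 peers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                   # TCP port used by SMB
WINDOW = timedelta(seconds=60)   # assumed sliding-window length
THRESHOLD = 20                   # assumed: distinct SMB peers per window


def sample_flows():
    """Constructed flow records in the assumed form 'timestamp src dst dport'."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = []
    for i in range(1, 41):
        ts = (base + timedelta(seconds=i)).isoformat()
        # Worm-like host: a new SMB peer every second.
        lines.append(f"{ts} 10.0.0.23 10.0.0.{100 + i} 445")
        # Ordinary file-share client: the same two servers over and over.
        lines.append(f"{ts} 10.0.0.50 10.0.1.{1 + i % 2} 445")
        # Many peers, but HTTPS rather than SMB.
        lines.append(f"{ts} 10.0.0.60 192.0.2.{i} 443")
    return sorted(lines)         # ISO timestamps sort chronologically


def find_smb_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: time of first alert} for hosts that reach `threshold`
    distinct SMB destinations inside one sliding `window`."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    alerts = {}
    for line in lines:
        ts_text, src, dst, dport = line.split()
        if int(dport) != SMB_PORT:
            continue
        ts = datetime.fromisoformat(ts_text)
        seen = recent[src]
        seen.append((ts, dst))
        # Drop connections that have aged out of the window.
        while ts - seen[0][0] > window:
            seen.popleft()
        if src not in alerts and len({d for _, d in seen}) >= threshold:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for host, when in find_smb_scanners(sample_flows()).items():
        print(f"{when.isoformat()} possible SMB scanning from {host}")
```

Counting distinct destinations rather than raw connections keeps busy file-share clients from triggering the alert; the threshold and window need tuning against a network's normal SMB traffic.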

When did it happen?

The attack began on Friday, 12 May 2017, with evidence pointing to an initial infection in Asia at 07:44 UTC. Within a day, the code was reported to have infected more than 230,000 computers in over 150 countries. Officially, the initial outbreak lasted from 12 May 2017 to 15 May 2017. Organizations that had not installed Microsoft’s security update from April 2017 were affected by the attack.

How did it happen?

The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code. It is believed that the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed code to exploit it, called EternalBlue. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained vulnerable, and WannaCry, which used EternalBlue to infect computers, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.

Who did it?

The US and UK governments have said North Korea was responsible for the WannaCry malware attack that affected hospitals, businesses and banks across the world in May 2017. Ironically, the EternalBlue exploit it relied on was allegedly developed as a cyber-attack tool by the US National Security Agency. Although the NSA was reported to have known of the tool’s vulnerabilities, it didn’t bring them to Microsoft’s attention until the hacker group called Shadow Brokers leaked EternalBlue to an obscure website. Further analysis of the attack by companies such as Symantec revealed links to the Lazarus group, which in turn has been linked to North Korea, although the attack does not bear the hallmarks of a nation-state campaign.

Which security services were violated?

WannaCry spread using an exploit called EternalBlue, created by, and subsequently stolen from, the U.S. National Security Agency (NSA). EternalBlue enabled attackers to discover vulnerable computers on the target network. WannaCry also leveraged an NSA backdoor called DoublePulsar to install WannaCry on the network.

The WannaCry ransomware attack hit around 230,000 computers globally. A third of NHS hospital trusts were affected by the attack. Terrifyingly, ambulances were reportedly rerouted, leaving people who needed urgent care without it. The attack was estimated to have cost the NHS a whopping £92 million after 19,000 appointments were canceled as a result. As the ransomware spread beyond Europe, computer systems in 150 countries were crippled. The WannaCry ransomware attack had a substantial financial impact worldwide: it is estimated that this cybercrime caused $4 billion in losses across the globe.

Affected organizations

  • Andhra Pradesh Police, India
  • Automobile Dacia, Romania
  • Boeing Commercial Airplanes
  • Cambrian College, Canada
  • Hitachi
  • Honda
  • Instituto Nacional de Salud, Colombia
  • Portugal Telecom
  • Pulse FM
  • Renault
  • Russian Railways
  • University of Milano-Bicocca, Italy
  • Vivo, Brazil