Security Encyclopedia

WannaCry

Five Things to Know about Profitless Ransomware

In May 2017 over the course of just 72 hours, much of the online world was captivated (and held captive) by a novel threat. The global business community was introduced to a rapidly-spreading malware that affected the systems of large, established enterprises both private and public as well as small and midsize ones. Before the cyberattack showed signs of diminishing, the WannaCry ransomware had infected 300,000 computers in 150 countries, with notable private targets such as Boeing, Renault, Honda, and FedEx. Users were met with warnings on their home screens to pay a digital currency ransom or face the destruction of their, their customers’, and partners’ data.

As the attack ended, it was learned that its most decisive countermeasure was merely serendipitous, and its extortion aim fell flat. WannaCry is estimated to have cost $4 billion of damage globally, however by other measures it failed to live up to the potential that a surprise cyberattack could have if architected more carefully. 

Image credit: Getty Images via TechCrunch

Here are five things you should know about WannaCry, destructive yet profitless ransomware.

1. WannaCry exploited vulnerabilities in Windows OS machines.

The attackers behind the WannaCry attack used a tool called EternalBlue to exploit Windows operating system software. EternalBlue was created by the US National Security Agency to exploit a vulnerability in the Windows Server Message Block, or SMB Protocol, which is a commonplace, normally safe system for sharing file access across a network. The vulnerability in question was a proven way to deceive the SMB Protocol into accepting data packets from outside the legitimate network.

In April 2017, just prior to the attack, a group called the Shadow Brokers stole EternalBlue from the NSA and published the exploit on the web. In response, Microsoft announced a patch for then-current versions Windows 7 and 10, closing the entry point that EternalBlue makes known. However as in many such cases system patching and updating doesn’t always occur as planned. (In addition, many people and organizations were still running Windows XP, leaving them vulnerable, as patches were not readily available.)

2. WannaCry caused serious healthcare disruption.

A prime example of an organization left wide open to a WannaCry cyberattack was the UK National Health Service, which was running unpatched Windows 7 and the unsupported, 16-year-old version Windows XP. The NHS was brought to a standstill for several days, with one-third of NHS hospitals in the UK and Scotland affected. WannaCry disruption cost the NHS and UK taxpayers at least £92 million, or around $128 million, due to the cancelation of 19,000 appointments and non-emergency surgeries.

There were perceptible delays as well as an overall mad scramble to reapportion care where it could be provided. Among studied, directly infected NHS hospitals, experts found 0% increase in mortality over the baseline. However, these facilities experienced meaningfully fewer elective and emergency admissions. In all, total admissions per infected hospital per day dropped 6%. Contributing to this overall 6% reduction were 9% fewer elective hospital admissions and 4% fewer emergency admissions. 

Photo credit: BankInfoSecurity

3. WannaCry ransomware yielded little ransom.

Ransomers sought 300-600 USD worth of the digital currency bitcoin (BTC), which during the week of the attack amounted to 0.6-0.3 BTC. (Curiously, as of this writing the bitcoin price has since gone to the moon.) This was under threat of captive files’ destruction within three days. Large organizations — the unwitting primary targets as these had unpatched legacy systems, including the NHS — were also the likeliest to periodically backup their data. Hence, many large organizations balked at paying ransom. They patched their systems, and synced their data. Small and midsize businesses were more likely to pay for the damaging prospects of losing all of their data, but fortunately the attack was pared back soon.

Security researchers note that WannaCry only garnered around 200 payments totaling less than $100,000 — highly unsuccessful since 300,000 computers were infected. It was fortunate that the WannaCry attack proved unprofitable, as researchers also note that WannaCry had no ability to tie a payment to a particular machine and thus payments provided no guarantee of data liberation.  

4. WannaCry had a kill switch and its discovery was pure luck.

A then-anonymous security researcher in the UK whose handle is MalwareTech (now known to be Marcus Hutchins) discovered that WannaCry was built to check if a specific gibberish URL navigated to a live website. Curious, MalwareTech registered the domain to see what happened. This was immediately revealed to be WannaCry’s kill switch, which in computer parlance is a mechanism to shut down or disable a program. Registering the URL provided a basic signal to WannaCry to halt spreading. MalwareTech’s $10.69 investment at the time pared down the WannaCry threat quickly and considerably. The kill switch was thought to be an intentional component of WannaCry allowing its creators to restrain the monster that they introduced to global networks running Windows environments. 

5. WannaCry today poses little threat.

The combined activities of the largest software company in the world and those of security researchers have caused WannaCry to no longer be a serious threat. Microsoft released software security patches rendering moot the EternalBlue Windows SMB Protocol exploit. MalwareTech aka Marcus Hutchins halted WannaCry’s spread by registering the URL found in its code, activating the program’s kill switch. Through defensive cryptanalysis of WannaCry, other researchers developed methods to decrypt files that were held hostage so long as the owner did not reboot the infected computer.

Recent discussion of WannaCry usually surrounds its impotency or dormancy, and the fact that EternalBlue-prone computers are rare. A WannaCry variant did surface in August 2018, infecting 10,000 machines of the Taiwan Semiconductor Manufacturing Company (TSMC), disabling four advanced chip-making facilities. Its effects were curtailed and TSMC claimed no damage to, or loss of, confidential data. 

Looking through today’s lens, there are more threatening ransomware attacks than WannaCry. These take the form of multilayer threats having an ability to self-propagate (not relying on a patchable exploit) and to tie ransom payments to particular devices. 

Hackers connected to the Democratic People’s Republic of Korea are thought to be responsible for creating and deploying WannaCry, making the incident a state-sponsored act.  In its aftermath a security researcher at Google — quickly followed by those at Kaspersky Lab, Intezer, Symantec, and Comae Technologies — tied WannaCry to the Lazarus Group. WannaCry’s profile matched that of other ransomware used by the group, and the group in turn has been linked to North Korean state-sponsored actors.

Security researcher Marcus Hutchins aka MalwareTech. Photo credit: Ramona Rosales via WIRED

Marcus Hutchins, the British security researcher going by MalwareTech, had found fame yet three months after almost single-handedly stopping WannaCry, he epically squandered every ounce of his celebrity (and integrity). While at the Defcon hacking conference in Las Vegas, he was arrested for being the creator of the Kronos banking trojan which caused chaos in the industry by exfiltrating account holders’ sensitive information. The hero had become the villain, and the domain he registered — http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/  — persists as a sinkhole and for posterity.

That’s five things you now know about WannaCry, destructive yet profitless ransomware. 

For more information read TechCrunch’s 2019 two-year retrospective, the WIRED story on Marcus Hutchins’ downfall, and watch the SciShow video below.