|Date||Discovered on 12 May 2017|
|Suspected actor||Lazarus Group on behalf of the North Korean government (official attribution statements made by US, UK, Australia, Canada, New Zealand)|
|Victims||The malware was largely indiscriminate, affecting more than 300,000 computers in 150 States. Symantec has estimated that organizations (hospitals, banks and other companies) were particularly vulnerable because of the malware’s ability to spread across networks. Among multinational corporations, Telefónica (ES), Renault (FR) and FedEx (US) were hit. Infected public organizations included the National Health Service (UK) and the Russian Ministry of the Interior.|
|Target systems||Microsoft Windows-based systems (March 2017 Patch – MS17-010)|
|Method||WannaCry exploited critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017. Similarly to the NotPetya mock ransomware (discovered in June 2017), WannaCry used the “Eternal Blue” exploit leaked by a group of hackers referring to itself as “Shadow Brokers”. The malware was able to search for and encrypt 176 different file types. Once encrypted, it asked victims to pay a ransom of 300 USD payable in Bitcoins, with the sum doubling if the amount was not paid after 3 days. Victims were told that their files would be permanently deleted after 7 days. However, Symantec has estimated that the malware was not able to carry out its threat of deleting files.|
|Purpose||Reuters has estimated that the purpose of the attack was financial gain, which allowed North Korean hackers to “net” millions of dollars in virtual currencies at a time when North Korea struggled under the weight of economic sanctions. When the malware was discovered (May 2017), the value of Bitcoin was between 1500 and 2500 USD, but it reached a valuation of 17500 USD shortly after, in December 2017.|
|Result||The overall estimated damage was in the billions of dollars. Most notably, the NHS had to cancel or turn away appointments including surgeries. In addition, companies around the globe suffered inconveniences to daily business activities such as encrypted files, employees being locked out of terminals or payment terminals being shut down.|
|Aftermath||International response to the attacks was fairly restrained, with the US limiting itself to “publicly shaming” North Korea for its wrongful actions. South Korea considered the possibility of countermeasures in the form of increased economic sanctions against North Korea. In the US, the aftermath of WannaCry resulted in criticism directed towards the National Security Agency (NSA) for not disclosing the specific vulnerability which was known to it. In the UK, the attack provoked the NHS into being more aware of threats residing in the cyber realm.|
|Relevance||Scenario 07: Leak of State-developed hacking tools; Scenario 12: Cyber operations against computer data|
Collected by: Mihkel Pikkat
- S Jones, “Timeline: How the WannaCry cyber attack spread” (15 May 2017), Financial Times.
- D Volz, “US blames North Korea for ‘Wanna Cry’ cyber attack” (19 December 2017), Reuters.
- BBC News, “Cyber-attack: US and UK blame North Korea for WannaCry” (19 December 2017), BBC.
- “What you need to know about the WannaCry Ransomware” (23 October 2017), Symantec.
- J Wagstaff and J Smith, “Multi-stage cyber attacks net North Korea millions in virtual currencies: researchers” (19 December 2017), Reuters.
- Bitcoin (USD) Price
- G Korte, “White House plan to ‘shame’ North Korea shows complexities of responding to cyber attacks” (19 December 2017), USA Today.
- L Dearden, “NHS to spend £150m on cyber security to bolster defences after WannaCry attack” (28 April 2018), Independent.