WannaCry (2017)

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Date Discovered on 12 May 2017[1]
Suspected actor Lazarus Group on behalf of the North Korean government (official attribution statements made by US[2], UK, Australia, Canada, New Zealand)[3]
Victims The malware was largely indiscriminate as it affected more than 300.000 computers present in 150 States.[3] Symantec has estimated that organizations (hospitals, banks and other companies) were particularly vulnerable because of the malware’s ability to spread across networks.[4] Among multinational corporations, Telefónica (ES), Renault (FR) and FedEx (US) were hit. Infected public organizations included the National Health Service (UK) and the Russian Ministry of the Interior.[1]
Target systems Microsoft Windows based systems (March 2017 Patch – MS17-010)[4]
Method WannaCry exploited critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017. Similarly to the NotPetya mock ransomware (discovered in June 2017), WannaCry used the “Eternal Blue” exploit leaked by a group of hackers referring to itself as “Shadow Brokers”. The malware was able to search for and encrypt 176 different file types. Once encrypted, it asked victims to pay a ransom of 300 USD payable in Bitcoins, with the sum doubling if the amount was not paid after 3 days.[4] Victims were told that their files would be permanently deleted after 7 days.[4] However, Symantec has estimated that the malware was not able to carry out its threat of deleting files.[4]
Purpose Reuters has estimated that the purpose of the attack was financial gain which allowed North Korean hackers to “net” millions of dollars in virtual currencies at a time where North Korea struggled under the weight of economic sanctions.[5] When the malware was discovered (May 2017), the value of Bitcoin resided between 1500 and 2500 USD but reached a valuation of 17500 USD shortly after, in December 2017.[6]
Result The overall estimated damage was in the billions of dollars.[3] Most notably, the NHS had to cancel or turn away appointments including surgeries.[3] In addition, companies around the globe suffered inconveniences to daily business activities such as encrypted files, employees being locked out of terminals or payment terminals being shut down.[1]
Aftermath International response to the attacks was fairly restrained with the US limiting itself to “publicly shaming” North Korea for its wrongful actions.[7] South Korea considered the possibility of countermeasures in the image of increasing economic sanctions against North Korea[5] In the US, the aftermath of WannaCry resulted in criticism directed towards the National Security Agency (NSA) for not disclosing the specific vulnerability which was known to it.[2] In the UK, the attack provoked the NHS into being more aware of threats residing in the cyber realm.[8]
Relevance Scenario 07: Leak of State-developed hacking tools
Scenario 12: Cyber operations against computer data

Collected by: Mihkel Pikkat