CyberScout

What Businesses Need to Know About WannaCry Ransomware


WannaCry is a well-known ransomware worm that first made headlines in May 2017 after infecting between 200,000 and 300,000 computers in more than 150 countries. Although its spread was largely halted within about four days, total damages were estimated at up to $4 billion, and the victims included FedEx, the UK National Health Service, Nissan, the Russian government, Hitachi, and many others.

Beyond the damage WannaCry caused in a relatively short window of time, what makes this variant noteworthy is how it spread. Unlike most ransomware, it did not depend on a user opening an attachment: it was a worm that exploited a flaw in Windows' implementation of the SMBv1 file-sharing protocol, so a single infected machine could infect every unpatched Windows host it could reach over the network. The exploit for that flaw, known as EternalBlue, was developed by the U.S. National Security Agency (NSA); it was stolen in 2016 and leaked online in April 2017 by a hacking group calling itself the Shadow Brokers. EternalBlue was quickly repurposed by other malware, most notably NotPetya a month later, and the related EternalRomance exploit from the same leak was later used by Bad Rabbit.

In the wake of the WannaCry attack, the NSA was heavily criticized for having known about the underlying SMBv1 vulnerability, which affected every Windows version from Windows XP onward, for more than five years without disclosing it to Microsoft, opting instead to keep it in its own set of hacking tools.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” wrote Microsoft President Brad Smith on the company’s blog following the WannaCry attacks. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

The damage WannaCry caused far exceeded the ransom it demanded to decrypt infected systems: $300 to $600 in Bitcoin. Its payment mechanism was also poorly built. The malware used only three hard-coded Bitcoin addresses and had no automated way to link a payment to a particular infected computer, so the attackers could not reliably tell which victims had paid, and few, if any, of those who paid got their data back.

Data from a bot that tracked payments to the ransom wallets showed that only a few hundred victims paid, and that the attackers' total haul was roughly $140,000. Security firms and the U.S. government attributed the attack to the Lazarus Group, a hacking team with ties to North Korea.

“The attack was widespread and cost billions, and North Korea is directly responsible,” wrote Thomas P. Bossert, a security adviser to the Trump administration in the Wall Street Journal.

“We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree.”

Fortunately, two factors prevented WannaCry from spreading to millions more computers. First, a security researcher examining its code found a “kill switch”: before encrypting anything, the malware tried to contact an unregistered web domain and quit if it got a response. Registering that domain stopped new infections on any machine that could reach it, although machines behind proxies that blocked the check were still hit, and already-encrypted files were not recovered. Second, Microsoft had already fixed the flaw for supported versions of Windows in March 2017 (security bulletin MS17-010) and responded to the outbreak by issuing emergency patches for unsupported versions such as Windows XP and Windows Server 2003.

Regularly patching software is key to preventing cybersecurity incidents, according to CyberScout founder and chairman Adam Levin.

“Microsoft had released a patch back in March [2017], but not everyone had applied it, particularly on older Windows XP systems… those were the companies affected,” he wrote. “All businesses can reduce their risk by knowing what applications and versions are in their networks.”
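The inventory Levin describes can be automated. As an added example, not part of the CyberScout article, the following PowerShell script checks the two conditions that decided whether a Windows host was exposed to WannaCry's spreader: SMBv1 still enabled, and no MS17-010 fix installed. The KB list is assumed from the MS17-010 bulletin and varies by OS build, and the registry default for legacy hosts is an assumption; verify both against Microsoft's documentation for your builds.

```powershell
# Added example: report a Windows host's exposure to the SMBv1 flaw that WannaCry's
# EternalBlue spreader used. Run from an elevated PowerShell prompt on the host.

# ASSUMPTION: MS17-010 KB numbers taken from the bulletin for Windows 7/8.1/10,
# Server 2008 R2/2012/2012 R2 and the out-of-band XP/Vista/2003/8 package
# (KB4012598). Later cumulative updates supersede these on Windows 10, so an
# empty match there is a prompt to check the build's update date, not proof.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
    'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$installedHotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
$matched = @($installedHotfixes | Where-Object { $Ms17010Kbs -contains $_ })

# SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server
# 2012 and later; on older hosts read the LanmanServer registry value directly.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $reg = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    # ASSUMPTION: a missing SMB1 value means the default, which is enabled on
    # legacy Windows versions.
    $smb1Enabled = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
}

# A host is exposed only when SMBv1 is reachable AND the fix is absent;
# either control on its own closes the EternalBlue path.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = "$($os.Caption) build $($os.BuildNumber)"
    LastBootTime   = $os.LastBootUpTime
    SMB1Enabled    = $smb1Enabled
    MS17010Patches = ($matched -join ', ')
    Exposed        = ($smb1Enabled -and ($matched.Count -eq 0))
}
```

Run it across a fleet with `Invoke-Command` and collect the objects. On any host that reports `Exposed = True`, apply the MS17-010 update first; whether or not it matches, SMBv1 should be disabled on modern hosts with `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` (or `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`), since no current Windows workload needs the protocol.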

While ransomware has been in circulation for decades, the scale and number of computers affected by WannaCry’s spread arguably helped raise awareness of the threat it continues to pose to businesses, organizations, and individuals alike. 

Despite the halt to its initial spread, WannaCry remains active years later: it accounted for no less than 40 percent of all ransomware detections in Q1 2020, primarily on unpatched systems in Thailand, Turkey, and Indonesia.