On 12 May 2017, the cryptoworm WanaCrypt0r 2.0, also known as WannaCry, infected hundreds of thousands of computers around the world. Our investigation into this ransomware reveals some worrying trends.
An unprecedented attack
It has been over two weeks since WanaCrypt0r 2.0 burst onto the scene. This cyber worm uses EternalBlue, an exploit for a vulnerability in the Windows operating system that was identified by the NSA and later leaked to the public. In what Europol called an “unprecedented” ransomware attack, WannaCry infected more than 200,000 victims in 150 countries (1).
In the days that followed the initial attack, variants targeting new victims began to emerge, helping to spread the malware (2). Examples included “DarkoderCrypt0r” and “WannaCrypt 4.0”, which featured customisable interfaces and support for languages such as Thai that the original worm did not offer.
Fortunately, a kill switch was discovered – a domain name which, once registered, slowed the spread of the worm. However, during the weekend that followed the launch of WannaCry, new threats appeared: variants with new kill-switch domain names or with no kill switch at all. Then reports of another worm, Adylkuzz, began circulating. This worm is less invasive than WannaCry, but much more profitable for the attackers. Finally, one week after the original attack, researchers identified EternalRocks, a worm integrating not two but seven of the NSA’s leaked tools. This latest worm could be the most serious of them all.
The North Korean connection
After Symantec revealed probable connections between WannaCry and the Lazarus hacking group, all eyes turned to North Korea. Could one country be behind an attack that infected the entire world? Are the attackers aiming to destabilise the economy or simply to earn a profit? WannaCry comes at a time when questions are being asked about government influence in the American and French elections. Is this an attempt to threaten democracy by exploiting the opportunities created by the Internet and new technologies? These concerns are fuelling fears of a global cyberwar.
Several groups are responsible for this destructive ransomware:
- The first group includes the hackers responsible for designing the worm, whose identity is currently unknown, although they are suspected to have links to the Lazarus hacking group which is very probably connected to North Korea;
- The second group is the ShadowBrokers, who stole and leaked a number of powerful exploits which could only have been developed by an institution with the technical resources of the NSA, and which WannaCry later put to use;
- The final group is the NSA itself, which discovered these vulnerabilities but kept them secret for its own purposes, designing the exploits that led to the creation of the worm.
However, responsibility is also shared with Internet users. Despite acting in good faith, they do not always adopt good practices. These users include:
- Windows users who did not update their machines or apply corrective patches, even when they had the latest version of the operating system. This made them vulnerable to the attack.
- To a lesser extent, companies and institutions like Renault and the NHS. For economic or compatibility reasons, they did not migrate to newer operating systems after Microsoft ended support for the older versions they ran, and so did not benefit from the corrective patches released one month prior to the attack (note, however, that according to Kaspersky Lab, 98% of infected machines were running Windows 7, which was still supported (3)).
- Microsoft itself, for failing to identify and patch these vulnerabilities. It had patches for systems it no longer supported (such as Windows XP) but these were only provided to clients after the attack. Meanwhile, patches for operating systems it still supported were published well before the attack.
Clearly, this large-scale attack raises a number of delicate questions. To better understand these issues, we have written a series of articles covering the main subjects.
Other articles in this series: