Over the weekend, a virus infected thousands of computers around the world, locking up their data until a ransom was paid. Experts believe the virus uses tools stolen from the NSA to infect computers running the Microsoft Windows operating system.
The impact of the attack, using a virus known as ‘WannaCry’, appears limited in the United States so far, although security analysts fear that could change in the coming days. The virus has been running wild across Europe and Asia, inflicting an untold amount of financial damage and putting lives in danger, since one of the biggest targets was Britain’s National Health System.
Following are 15 important facts about WannaCry, including tips on how to protect vulnerable systems.
The virus infected some 200,000 computer systems in 150 countries in a single weekend. The first known infection was reported early Friday morning. WannaCry – also known as WCry, WannaCrypt, or Wana Decryptor – spread like wildfire over the next three days.
Investigators do not know the full extent of the attack because a huge number of systems are believed to have been infected in China – almost 30,000 different companies, government agencies, shops, and academic institutions, according to one estimate.
The virus was tailored to work across the globe, with ransom messages in dozens of different languages. When a theater chain in South Korea was infected, movie screens began displaying the ransom message in Korean, instead of the paid advertising they normally show before a movie.
Europol chief Rob Wainwright said much of the world was in “disaster recovery mode” after the weekend’s far-reaching attacks.
WannaCry is a ransomware virus. The primary objective of this viral infection is to encrypt all of the data on targeted systems, rendering the data inaccessible until the owner pays a ransom to the hackers. The ransom is generally paid with an untraceable digital “crypto-currency” like Bitcoin. Once payment is received, the hackers give their victim a code that will unlock their hijacked data.
This type of attack is known as “ransomware,” and it has been alarmingly successful over the past few years. Ransomware virus packages are sold in secret “dark web” marketplaces for a pittance. Some are available for less than the price of a video game. Virus creators hawk their wares to hacker customers with promises of easy setup, adaptability, and sure-fire income from blackmail victims. Satisfied customers leave Amazon.com-style testimonials like, “Up and running within a couple of days! Hopefully start getting some money in now. :)”
Some of the more alarming estimates say ransomware infections are growing at a rate of 36 percent per year, with over 100 different strains of ransom virus currently active on the Internet. WannaCry is, by nearly universal acclamation, the largest ransomware heist ever recorded.
The hackers reportedly only made about $50,000 from plunging the world into panic. A key feature of successful ransomware is that the ransom is usually a modest sum – far less than the cost of paying a team of security experts to try to defeat the encryption attack. The ransom demanded from WannaCry victims reportedly ranged from $300 to $600, with a threat that higher payments would be demanded if victims did not pay up quickly.
The total haul for the criminals responsible for the attack has been estimated at just $50,000, but the financial damage to victims around the world will be several orders of magnitude higher by the time all is said and done. For example, the China National Petroleum corporation took 20,000 gas stations offline to control the spread of the virus, while India shut down some financial networks in an apparently successful bid to minimize WannaCry damage. The total cost of dealing with this viral attack will probably run into billions of dollars worldwide.
Analysts told CNBC on Monday that the hackers’ take could increase dramatically as the first cutoff time for increased ransom payments is reached, desperate victims give up on trying to fight the virus, and baffled businessmen figure out how Bitcoin works so they can meet the criminals’ demands.
Victims often pay the ransom demanded. Security analysts say that over 200 of the WannaCry victims who promptly paid the ransom have gotten their data back. However, cybersecurity experts advise against paying the ransom, noting that historically only about two-thirds of compliant ransomware victims get their data back after meeting hacker demands.
Cybersecurity expert Peter Coroneos summed up the difficult position of ransomware victims by telling the UK Guardian, “As a matter of principle, the answer should always be no… based on the simple dynamics of perpetuating bad conduct. However, as a matter of practicality and necessity, the situation is somewhat more complex.”
Even Microsoft’s answer to the frequently asked question of “should I just go ahead and pay to regain access?” is not an unequivocal “no.” Instead, the computer giant says: “There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.”
A vulnerability in Microsoft Windows allowed the WannaCry hackers to strike. The WannaCry virus exploits a bug in a Windows networking protocol, which Microsoft patched in March, possibly after receiving a heads-up from the U.S. intelligence community.
Some blame Microsoft for enabling this global ransomware attack with poor product design and for abandoning users running older versions of the Windows operating system. In particular, users of Windows XP, which Microsoft officially stopped supporting in 2014, were vulnerable to attack. The company provides very limited support to XP users who pay for special service, but no longer provides Windows XP patches to the general public. That means most of the world’s XP users had no idea they needed a security patch, and no way to get one if they were somehow aware of the WannaCry vulnerability.
Microsoft has said end users must take some responsibility for failing to install critical security patches. Some observers blame the slow rollout of security updates on corporate inertia – it can be difficult to get a large number of users in a network to install updates in a timely manner, let alone move an entire corporation or government agency to a new version of Windows. Also, some observers believe part of the problem is that a sizable number of users run illegal or pirated copies of Windows, and cannot easily obtain security updates.
An emergency security update was made available for Windows XP, Windows 8, and Windows Server 2003 users on Friday, as the extent of the WannaCry threat became clear. Over a million computers around the world are said to remain vulnerable to the virus.
Britain’s National Health System was among the biggest victims. The NHS still runs Windows XP on many of its computers, so it became one of the biggest ransomware victims. The situation became so dire that doctors sent text messages to patients, informing them critical services such as x-rays and blood tests were unavailable until further notice. Some clinics shut off their computers and reverted to pen and paper. Hospital websites notified patients that medical records were unavailable, so prescriptions could not be dispensed.
NHS facilities have been criticized for using outdated Windows software, even though funding for upgrades was provided years ago. Observers have castigated the British government for failing to provide essential cybersecurity training to its employees.
Other notable victims of the attack included automaker Renault in France, Spanish telecommunications firm Telefonica, German railway operator Deutsche Bahn (whose passengers snapped photos of arrival and departure screens displaying the ransom message), Russia’s Interior Ministry, Russia’s state-owned Sberbank financial group, and FedEx in the United States.
Microsoft blames the National Security Agency and other intel services for hoarding exploits. Microsoft’s chief legal officer and president, Brad Smith, wrote a blog post on Sunday in which he said the ransomware employed “exploits stolen from the National Security Agency, or NSA, in the United States.”
Smith said the attack was an “example of why the stockpiling of vulnerabilities by governments is such a problem.”
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” he wrote.
Smith said the WannaCry crime spree should serve as a “wake-up call” for the governments of the world, calling for a “digital Geneva Convention” and a resolution for all of the world’s intelligence agencies to “report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
Russian President Vladimir Putin cited Smith’s letter to blame the U.S. government for enabling the WannaCry attack on Monday. “Microsoft said it directly: the initial source of this virus is the U.S.’s security agencies. Russia’s got absolutely nothing to do with it,” he said.
The “Shadow Brokers” disclosed the NSA code used in WannaCry. Several weeks ago, a hacker group called the Shadow Brokers published a set of powerful malware tools purportedly stolen from the NSA, generating considerable excitement in the hacking community. Russian cybercriminals and Chinese hackers buzzed about the possibility of using these tools to create a super-powerful ransomware virus in mid-April.
The Shadow Brokers have leaked over a gigabyte of information from the NSA over the past year. The mid-April dump included some 300 megabytes of the most dangerous material the group has released. One analyst called it the “most powerful cache of exploits ever released.”
The Shadow Brokers accompanied this dangerous inventory of hacking tools with the message: “Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away. TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes.” McAfee is a reference to anti-virus software pioneer John McAfee, whose colorful life is soon to be dramatized in a movie starring Johnny Depp.
The stolen NSA code appears to be the reason WannaCry spread so quickly. The ransomware used in this weekend’s attack has been described by programmers as an older, much less effective program that was “souped up” or “turbocharged” with the NSA’s tools – in particular, an exploit called EternalBlue, which allows it to propagate using a now-patched flaw in Windows file sharing software.
Hackers traditionally spread ransomware infections with “phishing” emails, designed to trick users into opening a virus-laced document or clicking on a link that infects their computer with malicious code. WannaCry appears to be capable of jumping between computers on its own. Security experts say there is little evidence that phishing techniques were employed to spread this particular worm.
A British IT expert temporarily halted the spread of the virus. As bad as the virus attack was, it could have been far worse without the quick action of a British computer tech who prefers to be called “MalwareTech.” He wants to remain anonymous to avoid reprisals from cybercriminals, but the British media seems determined to expose his identity.
MalwareTech carefully examined WannaCry’s code and determined that it was programmed to contact a particular website whose name was an incomprehensible string of letters and numbers. He discovered this website did not exist yet, and registered its name for himself, thinking the virus might be attempting to contact the site to report on its activities or upload data – a common tactic with worms and “bot” programs.
Instead, the mystery website was a “kill switch,” a way the creators of the virus could shut it down if they wanted to stop it from reproducing. WannaCry was designed to stop spreading as soon as attempts to contact the kill-switch website became successful. For the cost of a $10.69 registration fee, MalwareTech halted an infection that was spreading across the world.
Intriguingly, MalwareTech says that shortly after he registered the kill-switch website, Chinese hackers tried to steal it from him. This does not necessarily mean the Chinese group is the WannaCry perpetrator, however. Cybercrime experts deemed it more likely they wanted the kill switch as a trophy, or to analyze the incoming messages from WannaCry infestations around the world.
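The kill-switch behaviour described above has a defensive use that the page touches on only indirectly: any machine on your own network that tries to resolve the kill-switch name is running the worm's pre-spread check, whether or not the lookup succeeds, so resolver logs are a quick way to find hosts that need isolating. The script below is an added example, not code from the article or from MalwareTech; the domain name is a labelled placeholder (the real kill-switch name is not reproduced here) and the BIND-style query-log lines are constructed.

```python
"""Flag internal hosts whose DNS queries hit a ransomware kill-switch domain.

Added example. A host that looks up the kill-switch name is running the
worm's pre-spread check, so it is a candidate for isolation whether or not
the domain resolved. The domain below is a labelled placeholder, not the
real WannaCry kill-switch name, and the log lines are constructed.
"""
import re
from datetime import datetime

# Placeholder for the kill-switch domain (assumption: the real name is not reproduced here).
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed resolver log lines in a BIND-style query-log format.
SAMPLE_LOG = """\
15-May-2017 08:01:12.004 client 10.20.30.41#52113: query: killswitch-placeholder.example IN A + (10.0.0.53)
15-May-2017 08:01:12.230 client 10.20.30.41#52114: query: www.example.org IN A + (10.0.0.53)
15-May-2017 08:03:45.118 client 10.20.30.77#60231: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.53)
15-May-2017 08:05:00.001 client 10.20.31.5#41002: query: mail.example.org IN MX + (10.0.0.53)
15-May-2017 08:07:19.552 client 10.20.30.41#52300: query: killswitch-placeholder.example IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize_name(qname):
    """Lower-case and strip the trailing dot so FQDN and relative forms compare equal."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Parse one query-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return {
        "ts": ts,
        "ip": m.group("ip"),
        "qname": normalize_name(m.group("qname")),
        "qtype": m.group("qtype"),
    }


def find_kill_switch_lookups(log_text, watchlist=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"first_seen", "last_seen", "count"}} for hosts that queried a watched name."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in watchlist:
            continue
        entry = hits.setdefault(rec["ip"], {"first_seen": rec["ts"], "last_seen": rec["ts"], "count": 0})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return hits


def isolation_candidates(log_text):
    """Client IPs that looked up a watched domain, ordered by when they were first seen."""
    hits = find_kill_switch_lookups(log_text)
    return [ip for ip, e in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"])]


if __name__ == "__main__":
    for ip, e in find_kill_switch_lookups(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} lookup(s), first {e['first_seen']}, last {e['last_seen']}")
```

Point the watchlist at whichever names your threat intelligence feed gives you and feed it the real resolver log; the repeat lookups from one client are worth noting, because a single successful resolution is exactly what stops the worm from spreading, so a host that keeps asking is one whose check is not succeeding.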
New versions of WannaCry appeared soon after the kill switch was thrown. It did not take long for new instances of the virus to appear with the kill switch code removed.
“We are in the second wave. As expected, the attackers have released new variants of the malware. We can surely expect more,” said Matthieu Suiche of cybersecurity firm Comae Technologies.
“This is probably version 2.1, and it has the potential to be much more effective, assuming security defenders haven’t spent all weekend patching,” said Allan Liska of another security firm, Recorded Future.
The Department of Homeland Security is involved in the U.S. response. The DHS released a statement on Friday acknowledging reports of WannaCry infections “affecting multiple global entities.”
“We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally. DHS has a cadre of cybersecurity professionals that can provide expertise and support to critical infrastructure entities,” said Homeland Security.
DHS officials stated on Monday that a “limited number” of American companies were affected, adding that the victims “represent many different sectors of the U.S. economy.”
President Donald Trump ordered Homeland Security adviser Tom Bossert to convene an emergency meeting Friday night to assess the WannaCry threat. Another meeting was held in the White House Situation Room on Saturday. Administration officials said the FBI and NSA are attempting to determine the identity of the hackers.
“I think people heading to work this morning should be thinking about this as an attack that for right now we’ve got under hold,” Bossert said on Monday.
Bossert said the virus was weaponized and distributed by criminals, who created “something that is holding ransom data but putting at risk lives and hospitals.”
The next wave of WannaCry attacks does not seem as bad as experts feared. There was great apprehension that a new wave of attacks would hit on Monday, as business computers were brought online after a weekend off, American users interfaced with infected European and Asian systems, and people began opening virus-laced emails received on Saturday and Sunday.
However, the second wave does not seem as bad as the worst-case scenarios, at least not yet. The simple explanation would be that MalwareTech’s kill switch was even more effective than he originally thought, vulnerable systems are receiving vital security patches at a good pace, and the initial burst of “WannaCry 2.1” modified versions aren’t as powerful as the original.
Bossert stressed that “we’re not yet out of the woods,” and pessimistic analysts warn it might simply be taking a few days for cybercriminals to create a full-strength new version of WannaCry that ignores the kill switch. On Sunday, a firm called Heimdal Security reported discovering a ransomware variant called Uiwix that “can be worse than Wannacry,” because it spreads just as quickly but lacks the kill switch code.
The WannaCry perpetrators were sloppy. One reason the attack is tapering off quickly after a terrifying weekend is that the perpetrators were “sloppy” cybercriminals who made “amateur mistakes at practically every turn,” as Wired puts it.
Besides the above-mentioned kill switch, Wired zings the gang for careless handling of their bitcoin payments, poor communications with copies of their virus in the field, and a ridiculously low profit margin for unleashing a global pandemic that turned them into some of the most wanted criminals on Earth.
Apparently, the gang is manually tracking who pays the ransom and issuing decryption keys, rather than configuring the virus to automatically know if they paid the money. That is a lot of work to collect a measly $300 payment, and they’re leaving Bitcoin footprints for investigators to follow.
Far more subtle, less risky ransom capers have brought in million-dollar paydays. As Errata Security consultant Rob Graham memorably put it to Wired, “It looks impressive as hell, because you think they must be genius coders in order to integrate the NSA exploit into a virus. But in fact, that’s all they know how to do, and they’re basket cases otherwise.”
Defending against WannaCry and other ransomware. Everyone, from Microsoft to private cybersecurity analysts to the Department of Homeland Security, agrees that the most important defense against WannaCry is installing the latest Windows security updates. Resolving the flaw that allows this virus to propagate is vital.
Although WannaCry does not appear to have relied on phishing emails to spread, most ransomware viruses do, so the second most important tip is to avoid opening suspicious attachments or clicking mystery links in emails. Note that phishing emails are often sent by virus-infested computers and camouflaged with personal information to make them look realistic – they’re not always easy to spot.
Ransomware encrypts data, so one of the best defenses against ransom attacks is to maintain good backups of valuable data. That way, if a ransomware virus strikes, the system can be cleaned off, and a safe backup copy of the data installed. Backups of important data should be kept safe from contamination, so the best protection strategies don’t rely entirely on backup devices that are constantly connected to your computer, like those popular external hard drives.
Good password security is also important for defense against ransom attacks. Users often rely on a single password that isn’t difficult for hackers to guess, used on many different websites. If one of those sites is compromised, hackers may begin attempting to hit other online accounts with variations on the same password.