The excesses of the WannaCry crypto worm
Author
Nicolai Oberthür
The incident
There was widespread panic when a new piece of malware called WannaCry emerged four years ago, on 12th May 2017. Within a very short time, it managed to infect more than 230,000 computers in 150 countries worldwide. Among the victims were well-known organisations such as Deutsche Bahn, the British National Health Service (NHS) and even two Russian ministries. The concept was simple: through a recently disclosed vulnerability in the SMBv1 file-sharing protocol, Windows computers that had not installed the corresponding update could be infected over the network without any user interaction. The network worm first tried to spread to other vulnerable computers in the same network, and to random addresses on the internet, before it started to do its damage on the host computer. In the process, the user's documents and other files on the hard drive and on connected storage devices were encrypted so that the original users no longer had access to them. In a window, the user was then asked to pay a ransom of around 300 USD in the cryptocurrency Bitcoin to the blackmailers within three days (after which the price doubled) in order to regain access to their own files. WannaCry thus counts as so-called ransomware.
In the UK, ambulances had to be diverted and patients with non-life-threatening problems had to be turned away from hospitals; at Deutsche Bahn, various display boards at railway stations and even a regional control centre failed; and in many companies worldwide, production came to a standstill. The economic damage is estimated at up to 4 billion USD, and in the NHS alone it is said to be up to 92 million pounds.
As luck would have it, the spread of the malware was contained on the same day: a researcher noticed that, before doing anything else, the program tried to reach an unregistered web domain and, if the domain answered, simply exited. He registered the domain, and from that moment on, new infections stopped before encrypting anything. A cat-and-mouse game then ensued between the attackers and cybersecurity researchers around the world, with new variants pointing at new kill-switch domains that were registered in turn. Finally, two days later, a version was distributed that no longer had a kill switch. By this time, however, many vulnerable systems had already been protected by the necessary updates, so that the spread could be contained. Without the discovery of the kill switch, the extent of the attack could have been much greater. But despite all this, outbreaks continued to occur in the years that followed, such as at a Taiwanese chip manufacturer in August 2018. Note that the kill switch only stops machines that can actually reach the domain; hosts that block outbound web traffic or pass it through a proxy the malware could not use were still encrypted.
The answer to the riddle
But how did it get this far in the first place? In retrospect, many explosive details became known that read like an international thriller. The security vulnerability through which WannaCry spread had been discovered by the US intelligence agency NSA and used for espionage over several years. Only after the NSA became aware that the information surrounding the vulnerability had been stolen was Microsoft informed. Microsoft published a patch (security bulletin MS17-010) as quickly as possible in mid-March 2017 to close the gap. In April 2017, the exploit, known as EternalBlue, was then made public by a hacker group called "The Shadow Brokers". When the cyberattack finally took off almost two months after the patch was released, many systems still had not installed the necessary updates and were therefore at risk. In the months and years that followed, there were repeated similar attacks that successfully exploited the same vulnerability (e.g. NotPetya in June 2017), and it was estimated that even in 2018, millions of systems worldwide were still vulnerable.
The origin of the WannaCry worm itself was traced back to the North Korean Lazarus group on the basis of circumstantial evidence such as shared code with earlier Lazarus malware, and in December 2017, North Korea was officially blamed for the attack by the US government.
The moral of the story
The global scale of the WannaCry attack clearly shows that when it comes to information security, it is up to each individual or organisation to protect themselves effectively against cyberattacks. After all, on supported Windows versions only systems that had not received the security update even after two months were vulnerable to the attack in the first place. (Systems whose support had ended, such as Windows XP and Server 2003, only received an emergency patch from Microsoft on the day of the outbreak, which is one more reason not to run them on a network.)
The President of the Federal Office for Information Security (BSI), Arne Schönbohm, put it in a nutshell: "The current attacks show how vulnerable our digitalised society is. They are a renewed wake-up call for companies to finally take IT security seriously and to take sustainable protective measures. The current vulnerability has been known for months and corresponding security updates are available. We urgently recommend installing them."1
Therefore, effective self-protection should always consist of promptly applying the necessary security updates and keeping regular backups. The backup media should only be connected to the computer during the backup itself, so that they are not encrypted as well in the event of an attack; a permanently mounted backup drive is just another drive to the ransomware. In the specific case of WannaCry, two further measures would have stopped the worm even on an unpatched machine: disabling the outdated SMBv1 protocol, which Microsoft has recommended for years, and blocking the SMB port (TCP 445) from untrusted networks at the firewall. WannaCry itself needed no user interaction to spread, but every person should also have a conscious approach to other ways of attack, such as phishing attacks via emails, through which most ransomware enters an organisation. This is the only way to ensure that one's own organisation is not caught in the next wave of attacks.
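The checks described above, as an added example that is not part of the original article: a PowerShell script that looks for an installed MS17-010 update, reports whether SMBv1 is still enabled, and, when run with -Harden, switches SMBv1 off and blocks inbound SMB from the internet. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the SmbShare and NetSecurity cmdlets it uses are not available on Windows 7), and the firewall rule name is an assumption chosen for this example.

```powershell
# Added example, not code from the original article. Run elevated.
# Usage:  .\Check-Ms17010.ps1            (report only)
#         .\Check-Ms17010.ps1 -Harden    (also disable SMBv1 and block inbound 445)
param([switch]$Harden)

# MS17-010 security updates as published in March 2017 (emergency release for
# unsupported systems in May 2017). Later cumulative updates supersede them,
# so a miss here means "investigate", not "definitely vulnerable".
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / Vista / Server 2008 / 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found. Confirm a newer cumulative update is installed before assuming the SMBv1 hole is closed."
}

# EternalBlue targets the SMBv1 server; it should be off regardless of patch level.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED."
    if ($Harden) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Also remove the optional feature so the driver is not loaded at all (reboot needed).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMBv1 disabled; reboot to complete."
    }
} else {
    Write-Host "SMBv1 server is disabled."
}

# The worm scanned TCP 445 on the local subnet and on random internet addresses.
# Block inbound 445 from the internet; local-subnet file sharing keeps working.
$ruleName = 'Block inbound SMB from internet (example rule)'   # assumed name
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Host "Firewall rule '$ruleName' is present."
} else {
    Write-Warning "No firewall rule '$ruleName'."
    if ($Harden) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
        Write-Host "Firewall rule added."
    }
}
```

The hotfix check is deliberately a warning rather than a verdict: on a machine that has received any later monthly rollup, Get-HotFix will not list the original March 2017 KB, which is why disabling SMBv1 and filtering port 445 are the controls to rely on rather than the KB list alone.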
1 Zivadinovic, D. (2017, 13th May). WannaCry: BSI ruft Betroffene auf, Infektionen zu melden. heise online. https://www.heise.de/newsticker/meldung/WannaCry-BSI-ruft-Betroffene-auf-Infektionen-zu-melden-3713442.html