The WannaCry attack was a global computer attack that spread via the internet. The attack happened in May 2017 and targeted computers running the Microsoft Windows operating system. WannaCry was a ransomware that encrypted data on infected computers and demanded ransom in Bitcoins to decrypt the data. The attack is estimated to have involved 300,000 computers and across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars . The attack led to the disruption of activities in hospitals particularly in Britain, banks and others companies across the world. The attack was stopped by a security patch developed by Microsoft to correct the exploit that WannaCry spread through.
The U.S government attributed the attack to the Lazarus Group which is a hacking entity that works on behalf of the North Korean Government.
Gain entry into computers running Microsoft Windows by the use of EternalBlue exploit which takes advantage of a vulnerability of Microsoft in the implementation of the Server Message Block protocol.
Encrypt files in the infected computer.
Demand ransom payment in the form of bitcoin to decrypt the data.
Skills and/or training: this attack relied on an exploit known as EternalBlue which was developed by the National Security Agency (NSA) to exploit weaknesses and gain entry into the Microsoft Windows operating system. The exploit was leaked to the internet by the hacking group calling themselves ‘The Shadow Brokers.’ The skills required were; Microsoft Windows operating system knowledge, knowledge on how to exploit computer networks and how to start programs on remote computers.
Preparation time: None, upon downloading the leaked EternalBlue exploit, an individual was ready to launch an attack.
Personnel: At least one with knowledge on Microsoft Windows operating system, knowledge on how to exploit computer networks and how to start programs on remote computers.
Equipment: A computer that is connected to the internet or local area networks.
Timing constraints: The NSA had informed Microsoft about the exploit and Microsoft had developed a patch to fix the exploit. The exploit could thus only work on computers in which the patch had not installed.
How it happened: The hacker group ‘The Shadow Broker’ stole an exploit that the NSA had developed and leaked it to the internet. The exploit known as EternalBlue was used to gain entry into computers that run on the Microsoft Windows operating system. The Lazarus Group obtained EternalBlue and used it to spread the WannaCry ransomware. The Lazarus Group used a transport code which detected computers on the internet that could be exploited using EternalBlue, once a computer was accessed, WannaCry installed itself by the use of DoublePulsar tool and executed a copy of itself. WannaCry then encrypted the files on the infected computer and displayed a message demanding payment of an equivalent of$300 in bitcoins within three days or $600 within seven days or else the user will lose their data. WannaCry then attempted to spread itself through the internet or to other computers in the same network which were vulnerable to the EternalBlue exploit.
Collateral result: WannaCry only achieved the above-stated goals.
Recommended mitigation: Microsoft blamed the NSA for not informing them of the EternalBlue exploit in time. If Microsoft had known of the exploit in time, they would have released a patch that would have prevented WannaCry from infecting computers.
This attack can be justifiably blamed on the NSA and its practice of stockpiling known computer vulnerabilities to exploit them for its benefits. There is little that Microsoft could have done based on the steps of the risk management structure to prevent the attack because it relied on an exploit developed by the NSA. More pressure should be applied to government agencies to reveal weaknesses they find to software companies for the weaknesses to be patched and such attacks to be prevented.
- Langde, R. (2017). WannaCry Ransomware: A Detailed Analysis of the Attack
Retrieved from https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack/
- Microsoft. (2017). Microsoft Security Bulletin MS17-010 – Critical.Retrieved from https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- Volz, D. (2017). U.S. blames North Korea for ‘WannaCry’ cyber attack.Retrieved from https://www.reuters.com/article/us-usa-cyber-northkorea/u-s-blames-north-korea-for-wannacry-cyber-attack-idUSKBN1ED00