What did the WannaCry cyber attack do?

Ransomware cyberattacks, where malicious software encrypts files on a device and demands payment to decrypt them, have been increasingly common in recent years. High-profile examples include CryptoLocker in 2013 and Locky in 2016. WannaCry was a major ransomware attack that started on May 12, 2017 and infected over 230,000 computers across 150 countries in just a few days.

The WannaCry Attack Begins

The WannaCry ransomware attack began on May 12, 2017, initially impacting organizations in Europe. According to Wikipedia, the ransomware first infected Telefonica and the National Health Service (NHS) networks in England, locking hospital staff out of their computer systems and demanding ransom payments in bitcoin in order to regain access.

Within just a few days, WannaCry had spread rapidly across organizations in over 150 countries. However, the ransomware initially hit hardest in Russia and Europe. In Spain, major companies including Telefonica, Iberdrola, and Gas Natural were impacted by the attack, which disabled computers and demanded $300 in bitcoin to restore access. The UK’s National Health Service was particularly affected, causing significant disruption to hospitals and medical facilities.

How the Malware Spread

WannaCry propagated through networks by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol. The exploit for this vulnerability, known as EternalBlue, was originally developed by the NSA and leaked online by the Shadow Brokers hacker group in April 2017.

EternalBlue allowed WannaCry to spread rapidly without user interaction across networks. The ransomware would scan for exposed SMB ports, then use EternalBlue to gain administrative privileges and execute the ransomware payload. Once infected, WannaCry would scan for other computers to infect. This worm-like capability enabled broad and fast propagation.

Despite Microsoft releasing a patch for the vulnerability targeted by EternalBlue in March 2017, many organizations had not yet applied it, leaving them vulnerable. WannaCry took advantage of this to proliferate widely, impacting over 200,000 systems across 150 countries within just a few days.

WannaCry’s ability to self-propagate without user interaction, leveraging a Windows vulnerability just made public, enabled its uniquely massive spread. Proper patching and network segmentation could have mitigated this propagation.
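The worm behaviour described above has a recognizable network signature: one internal host opening connections to many distinct peers on TCP port 445 within seconds. The following is an added example, not code from the original article, that flags that fan-out pattern in a constructed, simplified flow log (format "epoch src_ip dst_ip dst_port action" is an assumption, as are the sample addresses). Denied connections are counted as well, since a blocked probe is still evidence of scanning.

```python
"""Flag internal hosts that fan out to port 445 like an SMB worm.

Added example; the log format and sample addresses are constructed for
illustration and are not taken from any real incident data.
"""
from collections import defaultdict

# Constructed sample flow log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
1494576000 10.0.1.20 10.0.1.5 445 allow
1494576001 10.0.1.20 10.0.1.6 445 allow
1494576001 10.0.1.20 10.0.1.7 445 allow
1494576002 10.0.1.20 10.0.1.8 445 allow
1494576002 10.0.1.20 10.0.1.9 445 allow
1494576003 10.0.1.20 10.0.2.10 445 allow
1494576004 10.0.1.20 10.0.2.11 445 deny
1494576005 10.0.1.20 10.0.2.12 445 allow
1494576006 10.0.1.20 10.0.2.13 445 allow
1494576007 10.0.1.20 10.0.2.14 445 allow
1494576010 10.0.1.30 10.0.1.5 445 allow
1494576050 10.0.1.30 10.0.1.5 445 allow
1494576060 10.0.1.40 10.0.1.5 443 allow
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def smb_fanout(lines, window=60, threshold=10, port=445):
    """Return {src_ip: peak_distinct_destinations} for sources that reached
    at least `threshold` distinct destinations on `port` within any
    `window`-second sliding window. Normal file-share use touches a few
    servers repeatedly; a worm touches many hosts once each."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, p, _action = parse_line(line)
        if p == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events that fell out of the trailing window.
            while evs[left][0] < ts - window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct SMB peers inside one window")
```

In the sample, 10.0.1.20 reaches ten distinct peers in seven seconds and is flagged; 10.0.1.30 talks to one file server twice and is not. The threshold and window are the tuning knobs: pick them from a baseline of the environment's normal SMB fan-out so that backup servers and domain controllers are allowlisted or excluded rather than tripping the rule. The same logic applies to any internal segmentation boundary, which is why network segmentation limits how far such a scan can travel.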

Countries and Industries Affected

The WannaCry ransomware attack spread quickly across the globe, impacting over 230,000 computers in over 150 countries. Some of the hardest hit countries included:

  • Russia – The attack hit around 10% of computers in Russia, including systems of the Interior Ministry. Major companies impacted included the telecom operator MegaFon and Sberbank.
  • Ukraine – Ukraine was the first major victim of the attack. Key organizations affected included Ukraine’s central bank, the Ukrenergo national power company, and airports.
  • India – Police systems across India were disabled by the attack. Major port operations in Gujarat were also disrupted.
  • United Kingdom – The UK’s National Health Service was significantly affected, with appointment cancellations and ambulances diverted. Nissan’s plant in Sunderland also halted production.

In terms of industries, those dependent on legacy Microsoft operating systems and perimeter-based security were most vulnerable. Major sectors disrupted included:

  • Healthcare – UK’s National Health Service, US healthcare providers, and systems in China were impacted.
  • Logistics – FedEx’s TNT unit, rail systems in Germany, and port systems were affected.
  • Manufacturing – Renault and Nissan plants shut down across multiple countries.
  • Telecom – Telefonica in Spain, MegaFon and MTS in Russia, and other providers faced outages.

WannaCry demonstrated the global hyperconnectivity of critical infrastructure and the need for improved cyber resilience.

Ransom Demands

The WannaCry ransomware demanded ransom payments of $300-$600 in bitcoin cryptocurrency to unlock infected computers. The ransom note threatened to double the payment if it was not sent within 3 days. According to a Bitcoin monitoring website, over 300 payments totaling approximately $140,000 had been paid by victims as of May 17, 2017 [1]. The hackers behind the attack received over $50,000 in ransoms in August 2017 when they finally emptied out three bitcoin wallets associated with the attack [2]. Despite affecting hundreds of thousands of computers worldwide, the number of ransom payments was relatively low, likely due to organizations restoring from backups rather than paying the ransom.

Attribution and Motive

The WannaCry attack has been attributed by the United States government and private cybersecurity firms to North Korean state-sponsored cyber actors known as the Lazarus Group.[1] According to a White House press briefing in December 2017, the attribution was based on “careful investigation” and evidence linking the hacking tools, infrastructure, and ransom notes back to North Korea.[2]

The motive behind the attack appears to have been financial. By encrypting files on infected computers and demanding ransom payments in Bitcoin, the Lazarus Group generated approximately $140,000 in funds.[3] However, the attack was stopped when a security researcher discovered a “kill switch” in the malware code.[4] This prevented the malware from spreading further and generating more ransom payments.

Some analysts believe North Korea launched the attacks in response to tightened economic sanctions against the country. With restricted access to funds, the regime may have turned to illegal cyber activities to raise money for its weapons programs.[1] However, the exact motive remains uncertain.

References:

[1] Wikipedia, “WannaCry ransomware attack”

[2] The White House, “Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea”

[3] W Alraddadi, “A Comprehensive Analysis of WannaCry”

[4] Wikipedia, “WannaCry ransomware attack”

Economic Impact

The WannaCry ransomware attack caused significant economic damages across the world. According to one estimate, the malware infected over 230,000 computers across 150 countries, with total losses ranging from hundreds of millions to billions of dollars (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack).

The United Kingdom’s National Health Service (NHS) was among the hardest hit by WannaCry. The attack disabled MRI machines, blood-storage refrigerators, and other critical pieces of medical equipment. As a result, hospitals had to turn away patients, cancel surgeries and appointments, and divert ambulances to other facilities. According to a National Audit Office report, the NHS spent over £92 million responding to the attack (https://www.zdnet.com/article/this-is-how-much-the-wannacry-ransomware-attack-cost-the-nhs/).

Major corporations around the world also suffered losses from WannaCry. Renault had to temporarily shut down factories across France, Spain, Slovenia, and Morocco, resulting in estimated damages of $112 million. Shipping giants FedEx and Maersk each reported hundreds of millions in losses as operations were disrupted across dozens of ports and terminals. Overall, the total cost to the private sector likely ranged in the billions of dollars (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack).

Response and Containment

Once the WannaCry ransomware began spreading rapidly across systems, a concerted global effort from cybersecurity researchers and professionals emerged to contain and stop the malware. A key development was the discovery of a “kill switch” domain that could prevent the ransomware from executing if registered. Security researcher Marcus Hutchins registered this domain, effectively stopping the malware from infecting further systems (https://asprtracie.hhs.gov/technical-resources/86/cybersecurity/0).

Microsoft also took swift action, releasing emergency patches for unsupported operating systems like Windows XP to block WannaCry. Law enforcement agencies including Europol and the FBI began investigations into the attack, while the UK National Cyber Security Centre advised organizations on mitigation strategies. By May 14th, the initial wave of infections had been contained through these collective efforts, though isolated infections would continue (https://www.drizgroup.com/driz_group_blog/category/ransomware/4).
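The kill switch worked because each new WannaCry instance tried to reach the domain and halted only when the lookup succeeded, which is why registering the domain (or answering it from an internal sinkhole) stopped new infections, while a host whose lookup failed went on to encrypt. That gives responders a useful triage signal in DNS logs. The following is an added example, not from the article or from any vendor tooling: it reads a constructed DNS query log (format "epoch client_ip qname rcode" is an assumption) and classifies each host that queried the kill-switch domain. KILL_SWITCH_DOMAIN is a placeholder; the real domain is not given on this page.

```python
"""Triage DNS logs for hosts that attempted the WannaCry kill-switch lookup.

Added example. The domain, log format and client addresses are constructed
placeholders, not real indicators.
"""

KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"  # placeholder, not the real domain

# Verdicts: any lookup of the domain means the sample executed on that host.
LIKELY_HALTED = "kill_switch_reachable"       # lookup answered: payload should have exited
LIKELY_ENCRYPTED = "kill_switch_unreachable"  # lookup failed at least once: encryption likely ran

# Constructed sample DNS log: "<epoch> <client_ip> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
1494576000 10.0.1.20 killswitch-placeholder.invalid NXDOMAIN
1494576005 10.0.1.21 killswitch-placeholder.invalid NOERROR
1494576007 10.0.1.22 update.example.com NOERROR
1494576009 10.0.1.20 killswitch-placeholder.invalid NXDOMAIN
1494576012 10.0.1.23 killswitch-placeholder.invalid NXDOMAIN
1494576090 10.0.1.23 killswitch-placeholder.invalid NOERROR
"""


def parse_dns_line(line):
    """Split one constructed DNS log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.rstrip(".").lower(), rcode.upper()


def triage_killswitch_lookups(lines, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: verdict} for every client that queried `domain`.

    A client is LIKELY_HALTED only if every one of its lookups was answered
    (NOERROR). A single failed lookup means one run of the sample did not see
    the kill switch, so that host is LIKELY_ENCRYPTED regardless of later
    successes and should be isolated first."""
    rcodes_by_client = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, client, qname, rcode = parse_dns_line(line)
        if qname != domain.lower():
            continue
        rcodes_by_client.setdefault(client, set()).add(rcode)

    return {
        client: (LIKELY_HALTED if codes == {"NOERROR"} else LIKELY_ENCRYPTED)
        for client, codes in rcodes_by_client.items()
    }


def isolation_order(verdicts):
    """Hosts whose lookup failed come first; hosts the kill switch stopped still
    carry the sample and are isolated second."""
    return sorted(verdicts, key=lambda c: (verdicts[c] != LIKELY_ENCRYPTED, c))


if __name__ == "__main__":
    verdicts = triage_killswitch_lookups(SAMPLE_DNS_LOG.splitlines())
    for client in isolation_order(verdicts):
        print(f"{client}: {verdicts[client]}")
```

Two points the triage encodes. First, every host in the output ran the sample; a successful lookup means the payload should have exited, but the binary is still on disk and the host still needs cleanup. Second, the protection depends on the lookup succeeding: hosts that could not resolve the domain at the time of the query (10.0.1.20 and 10.0.1.23 in the sample) are the ones most likely to have encrypted files, so they go to the front of the isolation queue.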

Lessons Learned

The WannaCry attack highlighted several critical lessons about cybersecurity, ransomware prevention, and response protocols that organizations worldwide learned from and acted upon after the incident. Some of the main takeaways included:

Microsoft released emergency patches for unsupported operating systems like Windows XP and Server 2003 to limit the spread of WannaCry and protect users still on these outdated platforms (1). Many organizations realized the importance of prompt patching and updating systems, even those past end of life, to maintain security.

Anti-virus and security firms began blocking the kill-switch domain that Marcus Hutchins registered, preventing WannaCry from activating in new systems. Firms improved protections and threat intelligence sharing to better respond to future ransomware (2).

NHS trusts in the UK received targeted funding to upgrade outdated systems and shore up IT security defenses after struggling to contain WannaCry (3). Healthcare systems worldwide assessed infection controls, legacy platforms, backup systems and staff training to harden environments.

Europol and other law enforcement agencies formed task forces and working groups for improved collaboration and tracing of cyber threats across borders after difficulties coordinating early in the WannaCry response.

Organizations of all kinds re-evaluated disaster recovery plans, network segmentation, system backups, employee education and emergency procedures to ensure better readiness for ransomware events. Maintaining reliable backups and restoring from them proved one of the best ways to recover from WannaCry.

While organizations worldwide made significant security improvements and investments following WannaCry, ransomware remains a serious threat. Continued vigilance, training and system hardening represent key lessons from the attack that are still relevant today.

Sources:

(1) https://www.nature.com/articles/s41746-019-0161-6

(2) https://asprtracie.hhs.gov/technical-resources/resource/11087/a-retrospective-impact-analysis-of-the-wannacry-cyberattack-on-the-nhs

(3) https://www.linkedin.com/pulse/wannacry-unveiled-comprehensive-analysis-ransomware-attack-saha

Conclusion

The WannaCry ransomware attack in May 2017 was a massive and disruptive cyberattack that affected hundreds of thousands of computers across 150 countries. Spreading through an exploit against unpatched Microsoft Windows systems, WannaCry encrypted files on infected computers and demanded ransom payments in bitcoin to decrypt them. Major industries and critical infrastructure like healthcare, logistics, and transportation were significantly impacted by the attack. While attribution is still not definitive, evidence points to North Korean state-sponsored hackers as the likely culprits behind WannaCry. Though it leveraged stolen NSA hacking tools, the attack was most likely motivated by financial gain rather than espionage. WannaCry vividly demonstrated the global havoc that ransomware can wreak as well as the importance of cybersecurity readiness and patching known software vulnerabilities before they can be exploited. Though it caused billions in economic damage, the harm from WannaCry could have been much worse. Its containment was aided by the discovery of a kill switch domain that slowed its spread. While ransomware will remain a threat, the lessons from WannaCry highlight the need for proactive security measures and emergency response planning to mitigate future attacks.