What is an example of a cyber security attack?

Cyber security attacks are becoming increasingly common as more of our lives move online. From individuals to businesses to governments, no one is immune from cyber threats. One example of a major cyber attack is the 2017 WannaCry ransomware attack.

What was the WannaCry cyber attack?

WannaCry was a worldwide ransomware attack that began on May 12, 2017. It targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in Bitcoin in order to decrypt the data. It is considered one of the most damaging cyber attacks in history.

How did the WannaCry attack spread?

WannaCry spread through a Windows vulnerability whose exploit was leaked online by a hacking group called The Shadow Brokers. The ransomware worm spread from computer to computer over the SMB protocol without any user interaction. Once a system was infected, the ransomware encrypted files on the PC’s hard drive and on any networked drives the PC had access to, making them inaccessible.

Who was impacted by WannaCry?

WannaCry impacted over 200,000 computers across 150 countries. Major organizations affected included:

  • The National Health Service in the UK – At least 16 NHS organizations were hit, causing hospitals to turn away patients and cancel appointments.
  • Deutsche Bahn – The German railway company was impacted causing electronic displays and other systems to fail.
  • Renault – The French automobile maker was forced to halt production at sites in France and its factory in Slovenia as the virus spread through their networks.
  • FedEx – The delivery service was affected, impeding services and leading to losses of around $300 million.

In addition to large organizations, WannaCry also spread rapidly through university networks, manufacturing and energy companies, and other networked systems. Experts estimate that total losses from the attack ranged from hundreds of millions to billions of dollars.

How did WannaCry work?

WannaCry was able to infect and spread rapidly through systems that were vulnerable to a Windows SMB exploit called EternalBlue. Here’s a high-level overview of how the attack worked:

  1. The ransomware worm uses EternalBlue to exploit vulnerable Windows computers without user interaction.
  2. Once a system is exploited, the DoublePulsar backdoor is installed on it.
  3. The DoublePulsar backdoor injects the WannaCry ransomware payload onto the infected PC.
  4. WannaCry encrypts files on the hard drive and on any connected network shares that the user account has access to.
  5. After encryption, it displays a ransom note demanding $300-$600 in Bitcoin to decrypt the files.

Systems that had installed the MS17-010 security patch, which fixed the vulnerability EternalBlue exploited, were protected from the exploit; WannaCry’s worm-like capabilities still let it reach and exploit any systems that had not applied the patch. This allowed it to rapidly affect outdated and vulnerable systems.

What was the impact?

The WannaCry ransomware attack caused widespread damage globally. Beyond the direct financial costs, the attack had other significant impacts:

  • Disrupted critical infrastructure like hospitals, transportation, and telecom systems
  • Led to cancelled medical procedures and diverted ambulances in the UK’s NHS
  • Caused production outages for companies like Renault and FedEx
  • Created widespread confusion and panic
  • Diverted resources as IT teams worked to contain infections and restore systems
  • Exposed vulnerabilities in legacy Windows protocols like SMB

In the aftermath, companies and organizations scrambled to update their systems and install the MS17-010 patch to prevent further WannaCry infections.

Could it have been prevented?

While effective once unleashed, the WannaCry attack could have been largely prevented through some basic cyber security practices:

  • Patching – WannaCry exploited vulnerabilities in older Windows systems that were fixed with updates over two months before the attack. Keeping systems patched and updated could have significantly reduced its impact.
  • Network segmentation – The ransomware worm spread rapidly through connected networks. Properly segmenting networks could have prevented its spread across full corporate networks.
  • Anti-malware – Signature-based anti-malware tools were able to effectively block WannaCry. Keeping anti-malware tools up-to-date helps identify and stop ransomware attacks.
  • Backups – Although restoring is inconvenient, infected systems could have been restored relatively quickly from recent backups. Maintaining offline backups makes it possible to recover encrypted data.
  • User awareness – Education helps people identify risky emails and suspicious links that often distribute malicious software like WannaCry.

No single method can prevent all attacks, but taking basic steps dramatically decreases the attack surface. Unfortunately, many organizations still had not taken actions that could have greatly reduced WannaCry’s impact.

What was the role of SMB in spreading WannaCry?

The Server Message Block (SMB) protocol allowed WannaCry to spread rapidly across networks. SMB operates on TCP port 445 and allows systems to share files and resources on the same network.

Without proper security in place, SMB gave WannaCry several advantages:

  • Scanning for open SMB ports allowed it to identify vulnerable systems
  • Access to shared drives and file servers helped it spread quickly across networked devices
  • No user interaction was required for replication between systems
  • Outdated SMBv1 implementations were vulnerable to EternalBlue

Once on a network, WannaCry could scan for devices to infect and then use SMB to replicate itself and encrypt files on other unpatched Windows systems.

How SMB was involved in WannaCry’s propagation

Here is a high-level overview of how WannaCry leveraged SMB to spread:

  1. WannaCry uses EternalBlue to gain access to the first vulnerable system
  2. It checks for and installs DoublePulsar backdoor
  3. DoublePulsar is used to inject and run the ransomware payload
  4. Now on the system, WannaCry scans the internal network for open SMB ports
  5. Any unpatched systems are exploited using EternalBlue via SMB
  6. More DoublePulsar backdoors are installed to repeat the process of spreading the worm and installing the ransomware on additional systems

This self-replication through SMB allowed WannaCry to act like a computer worm, spreading quickly from system to system once an initial infection gained a foothold on the network.
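The fan-out to many SMB targets described in the two sections above is the worm’s most visible network signature. The following detector is an added example, not code from the article: it reads constructed firewall log lines in a hypothetical "timestamp src dst dport action" format and flags any source that contacts an unusual number of distinct hosts on port 445 within a short window.

```python
# Added example (not from the article): flag worm-style SMB fan-out, the
# propagation pattern WannaCry used, in constructed firewall/flow log lines.
# Log format is hypothetical: "timestamp src dst dport action".
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # SMB over TCP, the port WannaCry propagated on

# Constructed sample traffic: 10.0.1.20 sweeps two subnets on 445 within
# seconds (worm behaviour); 10.0.1.30 talks to two file servers (normal use).
SAMPLE_LOGS = """\
2017-05-12T08:00:01 10.0.1.20 10.0.1.5 445 ALLOW
2017-05-12T08:00:02 10.0.1.20 10.0.1.6 445 ALLOW
2017-05-12T08:00:02 10.0.1.20 10.0.1.7 445 ALLOW
2017-05-12T08:00:03 10.0.1.20 10.0.1.8 445 ALLOW
2017-05-12T08:00:03 10.0.1.20 10.0.1.9 445 ALLOW
2017-05-12T08:00:04 10.0.1.20 10.0.2.40 445 ALLOW
2017-05-12T08:00:05 10.0.1.20 10.0.2.41 445 ALLOW
2017-05-12T08:00:05 10.0.1.20 10.0.2.42 445 ALLOW
2017-05-12T08:00:06 10.0.1.20 10.0.2.43 445 ALLOW
2017-05-12T08:00:06 10.0.1.20 10.0.2.44 445 ALLOW
2017-05-12T08:00:07 10.0.1.20 10.0.2.45 445 ALLOW
2017-05-12T08:00:03 10.0.1.30 10.0.1.2 445 ALLOW
2017-05-12T08:00:04 10.0.1.30 10.0.1.2 445 ALLOW
2017-05-12T08:00:09 10.0.1.30 10.0.1.3 445 ALLOW
2017-05-12T08:00:10 10.0.1.31 10.0.1.5 80 ALLOW
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_smb_fanout(log_text, threshold=10, window=timedelta(seconds=60)):
    """Map each source that reached >= threshold distinct hosts on port 445
    inside one sliding window to the largest distinct-target count seen."""
    targets = defaultdict(list)  # src -> [(timestamp, dst)] for SMB flows only
    for line in log_text.splitlines():
        ts, src, dst, dport, _ = parse_line(line)
        if dport == SMB_PORT:
            targets[src].append((ts, dst))
    alerts = {}
    for src, events in targets.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # window anchored at each event
            seen = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            alerts[src] = best
    return alerts
```

A real deployment would tune the threshold against the baseline of each segment, since file servers and backup agents legitimately reach many hosts on 445; a workstation sweeping a whole subnet in seconds is the case worth isolating.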

How was WannaCry stopped?

The spread of WannaCry was eventually slowed by a combination of efforts:

  • Accidental kill switch – A security researcher discovered a kill switch domain that halted WannaCry. It was likely meant as a way for the creators to stop the attack, but it accidentally helped limit the damage.
  • Patches – Microsoft released emergency patches even for unsupported systems like Windows XP and Server 2003 to close the vulnerability EternalBlue exploited.
  • Sinkholing – The kill switch domain was sinkholed by researchers to redirect infections to a safe server.
  • Antivirus updates – Antivirus vendors released updates to block WannaCry based on samples of the malware.
  • Firewalls and segmentation – IT teams blocked SMB ports, isolated infected systems, and separated networks to control its spread.

While effective at limiting broader infection, these actions generally occurred after significant damage had already been done. However, they likely reduced the ultimate impact and helped protect newly patched systems.

Takeaways for defending against ransomware

The WannaCry attack provides important lessons for defending against destructive cyber attacks like ransomware:

  • Patch and update systems promptly – WannaCry successfully exploited known vulnerabilities with available patches.
  • Limit network sharing and segment networks – Makes lateral movement harder.
  • Install and routinely update anti-malware – Helps quickly detect malicious programs.
  • Train employees about cyber risks – Helps identify social engineering and risky links.
  • Require strong passwords – Makes brute force attacks harder.
  • Regularly back up critical data – Enables restoring data without paying ransom.
  • Control access to administrative tools – Limits damage accounts can do if compromised.
  • Limit use of old legacy protocols like SMBv1 – Modern alternatives avoid risks.

Taking steps to improve overall cyber hygiene remains the most effective way to prevent broad attacks like WannaCry. Cyber security is ultimately about risk reduction rather than eliminating risk entirely.

Conclusion

The WannaCry ransomware attack was an unprecedented global event that caused widespread disruption and billions in losses. It highlighted the ability of cyber risks to spill over into the physical world by crippling hospital systems, transportation networks, manufacturers, and businesses. Although its spread was halted largely by accident, it showed just how vulnerable many networks still remain to attacks on legacy protocols and how quickly ransomware can propagate once inside a network.

The lessons from WannaCry demonstrate the importance of vigilant patching, network segmentation, anti-malware tools, controlled access, and effective backups. No single solution can prevent all attacks, but organizations that had prudently applied basic security practices suffered significantly less damage from WannaCry. As with many cyber incidents, simple preventative measures could have greatly reduced its impact. But the interconnectedness of systems and organizations means we are often collectively vulnerable even if individually secure. WannaCry exemplifies why broadly improving cyber security needs to be a shared responsibility.