The security issues
What vulnerability does the attack exploit? The malicious software exploited a vulnerability in the Microsoft Windows operating system, called EternalBlue, which, Forbes reported, was recently stolen from the NSA’s cyber-tools repository. While Microsoft issued a patch for this vulnerability in March, not everyone has had a chance to install it.
Has the ransomware been stopped? A MalwareTech researcher realised that the WannaCry code requires infected computers to regularly contact a certain non-existent Internet domain, and registered that domain in order to map the infected computers. It turned out, however, that this served as a kill-switch for the spread of the malware, which the criminals might have built in so that they could abandon the infection process if needed. While the infection was stopped by accident, experts warn that a new form of the ransomware will emerge very soon, and are therefore encouraging users, institutions, and companies to update Windows promptly.
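As an added example (not from the original article, and not MalwareTech’s own tooling), the script below shows how a sinkholed kill-switch domain lets a defender map infected hosts from DNS query logs: every client that looks up the domain is a likely infection, and the query timestamps show how regularly each host beacons. The domain name, the log lines and the simplified BIND-style log format are constructed placeholders.

```python
"""Map infected hosts from DNS query logs that hit a sinkholed kill-switch domain."""
import re
from datetime import datetime

# Placeholder for the sinkholed kill-switch domain (the real name is not given here).
KILLSWITCH_DOMAIN = "killswitch-sinkhole.example"

# Constructed sample log: two hosts query the sinkhole (one repeatedly), one does not.
SAMPLE_LOG = """\
12-May-2017 14:02:11.101 client 10.0.0.5#51234: query: killswitch-sinkhole.example IN A +
12-May-2017 14:02:12.404 client 10.0.0.9#49201: query: www.example.org IN A +
12-May-2017 14:07:11.220 client 10.0.0.5#51240: query: killswitch-sinkhole.example IN A +
12-May-2017 14:09:48.007 client 10.0.1.77#40012: query: KillSwitch-Sinkhole.example IN A +
12-May-2017 14:12:11.313 client 10.0.0.5#51251: query: killswitch-sinkhole.example IN A +
"""

# Simplified BIND-style query log line (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client_ip, normalised_qname) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    # DNS names are case-insensitive; normalise so mixed-case lookups still match.
    return ts, m["ip"], m["qname"].rstrip(".").lower()

def map_infected_hosts(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: {"queries", "first_seen", "last_seen"}} for each client
    that looked up the kill-switch domain. The worm only performs this lookup while
    running on a host, so each client here is a likely infected machine."""
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if qname != domain:
            continue
        rec = hosts.setdefault(ip, {"queries": 0, "first_seen": ts, "last_seen": ts})
        rec["queries"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return hosts

if __name__ == "__main__":
    for ip, rec in sorted(map_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['queries']} queries, {rec['first_seen']} .. {rec['last_seen']}")
```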
Why is it called ransomware? Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, and demands a payment to release the files. Like other ransomware, WannaCry encrypts data on the device and demands a ransom of USD$300 to be paid to a given bitcoin wallet within three days, or USD$600 within seven days. Unlike other viruses, however, WannaCry propagates through the network and infects computers like a worm, which means that users do not have to open the infected file or link for the software to continue spreading.
The economic issues
In recent years, there has been a shift in ransomware targets. In search of larger financial gains, perpetrators turned from individuals to businesses. According to researchers at Kaspersky, attacks on businesses increased threefold in 2016, compared to a twofold increase in attacks on individuals. Last year, the services sector, with 38% of organisational infections, was markedly the most affected business sector. Manufacturing, with 17%, along with finance, insurance and real estate, and public administration (at 10%) also figured highly.
Business targets have been small to medium-sized organisations with immature IT infrastructures and a limited ability to recover from such an attack. Currently, larger businesses controlling sensitive data, the healthcare industry and hospitals in particular, have been increasingly targeted by perpetrators because of their ‘life and death’ need for immediate access to information, which increases their propensity to pay. Moreover, hospitals have specific weaknesses that the criminals exploit, such as legacy systems (antiquated back-end systems that IT staff integrate with new technology) and medical devices with weak security.
Who are WannaCry’s targets? The targets range from end-users to state hospitals, from government departments to businesses worldwide. Between January 2015 and April 2016, the USA was the region most affected by ransomware, with 28% of global infections. Canada, Australia, India, Japan, Italy, the UK, Germany, the Netherlands, and Malaysia were among the Top 10. Around 43% of ransomware victims were employees in organisations.
What is the cost of ransomware, in general? According to estimates based on the flow of resources to ransomware-related bitcoin wallets, ransomware attacks cost more than USD$1 billion in 2016. Some experts say that this value may be underestimated, since many companies will not reveal that their systems have been compromised by ransomware, especially if they have paid the criminals. Moreover, the criminals have started to hide the transactions across a large number of wallets, making the transfers more difficult to track. The average ransom demand has more than doubled, from USD$294 at the end of 2015 to USD$679 in 2016. Bitcoin’s open ledger allows anyone interested to trace the payments being made to the criminals in the WannaCry ransomware attack.
What other financial losses have been registered? Losses usually go well beyond the amount of the ransom, and may even include the loss of human lives, as with the major disruption of the hospital system in the UK. Other negative consequences to businesses include:
- temporary or permanent loss of sensitive or proprietary information;
- financial losses from the disruption to business operations;
- financial losses incurred to restore the systems and files;
- potential harm to reputation.
Ransomware can also disrupt digital commerce, either directly or indirectly. In 2016, the Magento e-commerce platform, used for backend management, was infected with ransomware. Files were encrypted and a ransom in the range of USD$140 to USD$415 was asked for decryption. Indirectly, ransomware undermines consumer trust, causing chilling effects on e-commerce.
How much money did the perpetrators generate in bitcoin? Not much. By 23:59 CEST (15 May 2017), the three bitcoin wallets tied to the ransomware had received 216 payments totalling BTC34.6200695 (USD$58,821.36). Despite the attack’s large scale, the funds gathered are not significant and have not disrupted the bitcoin market. The Twitter account @actual_ransom is providing live updates on payments made to the bitcoin wallets.
The three bitcoin wallets tied to the WannaCry ransomware, and the payments they each received
Is cryptocurrency used for criminal activities? Due to its anonymity, cryptocurrency is often criticised for its prevalent use among criminals for money laundering and other criminal activities. Coupled with anonymising tools like Tor, criminals can hide behind an additional layer of privacy. One of the main counter-arguments is that technology is neutral, as opposed to the way in which it is used.
Are the perpetrators known? Not yet. The global community of security experts is looking closely for any movements related to the bitcoin wallets. If the criminals’ intent is to collect the money going into the bitcoin wallets, receiving money through a distributed open ledger is not quite the ‘safest’ option. In addition, based on past ransomware cases, many infected hard drives are unlikely to be decrypted (after paying the ransom) and will likely be permanently lost.