WannaCry: The ransomware cyber attack explained

On 12 May 2017, a new version of ransomware, dubbed WannaCry, hit Spanish mobile operator Telefonica, followed by hospitals and clinics across the UK, forcing the National Health Service to accept only the most urgent patients. Within a few hours, the ransomware malicious software spread quickly across almost 100 countries, including Russia and the USA. It was said to be the biggest ransomware outbreak detected until then.

WannaCry webinar

Read the digest and view the recording of our webinar

This is an 17s video of the attack. View a more detailed visualisation


The attack in detail

Security issues - Digital Watch observatoryThe security issues  

What vulnerability does the attack exploit? The malicious software exploited a vulnerability in the Microsoft Windows operating system, called EternalBlue, which Forbes reported, was recently stolen from the NSA’s cyber-tools repository. While Microsoft issued a patch for this vulnerability in March, not everyone has had a chance to install it.

Has the ransomware been stopped? A MalwareTech researcher realised that the WannaCry code demands infected computers to regularly contact a certain non-existing Internet domain, and registered a domain to create the map of infected computers. It appeared however, that this served as a kill-switch for the malware spread, which might have been built in by the criminals to be able to abandon the infection process if needed. While the infection has been accidentally stopped, experts warn that a new form of ransomware will emerge very soon, and are therefore encouraging users, institutions, and companies to update their Windows promptly.

Why is it called a ransomware? Ransomware is performed by a type of malicious software that blocks access to a computer system or data, usually by encrypting it, and demands a payment to release the files. Similarly to other malicious software, WannaCry encrypts data on the device and demands a ransom of USD$300 to be paid to a given bitcoin wallet within three days or USD$600 within seven days. Unlike other viruses however, WannaCry propagates through the network and infects computers like a worm,  which means that their users do not have to activate the infected file or link for the software to continue spreading.

How ransomware works

Economic issues - Digital Watch observatoryThe economic issues 

In recent years, there has been a shift in ransomware targets. In search for larger financial gains, perpetrators turned individuals to businesses. According to researchers at Kaspersky, attacks on businesses increased threefold in 2016, compared to a twofold rate of increase in attacks on individuals. Last year, the services sector, with 38% of organisational infections, was markedly the most affected business sector. Manufacturing, with 17%, along with finance, insurance and real estate, and public administration (at 10%) also figured highly.

Business targets have been small to medium-sized organizations with immature IT infrastructures and a limited ability to recover from such an attack. Currently, larger businesses controlling sensitive data, such as the healthcare industry and hospitals, in particular, have been increasingly targeted by perpetrators, because of their ‘life and death’ need for immediate access to information, which increases their propensity to pay. Moreover, hospitals have specific vulnerabilities exploited by the criminals, such as legacy systems (antiquated back-end systems that IT staff integrates with new technology) and medical devices with weak security.

Who are WannaCry’s targets? The targets range from end-users to state hospitals, from government departments to businesses worldwide. Between January 2015 and April 2016, the USA was the region most affected by ransomware, with 28% of global infections. Canada, Australia, India, Japan, Italy, the UK, Germany, the Netherlands, and Malaysia were among the Top 10. Around 43% of ransomware victims were employees in organisations.

How much is the cost of ransomware, in general? According to estimates based on the flow of resources to ransomware-related bitcoin wallets, in 2016, ransomware attacks cost more than USD$1 billion. Some experts say that this value may be underestimated, since many companies will not reveal that their systems have been compromised by ransomware, especially if they have paid the criminals. Moreover, the criminals started to hide the transactions across a large number of wallets, making the transfers more difficult to track. The average ransom demand has more than doubled, from USD$294 at the end of 2015, to USD$679 in 2016. Bitcoin’s open ledger allows anyone interested to trace the payments being made to the criminals in the WannaCry ransomware attack.

What other financial losses have been registered? Losses usually go well beyond the amount of the ransom, and may even include the loss of human lives, as with the major disruption of the hospital system in the UK. Other negative consequences to businesses include:

  • temporary or permanent loss of sensitive or proprietary information;
  • financial losses from the disruption to business operations;
  • financial losses incurred to restore the systems and files;
  • potential harm to reputation.

Ransomware can also disrupt digital commerce, either in direct or on indirect ways. In 2016, the Magento e-commerce platform, used for backend management, was infected with ransomware. Files were encrypted and a ransom in the range of USD$140 to USD$415 was asked for decryption. Indirectly, ransomware impacts consumer trust, causing chilling effects on e-commerce.

How much money did the perpetrators generate in bitcoin? Not much. By 23:59 CEST (15 May 2017), the three bitcoin wallets tied to the ransomware received 216 payments totalling BTC34.6200695 (USD$58,821.36). Despite the attack’s large scale, the amount of gathered funds is not a significant amount, and has not disrupted the bitcoin market. The Twitter account @actual_ransom is providing live updates on payments made to the bitcoin wallets.

WannaCry Bitcoin payments

WannaCry Bitcoin payments

WannaCry Bitcoin payments

The three bitcoin wallets tied to the WannaCry ransomware, and the payments they each received

Is cryptocurrency used for criminal activities? Due to its anonymity, cryptocurrency is often criticised for its prevalent use among criminals for money laundering and other criminal activities. Coupled with anonymising tools like Tor, criminals can hide behind an additional layer of privacy. One of the main counter arguments is that technology is neutral, as opposed to the way in which technology is used.

Are the perpetrators known? Not yet. The global community of security experts is looking closely for any movements related to the bitcoin wallets. If the criminals’ intent is to collect the money going into the bitcoin wallets, receiving money through a distributed open ledger is not quite the ‘safest’ option. In addition, based on past ransomware cases, many infected hard drives are unlikely to be decrypted (after paying the ransom) and will likely be permanently lost.

Geopolitics: the response to WannaCry

Public-private initiatives have been developed to curb the threat of ransomware, such as the initiative No More Ransom, a co-operative effort between Europol, the Dutch National Police, McAfee and Kaspersky Lab. The online portal informs the public about the dangers of ransomware and helps victims recover data without having to pay ransom. Other organisations and institutions have also reacted.


How has Interpol reacted? Mr Jurgen Stock, Interpol Secretary-General, said that Interpol is ‘working alongside international law enforcement and private industry partners [...] to help shape a response’ to the ransomware whose creators ‘intended to create chaos which has affected vital infrastructures and services worldwide’. Interpol has offered to support affected member countries through its Global Complex for Innovation based in Singapore.


What was Europol’s reaction? In Europol’s view, the ransomware attack ‘is on an unprecedented level and will require a complex international investigation to identify the culprits’. The office announced that its European Cybercrime Centre is working with cybercrime units in affected countries, as well as the private sector, to mitigate the threat posed by the ransomware and to assist victims. The Joint Cybercrime Action Taskforce, a group of specialist international cyber investigators, will also support the EC3 investigation. Europol’s executive director, Mr Rob Wainwright, warned that the ransomware ‘sends a clear message that all sectors are vulnerable’, and that ‘all sectors should take absolutely seriously the need to run updated systems and to patch when they can do that’.

Digital Geneva ConventionWhat was Microsoft’s reaction, in the light of its proposed Digital Geneva Convention? In a blog post published on 14 May, Mr Brad Smith, Microsoft President and Chief Legal Officer, made a link between the ransomware attack and the US National Security Agency (NSA), saying that the ‘exploits used in the attack were drawn from the exploits stolen from the NSA’. He added that this ‘completely unintended but disconcerting link between [...] nation-state action and organised criminal action’ is an example of why ‘the stockpiling of vulnerabilities’ by governments is a problem that needs to be addressed.

Smith noted that, although Microsoft had released a security update to patch the vulnerability identified in its systems, many computers remained unpatched globally. The company has been assisting users affected by the incident, including users with older Microsoft Windows operating systems that are no longer supported. Microsoft now plans to carefully assess the attack through its Threat Intelligence Centre and Digital Crimes Unit, and use the lessons learnt to strengthen its capabilities.

Smith said that ‘governments of the world should treat this attack as a wake-up call’, and ‘consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits’. In this context, he made a reference to his recent proposal for a Digital Geneva Convention, which would include, among others, a ‘new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them’.

Could a Digital Geneva Convention prevent ransomware attacks? In short, most likely not, since since the current cybersecurity architecture requires much more complex measures. However, more discussions are expected to continue to shape the proposed convention.

Researchers: Adrian Quesada, Amrita Choudhury, Arvin Kamberi, Aye Mya Nyein, Barbara Rosen Jacobson, Foncham Denis Doh, Glenn McKnight, Hamza Ben Mehrez, Jovan Kurbalija, Marilia Maciel, Natalia Enciso, Nazgul Kurmanalieva, Roxana Radu, Sorina Teleanu, Stephanie Borg Psaila, Virginia (Ginger) Paque, Vladimir Radunovic.

[Last updated: 1 September 2017]