Unprecedented: how the WannaCry cyber-attack brought thousands to a standstill

WannaCry is ransomware on a level that has never been seen before. Predictions of its arrival have been long standing, but the rapid spread of infections caused frustration, anger and fear among the general public when it hit our computers last week. While in the UK the NHS was one of the organisations worst hit by the malware; over 200,000 victims have been logged across the globe.

The failure of the NHS and other organisations around the world to keep their software and operating systems updated means that criminals can take advantage of these types of situations. Countries around the world are now alert to these security concerns and will move financial resources into securing these systems. But that is only half the solution. In the UK, much of the blame has fallen on the NHS and the government respectively, for failing to keep critical infrastructure secure. Certainly, some blame should be placed there, but there is also a real need to improve cyber-security training at all levels within society to ensure that attacks like these are unable to proliferate with such rapidity in future.

The perpetrators are still unknown, though initial reports from British blogger, MalwareTech suggested that hackers using Chinese IPs were attempting to gain access to his kill switch domain. The attacks have since been linked by experts to North Korea, as the code replicates some used by the country’s agents in the past. However, no definitive link has been made yet.

What is ransomware?

Ransomware is a form of software that installs itself on a computer; typically this is done when one opens a malicious website or an attachment on an email. The software works quickly to encrypt the files and limit access to them. A ransom is demanded, in this case $300, usually payable through Bitcoin or other cryptocurrencies that are difficult to trace. Upon payment, the attacker states that the files will be released, though with criminals, any assurances could be questioned.

WannaCry takes advantage of security flaws that were made public in April 2017 by Shadow Brokers, a group of hackers, which infiltrated the NSA. WannaCry’s coding uses holes in the safety net of operating systems to install itself and then move to infecting other computers on the same network. Microsoft itself patched this specific flaw in an update in April, though it appears a large number of computers were not updated by their administrators. A number of machines in the NHS case were running Windows XP, an operating system that saw its official Microsoft support end in April 2014. While Windows XP may not have been the root cause of the rapid spread of the cyber-attack through the NHS, it is certainly a symptom of a wider problem.

The day after the attack, MalwareTech helped stem the flow by registering a domain name found within the WannaCry malware’s code. With the kill switch activated, it is unlikely that this particularly nasty version will continue to proliferate. It was a relatively simple solution to a serious problem and while it does not help many of the computers that have already been infected, it certainly aids in limiting the damage.

What could come next?

Some cyber security experts have stated that a more serious attack is likely within the next week. Indeed, a number of copycat and second variant attacks have been released in recent days. It is difficult to say with any certainty why a further attack would be likely. One could argue that criminals will take advantage of our present vulnerability, though with a heightened awareness of cyber-attacks, hopefully a potential attack would be stopped before the infection spreads.

Conor McKenna
Doctoral Researcher in Cyberwarfare, Department of Political Science and International Studies, University of Birmingham