WannaCry: Holding the world hostage

17-05-2022 - 4 minute read. Posted in: case.

2017 was a year that changed the modern cyber world, as a global cyber attack shocked the world. The cyberattack later became known as WannaCry, which still worries security researchers to this day.

The time was 07:44 on 12 May 2017. WannaCry began spreading like wildfire, encrypting hundreds of thousands of computers in more than 150 countries in a matter of hours. It was the first time that ransomware, a form of malware that encrypts a user's files and demands a ransom to unlock them, had spread across the world, in what looked like a coordinated cyberattack.

Some of the first countries to be hit were Spain and the UK. Hospitals across the UK declared they had been hit by a "major incident" after their systems went offline due to the malware. Public systems, rail networks and private companies worldwide were also affected.

All victims had their files and systems locked and had to pay a ransom in Bitcoin to stop the ransomware attack. They were told that all their files would be deleted if they did not pay within three days.

How was WannaCry possible?

Security researchers quickly realised that the WannaCry ransomware was spreading like a worm across computers and networks using the Windows SMB protocol. Suspicion then quickly fell on a batch of highly classified hacking tools developed by the National Security Agency (NSA), which weeks earlier had been stolen and published online for anyone to use. They were leaked by the hacker group The Shadow Brokers.

The NSA had developed an exploit called EternalBlue for a security hole in older Windows computers. It had also developed a tool called DoublePulsar that could create and install copies of itself.

Microsoft, already aware of the theft of hacking tools targeting its operating systems, had released security patches to remedy the problem. But consumers and businesses alike took too long to install the patches. And many did not install them at all.

An unknown hacker group, believed to be from North Korea, had downloaded the released NSA cyberweapons and launched their attack. The hackers used the NSA's DoublePulsar to create a persistent "backdoor" that was used to deliver WannaCry ransomware. Using the EternalBlue security hole, the ransomware spread to every other unpatched computer on a network.

A single vulnerable and Internet-connected system was enough to cause chaos.

Trust in the intelligence community collapsed that day. Governments and individuals alike demanded to know how the NSA planned to deal with the damage it had caused. It also sparked a fierce debate about how the government creates or exploits vulnerabilities as weapons to carry out government surveillance or espionage.

In just a few hours, WannaCry had caused billions of dollars in damage. The hacker group behind WannaCry demanded ransoms from their victims in Bitcoin, and victims desperately tried to raise enough Bitcoin to pay the hackers. But many of the victims who paid the ransom did not regain access to their systems or files.

One person had the solution

Marcus Hutchins, a security researcher specialising in malware, was on holiday when the attack hit. He quickly went home from his vacation and got to work. Using data from his homegrown malware-tracking system, he found what later became WannaCry's kill switch. He found a domain name embedded in the WannaCry code, and when he registered that domain name, the WannaCry ransomware stopped spreading.

Hutchins published his kill switch, and at 3.03pm the cyberattack quickly began to slow worldwide. The attack was estimated to have affected more than 200,000 computers in 150 countries.

The aftermath

The WannaCry attack caused panic around the world in 2017, and it remains a concern for security researchers and businesses today. The exposed NSA tools are still publicly available and capable of infecting vulnerable computers. Following WannaCry, there have also been several cyberattacks based on the EternalBlue security hole, including NotPetya, which primarily affected Ukraine later that year.

WannaCry was a wake-up call for the whole world. It demonstrated both the importance of good cyber security and the threat that ransomware attacks pose to all kinds of businesses.

The hacker group behind WannaCry has never been identified.

Author Sofie Meyer

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.
