WannaCry ransomware attack: Difference between revisions

From Wikipedia, the free encyclopedia
→‎List of affected organizations: WP:NULL. Thanks, IP editor, for fixing my mistake.
→‎Attack: remove speculation that contradicts well-sourced statement in the beginning of the section, as well as its following sentence; remove another duplicate paragraph
Tag: references removed
(6 intermediate revisions by the same user not shown)
Line 45: Line 45:
| blank_label = Status
| blank_label = Status
| blank_data = Mostly under control<ref>{{cite news|last1=Wattles|first1=Jackie|title=Ransomware attack: Who got hurt|url=http://money.cnn.com/2017/05/13/technology/ransomware-attack-who-got-hurt/|accessdate=14 May 2017|work=CNNMoney|date=13 May 2017}}</ref>}}
| blank_data = Mostly under control<ref>{{cite news|last1=Wattles|first1=Jackie|title=Ransomware attack: Who got hurt|url=http://money.cnn.com/2017/05/13/technology/ransomware-attack-who-got-hurt/|accessdate=14 May 2017|work=CNNMoney|date=13 May 2017}}</ref>}}
'''WannaCry''' (or '''WannaCrypt''',<ref name="microsoftreleases" >{{cite web|last1=MSRC Team|title=Customer Guidance for WannaCrypt attacks|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|publisher=[[Microsoft]]|access-date=13 May 2017}}</ref> '''WanaCrypt0r 2.0''',<ref>{{cite web|author1=Jakub Kroustek|title=Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica.|url=https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today|website=Avast Security News|publisher=Avast Software, Inc|date=12 May 2017}}</ref><ref name=":0">{{Cite news|url=https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/|title=An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak|last=Fox-Brewster|first=Thomas|work=Forbes|access-date=12 May 2017}}</ref> '''Wanna Decryptor'''<ref>{{Cite news|url=http://www.wired.co.uk/article/wanna-decryptor-ransomware|title=Wanna Decryptor: what is the 'atom bomb of ransomware' behind the NHS attack?|last=Woollaston|first=Victoria|work=WIRED UK|access-date=2017-05-13|language=en-GB}}</ref> or similar{{efn|Also known by similar names.}}) is a [[ransomware]] program targeting [[Microsoft Windows]].<ref>{{cite web|last1=The GenX Times Team|title=WannaCry Ransomware attack computers worldwide, using NSA exploit codenamed Eternalblue|url=http://www.thegenxtimes.com/world/wannacry-ransomware-attack-computers-worldwide-using-nsa-exploit-codenamed-eternalblue/|access-date=13 May 2017}}</ref> On Friday, 12 May 2017, a large [[cyber-attack]] using it was launched, infecting over 230,000 computers in 150 countries, demanding ransom payments in [[bitcoin]] in 28 languages.<ref>{{cite web|title=WannaCry Infecting More Than 230,000 Computers In 99 
Countries|url=https://www.eyerys.com/articles/timeline/wannacry-infecting-more-230000-computers-99-countries|website=Eyerys|date=12 May 2017}}</ref> The attack has been described by [[Europol]] as unprecedented in scale.<ref name=":3">{{Cite news|url=http://www.bbc.com/news/world-europe-39907965|title=Cyber-attack: Europol says it was unprecedented in scale|date=2017-05-13|work=BBC News|access-date=2017-05-13|language=en-GB}}</ref>

'''WannaCry''' (or '''WannaCrypt''',<ref name="microsoftreleases" >{{cite web|last1=MSRC Team|title=Customer Guidance for WannaCrypt attacks|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|publisher=[[Microsoft]]|access-date=13 May 2017}}</ref> '''WanaCrypt0r 2.0''',<ref>{{cite web|author1=Jakub Kroustek|title=Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica.|url=https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today|website=Avast Security News|publisher=Avast Software, Inc|date=12 May 2017}}</ref><ref name=":0">{{Cite news|url=https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/|title=An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak|last=Fox-Brewster|first=Thomas|work=Forbes|access-date=12 May 2017}}</ref> '''Wanna Decryptor'''<ref name="auto">{{Cite news|url=http://www.wired.co.uk/article/wanna-decryptor-ransomware|title=Wanna Decryptor: what is the 'atom bomb of ransomware' behind the NHS attack?|last=Woollaston|first=Victoria|work=WIRED UK|access-date=2017-05-13|language=en-GB}}</ref>) is a [[ransomware]] program targeting [[Microsoft Windows]].<ref>{{cite web|last1=The GenX Times Team|title=WannaCry Ransomware attack computers worldwide, using NSA exploit codenamed Eternalblue|url=http://www.thegenxtimes.com/world/wannacry-ransomware-attack-computers-worldwide-using-nsa-exploit-codenamed-eternalblue/|access-date=13 May 2017}}</ref> On Friday, 12 May 2017, a large [[cyber-attack]] using it was launched, infecting over 230,000 computers in 150 countries, demanding ransom payments in [[bitcoin]] in 28 languages.<ref>{{cite web|title=WannaCry Infecting More Than 230,000 Computers In 99 Countries|url=https://www.eyerys.com/articles/timeline/wannacry-infecting-more-230000-computers-99-countries|website=Eyerys|date=12 May 
2017}}</ref> The attack spreads by multiple methods include [[phishing]] emails<ref>{{cite news|last1=Gayle|first1=Damien|last2=Topping|first2=Alexandra|last3=Sample|first3=Ian|last4=Marsh|first4=Sarah|last5=Dodd|first5=Vikram|title=NHS seeks to recover from global cyber-attack as security concerns resurface|url=https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack|accessdate=14 May 2017|work=The Guardian|date=13 May 2017|quote=One NHS worker, who asked to remain anonymous, said the attack began at about 12.30pm and appeared to have been the result of phishing. "The computers were affected after someone opened an email attachment. We get a lot of spam and it looks like something was sent to all the trusts in the country. Other hospitals have now been warned not to open these emails – all trusts communicate with each other."}}</ref> and on unpatched systems as a [[computer worm]]. The attack has been described by [[Europol]] as unprecedented in scale.<ref name=":3">{{Cite news|url=http://www.bbc.com/news/world-europe-39907965|title=Cyber-attack: Europol says it was unprecedented in scale|date=2017-05-13|work=BBC News|access-date=2017-05-13|language=en-GB}}</ref>


The attack affected [[Telefónica]] and several other large companies in [[Spain]], as well as parts of Britain's [[National Health Service]] (NHS),<ref>{{cite web|url=https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware|title=The NHS trusts hit by malware – full list|first=Sarah|last=Marsh|date=12 May 2017 |access-date=12 May 2017 |work=[[The Guardian]] |location=London}}</ref> [[FedEx]] and [[Deutsche Bahn]].<ref name="BBC news">{{Cite news|url=http://www.bbc.co.uk/news/health-39899646|title=NHS cyber-attack: GPs and hospitals hit by ransomware|date=12 May 2017|work=BBC News|access-date=12 May 2017|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20|title=What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?|last=Hern|first=Alex|date=12 May 2017 |work=[[The Guardian]] |location=London|access-date=12 May 2017|last2=Gibbs|first2=Samuel |issn=0261-3077}}</ref><ref>{{Cite web|url=https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack|title=Statement on reported NHS cyber attack|website=digital.nhs.uk|language=en-GB|access-date=12 May 2017}}</ref> Other targets in at least 99 countries were also reported to have been attacked around the same time.<ref>{{Cite web|url=https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world|title=A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World|website=Motherboard|first=Joseph|last=Cox|date=12 May 2017|language=en-us|access-date=12 May 2017}}</ref><ref name="cnn99countries">{{Cite news |url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/ |title=Massive ransomware attack hits 99 countries |last=Larson |first=Selena |date=12 May 2017 |work=CNN |access-date=12 May 2017}}</ref>
The attack affected [[Telefónica]] and several other large companies in [[Spain]], as well as parts of Britain's [[National Health Service]] (NHS),<ref>{{cite web|url=https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware|title=The NHS trusts hit by malware – full list|first=Sarah|last=Marsh|date=12 May 2017 |access-date=12 May 2017 |work=[[The Guardian]] |location=London}}</ref> [[FedEx]] and [[Deutsche Bahn]].<ref name="BBC news">{{Cite news|url=http://www.bbc.co.uk/news/health-39899646|title=NHS cyber-attack: GPs and hospitals hit by ransomware|date=12 May 2017|work=BBC News|access-date=12 May 2017|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20|title=What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?|last=Hern|first=Alex|date=12 May 2017 |work=[[The Guardian]] |location=London|access-date=12 May 2017|last2=Gibbs|first2=Samuel |issn=0261-3077}}</ref><ref>{{Cite web|url=https://digital.nhs.uk/article/1491/Statement-on-reported-NHS-cyber-attack|title=Statement on reported NHS cyber attack|website=digital.nhs.uk|language=en-GB|access-date=12 May 2017}}</ref> Other targets in at least 99 countries were also reported to have been attacked around the same time.<ref>{{Cite web|url=https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world|title=A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World|website=Motherboard|first=Joseph|last=Cox|date=12 May 2017|language=en-us|access-date=12 May 2017}}</ref><ref name="cnn99countries">{{Cite news |url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/ |title=Massive ransomware attack hits 99 countries |last=Larson |first=Selena |date=12 May 2017 |work=CNN |access-date=12 May 2017}}</ref>


WannaCry is believed to use the [[EternalBlue]] [[Exploit (computer security)|exploit]], which was developed by the U.S. [[National Security Agency]] (NSA)<ref name="independent">{{cite web|title=NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack|url=http://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html|publisher=[[The Independent]]|access-date=13 May 2017}}</ref><ref name="telegraph">{{cite web|title=NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history|url=http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/|publisher=[[The Daily Telegraph]]|access-date=13 May 2017}}</ref> to attack computers running [[Microsoft Windows]] operating systems.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=12 May 2017|website=CNNMoney|access-date=12 May 2017}}</ref> Although a patch to remove the underlying vulnerability for supported systems had been issued on 14 March 2017,<ref name="microsoft.com"/> delays in applying security updates and lack of support by Microsoft of legacy versions of Windows left many users vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|access-date=12 May 2017}}</ref> Due to the scale of the attack, to deal with the unsupported Windows systems, Microsoft has taken the unusual step of releasing updates for all older unsupported operating systems from [[Windows XP]] onwards.<ref name="microsoftreleases"/><ref name="unsupported">{{cite news|last1=Surur|title=Microsoft release 
Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003|url=https://mspoweruser.com/microsoft-release-wannacrypt-patch-unsupported-windows-xp-windows-8-windows-server-2003/|access-date=13 May 2017|date=13 May 2017}}</ref>
WannaCry is believed to use the [[EternalBlue]] [[Exploit (computer security)|exploit]], which was developed by the U.S. [[National Security Agency]] (NSA)<ref name="independent">{{cite web|title=NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack|url=http://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html|publisher=[[The Independent]]|access-date=13 May 2017}}</ref><ref name="telegraph">{{cite web|title=NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history|url=http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/|publisher=[[The Daily Telegraph]]|access-date=13 May 2017}}</ref> to attack computers running [[Microsoft Windows]] operating systems.<ref name=":0" /><ref>{{Cite web|url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html|title=Massive ransomware attack hits 74 countries|last=Larson|first=Selena|date=12 May 2017|website=CNNMoney|access-date=12 May 2017}}</ref> Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,<ref name="microsoft.com"/> users who delayed in applying security updates, or use unsupported versions of Windows, were left vulnerable.<ref>{{cite web|url=https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/|title=WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain|first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()|website=theregister.co.uk|access-date=12 May 2017}}</ref> Microsoft has taken the unusual step of releasing updates for the unsupported [[Windows XP]] and [[Windows Server 2003]] and patches for [[Windows 8]] operating systems.<ref name="microsoftreleases"/><ref name="unsupported">{{cite news|last1=Surur|title=Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 
2003|url=https://mspoweruser.com/microsoft-release-wannacrypt-patch-unsupported-windows-xp-windows-8-windows-server-2003/|access-date=13 May 2017|date=13 May 2017}}</ref>


Shortly after the attack began a researcher found an effective [[kill switch]], which prevented many new infections. This greatly slowed the spread. However, it has been reported that subsequently new versions of the attack have been detected which lack the kill switch, thus able to spread to systems in which the vulnerability has not been patched.<ref>{{Cite news|url=http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html|title=It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'|last=Khandelwal|first=Swati|work=The Hacker News|access-date=2017-05-14|language=en-US}}</ref>
Shortly after the attack, several lines of code were found by an anti-malware researcher to function as a [[kill switch]], and was activated by the researcher. This temporarily stopped the spreading of the virus. The code was initially reported in the media as a built-in [[kill switch]]; however, some analysts concluded that it was a programming mistake.<ref name="malwaretech">Malware Tech's blog: [https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html How to Accidentally Stop a Global Cyber Attacks]</ref> The next day, a variant of the malware without the kill-switch was discovered.<ref>{{Cite news|url=http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html|title=It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'|last=Khandelwal|first=Swati|work=The Hacker News|access-date=2017-05-14|language=en-US}}</ref>


==Background==
==Background==
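Review bot: The lead sentence "infecting over 230,000 computers in 150 countries" appears in both versions of the paragraph, but the citation attached to it is titled "WannaCry Infecting More Than 230,000 Computers In 99 Countries" and the following paragraph says "at least 99 countries"; the figure should match the cited source or be given a source that supports 150. In the lead variant that reads "The attack spreads by multiple methods include phishing emails", "include" should be "including", and the only support offered is an anonymous NHS worker's quote inside the Guardian citation, which sits badly with the "no evidence for an initial email phishing campaign" sentence later on the page. The two kill-switch paragraphs also disagree on whether it was "an effective kill switch" or "a programming mistake"; whichever wording stays should agree with the kill-switch text in the response section. Finally, the Register citation carries scraped debris in its author fields ("first1=12 May 2017 at|last1=15:58|first2=John Leyden|last2=tweet_btn()") and should be reduced to the author's actual name.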
Line 68: Line 67:
The Windows [[vulnerability (computing)|vulnerability]] is not a [[zero-day (computing)|zero-day]] flaw, but one for which Microsoft had made available a [[Patch (computing)#Security patches|security patch]] on 14 March 2017,<ref name="microsoft.com"/> nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.<ref name=exploit>{{cite news|url=http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit|title=WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit|work=[[eWeek]]|access-date=13 May 2017}}</ref><ref name="hei">{{cite web|title=WannaCry: BSI ruft Betroffene auf, Infektionen zu melden|url=https://www.heise.de/newsticker/meldung/WannaCry-BSI-ruft-Betroffene-auf-Infektionen-zu-melden-3713442.html|publisher=heise online|accessdate=14 May 2017|language=de-DE}}</ref> Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.<ref name=exploit/> Any organization still running the older [[Windows XP]]<ref name=vicexp>{{cite web|url=https://motherboard.vice.com/en_us/article/nhs-hospitals-are-running-thousands-of-computers-on-unsupported-windows-xp|title=NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP|website=Motherboard|access-date=13 May 2017}}</ref> were at particularly high risk because until 13 May,<ref name="microsoftreleases"/> no security patches had been released since April 2014.<ref>{{cite web|url=https://www.microsoft.com/en-gb/windowsforbusiness/end-of-xp-support|title=Windows XP End of Support|website=www.microsoft.com|access-date=13 May 2017}}</ref> Following the attack, Microsoft released a security patch for Windows XP.<ref name="microsoftreleases" />
The Windows [[vulnerability (computing)|vulnerability]] is not a [[zero-day (computing)|zero-day]] flaw, but one for which Microsoft had made available a [[Patch (computing)#Security patches|security patch]] on 14 March 2017,<ref name="microsoft.com"/> nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.<ref name=exploit>{{cite news|url=http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit|title=WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit|work=[[eWeek]]|access-date=13 May 2017}}</ref><ref name="hei">{{cite web|title=WannaCry: BSI ruft Betroffene auf, Infektionen zu melden|url=https://www.heise.de/newsticker/meldung/WannaCry-BSI-ruft-Betroffene-auf-Infektionen-zu-melden-3713442.html|publisher=heise online|accessdate=14 May 2017|language=de-DE}}</ref> Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.<ref name=exploit/> Any organization still running the older [[Windows XP]]<ref name=vicexp>{{cite web|url=https://motherboard.vice.com/en_us/article/nhs-hospitals-are-running-thousands-of-computers-on-unsupported-windows-xp|title=NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP|website=Motherboard|access-date=13 May 2017}}</ref> were at particularly high risk because until 13 May,<ref name="microsoftreleases"/> no security patches had been released since April 2014.<ref>{{cite web|url=https://www.microsoft.com/en-gb/windowsforbusiness/end-of-xp-support|title=Windows XP End of Support|website=www.microsoft.com|access-date=13 May 2017}}</ref> Following the attack, Microsoft released a security patch for Windows XP.<ref name="microsoftreleases" />


Although another ransomware was spread through messages from a bank about a money transfer around the same time, no evidence for an initial email phishing campaign has been found in this case.<ref>{{Cite news|url=https://www.theregister.co.uk/2017/05/12/jaff_ransomware/|title='Jaff' argh snakes: 5m emails/hour ransomware floods inboxes|last=Leyden|first=John|work=The Register|access-date=2017-05-14|language=en-US}}</ref>
According to ''[[Wired (magazine)|Wired]]'', affected systems will also have had the [[DOUBLEPULSAR]] [[Backdoor (computing)|backdoor]] installed; this will also need to be removed when systems are decrypted.<ref name="auto"/>

==WannaCry functionality==
{{Expand section|date=May 2017}}
It is speculated that WannaCry first spread through a massive email phishing campaign by which email attachments were used to infect machines.<ref name=cio>{{cite web|last1=Kan|first1=Michael|title=A 'kill switch' is slowing the spread of WannaCry ransomware|url=http://www.cio.com/article/3196511/security/a-kill-switch-is-slowing-the-spread-of-wannacry-ransomware.html|publisher=CIO|accessdate=14 May 2017|language=en}}</ref> Although another ransomware was spread through messages from a bank about a money transfer around the same time<ref>{{Cite news|url=https://www.theregister.co.uk/2017/05/12/jaff_ransomware/|title='Jaff' argh snakes: 5m emails/hour ransomware floods inboxes|last=Leyden|first=John|work=The Register|access-date=2017-05-14|language=en-US}}</ref>, no evidence for an initial email phishing campaign has been found in this case.

WannaCrypt would then attempt to install via the leaked backdoor DoublePulsar. If that backdoor wasn't present on the target Windows system it would attempt to exploit a vulnerability in [[Server Message Block]] v1 (SMBv1), an outdated network file sharing protocol.<ref name=forb>{{cite web|last1=Fox-Brewster|first1=Thomas|title=How One Simple Trick Just Put Out That Huge Ransomware Fire|url=https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/|publisher=Forbes|accessdate=14 May 2017}}</ref>

Then, as any other typical ransomware strain, it would infect the computer and [[Full Disk Encryption|encrypt all its data]]. Once this process is completed it locks the computer to show a demand for ransom.<ref name=forb/> Limited time to gather the required ~$300 worth of [[bitcoin]] and pay the ransom is given to the victim with a countdown of a few days being displayed on the screen.

It'll also attempt to spread to other machines on the same [[local network]] and scan the Internet for more vulnerable machines.<ref name=cio/>


==Impact==
==Impact==
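Review bot: The "WannaCry functionality" paragraph contradicts itself, opening with "It is speculated that WannaCry first spread through a massive email phishing campaign" and closing with "no evidence for an initial email phishing campaign has been found in this case", so keeping only the sourced "no evidence" statement is the consistent choice. The version without that section, however, also loses the DoublePulsar and SMBv1 sentences, which are sourced to Wired and Forbes and are not phishing speculation; the remark that the backdoor "will also need to be removed when systems are decrypted" is the only remediation guidance in this hunk and is worth retaining. If the section is kept, "[[Full Disk Encryption|encrypt all its data]]" links to a different concept from ransomware encrypting a victim's files, "It'll" should be "It will", and the "~$300" figure and the countdown have no citation.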
Line 121: Line 110:
}}
}}


==Response==
==Defensive response==
Several hours after the initial release of the ransomware on 12 May 2017, a researcher with the Twitter handle 'MalwareTech' discovered what amounted to be a "[[kill switch]]" [[Hard coding|hardcoded]] in the malware.<ref>{{cite web|url=http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/|title=Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms}}</ref><ref>{{cite web|url=https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/|title=74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+|first=Iain|last=Thomson}}</ref><ref>{{cite web|url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack|title='Accidental hero' halts ransomware attack and warns: this is not over|first=Nadia Khomami Olivia Solon in San|last=Francisco|date=13 May 2017|publisher=|via=The Guardian}}</ref> This allowed the spread of the initial infection to be halted by registering a [[domain name]].<ref>{{cite news|last1=Solon|first1=Olivia|title='Accidental hero' finds kill switch to stop spread of ransomware cyber-attack|url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack|access-date=13 May 2017 |work=[[The Guardian]] |location=London|date=13 May 2017}}</ref> However, variants without the kill switch were detected the next day.<ref>{{Cite news|url=http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html|title=It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'|last=Khandelwal|first=Swati|work=The Hacker News|access-date=2017-05-14|language=en-US}}</ref><ref>{{cite web|url=http://www.bbc.co.uk/news/technology-39907049|title=Global cyber-attack: Security blogger halts ransomware 'by accident'|date=13 May 
2017|first=Chris|last=Foxx|website=www.bbc.co.uk|accessdate=13 May 2017}}</ref><ref>{{cite web|last1=Kan|first1=Micael|title=A 'kill switch' is slowing the spread of WannaCry ransomware|url=http://www.pcworld.com/article/3196515/security/a-kill-switch-is-slowing-the-spread-of-wannacry-ransomware.html|website=PC World|access-date=13 May 2017}}</ref> In an unusual move, Microsoft created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.<ref>{{Cite news|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|title=Customer Guidance for WannaCrypt attacks|work=MSRC|access-date=2017-05-13|language=en-US}}</ref>
Antivirus companies have updated their software to prevent phishing attacks.


[[Prime Minister of the United Kingdom|British Prime Minister]] [[Theresa May]] said of the ransomware, "This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."<ref>{{cite web|url=http://www.cnn.com/2017/05/12/health/uk-nhs-cyber-attack/index.html|title=UK prime minister: Ransomware attack is global|first=Laura Smith-Spark, Milena Veselinovic and Hilary McGann|last=CNN|website=CNN|access-date=13 May 2017}}</ref> However, tech experts have said that the effects of the hack were exacerbated by Conservative underfunding of the NHS as part of [[United Kingdom government austerity programme|the government's austerity measures]], in particular the [[Department of Health]]'s refusal to pay extra to Microsoft in order to keep protecting outdated [[Windows XP]] systems from such attacks.<ref>{{cite news|title=The ransomware attack is all about the insufficient funding of the NHS|url=https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding|accessdate=14 May 2017|work=The Guardian|date=13 May 2017}}</ref> Home secretary [[Amber Rudd]] refused to say whether patient data had been backed up, and shadow health secretary [[Jonathan Ashworth]] accused health secretary [[Jeremy Hunt]] of refusing to act on a critical note from Microsoft two months previously, as other warnings from the [[National Cyber Security Centre]] and [[National Crime Agency]].<ref>{{cite news|title=Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS|url=https://www.theguardian.com/society/2017/may/13/jeremy-hunt-ignored-warning-signs-before-cyber-attack-hit-nhs|accessdate=14 May 2017|work=The Guardian|date=13 May 2017}}</ref>
Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, a researcher, who goes by the twitter handle 'MalwareTech' , accidentally discovered what amounted to be a "[[kill switch]]" [[Hard coding|hardcoded]] in the malware.<ref>{{cite web|url=http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/|title=Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms}}</ref><ref>{{cite web|url=https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/|title=74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+|first=Iain|last=Thomson}}</ref><ref>{{cite web|url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack|title='Accidental hero' halts ransomware attack and warns: this is not over|first=Nadia Khomami Olivia Solon in San|last=Francisco|date=13 May 2017|publisher=|via=The Guardian}}</ref> Registering a [[domain name]] for a [[DNS sinkhole]] stopped the attack spreading as a worm. While this didn't help already infected systems, it slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in the United States and Asia which hadn't been attacked much yet. 
Analysis of the kill switch suggested that it may in fact be a bug in the malware whose code was originally intended to make the attack harder to analyse.<ref>{{Cite news|url=https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/|title=How an Accidental ‘Kill Switch’ Slowed Friday’s Massive Ransomware Attack|last=Newman|first=Lily Hay|work=Wired Security|access-date=2017-05-14|language=en-US}}</ref><ref>{{cite news|last1=Solon|first1=Olivia|title='Accidental hero' finds kill switch to stop spread of ransomware cyber-attack|url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack|access-date=13 May 2017 |work=[[The Guardian]] |location=London|date=13 May 2017}}</ref><ref>{{cite web|url=http://www.bbc.co.uk/news/technology-39907049|title=Global cyber-attack: Security blogger halts ransomware 'by accident'|date=13 May 2017|first=Chris|last=Foxx|website=www.bbc.co.uk|accessdate=13 May 2017}}</ref><ref>{{cite web|last1=Kan|first1=Micael|title=A 'kill switch' is slowing the spread of WannaCry ransomware|url=http://www.pcworld.com/article/3196515/security/a-kill-switch-is-slowing-the-spread-of-wannacry-ransomware.html|website=PC World|access-date=13 May 2017}}</ref> However, the kill switch domain needs to be available locally, and the response must be able to reach the malware to effectively work. Some network configurations may prevent the kill switch from working.<ref>{{Cite news|url=http://www.nbcnews.com/tech/internet/after-huge-global-cyberattack-countries-scramble-halt-spread-ransomware-n759121|title=After Huge Global Cyberattack, Countries Scramble to Halt Spread of Ransomware|last1=McCausland|first1=Phil|last2=Petulla|first2=Sam|work=NBC News|access-date=2017-05-14|language=en-US}}</ref>


===Reactions===
In an unusual move, Microsoft created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.<ref>{{Cite news|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|title=Customer Guidance for WannaCrypt attacks|work=MSRC|access-date=2017-05-13|language=en-US}}</ref>

Traditional [[anti-virus software]] can only clean known threats, however when malware mutates the signature changes, often making such software useless. In order to solve this problem, some companies invented [[Heuristic (computer science)|heuristics]] and [[Behavior informatics|behavior analysis]] mechanisms to detect the actual attack instead of the infection method.{{citation needed|date=May 2017}}

==Reactions==<!--could be renamed to something like "Reactions and countermeasures" (reactions in the form of preventive/constructive actions) or "Reactions and analysis"; alternatively it could be split-->
Upon learning about the impact on the NHS, [[Edward Snowden]] said that had the NSA "[[Responsible disclosure|privately disclosed]] the flaw used to attack hospitals when they ''found'' it, not when they lost it, [the attack] may not have happened".<ref>{{cite web|url=https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs|title=Massive ransomware cyber-attack hits 74 countries around the world|first1=Julia Carrie|last1=Wong|first2=Olivia|last2=Solon|date=12 May 2017|publisher=|access-date=12 May 2017|via=The Guardian}}</ref>
Upon learning about the impact on the NHS, [[Edward Snowden]] said that had the NSA "[[Responsible disclosure|privately disclosed]] the flaw used to attack hospitals when they ''found'' it, not when they lost it, [the attack] may not have happened".<ref>{{cite web|url=https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs|title=Massive ransomware cyber-attack hits 74 countries around the world|first1=Julia Carrie|last1=Wong|first2=Olivia|last2=Solon|date=12 May 2017|publisher=|access-date=12 May 2017|via=The Guardian}}</ref>


British cybersecurity expert [[Graham Cluley]] also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". Furthermore he notes that most people "are living an online life," and that these agencies, despite obvious uses for such tools [[targeted surveillance|to spy on people of interest]], have a duty to protect their countries' citizens in that realm as well.<ref>{{cite web|last1=Heintz|first1=Sylvia Hui, Allen G. Breed and Jim|title=Lucky break slows global cyberattack; what's coming could be worse|url=http://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html|accessdate=14 May 2017}}</ref>
British cybersecurity expert [[Graham Cluley]] also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". Furthermore he notes that most people "are living an online life," and that these agencies, despite obvious uses for such tools [[targeted surveillance|to spy on people of interest]], have a duty to protect their countries' citizens in that realm as well.<ref>{{cite web|last1=Heintz|first1=Sylvia Hui, Allen G. Breed and Jim|title=Lucky break slows global cyberattack; what's coming could be worse|url=http://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html|accessdate=14 May 2017}}</ref> The Guardian wrote that the attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.<ref name=guard1/> The article argued that the U.K. government's apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".<ref name=guard1/>

This attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.<ref name=guard1/>

In addition the government's apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".<ref name=guard1/>


Arne Schönbohm, President of Germany's [[Federal Office for Information Security]] (BSI) states that "the current attacks show how vulnerable our [[digital society]] is. It's a wake up call for companies to finally take IT-security serious".<ref name="hei"/>
Arne Schönbohm, President of Germany's [[Federal Office for Information Security]] (BSI) states that "the current attacks show how vulnerable our [[digital society]] is. It's a wake up call for companies to finally take IT-security serious".<ref name="hei"/>


James Scott from the Institute of Critical Infrastructure Technology, stated that ransomware emerged "as an epidemic" in 2016 with the healthcare sector being particularly vulnerable. He states that "the staff have no [[Cyber hygiene|cyber-hygiene training]], they click on phishing links all the time. The sad thing is they weren't backing up their data properly either, so that's a big problem."<ref>{{cite web|title=WannaCry: What is ransomware and how to avoid it|url=http://www.aljazeera.com/news/2017/05/ransomware-avoid-170513041345145.html|publisher=Al Jazeera|accessdate=14 May 2017}}</ref>
[[Adam Segal]], director of the digital and cyberspace policy program at the [[Council on Foreign Relations]] states that "the patching and updating systems are broken, basically, in the private sector and in government agencies" and notes that "there's no assurance that even if the government reveals a vulnerability people are going to move quickly enough to make and apply the patch".<ref name=guard1/>

According to James Scott from the Institute of Critical Infrastructure Technology ransomware emerged "as an epidemic" back in 2016 with the healthcare sector being particularly vulnerable. He states that "the staff have no [[Cyber hygiene|cyber-hygiene training]], they click on phishing links all the time. The sad thing is they weren't backing up their data properly either, so that's a big problem. They should be doing that all the time." He also notes that "you're only as strong as your weakest link within your organisation from a cyber-perspective".<ref>{{cite web|title=WannaCry: What is ransomware and how to avoid it|url=http://www.aljazeera.com/news/2017/05/ransomware-avoid-170513041345145.html|publisher=Al Jazeera|accessdate=14 May 2017}}</ref>

It is conceivable that the establishment of industry-wide, national and international organizations to identify and help with fixing vulnerabilities, appropriate [[cyber-security regulation]]s as well as new mechanisms, protocols, standards and software to comprehensively ease and enforce swift software updates may significantly mitigate such malware attacks.{{citation needed|date=May 2017}}

[[Prime Minister of the United Kingdom|British Prime Minister]] [[Theresa May]] said of the ransomware, "This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."<ref>{{cite web|url=http://www.cnn.com/2017/05/12/health/uk-nhs-cyber-attack/index.html|title=UK prime minister: Ransomware attack is global|first=Laura Smith-Spark, Milena Veselinovic and Hilary McGann|last=CNN|website=CNN|access-date=13 May 2017}}</ref> However, tech experts have said that the effects of the hack were exacerbated by Conservative underfunding of the NHS as part of [[United Kingdom government austerity programme|the government's austerity measures]], in particular the [[Department of Health]]'s refusal to pay extra to Microsoft in order to keep protecting outdated [[Windows XP]] systems from such attacks.<ref>{{cite news|title=The ransomware attack is all about the insufficient funding of the NHS|url=https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding|accessdate=14 May 2017|work=The Guardian|date=13 May 2017}}</ref> Home secretary [[Amber Rudd]] refused to say whether patient data had been backed up, and shadow health secretary [[Jonathan Ashworth]] accused health secretary [[Jeremy Hunt]] of refusing to act on a critical note from Microsoft two months previously, as other warnings from the [[National Cyber Security Centre]] and [[National Crime Agency]].<ref>{{cite news|title=Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS|url=https://www.theguardian.com/society/2017/may/13/jeremy-hunt-ignored-warning-signs-before-cyber-attack-hit-nhs|accessdate=14 May 2017|work=The Guardian|date=13 May 2017}}</ref>


==See also==
==See also==
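Review bot: The sentence added to the Graham Cluley paragraph narrows the quoted concern to "the U.K. government's apparent inability to secure vulnerabilities", while the standalone line it replaces said only "the government's" and the surrounding text is about the U.S. intelligence services and the NSA. Please check guard1 and either drop "U.K." or name the government the source actually refers to. The same merged sentence now attributes the stockpiling criticism to The Guardian, which is an improvement over the unattributed "This attack shows that ..." wording. Separately, the Theresa May paragraph carried over in this revision still reads "as other warnings from the National Cyber Security Centre"; "as well as other warnings" appears to be intended.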

Revision as of 13:59, 14 May 2017

WannaCry cyber attack
Screenshot of the ransom note left on an infected system
Date: 12 May 2017 (ongoing)
Location: Worldwide
Also known as: WannaCrypt, WanaCrypt0r, WCRY
Type: Cyber-attack
Theme: Ransomware encrypting hard disk with $300 demand
Cause: EternalBlue exploit
Participants: Unknown
Outcome: More than 230,000 computers infected[1]
Status: Mostly under control[2]

WannaCry (or WannaCrypt,[3] WanaCrypt0r 2.0,[4][5] Wanna Decryptor[6] or similar[a]) is a ransomware program targeting Microsoft Windows.[7] On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting over 230,000 computers in 150 countries, demanding ransom payments in bitcoin in 28 languages.[8] The attack has been described by Europol as unprecedented in scale.[9]

The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain's National Health Service (NHS),[10] FedEx and Deutsche Bahn.[11][12][13] Other targets in at least 99 countries were also reported to have been attacked around the same time.[14][15]

WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA)[16][17] to attack computers running Microsoft Windows operating systems.[5][18] Although a patch to remove the underlying vulnerability had been issued on 14 March 2017,[19] users who delayed in applying security updates, or use unsupported versions of Windows, were left vulnerable.[20] Microsoft has taken the unusual step of releasing updates for the unsupported Windows XP and Windows Server 2003 and patches for Windows 8 operating systems.[3][21]

Shortly after the attack, an anti-malware researcher found several lines of code that functioned as a kill switch and activated it. This temporarily stopped the spread of the malware. The code was initially reported in the media as a built-in kill switch; however, some analysts concluded that it was a programming mistake.[22] The next day, a variant of the malware without the kill switch was discovered.[23]

Background

The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017,[24][25] along with other tools apparently leaked from Equation Group, which is believed to be part of the United States National Security Agency.[26][27]

EternalBlue exploits vulnerability MS17-010[19] in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft had released a "Critical" advisory, along with an update patch to plug the vulnerability a month before, on 14 March 2017.[19] This patch only fixed Windows Vista and later operating systems but not the older Windows XP.

From 21 April 2017, security researchers began reporting that tens of thousands of computers had the DOUBLEPULSAR backdoor installed.[28] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers varying between 55,000 and nearly 200,000 and growing every day.[29][30]

Attack

Countries initially affected[31]

On 12 May 2017, WannaCry began affecting computers worldwide.[32] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[33] When executed, the malware first checks the "kill switch" website. If it is not found, then the ransomware encrypts the computer's hard disk drive,[34][35] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[36] and "laterally" to computers on the same Local Area Network (LAN).[37] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.
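The sequence described above (a kill-switch lookup, then SMB connections to hosts on the LAN and to random Internet addresses) can be hunted for in DNS and flow logs. The following is an added example, not part of the article or of any vendor's tooling; the record layouts, thresholds, internal address range and the placeholder domain `killswitch.example` are assumptions, and every sample record is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445                              # TCP port used by SMB
KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder; the article does not give the real domain
LOCAL_NETS = [ip_network("10.0.0.0/8")]     # assumed internal address space
FANOUT_THRESHOLD = 5                        # assumed: distinct SMB peers per window that counts as a sweep
WINDOW_SECONDS = 60                         # assumed window length

# Constructed DNS records: (epoch_seconds, client_ip, queried_name)
DNS_LOG = [
    (1000, "10.0.0.21", "killswitch.example"),
    (1003, "10.0.0.34", "updates.example"),
    (1500, "10.0.0.50", "KillSwitch.example."),
]

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOW_LOG = (
    [(1010 + i, "10.0.0.21", f"10.0.0.{100 + i}", 445) for i in range(4)]       # lateral, same LAN
    + [(1020 + i, "10.0.0.21", f"198.51.100.{10 + i}", 445) for i in range(4)]  # random Internet hosts
    + [(1030 + i, "10.0.0.34", "10.0.0.5", 445) for i in range(10)]             # ordinary file-server client
    + [(2000 + i, "10.0.0.77", f"10.0.0.{150 + i}", 445) for i in range(6)]     # sweep with no lookup logged
    + [(1040, "10.0.0.21", "203.0.113.9", 443)]                                 # not SMB, ignored
)


def is_local(addr):
    """True if addr falls inside the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def smb_fanout(flow_log):
    """Per source, the window with the most distinct SMB destinations."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(flow_log):
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    result = {}
    for src, events in per_src.items():
        best = {"start": None, "lan": set(), "internet": set()}
        left = 0
        for right in range(len(events)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while events[right][0] - events[left][0] > WINDOW_SECONDS:
                left += 1
            dsts = {d for _, d in events[left:right + 1]}
            if len(dsts) > len(best["lan"]) + len(best["internet"]):
                best = {"start": events[left][0],
                        "lan": {d for d in dsts if is_local(d)},
                        "internet": {d for d in dsts if not is_local(d)}}
        result[src] = best
    return result


def triage(dns_log, flow_log):
    """Combine both signals into one verdict per host."""
    lookups = {}
    for ts, src, name in dns_log:
        if name.rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            lookups[src] = min(ts, lookups.get(src, ts))
    fanout = smb_fanout(flow_log)
    findings = {}
    for src in sorted(set(lookups) | set(fanout)):
        f = fanout.get(src, {"start": None, "lan": set(), "internet": set()})
        scanning = len(f["lan"]) + len(f["internet"]) >= FANOUT_THRESHOLD
        if src in lookups and scanning and lookups[src] <= f["start"]:
            verdict = "lookup-then-smb-fanout"   # matches the full sequence
        elif scanning:
            verdict = "smb-fanout-only"          # e.g. a variant without the kill switch, or a DNS logging gap
        elif src in lookups:
            verdict = "lookup-only"              # check may have succeeded and halted the malware; still investigate
        else:
            continue                             # normal SMB client
        findings[src] = {"verdict": verdict,
                         "lan": len(f["lan"]), "internet": len(f["internet"])}
    return findings


if __name__ == "__main__":
    for host, finding in triage(DNS_LOG, FLOW_LOG).items():
        print(host, finding)
```

A host that only looked up the domain is still worth isolating: by the logic above, a successful check means the sample ran but stopped before encrypting or spreading.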

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[19] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[38][39] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[38] Any organization still running the older Windows XP[40] was at particularly high risk because, until 13 May,[3] no security patches had been released since April 2014.[41] Following the attack, Microsoft released a security patch for Windows XP.[3]

Although another ransomware was spread through messages from a bank about a money transfer around the same time, no evidence for an initial email phishing campaign has been found in this case.[42]

Impact

The ransomware campaign was unprecedented in scale according to Europol.[9] The attack affected many National Health Service hospitals in the UK,[43] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[44] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[11][45] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[40] Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe's most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[46][47]

According to experts, the attack's impact could have been much worse had no kill switch been built in by the malware's creators.[48][49]

Cybersecurity expert Ori Eisen notes that the attack appears to be "low-level" stuff, given the ransom demands of $300, and states that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[50]

List of affected organizations


Response

Several hours after the initial release of the ransomware on 12 May 2017, a researcher with the Twitter handle 'MalwareTech' discovered what amounted to a "kill switch" hardcoded in the malware.[72][73][74] This allowed the spread of the initial infection to be halted by registering a domain name.[75] However, variants without the kill switch were detected the next day.[76][77][78] In an unusual move, Microsoft created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.[79]

British Prime Minister Theresa May said of the ransomware, "This is not targeted at the NHS. It is an international attack. A number of countries and organizations have been affected."[80] However, tech experts have said that the effects of the hack were exacerbated by Conservative underfunding of the NHS as part of the government's austerity measures, in particular the Department of Health's refusal to pay extra to Microsoft in order to keep protecting outdated Windows XP systems from such attacks.[81] Home secretary Amber Rudd refused to say whether patient data had been backed up, and shadow health secretary Jonathan Ashworth accused health secretary Jeremy Hunt of refusing to act on a critical note from Microsoft two months previously, as well as other warnings from the National Cyber Security Centre and National Crime Agency.[82]

Reactions

Upon learning about the impact on the NHS, Edward Snowden said that had the NSA "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened".[83]

British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". Furthermore he notes that most people "are living an online life," and that these agencies, despite obvious uses for such tools to spy on people of interest, have a duty to protect their countries' citizens in that realm as well.[84] The Guardian wrote that the attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[49] The article argued that the U.K. government's apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[49]

Arne Schönbohm, President of Germany's Federal Office for Information Security (BSI) states that "the current attacks show how vulnerable our digital society is. It's a wake up call for companies to finally take IT-security serious".[39]

James Scott from the Institute of Critical Infrastructure Technology stated that ransomware emerged "as an epidemic" in 2016 with the healthcare sector being particularly vulnerable. He states that "the staff have no cyber-hygiene training, they click on phishing links all the time. The sad thing is they weren't backing up their data properly either, so that's a big problem."[85]

See also


References

  1. ^ Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Retrieved 13 May 2017.
  2. ^ Wattles, Jackie (13 May 2017). "Ransomware attack: Who got hurt". CNNMoney. Retrieved 14 May 2017.
  3. ^ a b c d MSRC Team. "Customer Guidance for WannaCrypt attacks". Microsoft. Retrieved 13 May 2017.
  4. ^ Jakub Kroustek (12 May 2017). "Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica". Avast Security News. Avast Software, Inc.
  5. ^ a b Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. Retrieved 12 May 2017.
  6. ^ Woollaston, Victoria. "Wanna Decryptor: what is the 'atom bomb of ransomware' behind the NHS attack?". WIRED UK. Retrieved 13 May 2017.
  7. ^ The GenX Times Team. "WannaCry Ransomware attack computers worldwide, using NSA exploit codenamed Eternalblue". Retrieved 13 May 2017.
  8. ^ "WannaCry Infecting More Than 230,000 Computers In 99 Countries". Eyerys. 12 May 2017.
  9. ^ a b "Cyber-attack: Europol says it was unprecedented in scale". BBC News. 13 May 2017. Retrieved 13 May 2017.
  10. ^ Marsh, Sarah (12 May 2017). "The NHS trusts hit by malware – full list". The Guardian. London. Retrieved 12 May 2017.
  11. ^ a b "NHS cyber-attack: GPs and hospitals hit by ransomware". BBC News. 12 May 2017. Retrieved 12 May 2017.
  12. ^ Hern, Alex; Gibbs, Samuel (12 May 2017). "What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?". The Guardian. London. ISSN 0261-3077. Retrieved 12 May 2017.
  13. ^ "Statement on reported NHS cyber attack". digital.nhs.uk. Retrieved 12 May 2017.
  14. ^ Cox, Joseph (12 May 2017). "A Massive Ransomware 'Explosion' Is Hitting Targets All Over the World". Motherboard. Retrieved 12 May 2017.
  15. ^ a b Larson, Selena (12 May 2017). "Massive ransomware attack hits 99 countries". CNN. Retrieved 12 May 2017.
  16. ^ "NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack". The Independent. Retrieved 13 May 2017.
  17. ^ "NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history". The Daily Telegraph. Retrieved 13 May 2017.
  18. ^ Larson, Selena (12 May 2017). "Massive ransomware attack hits 74 countries". CNNMoney. Retrieved 12 May 2017.
  19. ^ a b c d "Microsoft Security Bulletin MS17-010 – Critical". technet.microsoft.com. Retrieved 13 May 2017.
  20. ^ Leyden, John (12 May 2017). "WanaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain". theregister.co.uk. Retrieved 12 May 2017.
  21. ^ Surur (13 May 2017). "Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003". Retrieved 13 May 2017.
  22. ^ Malware Tech's blog: How to Accidentally Stop a Global Cyber Attacks
  23. ^ Khandelwal, Swati. "It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'". The Hacker News. Retrieved 14 May 2017.
  24. ^ Menn, Joseph (17 February 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved 24 November 2015.
  25. ^ "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. Retrieved 15 April 2017.
  26. ^ Fox-Brewster, Thomas (16 February 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved 24 November 2015.
  27. ^ "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. 14 April 2017. Retrieved 15 April 2017.
  28. ^ Goodin, Dan. ">10,000 Windows computers may be infected by advanced NSA backdoor". ARS Technica. Retrieved 14 May 2017.
  29. ^ Goodin, Dan. "NSA backdoor detected on >55,000 Windows boxes can now be remotely removed". ARS Technica. Retrieved 14 May 2017.
  30. ^ Broersma, Matthew. "NSA Malware 'Infects Nearly 200,000 Systems'". Silicon. Retrieved 14 May 2017.
  31. ^ "Cyber-attack: Europol says it was unprecedented in scale". 13 May 2017 – via www.bbc.com.
  32. ^ Newman, Lily Hay. "The Ransomware Meltdown Experts Warned About Is Here". Wired.com. Retrieved 13 May 2017.
  33. ^ Goodin, Dan. "An NSA-derived ransomware worm is shutting down computers worldwide". ARS Technica. Retrieved 14 May 2017.
  34. ^ "Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency". The Telegraph. Retrieved 12 May 2017.
  35. ^ Bilefsky, Dan; Perlroth, Nicole (12 May 2017). "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool". The New York Times. ISSN 0362-4331. Retrieved 12 May 2017.
  36. ^ Clark, Zammis. "The worm that spreads WanaCrypt0r". Malwarebytes Labs. malwarebytes.com. Retrieved 13 May 2017.
  37. ^ Samani, Raj. "An Analysis of the WANNACRY Ransomware outbreak". McAfee. Retrieved 13 May 2017.
  38. ^ a b "WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit". eWeek. Retrieved 13 May 2017.
  39. ^ a b "WannaCry: BSI ruft Betroffene auf, Infektionen zu melden" (in German). heise online. Retrieved 14 May 2017.
  40. ^ a b "NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP". Motherboard. Retrieved 13 May 2017.
  41. ^ "Windows XP End of Support". www.microsoft.com. Retrieved 13 May 2017.
  42. ^ Leyden, John. "'Jaff' argh snakes: 5m emails/hour ransomware floods inboxes". The Register. Retrieved 14 May 2017.
  43. ^ "Global cyberattack strikes dozens of countries, cripples U.K. hospitals". cbsnews.com. Retrieved 13 May 2017.
  44. ^ Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). "Cyber-attack guides promoted on YouTube". The Sunday Times. Retrieved 14 May 2017.
  45. ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. London. Retrieved 12 May 2017.
  46. ^ Sharman, Jon (13 May 2017). "Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France". www.independent.co.uk. Retrieved 13 May 2017.
  47. ^ Rosemain, Mathieu; Le Guernigou, Yann; Davey, James (13 May 2017). "Renault stops production at several plants after ransomware cyber attack as Nissan also hacked". www.mirror.co.uk. Retrieved 13 May 2017.
  48. ^ "Lucky break slows global cyberattack; what's coming could be worse". Retrieved 14 May 2017.
  49. ^ a b c Helmore, Edward (13 May 2017). "Ransomware attack reveals breakdown in US intelligence protocols, expert says". The Guardian. Retrieved 14 May 2017.
  50. ^ "The Latest: Researcher who helped halt cyberattack applauded". Star Tribune. Retrieved 14 May 2017.
  51. ^ a b "WannaCry no Brasil e no mundo". O Povo (in Portuguese). 13 May 2017. Retrieved 13 May 2017.
  52. ^ "Ontario health ministry on high alert amid global cyberattack - Toronto Star". thestar.com.
  53. ^ "Bank of China ATMs Go Dark As Ransomware Attack Cripples China | Zero Hedge". www.zerohedge.com. 13 May 2017. Retrieved 14 May 2017.
  54. ^ a b c d e "Global cyber attack: A look at some prominent victims". elperiodico.com (in Spanish). 13 May 2017. Retrieved 14 May 2017.
  55. ^ "Instituto Nacional de Salud, entre víctimas de ciberataque mundial". 13 May 2017.
  56. ^ "France's Renault hit in worldwide 'ransomware' cyber attack". france24.com (in Spanish). 13 May 2017. Retrieved 13 May 2017.
  57. ^ "Weltweite Cyberattacke trifft Computer der Deutschen Bahn". faz.net (in German). 13 May 2017. Retrieved 13 May 2017.
  58. ^ Balogh, Csaba (12 May 2017). "Ideért a baj: Magyarországra is elért az óriási kibertámadás". HVG (in Hungarian). Retrieved 13 May 2017.
  59. ^ "Andhra police computers hit by cyberattack". Times of India. 13 May 2017. Retrieved 13 May 2017.
  60. ^ "Il virus Wannacry arrivato a Milano: colpiti computer dell'università Bicocca". repubblica.it (in Italian). 12 May 2017. Retrieved 13 May 2017.
  61. ^ "Parkeerbedrijf Q-Park getroffen door ransomware-aanval". Nu.nl (in Dutch). 13 May 2017. Retrieved 14 May 2017.
  62. ^ "PT Portugal alvo de ataque informático internacional". Observador (in Portuguese). 12 May 2017. Retrieved 13 May 2017.
  63. ^ "Atacul cibernetic global a afectat și Uzina Dacia de la Mioveni. Renault a anunțat că a oprit producția și în Franța". Pro TV (in Romanian). 13 May 2017.
  64. ^ "UPDATE. Atac cibernetic la MAE. Cine sunt hackerii de elită care au falsificat o adresă NATO". Libertatea (in Romanian). 12 May 2017.
  65. ^ "Massive cyber attack creates chaos around the world". news.com.au. Retrieved 13 May 2017.
  66. ^ "Researcher 'accidentally' stops spread of unprecedented global cyberattack". ABC News. Retrieved 13 May 2017.
  67. ^ "Компьютеры РЖД подверглись хакерской атаке и заражены вирусом". Radio Liberty. Retrieved 13 May 2017.
  68. ^ a b "Un ataque informático masivo con 'ransomware' afecta a medio mundo". elperiodico.com (in Spanish). 12 May 2017. Retrieved 13 May 2017.
  69. ^ "เซิร์ฟเวอร์เกม Blade & Soul ของ Garena ประเทศไทยถูก WannaCrypt โจมตี". blognone.com (in Thai). 13 May 2017. Retrieved 14 May 2017.
  70. ^ a b "Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France". The Independent. 13 May 2017. Retrieved 13 May 2017.
  71. ^ "What is Wannacry and how can it be stopped?". Ft.com. 12 May 2017. Retrieved 13 May 2017.
  72. ^ "Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms".
  73. ^ Thomson, Iain. "74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+".
  74. ^ Khomami, Nadia; Solon, Olivia (13 May 2017). "'Accidental hero' halts ransomware attack and warns: this is not over" – via The Guardian.
  75. ^ Solon, Olivia (13 May 2017). "'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack". The Guardian. London. Retrieved 13 May 2017.
  76. ^ Khandelwal, Swati. "It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'". The Hacker News. Retrieved 14 May 2017.
  77. ^ Foxx, Chris (13 May 2017). "Global cyber-attack: Security blogger halts ransomware 'by accident'". www.bbc.co.uk. Retrieved 13 May 2017.
  78. ^ Kan, Micael. "A 'kill switch' is slowing the spread of WannaCry ransomware". PC World. Retrieved 13 May 2017.
  79. ^ "Customer Guidance for WannaCrypt attacks". MSRC. Retrieved 13 May 2017.
  80. ^ Smith-Spark, Laura; Veselinovic, Milena; McGann, Hilary. "UK prime minister: Ransomware attack is global". CNN. Retrieved 13 May 2017.
  81. ^ "The ransomware attack is all about the insufficient funding of the NHS". The Guardian. 13 May 2017. Retrieved 14 May 2017.
  82. ^ "Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS". The Guardian. 13 May 2017. Retrieved 14 May 2017.
  83. ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". Retrieved 12 May 2017 – via The Guardian.
  84. ^ Hui, Sylvia; Breed, Allen G.; Heintz, Jim. "Lucky break slows global cyberattack; what's coming could be worse". Retrieved 14 May 2017.
  85. ^ "WannaCry: What is ransomware and how to avoid it". Al Jazeera. Retrieved 14 May 2017.
