The global cyberattack of May 2017 was detected in 150 countries and affected more than 200,000 computers, according to Europol, the European Union's law enforcement agency. It is one of the largest attacks of its kind ever carried out.
This was a ransomware attack using software called WanaCrypt0r 2.0, better known as WannaCry, which spreads by exploiting a vulnerability in the Windows SMBv1 file-sharing service. Microsoft released a security update for that flaw (MS17-010) in March 2017, but computers that had not installed it remained vulnerable, and because the worm component needs no user interaction it could move from one unpatched machine to the next on its own.
Several well-known institutions fell victim to the attack, including FedEx, Nissan, the UK's National Health Service, Deutsche Bahn, the Russian Central Bank, Russian Railways, Russia's Interior Ministry, Megafon and Telefónica.
How successful was this cyberattack?
Well, to be honest, it depends on whose perspective you take. Certainly, the event caused significant disruption. In the UK, for example, hospitals were crippled by the cyberattack, forcing operations to be cancelled and ambulances to be diverted. That would suggest the attack was a success. On the flip side, however, the ransom paid so far is reported to be only around the $55,000 mark (at the time of writing), which does not sound like a successful day's work for the perpetrators if their intention was purely to extort money.
The spread of the attack was brought to a sudden halt when a UK cybersecurity researcher, Marcus Hutchins, tweeting as @malwaretechblog, discovered a 'kill switch' in the malicious software and, without at first realising the effect it would have, activated it.
The kill switch was hardcoded into the malware, apparently so that its creator could stop it spreading. Before doing anything else, the malware tries to connect to a very long, nonsensical domain name, just as a browser would when looking up a website. If the request succeeds, meaning the domain is live, the malware exits without encrypting files or spreading further; if the request fails, the attack proceeds. The check is therefore only as good as the infected machine's route to the internet: a host that cannot reach the domain, for example because it is firewalled off or only has web access through a proxy the malware does not use, fails the check and is encrypted regardless. The domain cost $10.69 to register and was immediately receiving thousands of connections every second.
Mr Hutchins explained that he bought the domain because his company, Kryptos Logic, a Los Angeles-based threat intelligence company, tracks botnets, and by registering such domains they can get an insight into how a botnet is spreading. 'The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain', he said.
Mr Hutchins said he planned to hold onto the domain, and that he and colleagues were collecting the IP addresses of the machines connecting to it and passing them to law enforcement agencies so that infected victims, not all of whom may be aware they have been affected, could be notified.
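The same kind of triage can be done inside an organisation without waiting for a notification: any host that tried to resolve the kill-switch domain ran the malware, whether or not the connection then succeeded and stopped it. The following is an added example, not code from the article or from Kryptos Logic, that scans BIND-style DNS query logs for lookups of the kill-switch domain and lists the hosts involved with first and last sighting. The log lines are constructed for the example, and `KILL_SWITCH_DOMAIN` is a placeholder because the article does not name the real domain; substitute the sinkholed domain when running it on real logs.

```python
import re
from datetime import datetime

# Assumption: the article does not name the kill-switch domain, so a placeholder
# is used here; replace it with the real sinkholed domain for real log analysis.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample in BIND-style query-log format (not real captured traffic).
SAMPLE_LOG = """\
12-May-2017 14:52:11.004 client 10.20.5.17#49152: query: www.example.org IN A + (10.20.0.53)
12-May-2017 14:52:13.219 client 10.20.5.17#49153: query: killswitch-domain.example IN A + (10.20.0.53)
12-May-2017 14:52:13.220 client 10.20.5.17#49153: query: killswitch-domain.example IN A + (10.20.0.53)
12-May-2017 14:52:40.871 client 10.20.7.3#51000: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.20.0.53)
12-May-2017 14:53:02.555 client 10.20.9.88#55021: query: mail.example.org IN MX + (10.20.0.53)
12-May-2017 15:01:19.113 client 10.20.7.3#51004: query: killswitch-domain.example IN A + (10.20.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the regex does not recognise
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        # Normalise the name: DNS is case-insensitive and may log a trailing dot.
        qname = m.group("qname").lower().rstrip(".")
        yield ts, m.group("ip"), qname


def find_kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {'first_seen', 'last_seen', 'count'}} for every host
    that resolved the kill-switch domain. A lookup shows the malware executed
    on that host; it does not show whether the follow-up connection succeeded,
    so every host listed needs investigation, not just the ones with encrypted files."""
    hosts = {}
    for ts, ip, qname in parse_query_log(text):
        if qname != domain.lower():
            continue
        rec = hosts.setdefault(ip, {"first_seen": ts, "last_seen": ts, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["count"] += 1
    return hosts


def report(hosts):
    """Order suspected hosts by first sighting, for hand-off to the IR team."""
    rows = sorted(hosts.items(), key=lambda kv: kv[1]["first_seen"])
    return [
        f"{ip}  first={r['first_seen']:%H:%M:%S}  last={r['last_seen']:%H:%M:%S}  lookups={r['count']}"
        for ip, r in rows
    ]


if __name__ == "__main__":
    for row in report(find_kill_switch_lookups(SAMPLE_LOG)):
        print(row)
```

The earliest first-seen entry is a good candidate for patient zero on the network, and the timestamps can be compared against SMB connection logs to reconstruct the worm's hop sequence. The same matching logic applies to proxy or firewall logs; only the regex needs to change.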
The perpetrators' ransom demand is $300 in Bitcoin for the release of the files on each affected computer, with the note threatening to double the price after three days. With around 200,000 computers affected, that points to a potential payout of about $60,000,000. However, as mentioned above, only around $55,000 had been paid at the time of writing, roughly 0.09% of the possible total.
Demanding payment in Bitcoin makes sense on one level, because payments can be made without revealing an identity. However, every Bitcoin transaction is recorded permanently in the public blockchain, so investigators can attach an identifier to each address involved and build up a picture of the payment patterns between addresses. In a ransom situation such as this one the victims are the payers and the perpetrators' addresses are the payees: when a victim reveals their identity and the transaction they made, the receiving address is confirmed as the attackers', and any further movement of funds out of that address can be followed in the hope that it eventually reaches a point, such as an exchange account, where the perpetrators can be identified and caught.
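The following added example, which is not code from the article, shows the two directions of that analysis on a constructed transaction list: working backwards from the ransom address to the wallets that paid into it (the victims, who can corroborate their payment), and walking forwards from the ransom address through every later spend to see where the funds end up. The addresses and amounts are labelled placeholders, not real chain data, and the forward walk is the crude "poison" taint rule in which every output of a transaction that spends tainted coins is itself treated as tainted.

```python
from collections import deque

# Constructed transaction list (not real chain data). Addresses are labelled
# placeholders rather than real Bitcoin addresses. Each entry has a txid, the
# input addresses spent, and (output address, amount in BTC) pairs.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victim_wallet_1"], "outputs": [("ransom_addr", 0.17)]},
    {"txid": "t2", "inputs": ["victim_wallet_2"], "outputs": [("ransom_addr", 0.17)]},
    {"txid": "t3", "inputs": ["ransom_addr"],     "outputs": [("hop_1a", 0.30), ("hop_1b", 0.03)]},
    {"txid": "t4", "inputs": ["hop_1a"],          "outputs": [("exchange_deposit", 0.299)]},
    {"txid": "t5", "inputs": ["unrelated_a"],     "outputs": [("unrelated_b", 1.5)]},
]


def identify_payers(txs, ransom_addrs):
    """Backward step: addresses that paid into the ransom addresses (the victims),
    with the amount each one sent. Victims who come forward let investigators
    confirm that the receiving address really belongs to the perpetrators."""
    payers = {}
    for tx in txs:
        paid = sum(amt for addr, amt in tx["outputs"] if addr in ransom_addrs)
        if paid > 0:
            for addr in tx["inputs"]:
                payers[addr] = payers.get(addr, 0) + paid
    return payers


def trace_forward(txs, seed_addrs):
    """Forward step: breadth-first walk following every spend out of the seed
    addresses. Returns {address: (hops_from_seed, [txids along the path])}.
    Any output of a transaction that spends tainted coins is marked tainted."""
    spends = {}  # address -> transactions that spend from it
    for tx in txs:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    reached = {a: (0, []) for a in seed_addrs}
    queue = deque(seed_addrs)
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        for tx in spends.get(addr, []):
            for out_addr, _ in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = (hops + 1, path + [tx["txid"]])
                    queue.append(out_addr)
    return reached


def total_received(txs, addrs):
    """Sum of everything ever paid into the given addresses (the public ransom tally)."""
    return sum(amt for tx in txs for addr, amt in tx["outputs"] if addr in addrs)


if __name__ == "__main__":
    seeds = {"ransom_addr"}
    print("received:", round(total_received(SAMPLE_TXS, seeds), 8), "BTC")
    print("payers:", identify_payers(SAMPLE_TXS, seeds))
    for addr, (hops, path) in sorted(trace_forward(SAMPLE_TXS, seeds).items(), key=lambda kv: kv[1][0]):
        print(f"{addr}: {hops} hop(s) via {path or ['-']}")
```

The point of the forward walk is the `exchange_deposit` style endpoint: a cash-out at a service that performs identity checks is where a pseudonymous address becomes a person. In practice the simple taint rule over-counts, since a transaction with many inputs and outputs (a mixer, or an exchange's hot wallet) taints everything it touches, so real investigations combine it with change-address and common-input-ownership heuristics and with information obtained from the services themselves.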
How to prevent a cyberattack
When the cyberattack first came to light, Microsoft took the unusual step of releasing the March fix for versions of Windows it no longer supports, such as Windows XP and Windows Server 2003, so that even those older systems could be patched against the SMBv1 flaw the malware uses to spread.
The National Crime Agency (NCA) in the UK has been working with its international partners, such as Europol, Interpol and the FBI, to identify who is behind the attack. In the meantime, it has offered advice to firms and individuals to help prevent an attack of this type succeeding again:
- make sure your security software patches are up to date
- make sure that you are running anti-virus software
- back up your data in multiple locations, including offline
- avoid opening unknown email attachments or clicking on links in spam emails
- victims of fraud should report it to Action Fraud
- we encourage the public not to pay any ransom demand.
How can ICA help?
ICA qualifications are a globally recognised benchmark of competence and excellence in the fields of anti-money laundering, compliance and financial crime prevention. There are courses to suit all levels of knowledge and experience.
View the full list of courses here