WannaCry ransomware attack

While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end of life.

These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

WannaCry is a ransomware cryptoworm, which targets computers running the Microsoft Windows operating system by encrypting (locking) data and demanding ransom payments in the Bitcoin cryptocurrency.

On 9 May 2017, private cybersecurity company RiskSense released code on GitHub with the stated purpose of allowing legal white hat penetration testers to test the CVE-2017-0144 exploit on unpatched systems.

Several organizations released detailed technical write-ups of the malware, including a senior security analyst at RiskSense,[31][32] Microsoft,[33] Cisco,[13] Malwarebytes,[27] Symantec, and McAfee.

Experts quickly advised affected users against paying the ransom, because there were no reports of people getting their data back after payment and because high revenues would encourage more such campaigns.

The head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]".

On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed denial-of-service attack on WannaCry's kill-switch domain with the intention of knocking it offline.

The cybersecurity companies[86] Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[87] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).

This could also be either simple re-use of code by another group[88] or an attempt to shift blame—as in a cyber false flag operation;[87] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.

Brad Smith, the president of Microsoft, said he believed North Korea was the originator of the WannaCry attack,[90] and the UK's National Cyber Security Centre reached the same conclusion.

President Donald Trump's Homeland Security Advisor, Tom Bossert, wrote an op-ed in The Wall Street Journal about this charge, saying "We do not make this allegation lightly.

One of the largest agencies struck by the attack was the National Health Service hospitals in England and Scotland,[103][104] and up to 70,000 devices—including computers, MRI scanners, blood-storage refrigerators and theatre equipment—may have been affected.

A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it.

Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

On 17 May 2017, United States bipartisan lawmakers introduced the PATCH Act[167] that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".

Two subpanels of the House Science Committee were to hear the testimonies from various individuals working in the government and non-governmental sector about how the U.S. can improve its protection mechanisms for its systems against similar attacks in the future.

Later, globally dispersed security researchers collaborated online to develop open-source tools[172][173] that allow for decryption without payment under some circumstances.

Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".

Arne Schönbohm, president of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is.

The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.

Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that—due to their technical design and market incentives—eventually won't be able to properly receive and apply patches.

Map of the countries initially affected[101]