WannaCry Ransomware Attack: A Comprehensive Cyber Analysis
Added on 2021/02/24
This report provides a comprehensive analysis of the 2017 WannaCry ransomware attack, examining the vulnerabilities exploited, the techniques used, and the motivations behind the attack. It delves into the impact on various organizations, including the NHS, and assesses the affected cybersecurity ...

Word Count: 2468
Contents
ABSTRACT
INTRODUCTION
CASE STUDY
The potential vulnerabilities that have led to the specific cyber attack
The type of access rights required to exploit a vulnerability
Entry point of the attack
The overall flow of the cyber-attack conduction
The parts of the system that failed
The impact on the assets affected, financial, reputation, data and third parties
The cyber security principle(s) were affected and in what ways
The type of attacker behind the attack and potential motivations
The level of technical sophistication required to exploit a vulnerability
The laws affected by the attack and which laws will be complied with in the future
Three ethical frameworks to assess the incident from a victim/adversary point of view
The Prevention/Detection/Mitigation Techniques
CONCLUSION
GROUP SUMMARY
REFERENCES

Abstract
With the rapidly increasing use of technology, the extensive collection and online storage of data,
and the ability to also make online payments, cyber security is integral to protecting our
personal data and even our finances. Through our investigation of the 2017 WannaCry attack,
we have overviewed possible techniques hackers may have used to break into the systems of
organisations and individuals, the way these techniques may have damaged/affected data of
organisations or individuals, the possible motivations behind the attack and how the attack was
solved. Thus, we have learnt possible ways to prevent or reduce the severity of such attacks and
ways of finding a kill switch to treat these incidents.
Introduction
This report aims to investigate one of the most famous ransomware attacks in history: the May
2017 WannaCry attack. This incident is a perfect representation of an active cyber-dependent
attack which threatened integrity and availability of data across multiple computer systems
world-wide, as this fraudulent attack involved file manipulation, through encryption, with
further malicious intentions, if crypto money wasn’t paid to the attackers.
In particular, this report will examine the vulnerabilities exploited, the techniques and technical
degree of these used, as well as the motivators behind the attack. Furthermore, this report will
overview the impact on groups of individuals and various large organisations across different
countries, the laws violated, in addition to the preventive measures and individuals involved at
the recovery stage of the attack. Moreover, this report will address the ethical morality implied
from a victim’s and adversary’s perspective.
Given our gained knowledge from the module in conjunction with further online research, this
report will: assess the effectiveness of the attack, outline how the attack could have caused a
bigger impact and propose further prevention measures that could have taken place for future
potential attacks of the same kind. Finally, this report will include the learning outcomes and
personal findings gained from our research on the case study.

Case Study
The potential vulnerabilities that have led to the specific cyber attack
Potential vulnerabilities highlighted include the fact that WannaCry was able to get past the
cybersecurity of organisations that did not have the patches provided by Microsoft or that were ‘using
older Windows systems that were past their end-of-life’. End-of-life refers to the ‘significance in
the production supportability & purchase of soft/hardware products’. Some argue that if it had
not been for the lack of education around the need to update the software this attack could have
been avoided. It was able to spread through corporate computers as it had a security exploit
(EternalBlue), which resulted in more than 200,000 computers over 150 countries being left
damaged.
The type of access rights required to exploit a vulnerability
Access control is a form of security that manages who and what can view or use resources within a
computing environment; it is essential in any business or organisation. The incident began with
the U.S. National Security Agency (NSA). The exploit was said to be stolen from someone within
the agency. However, instead of reporting the event to Microsoft they decided to use it for their
own personal gain and its ‘offensive work’. This means that they used it for ‘operations intended
to project power by the application of force in and through cyberspace’. Eventually, Microsoft
caught sight of the threat and, in March 2017, issued a security bulletin, ‘MS17-010’.
Entry point of the attack
Tens of thousands of computers had DoublePulsar installed into their software, meaning
that there was a high chance of vulnerability. This allowed the WannaCry code to take
advantage of the existing infection by DoublePulsar or install it. Once the malware is in the
computer it checks the “kill switch”. The “kill switch” was a feature in Windows applications
that disabled system-wide internet access if the VPN connection suddenly broke off or you
disconnected manually. That way, it protected all the apps without terminating them. If the
malware was unable to detect this switch it would begin to encrypt the data of the computer.
This attempts to exploit the SMB (Service Message Block) vulnerability and spread it out
(randomly) to thousands of computers, globally.
The overall flow of the cyber-attack conduction
On Friday 12 May 2017, the attack commenced. This was down to an exposed vulnerable SMB port
rather than email phishing, which everyone thought it was in the beginning. As with modern
ransomware, the payload displayed a message telling the user that their files had been
compromised and alongside this would demand a sum of ‘US$300 in Bitcoin within three days
or US$600 within seven days’. Once the victim cooperated with these demands, their money
would be deposited in “wallets” or hardcoded bitcoin addresses. These wallets
allowed the perpetrators to remain unknown, making the possibility of getting money back
virtually impossible.
The parts of the system that failed
The reign of WannaCry came to an end after Marcus Hutchins found a ‘kill switch domain
hardcoded in the malware’. Hutchins registered a domain name for the DNS sinkhole used; this
helped stop the attack spreading as a worm. The ransomware had only been able to encrypt
the computer's files if it had failed to connect to that domain. This did not help systems that had
already been infected but avoided and slowed the spread of initial infection in others. With this,
other defensive measures were able to be deployed internationally. On May 14th, 2017, Matt
Suiche registered a new and second kill switch, followed by a second variant with the third and
last kill switch on the 15th of May 2017.
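An added example, not part of the original report: once a kill-switch domain is sinkholed, a host that looks it up has very likely run the malware, so DNS logs double as an infection list, and firewall logs show which hosts are fanning out over SMB. The domain names, log formats, threshold and sample lines are constructed placeholders; the report does not give the real kill-switch domains.

```python
import re
from collections import defaultdict

# Placeholder names: the report does not give the real kill-switch domains.
# It mentions three kill switches, so the set holds three entries.
KILL_SWITCH_DOMAINS = {
    "killswitch-one.example",
    "killswitch-two.example",
    "killswitch-three.example",
}
SMB_PORT = 445
FANOUT_THRESHOLD = 5  # assumed: distinct SMB peers before a host is flagged

# Constructed log formats (not taken from any specific product):
#   DNS:      <time> <client ip> query <name> <type>
#   firewall: <time> <src ip> -> <dst ip>:<port> <action>
DNS_LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) query (\S+) (\S+)$")
FW_LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def kill_switch_clients(dns_lines):
    """Map each client that looked up a kill-switch domain to its first lookup time."""
    first_seen = {}
    for line in dns_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ts, client, name, _qtype = m.groups()
        if normalise(name) in KILL_SWITCH_DOMAINS:
            first_seen.setdefault(client, ts)
    return first_seen


def smb_fanout(fw_lines):
    """Map each source host to the set of distinct peers it tried on TCP 445.

    Denied attempts count too: a blocked connection is still a spreading attempt.
    """
    peers = defaultdict(set)
    for line in fw_lines:
        m = FW_LINE.match(line.strip())
        if m and int(m.group(4)) == SMB_PORT:
            peers[m.group(2)].add(m.group(3))
    return dict(peers)


def triage(dns_lines, fw_lines, threshold=FANOUT_THRESHOLD):
    """Label hosts for incident response from both evidence sources."""
    executed = kill_switch_clients(dns_lines)
    fanout = {h for h, p in smb_fanout(fw_lines).items() if len(p) >= threshold}
    report = {}
    for host in sorted(set(executed) | fanout):
        if host in executed and host in fanout:
            report[host] = "isolate: malware ran and host is spreading over SMB"
        elif host in executed:
            report[host] = "isolate: malware ran (kill-switch lookup)"
        else:
            report[host] = "investigate: SMB fan-out without kill-switch lookup"
    return report


# Constructed sample logs (addresses are private or documentation ranges).
SAMPLE_DNS = [
    "2017-05-12T09:01:02Z 10.0.0.5 query KillSwitch-One.example. A",
    "2017-05-12T09:01:05Z 10.0.0.7 query www.example.org A",
    "2017-05-12T09:03:10Z 10.0.0.9 query killswitch-two.example A",
    "2017-05-12T09:04:00Z 10.0.0.5 query killswitch-one.example A",
    "garbage line",
]
SAMPLE_FW = [
    f"2017-05-12T09:02:{i:02d}Z 10.0.0.5 -> 10.0.1.{i}:445 deny" for i in range(1, 7)
] + [
    f"2017-05-12T09:05:{i:02d}Z 10.0.0.8 -> 192.0.2.{i}:445 allow" for i in range(1, 7)
] + [
    "2017-05-12T09:06:00Z 10.0.0.7 -> 10.0.1.20:445 allow",   # ordinary file-share use
    "2017-05-12T09:06:30Z 10.0.0.9 -> 198.51.100.4:443 allow",  # not SMB
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_DNS, SAMPLE_FW).items():
        print(host, "-", label)
```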
The impact on the assets affected, financial, reputation, data and third parties and the scalability of the attack perspective
56 organisations, including some large multinational corporations, around the world were
affected by the WannaCry attack. These include Boeing, Dacia, FedEx, Hitachi, Honda, the NHS,
O2, Renault and 4 state governments of India. 200,000 devices were affected across 150
countries and the 4 most affected countries were Russia, Ukraine, India and Taiwan. As
mentioned, the NHS was one of the most affected organisations – up to 70,000 devices in
English and Scottish hospitals were attacked. The estimated cost to the NHS from this attack was
£92 million and 19,000 appointments were cancelled as hospitals didn't have access to patients'
data. As the NHS is a state-run organisation, this caused major debate between major political
parties on how to handle and recover from the attack. Other public organisations were also
affected by the attack, including 4 state governments of India - Gujarat, Kerala, Maharashtra and
West Bengal. In one district in Kerala, they were using pirated versions of Windows and other
affected devices across India did not have the latest security patches installed, forcing them to
later do so. Although WannaCry's impact in India was minimal, many state officials and police
departments were forced to temporarily work offline.
The cyber security principle(s) were affected and in what ways
In terms of whether the confidentiality, integrity or availability of the data was compromised –
the confidentiality of the data was not compromised as the attackers did not directly access any
of the data at any point. The integrity of the data was also not compromised as the data was not
modified or altered at any point, although the availability of the data was compromised, as data
was held at ransom and was inaccessible until the organisation paid the ransom (or for some
organisations, restored previous backups of the data). Thus, data was unavailable.
The type of attacker behind the attack and potential motivations
Although the "Lazarus Group" are considered major suspects as the perpetrators behind this
cyber-attack, hitherto, there is no concrete evidence to tie any group or individual to the attack
and no arrests or convictions have been made in relation to this attack. The "Lazarus Group" are
considered by western countries to be a "North Korean state-sponsored hacking organization",
thus, some western countries have asserted that the DPRK is behind the attack, but there is no
serious evidence to back up this claim. Also, taking into consideration that the DPRK of course
does not have many diplomatic allies, Russia is considered the DPRK’s second closest ally in the
world and was one of the countries most affected by WannaCry, it seems unlikely that North
Korea would initiate such an attack against a close ally. It seems more likely that the US were
trying to deflect their own failures of containing the exploit used to initiate the attack onto an
easy target and demonise them further. As WannaCry was a ransomware attack, an estimated
54.4 BTC were withdrawn as ransom, at the time of attack. This was worth an estimated £108k.
Taking the worldwide effect of this attack into consideration, £108k does not seem like a large
sum. It would seem as if the main goal of this attack was to purely create disruption, although
this is pure speculation and the main goal behind the attack is still unclear. Considering that this
attack mainly targeted large organisations who would have backups of their data thus would not
need to pay a ransom to retrieve their data rather than individuals who would be more likely to
pay the ransom, it does seem more likely that the attack was not money-driven and was purely
trying to cause disruption.
The level of technical sophistication required to exploit a vulnerability
The attack was done by simply utilising an exploit developed by the U.S. National Security
Agency (NSA) called "EternalBlue". EternalBlue exploits a vulnerability in Windows, and the
NSA did not alert Microsoft of this vulnerability, so it would not be patched. Although Microsoft
were eventually able to patch this security vulnerability, hacker group "Shadow Brokers" leaked
the vulnerability just a month later which was used to attack older unsupported systems
(Windows XP systems, etc.) and other machines that had not yet installed the security patch.
The laws affected by the attack and which laws will be complied with in the future
Firstly, the WannaCry attack is considered a cyber-crime as it violates the UK “1990 Computer
Misuse Act” under the “modification of computer material” principle. During the WannaCry
attack, users were blocked from their computer system’s files which had been
modified/corrupted and made unavailable until a bitcoin transfer was processed to the
attackers. The victims were threatened with further offences such as file deletion if this transfer
was not made, again complying to this law breach.
Furthermore, the WannaCry attack is considered a crime under the UK “2007/2015 Serious
Crime Act” law, as this violation is an example of fraudulent activity. Under the eyes of this law,
this crime could have led to bigger risk/damages if the large organizations, such as the NHS, didn’t
apply back-up preventive measures, to recover the corrupted files of patients’ records.
Moreover, the WannaCry attack violates multiple principles of the UK “1998 Data Protection
Act”, not only from an adversary’s perspective, but from the organizations affected as well. The
NSA identified Microsoft’s vulnerability and warned its OS users to keep “personal data up to
date” and carry out “appropriate technical processing in case of data destruction” so that it
could be “processed lawfully”. Organizations that failed to do so are argued to be to blame1.
Finally, the WannaCry act could have violated the UK “2016/2018 GDPR” law, if it were officially
implemented at the time of the attack. Other UK laws studied do not comply with this attack as it
was halted before they would comply, or are irrelevant to the scenario.
Three ethical frameworks to assess the incident from a victim/adversary point of view
From a Deontological ethical point of view, where ethics are based entirely on the eyes of
the law, or what is seen as correct in the code of conduct, the victim is right in criminalizing the
attackers, as the incident complies to multiple law violations, as analyzed above.
In addition, if the attack was reviewed with a Utilitarian mindset, where ethics are judged
against what benefits the majority of the people involved, the attackers are still seen as
criminals since more than 150 countries in the world were affected by the attack and not just
the majority, but all of them could argue, this act was not beneficial for anyone other than the
attackers themselves, in any way.
Finally, if the event is viewed from a Virtue ethical way and analyzed the scenario entirely based
on the situation and not just focusing on the law, this act would still be considered morally
unethical. If the cyber hack was carried out to warn Microsoft users of the vulnerability and
easiness to attack the system, like the NSA did, it could be seen as morally ethical.
The Prevention/Detection/Mitigation Techniques
Prevention techniques are those that are imposed before an attack occurs, to avoid being
affected. In the WannaCry attack, most large organizations were barely impacted by the incident
as they had backed up their data, updated their systems, or firewalls blocked SMB as part of
their preventive security measures. Other organizations or individuals that were actually
affected might not have taken such measures as they can be costly in terms of storage, where
external memory servers might be required, and time consuming; from the CIA’s
perspective, security measures might sometimes mean slower performance and higher
economic expenditure.
Regardless of having high prevention measures, detection measures are those required so that if
a system is actually hacked, the incoming attack can easily be detected/foreseen and avoided.
The NSA had already detected the existing vulnerabilities in Microsoft systems, through
EternalBlue and DoublePulsar tools, but as the CIA argues, individuals might not have run these
updates for comfort/economical reasons. However, unlike other ransomware attacks, file
extension/naming detection techniques or the use of Intrusion Detection Systems were not
possible detection techniques since the worm was spread automatically across vulnerable
systems rather than file downloads, making the attack hard to avoid.
Mitigation techniques are those that are imposed once a computer system has successfully been
hacked and are required as part of the recovery stage of the attack, to reduce the severity. As a
mitigation technique, large organizations were advised to completely shut down their systems,
and various security experts investigated the attack to try and find a kill switch. The recovery
technique that actually solved the WannaCry attack involved reviewing the attack’s code itself,
where it was discovered that if you register a specific domain, the attack would shut down.
Conclusion
The WannaCry 2017 attack is one of the most famous world-wide ransomware attacks in
history, despite it not being as effective or damaging to large organisations as it could have been,
thanks to the prevention, detection and mitigation measures taken by these companies. The
attack has definitely served as a lesson to everyone, by reminding us of the importance of having an
updated operating system, creating backups and being aware of malicious links/file downloads
to avoid getting hacked. The cost of not taking these preventive measures may result in higher
inconveniences than if they are implemented in the first place.
Group Summary
We have learnt that in the information system context, no organization or system is immune
from cyber-attack.
The main measure to prevent our system from cyber-attacks is to change our mindset when it
comes to security by improving our methods, learning new IT skills and getting to know new
technology trends.
Organizations of every size should have strong cybersecurity measures available, not just for the
fact that their data needs to be protected regardless but for the sake of their customers'
confidentiality, availability and integrity. Although the WannaCry attack was not aimed at one
specific organisation, it highly exposed vulnerabilities and an urgent need for information
system improvement across the industry.
Since the WannaCry attack, many organisations have followed recommendations to strengthen
their systems and make them able to respond to and prevent cyber threats. Alongside this,
many companies across the world have taken several additional steps to strengthen their
resilience for when the next attack occurs. To make this possible, every cybersecurity
entity is accountable for providing the necessary actions and measures, such as alerts
concerning new threats, technical expertise, resources, and monitoring and management services
before and during incidents.