University Cyber Operations Inc. Report: WannaCry Ransomware Analysis

Verified

Added on 2022/12/03

AI Summary

This report provides a comprehensive analysis of the WannaCry ransomware attack that occurred in 2017. It begins with an introduction highlighting the widespread impact of the attack across various sectors, including government, telecommunications, and gas. The report then delves into the target of the attack, which exploited the SMB protocol used by Windows machines, and the methods employed by WannaCry to propagate and encrypt files. It details the damage caused, including significant financial losses and disruptions to critical services like the National Health Service (NHS). The report also outlines the methods used to detect the attack, such as looking for file extensions and monitoring file activity. Furthermore, it identifies the alleged perpetrators and summarizes the key findings, including the global impact and risk mitigation strategies. The report concludes by emphasizing the importance of cybersecurity and proper security policies to prevent future attacks, positioning WannaCry as a significant cybercrime event.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: CYBER OPERATIONS INC
CYBER OPERATIONS INC
Name of the Student
Name of the University
Author Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1CYBER OPERATIONS INC
Table of Contents
Introduction..........................................................................................................................2
Discussion............................................................................................................................2
Target...................................................................................................................................2
Working of the attack..........................................................................................................3
Damage caused by attack.....................................................................................................4
Detection of attack...............................................................................................................4
Perpetrator............................................................................................................................5
Summarize of finding..........................................................................................................6
Conclusion...........................................................................................................................6
References............................................................................................................................8

2CYBER OPERATIONS INC
Introduction
In the year 2012, a ransomware attack affected a wide range of sectors which comprises
of government, telecommunication and lastly gas. At present, WannaCry affected around
300,000 systems that are located in 150 countries (Buczak and Guven 2015). Countries like
Russia and China are affected due to this attack as a result of usage of high percentage of
software. The overall spreading of this attack is reported in two days following the launch of the
attack. This has merely taken place as a result of discovery of ‘kill switch’ in their code. The
main motive of this attack is all about encrypting the file, disk and lock-in system (Gupta,
Agrawal and Yamaguchi 2016). This particular malware demanded ransomware of 300-600,
which is paid in around three bitcoins within three days of returning. This is mainly done for
decrypting the files of the user.
The coming pages of the report help us in highlighting the fact that this report is all about
target and working of ransomware attack. After that, damage due to attack and method of
detection of attack has been provided.
Discussion
Target
WannaCry aims to spread by using SMB (Server Message Block) protocol, that operates
in between the port 445 and 139. This is used by windows machine so that they can
communicate with file system on the provided network. With successful installation, this
particular ransomware scans for and makes propagation to some other risk devices (Bada, Sasse
and Nurse 2019). WannaCry mainly tends to assure if double pulsar has already affected the
machine or not. In April, Shadow group disclosed that double Pulsar and external Blue could

3CYBER OPERATIONS INC
easily exploit the SMB vulnerability. As a result of this attack, there was around 30-40 name of
public organization which are affected. Some of the affected organization are FedEx, Russian
Interior Ministry and many other. The routine surgery and appointed of doctor were cancelled as
a result of service covers. In China, more than 40,000 organizations are affected due to this. In
this ransomware attack, Russia appears to be badly hit (Carr 2016). Later on, Kaspersky lab
concluded the point that organization in Russia were using dated and unpatched system. This
attack was designed to be launched on international platform as it looks for ransom in around 28
languages.
Working of the attack
Phishing emails are taken to be initial vector which is used for the delivery of the
malware. There were no reports concerning public accessible, vulnerable SMB for spreading this
malware in worm like way. With the starting of the infection, WannaCry beacon out to the URL
of kill switches so that they can check if the given malware working in environment of sandbox
(Carr 2016). If the URL fail to make response, then the malware will start encrypting the victim
file by using AES-128 cypher. Files that are being used by WannaCry are provided with the
extension as. wncry. WannaCry aims to encrypt the victim files along with making changes in
their name. Any kind of new files are created by the help of following infection. A proper kind of
ransom note is displayed on the machine of the victim. It is completed by making use of text
from library of text formats files (Lee, Bagheri and Jin 2016). The whole thing is chosen
depending on location of machine. Ransom aims to demand the victim to pay 300 or 500 US
dollars. As soon as the system is infected, user need to see the screen with list of instruction to
pay the ransom amount.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4CYBER OPERATIONS INC
The overall cost of operation disruption has been considered to be significant. It is
considered to be variable by sector and other organization (Syed et al. 2016). The overall cost of
the organization is still not known and will differ for every kind of victim.
Damage caused by attack
WannaCry ransomware attack resulted in a cost of 100 million dollars to National Health
Services (NHS). This particular attack resulted in cancellation of around 19000 appointments.
NHS was not the only target of this global ransomware attack but along with this, many other fell
victim of the outbreak (Anwar et al. 2017). According to Europol, around 200,000 systems were
affected in more than 150 countries. Before this day, a report was published for concentration of
the attack in Russia. Due to this attack, hospital reported an increase in risk for patient by the
help of event like cancelled operation. On successful analysis, investigator found to have three
bitcoin address which belongs to the criminals. Investigator concluded that overall earning of the
criminals was around 35,000 dollars found on Sunday. At present, WannaCry is considered to be
the biggest threat ever which target the organization which have low IT security like hospital. In
this attack, only a small number of victim agree to pay for the ransom (Martin et al. 2018). Most
of the damage is caused as a result of low productivity and even result in loss of revenue due to
customers. After the attack, WannaCry aims to spread around 300,000 systems based in 150
different countries. Russia and China are two countries which were affected the most due to
usage of high percentage of legacy software.

5CYBER OPERATIONS INC
Detection of attack
The first variety of Ransomware makes use of small and specific file extension like.
Crypt. In this, each of the variety tends to make use of different extension and keep the name of
the file intact (Sahi 2017). There are five ways by which the attack can be detected like
Looking for File Extension: The overall list of file extension of ransomware is growing
at a rapid rate, but still it is the best method of detecting the suspicious activity (Huang, Siegel
and Stuart 2018). User needs to have file activity monitoring, which is used for real time and
historic record of the file.
Increase in names of the file: Renaming of file is not a common action when the activity
on the network shares the file (Lee, Bagheri and Jin 2016). In case of ransomware attack, it will
merely increase the rename of files as it gets the required data encrypted.
Building a sacrifice network share: As soon as the ransomware strikes the system, it
merely looks up for local files and then moves it to the network share. Sacrificial network can
easily share and act like a warning system (Chen and Bridges 2017). It will also delay the
ransomware for getting access to some of the crucial data.
Update of IDS system: Most of the IDS and firewall come up exploiting detection
feature. Exploit kits are mainly used for getting a way to the ransomware by the help of
compromised website and malspam.
Using client based anti-ransomware program: In the last few years, organization like
Malwarebytes have come up with anti-software application. It has been mainly designed so that
they can run on the background and block the attempt made by ransomware for encrypting data
(Buczak and Guven 2015). It also aims to monitor the windows registry for strings which are

6CYBER OPERATIONS INC
associated with the ransomware. The biggest issue with this kind of approach is that they need to
install client software on every network-based device.
Perpetrator
US official charged many of Alleged WannaCry hackers during this attack. One of the
alleged perpetrators behind this attack has been charged by US officials (Gupta, Agrawal and
Yamaguchi 2016). The report of NAO has discovered that this attack affected around 81 out of
236 trusts in whole of England directly and indirectly.
Summarize of finding
Details of Attack On 12 May 2017, ransomware affected on a variety of industries
like telecommunication and healthcare domains (Knowles et al.
2015). WannaCry aims to spread around 300,000 systems based in
150 countries.
Global Impact Around 30-40 public firms were affected by WannaCry Attack. Some
of the affected organization are Telefonica, FedEx and Russian interior
ministry.
Working of
WannaCry
Phishing mails were considered as the initial vector used in the
delivery of the malware. Files used by WannaCry come up with file
extension of. wncry (Bada, Sasse and Nurse 2019). After the infection,
WannaCry beacons out to the given URL of ‘kill switch’ so that they
can see if the malware is working in environment of sandbox.
Risk Mitigation User needs to check that the vulnerability management is robust in
nature. There is need for maintaining backup for the critical data of the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7CYBER OPERATIONS INC
account and overall rate of data generation (Carr 2016). Organization
need to come up with effective incident response plan.
Conclusion
The report helps us in reaching to the point about analysing and making aware of both
cyber-crime and ransomware. It is mainly done so that they do not become victim of crime next
time. This kind of crime can be prevented by making use of proper security policies. The report
helped in reaching the conclusion that WannaCry Ransomware attack 2017 is one of prestigious
attack that took place in last few years. Ransomware can be stated as a malicious code which is
being used by cyber-criminals so that they can launch lock screen and kidnapping data. More
than 30 public firm were impacted due to this attack. Some of them are are Russia Interior
Ministry, Telefonica (The largest telecommunication organization of Spain). Apart from this,
organization like FedEx were also affected due to this cyber-attack.

8CYBER OPERATIONS INC
References
Anwar, M., He, W., Ash, I., Yuan, X., Li, L. and Xu, L., 2017. Gender difference and employees'
cybersecurity behaviors. Computers in Human Behavior, 69, pp.437-443.
Bada, M., Sasse, A.M. and Nurse, J.R., 2019. Cyber security awareness campaigns: Why do they
fail to change behaviour?. arXiv preprint arXiv:1901.02672.
Buczak, A.L. and Guven, E., 2015. A survey of data mining and machine learning methods for
cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2), pp.1153-
1176.
Carr, M., 2016. Public–private partnerships in national cyber-security strategies. International
Affairs, 92(1), pp.43-62.
Chen, Q. and Bridges, R.A., 2017, December. Automated behavioral analysis of malware: A
case study of wannacry ransomware. In 2017 16th IEEE International Conference on Machine
Learning and Applications (ICMLA) (pp. 454-460). IEEE.
Gupta, B., Agrawal, D.P. and Yamaguchi, S. eds., 2016. Handbook of research on modern
cryptographic solutions for computer and cyber security. IGI global.
Huang, K., Siegel, M. and Stuart, M., 2018. Systematically understanding the cyber attack
business: A survey. ACM Computing Surveys (CSUR), 51(4), p.70.
Knowles, W., Prince, D., Hutchison, D., Disso, J.F.P. and Jones, K., 2015. A survey of cyber
security management in industrial control systems. International journal of critical
infrastructure protection, 9, pp.52-80.
Lee, J., Bagheri, B. and Jin, C., 2016. Introduction to cyber manufacturing. Manufacturing
Letters, 8, pp.11-15.

9CYBER OPERATIONS INC
Martin, G., Ghafur, S., Kinross, J., Hankin, C. and Darzi, A., 2018. WannaCry-a year on. BMJ:
British Medical Journal (Online), 361.
Sahi, S.K., 2017. A Study of WannaCry Ransomware Attack. International Journal of
Engineering Research in Computer Science and Engineering, 4(9), pp.5-7.
Syed, Z., Padia, A., Finin, T., Mathews, L. and Joshi, A., 2016, March. UCO: A unified
cybersecurity ontology. In Workshops at the Thirtieth AAAI Conference on Artificial
Intelligence.