WannaCry ransomware appeared in May 2017, opening with a massive attack that hit vulnerable SMB services, railways, telcos, universities, the UK's NHS, and more. The ransomworm strain infected over 300,000 computers in over 150 countries, yet netted the criminals only about $90,000, a tiny sum relative to the number of infections. WannaCry was, to date, the biggest ransomware outbreak in history and it caused the world to take notice of ransomware.
The IT systems of around 40 National Health Service hospitals across the UK were affected by this attack. Non-emergency operations had to be suspended and ambulances were diverted as a result of the infection. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood" for a cyberattack in which someone is physically harmed; this was one.
A North Korean attack?
A North Korean hacking group is suspected to be behind the worldwide WannaCry attack, which caused an estimated 1 billion dollars in damage and mainly hit unpatched Windows 7 machines. Symantec and Kaspersky malware labs are investigating technical evidence that possibly suggests the North's involvement: they report finding code in an earlier version of the WCry ransomware that had also been used in tools deployed by the Lazarus Group, which is reportedly run by the North Korean government. The graph below, from Symantec, shows how quickly WannaCry spread:
This is spy territory, and the best way to approach attribution is to deal in probabilities and intelligence estimates that are never 100%, unless you can hack into the machines of the actual coders behind an attack, which is very unlikely. That said, there is a 70–80% chance that WannaCry originated in North Korea based on the forensic evidence seen so far.
Short ransomware deadline
The ransom starts at $300 if you pay within 6 hours, then doubles to $600 for up to 3 days later. The ransomware threatens to delete the files completely if you don't pay within a week, and displays an ominous countdown timer to the deletion. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action, and a sense of hope is granted by the ability to decrypt a sample selection of the files for free.
Infection vector NOT phishing - this is a powerful ransomworm
Security experts initially thought the infection vector was a mass phishing campaign sending its potential victims fake invoices. However, SophosLabs VP Simon Reed said this looks like a worm from start to finish: "There were no outlook.exe files anywhere, nothing but a compromised Windows SMB driver as the starting point. So far, we haven’t found anything but evidence of a network worm."
So this outbreak was a throwback to the network worms of the early 2000s. But instead of just noise and network downtime, it carried a far more damaging ransomware payload that brought many organizations to a halt.
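A worm that spreads over SMB leaves a very recognizable trace in connection logs: one internal host contacting many distinct hosts on TCP/445 within a short window, which no ordinary file-sharing client does. The following detector is an added example (not code from the original article or from any vendor named in it) that flags that fan-out pattern over a constructed, whitespace-separated connection log of the form `timestamp src dst dport`; the log format, addresses, window and threshold are assumptions chosen for the example.

```python
# Added example: flag hosts that behave like an SMB worm -- one source
# contacting many distinct hosts on TCP/445 in a short sliding window.
# Log format, addresses, window and threshold are assumptions for this demo.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SMB_PORT = 445
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse 'ISO8601Z src dst dport' into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()[:4]
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport)


def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `threshold` distinct hosts on TCP/445 inside some `window`-long
    sliding window. Non-SMB connections are ignored so a busy web client or
    a vulnerability scanner on other ports does not trip the rule."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # src -> deque of (time, dst) still in window
    peak = {}
    for when, src, dst, dport in events:
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((when, dst))
        while q and when - q[0][0] > window:  # evict events older than window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


def build_sample_log():
    """Constructed sample log (not real data): one worm-like host, one normal
    workstation talking to a few file servers, and one host fanning out on
    port 80, which must not be reported."""
    base = datetime(2017, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime(TS_FMT)
    lines = []
    # Infected host sweeps 10.0.6.1-30 on 445 within 30 seconds.
    for i in range(1, 31):
        lines.append(f"{stamp(base + timedelta(seconds=i))} 10.0.5.17 10.0.6.{i} 445")
    # Normal workstation reaches three file servers over a few minutes.
    for i, server in enumerate(("10.0.1.10", "10.0.1.11", "10.0.1.12")):
        lines.append(f"{stamp(base + timedelta(minutes=i))} 10.0.5.40 {server} 445")
    # Noisy host fanning out on HTTP: not the SMB worm pattern.
    for i in range(1, 31):
        lines.append(f"{stamp(base + timedelta(seconds=i))} 10.0.5.99 10.0.7.{i} 80")
    return lines


if __name__ == "__main__":
    for src, count in detect_smb_fanout(build_sample_log()).items():
        print(f"ALERT worm-like SMB fan-out from {src}: {count} distinct targets/60s")
```

Against the constructed log this reports only `10.0.5.17`, which reaches 30 distinct hosts on 445 in under a minute; the workstation with three file servers and the port-80 scanner stay silent. The threshold is deliberately a parameter: on a real network, tune it against a baseline of legitimate SMB fan-out (backup servers, management jump hosts, vulnerability scanners) and allow-list those sources rather than raising the threshold for everyone.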
The infection - an NSA 0-day exploit
WannaCry uses what were originally NSA tools, the ETERNALBLUE SMBv1 exploit and the DOUBLEPULSAR kernel backdoor it installs, which were made public earlier this year by a group calling itself the ShadowBrokers. Microsoft fixed the underlying SMBv1 flaw in the MS17-010 update in March 2017, but many organizations have not applied it yet, and the worm needs only one unpatched, reachable host on port 445 to get in.
Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. It is unclear how the ShadowBrokers got their hands on these NSA tools; theories range from a contractor leak to Russian counter-intelligence trying to hint that American intelligence should back off.
What you can do if you are infected:
The Register has a good write-up with more in-depth technical details.