A couple of things about the WannaCry cyberattack are certain – it was the largest ransomware outbreak to date and it is a scary preview of things to come.
The ransomware infected more than 200,000 systems in over 150 countries and demanded $300 in bitcoin per victim to decrypt the files it had taken hostage. The ransom note warned that the price would double if payment was not made within three days, and that the files would be deleted after seven.
Thankfully, the danger from the global cyberattack is fading. Two security researchers greatly slowed the spread by registering a domain name the malware checked before infecting a machine; that check behaved as a kill switch, halting the original strain on machines that could reach the domain, though it did nothing for files already encrypted. Hard-hit organisations such as the UK’s National Health Service are bouncing back.
Though relatively few of those affected were desperate enough to actually pay the ransom, the attack has served as a live demonstration of a new type of global threat, one that could encourage future hackers.
Researchers are still puzzling out how WannaCry got started. The malware spread rapidly inside computer networks by exploiting a flaw in the SMB file-sharing service of Windows, mostly on older or unpatched versions. The exploit was purportedly developed and stockpiled for use by the US National Security Agency; it was subsequently stolen and published on the internet in April 2017 by a group calling itself the Shadow Brokers. Microsoft had released a patch for the flaw in March, so the machines hit were those that had not applied it or that ran versions no longer supported.
But it remains unclear how WannaCry got onto computers in the first place. Experts said its rapid global spread suggests it did not rely on phishing, in which fake emails tempt the unwary to click on infected documents or links. Analysts at the European Union cybersecurity agency said the attackers likely scanned the internet for systems exposing the vulnerable service (SMB on TCP port 445) and exploited those computers remotely; once inside a network, the worm component repeated the same scan against other hosts it could reach.
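The scanning behaviour described above leaves a recognisable trace in network logs: one host touching many distinct addresses on TCP/445 in a short time, most of them refused. The following detector is an added example, not code from the article or from any named vendor. The log format (timestamp, source, destination, destination port, outcome) and the sample lines are constructed for the illustration; replace `parse_line()` to fit a firewall, Zeek or NetFlow export.

```python
"""Flag worm-like SMB fan-out in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # distinct 445 targets inside one window


def parse_line(line):
    """Parse a constructed line such as
    '2017-05-12T10:00:01Z 10.0.1.25 10.0.1.100 445 REJECT'."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), outcome


def detect_smb_fanout(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source: peak distinct SMB destinations} for every source whose
    distinct TCP/445 destinations within any sliding window reach `threshold`."""
    by_src = defaultdict(list)            # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def build_sample_log():
    """Constructed sample: one host sweeping 40 neighbours on 445 in 40 seconds
    (mostly refused), one host talking repeatedly to a single file server,
    plus one unrelated HTTPS connection."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i)
        outcome = "ACCEPT" if i % 10 == 0 else "REJECT"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.1.25 10.0.1.{100 + i} 445 {outcome}")
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.1.40 10.0.1.5 445 ACCEPT")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} 10.0.1.40 93.184.216.34 443 ACCEPT")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in detect_smb_fanout(build_sample_log()).items():
        print(f"possible SMB scanner: {src} reached {n} distinct hosts on 445")
```

The file-server client never trips the rule because it talks to one destination, however often. A vulnerability scanner or a backup server produces the same fan-out as a worm, so known scanners should be allowlisted and the threshold tuned to the network rather than taken from this example.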
Once established, WannaCry encrypted the user’s files and displayed a message demanding $300 to $600 worth of the digital currency bitcoin to release them. Failure to pay would leave the data scrambled and, because the decryption key was held only by the attackers, beyond repair unless users had backup copies the malware could not reach, such as offline or versioned backups.
Typical ransomware generates a unique bitcoin address for each victim to make tracing the payments harder. WannaCry did not: all victims were directed to one of three hard-coded bitcoin addresses, which investigators are now watching closely.
Bitcoin addresses are pseudonymous rather than anonymous. Every transaction is recorded on a public ledger, so funds can be followed from address to address until they reach one tied to an identifiable person or service, such as an exchange that verifies its customers’ identities. So far, there have been no withdrawals from those three addresses.
Given the scope of the attack, relatively few victims appear to have paid. According to a Twitter account that monitors the three addresses, they had received less than $100,000 as of Friday.
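The tracing described above works by walking the public transaction graph forward from the ransom addresses. The code below is an added example, not code from the article or from any blockchain-analysis vendor. The transactions, the `ransom_*` labels (which are not the real WannaCry addresses) and the owner list are constructed for the illustration; real tracing would read transactions from a full node or a block-explorer API.

```python
"""Follow coins forward from known ransom addresses on a transaction graph
(added example with constructed data)."""
from collections import deque

# Constructed graph. Each tx spends from the addresses in `inputs` and pays the
# addresses in `outputs` (amounts in BTC). Placeholder labels, not real addresses.
TXS = [
    {"txid": "t1", "inputs": ["ransom_A"],
     "outputs": {"hop1": 6.0, "ransom_A": 0.5}},            # 0.5 BTC change back
    {"txid": "t2", "inputs": ["hop1"],
     "outputs": {"hop2a": 3.0, "hop2b": 2.9}},              # split across two addresses
    {"txid": "t3", "inputs": ["hop2a"],
     "outputs": {"exchange_X_deposit": 2.99}},              # cash-out attempt
    {"txid": "t4", "inputs": ["unrelated"],
     "outputs": {"hop2b": 1.0}},                            # unrelated money commingled
]
RANSOM_ADDRESSES = ["ransom_A", "ransom_B", "ransom_C"]
KNOWN_OWNERS = {"exchange_X_deposit": "Exchange X customer deposit"}   # assumed label


def spends_by_address(txs):
    """Index: address -> transactions that spend from it."""
    index = {}
    for tx in txs:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def unspent_sources(txs, addresses):
    """Addresses among `addresses` from which nothing has ever been spent
    (the 'no withdrawals so far' check)."""
    index = spends_by_address(txs)
    return [a for a in addresses if a not in index]


def trace_forward(txs, start_addresses, known_owners):
    """Breadth-first walk from the start addresses along spending transactions.

    Returns (hops, identified): `hops` maps every reached address to its
    distance in transactions from a start address; `identified` maps reached
    addresses with a known owner to that owner. The walk stops at a known
    owner, since from that point the funds are the owner's to account for."""
    index = spends_by_address(txs)
    hops = {a: 0 for a in start_addresses}
    identified = {}
    queue = deque(start_addresses)
    while queue:
        addr = queue.popleft()
        if addr in known_owners:
            identified[addr] = known_owners[addr]
            continue
        for tx in index.get(addr, []):
            for out in tx["outputs"]:
                if out not in hops:
                    hops[out] = hops[addr] + 1
                    queue.append(out)
    return hops, identified


if __name__ == "__main__":
    print("never spent from:", unspent_sources(TXS, RANSOM_ADDRESSES))
    hops, identified = trace_forward(TXS, RANSOM_ADDRESSES, KNOWN_OWNERS)
    for addr, owner in identified.items():
        print(f"{addr} ({hops[addr]} hops from a ransom address) -> {owner}")
```

The walk marks every downstream output as tainted, including change returned to the sender and the commingled funds at `hop2b`, so it over-approximates; real tracers add change-address heuristics and proportional taint, and a mixing service or CoinJoin transaction breaks the simple forward walk entirely.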
Several sets of investigators have now reported tentative findings that suggest hackers linked to North Korea may be involved.
Russian security firm Kaspersky Lab said portions of the WannaCry code match code found in malware previously distributed by the Lazarus Group. Another security company, Symantec, reported the same findings, which it characterised as intriguing but “weak” associations, since the code could have been copied from the Lazarus malware by someone else.
Two law enforcement officials likewise said US investigators suspect North Korea based on the code similarities, though the finding is preliminary.
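The shared-code comparison behind these findings, and the reason it is weak evidence on its own, can be shown with a crude stand-in for what analysts do: chop each file into every overlapping 8-byte window and count the windows two files have in common. This is an added example, not code from the article, Kaspersky Lab or Symantec. The byte strings are seeded random data, not real malware; `SHARED_ROUTINE` stands in for the routine the samples reportedly share, and the copycat sample is a hypothetical third party that lifted the same routine.

```python
"""Measure shared code between samples by byte n-gram overlap (added example)."""
import random

N = 8  # window length in bytes; long enough that chance collisions are negligible


def ngrams(data: bytes, n: int = N) -> set:
    """All overlapping n-byte windows of `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_count(sample: bytes, reference: bytes, n: int = N) -> int:
    """Number of n-byte windows present in both files."""
    return len(ngrams(sample, n) & ngrams(reference, n))


def shared_fraction(sample: bytes, reference: bytes, n: int = N) -> float:
    """Fraction of the sample's windows that also occur in the reference."""
    s = ngrams(sample, n)
    return len(s & ngrams(reference, n)) / len(s) if s else 0.0


def _blob(rng: random.Random, size: int) -> bytes:
    """Seeded pseudo-random filler standing in for unrelated code."""
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed samples (seeded so the numbers are reproducible).
_rng = random.Random(2017)
SHARED_ROUTINE = _blob(_rng, 400)                               # 400 bytes in common
LAZARUS_SAMPLE = _blob(_rng, 3000) + SHARED_ROUTINE + _blob(_rng, 3000)
WANNACRY_SAMPLE = _blob(_rng, 5000) + SHARED_ROUTINE + _blob(_rng, 1000)
COPYCAT_SAMPLE = _blob(_rng, 6000) + SHARED_ROUTINE             # hypothetical: routine lifted by a third party
UNRELATED_SAMPLE = _blob(_rng, 6400)


if __name__ == "__main__":
    for name, sample in [("WannaCry", WANNACRY_SAMPLE), ("copycat", COPYCAT_SAMPLE),
                         ("unrelated", UNRELATED_SAMPLE)]:
        print(f"{name}: {shared_count(sample, LAZARUS_SAMPLE)} shared windows, "
              f"{shared_fraction(sample, LAZARUS_SAMPLE):.1%} of the sample")
```

A 400-byte routine yields 393 shared windows whether it sits in the WannaCry stand-in or in the copycat, and none at all in unrelated data: the measurement detects reuse, not authorship, which is exactly why Symantec called the link weak. Real comparisons work on disassembled functions rather than raw bytes and weigh how idiosyncratic the shared code is, but the limitation is the same.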
The exact nature of the Lazarus Group, a serious player in the cybercrime world, is cloudy. It is thought to be a mixture of North Korean hackers operating in cahoots with Chinese ‘cyber-mercenaries’ willing at times to do Pyongyang’s bidding.
The group, classed as an ‘advanced persistent threat’, has been connected to some very sophisticated operations, including an attempt to breach dozens of banks this year, the theft of $81 million from the Bangladesh central bank last year, the 2014 wiper attack on Sony Pictures and DarkSeoul, which targeted the South Korean government and businesses in 2013.
“The Lazarus Group’s activity spans multiple years, going back as far as 2009,” Kaspersky Lab said in a report last year. “Their focus, victimology, and guerrilla-style tactics indicate a dynamic, agile and highly malicious entity, open to data destruction in addition to conventional cyberespionage operations.”
WannaCry could also serve as a template for future cyberattacks. Salim Neino, CEO of Kryptos Logic, for instance, said the leak of the NSA hacking tools has significantly narrowed the gap between nation-states and cyber gangs.
“The concern has always been, when the real bad guys, the ones that don’t care about rules of engagement, the ones who are really out to hurt us, become cyber-capable?” he told The Associated Press.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said the rush to blame North Korea distracts from bigger issues — software vulnerabilities resulting from manufacturers’ refusal to incorporate security into their software development, organisations’ failure to protect their systems and client data, and the responsibility of governments to “manage, secure, and disclose discovered vulnerabilities. Global attacks are the new normal.”