WannaCry Attack – What we learnt

Following the Global Cyber Attack dubbed “WannaCry”, and the large amount of coverage it received, it’s worth taking a look at what actually happened in the attack that introduced the word “Ransomware” to the general public.


In April 2017, a hacking group called “The Shadow Brokers” released for free a set of hacking tools they had stolen from the NSA’s Equation Group. The NSA is the US equivalent to MI6.

Some of these tools were designed to exploit Windows Security holes, which the NSA had discovered but hadn’t told Microsoft about. This allowed the NSA to exploit these security vulnerabilities but also stopped Microsoft from producing a patch to secure end user machines.

The toolkit put into anyone’s hands – from teenagers in their bedroom to hardened criminal groups – a set of highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit the NSA used to hack into and secretly snoop on foreign governments, telcos, banks, and other organisations.

The Shadow Brokers had tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing them online for free anyway.

When the tools were released, Microsoft released a security patch to fix the vulnerabilities in the Windows operating systems. However, not everyone applied the critical security patch from Microsoft.

Fast forward 2 months…

Friday 12th May 2017

Late on the Friday afternoon, news broke that the NHS were suffering IT issues with surgeries and hospitals being told to switch off their computers. Within 30 minutes of the news breaking, images showing a Ransomware screen began circulating from within the NHS. The Ransomware was a version known as WannaDecrypt (aka WannaCry) and requested $300 to decrypt the data on each infected machine.

Unlike most Ransomware which relies on end users to click links on infected e-mails to infect their machines, WannaDecrypt utilised one of the vulnerabilities from the NSA leak and replicates itself across the network.. This means that infected machines look for other machines on the network and then uses network traffic to jump from machine to machine.

With the public seeing the NHS affected, TV and Radio news reports focused on the issue of patient data and whether this was breached.

It’s important to understand that Ransomware doesn’t steal information.

Ransomware encrypts the data on the infected device and then centrally stores the decryption key. You then have a set time to pay the ransom and get the decryption key, before the key is destroyed and your data lost.

Looking at various tweets referencing WannaDecrypt it transpired that Spain and Portugal had been victims to the Ransomware earlier on Friday morning. Companies affected included Vodafone, Natural Gas and Telefonica, who seem to have been hit hardest. (Telefonica are also the parent company of O2)

Telefonica provide some network connectivity into the UK and into the NHS. The NHS, who took the biggest hit in the UK, were a victim and not an intended target. What didn’t help the NHS was that 20% of their estate still runs Windows XP which is an end of life/end of support product, and the extended support they did have for security updates wasn’t renewed in 2016

Saturday 13th May 2017

On Saturday, a security blogger was looking at the code used by WannaCry and discovered that it tried to connect back to a website. When he checked the website domain didn’t exists, so he registered it with the aim of seeing what data was being sent back. It turns out that the website acted as a “Killswitch” and once the ransomware could see the site it stopped replicating.

Whilst the world rejoiced that the attack had been thwarted, companies across the globe were busy ensuring their systems were patched. Microsoft also release a security patch for their old unsupported operating systems to protect them as well (Windows XP, Windows 2003, Vista etc).

Future / Fallout

On the Sunday (14th May) the second wave of attacks started with two new variants of the Ransomware released into the wild. The first of these also had the killswitch code and so was easily stopped by registering the kill domain. The second didn’t have the killswitch code, however the developer had made a mistake in their code so that although it went after machines it couldn’t actually encrypt their data.

WannaCry affected over 250,000 machines in 150 countries. 333 people had paid the $300 ransom as of 25 May, but NONE of them had received a decryption key to gain access back to their files.

Wannacry Infographic

Comment (21)