May 12, 2017 CONFIDENTIAL & PROPRIETARY

Overview



Wikimedia Commons


On May 12, 2017, a massive, worldwide ransomware attack occurred. The first major news coverage involved attacks on Telefonica services in Spain and the National Health Service (NHS) in the United Kingdom. As of 1530 PDT, a total of 80,975 attacks had occurred in 205 countries. The widespread nature of the attack led the Internet Storm Center at the SANS Institute to raise its threat level to Yellow for the first time since 2015, and only the 23rd time since 2002.

The ransomware being used is known by several names, the most common being WannaCry and WanaCrypt0r 2.0. Once a system is encrypted with WannaCry, it locks the system and demands a ransom of USD 300 (EUR 275), to be paid in Bitcoin, for the release of the files. Users have a total of seven days to pay the ransom before the files are deleted, and according to the lock screens on infected machines, the ransom amount doubles after three days.

WannaCry was able to infect many of the machines because they were running outdated Microsoft operating systems and had not applied recent security updates and patches. The method of exploitation is being referred to as EternalBlue, which was leaked by a hacking group known as the Shadow Brokers. The exploit was allegedly part of a tool suite used by the United States National Security Agency (NSA). Microsoft released a security patch for the vulnerability on March 14, 2017.

Although the encryption of many forms of ransomware has been broken, allowing free decryption tools to be distributed so that users can recover their files without paying a ransom, WannaCry's encryption has not yet been broken. As such, users of infected systems are left with two options: pay the ransom or lose their data.


Timeline of Attacks


The initial WannaCry attacks appear to have struck in Spain and the United Kingdom at approximately 0145 PDT. Over the following 14 hours, WannaCry infected a total of 80,975 systems in 205 countries worldwide and was continuing to generate new attacks. Based on available data from a variety of security research companies, it appears that although the attacks began in the United Kingdom and Spain, the country that had received the most attacks as of 1530 PDT was Russia.


Effects of Attacks


The massive scale of the WannaCry attacks has far-reaching effects, both economically and logistically. Due to the attacks on the NHS, one of the primary concerns when the attacks initially occurred was access to patient medical files: while systems were locked down under ransom, all files were encrypted and inaccessible. Additionally, infected systems used to manage communications or other infrastructure can cause significant operational impediments because they can no longer be accessed.

If all 80,975 machines infected as of 1530 PDT were to pay the ransom, the attacker(s) would generate USD 24,292,500 (EUR 22,218,411). Given that the attacks are ongoing as of this writing, as well as the potential for users to wait until their files are about to be deleted before paying (resulting in the higher, doubled ransom rate), the attacker(s) could yield considerably more.

An interesting side effect of the attacks is the rapid rate at which anti-malware vendors updated their sites to ensure that prevention of WannaCry was mentioned on their main pages. Also, many data backup and data storage companies used the events surrounding the ransomware attack to emphasize the importance of regularly backing up data and storing it at remote sites to maintain a safe backup.


Analyst Comment


The attacker(s) are currently unknown. The use of Bitcoin wallets to receive ransom payments makes it more difficult to track the funds being transferred. Based on information currently available, the attacker(s) appear to have gambled on a high number of machines vulnerable to the EternalBlue exploit not having installed the security update and patch that was made available eight weeks ago. Additionally, there appears to be no specific area targeted in these attacks, which are occurring on an unprecedented scale. Typically, attacks of this type target a specific country or industry, whereas WannaCry appears to target indiscriminately. Pinkerton assesses that although EternalBlue is the only vector of infection being mentioned, there are likely multiple methods of infection aiding the rapid and worldwide spread of WannaCry. Further, Pinkerton advises against paying ransoms on ransomware, as there is no guarantee that your data will be properly decrypted, and there is a high likelihood that your data has already been stolen or corrupted. It is always advisable to install security updates and patches provided by manufacturers to aid in the prevention of future infections. While third-party anti-malware and anti-virus products can help prevent infections, they must also be kept up to date.

Prepared By: Paul Monhollen, the United States



ABOUT PINKERTON

Pinkerton traces its roots to 1850 when Allan Pinkerton founded the Pinkerton National Detective Agency. Today, Pinkerton offers organizations a range of corporate risk management services from security consulting and investigations to executive protection, employment screening and security intelligence. With employees and offices worldwide, Pinkerton maintains an unmatched reputation for protecting clients and their assets around the globe.