A new strain of ransomware, called WannaCry or Wcry, has been spreading around the world, infecting hundreds of thousands of computers in 150 countries. As we explained in an earlier blog, ransomware is a type of malware that holds a computer’s files hostage by stealing and then deleting them—frequently by encrypting and then erasing the unencrypted data. The malware then proceeds to display a ransom notice demanding payment for the return of the data, typically in a cryptocurrency, of which the most common is bitcoin.
True to form, Wcry is encrypting computers and demanding payment in Bitcoin. What distinguishes this ransomware from most of the strains that have been seen so far is that it also spreads like a worm or virus. Whereas ransomware demands are typically targeted, involving large payments from single victims to recover data (e.g., a hospital in Hollywood paid USD 17,000 when it was hit), the current strain is demanding the relatively meager sum of USD 300–600. This demand applies for each computer, and with at least 230,000 computers infected worldwide, the originators of the malware stand to make a significant sum. It’s quite clear from both the low ransom demand and the fact that the ransom message is available in dozens of languages that the originators of the malware anticipated a worldwide spread.
A map of infections shows that countries all over the world have been infected. The effects have been worse in countries where older operating systems or pirated software are more prevalent, but major (and presumably technologically advanced) companies have also been hit. Spain’s biggest telecommunications company, Telefonica, has reportedly had 85% of its computers affected by the worm. In the UK, the National Health Service was apparently severely affected, and had reportedly responded by asking patients to seek treatment for only life-threatening emergencies. This could lead to another instance of “Silent Silent Cyber”.
What We Know
The malware copies an exploit, codenamed “EternalBlue,” that was previously used by the NSA. This exploit was released in mid-April by a group known as “The Shadow Brokers,” suspected of having hacked the NSA. The vulnerability targets Windows operating systems from Windows XP to Windows 2012, but a patch was released by Microsoft exactly one month before the exploit was made public. This patch only applied to currently supported operating systems (Windows Vista and later), meaning Windows XP was still vulnerable when the attack began on May 12. On May 13, Microsoft took the extremely unusual step of issuing patches for operating systems it no longer supports, including Windows XP and Windows 8.
Around the same time, the malware was inadvertently stopped by a security researcher. The creators of the malware had programmed it to check if it could connect to a particular domain: If it failed to connect, the malware would proceed with encryption; if it succeeded in connecting, the malware would terminate. Once the domain was registered, the malware was stopped in its tracks, worldwide.
Two explanations have been put forward as to why the malware was programmed with this particular behavior. The first explanation is that it was intended as a kill switch. The second explanation is that it was a sloppy attempt at trying to detect when the malware found itself in a sandbox—essentially an artificial environment used by security researchers where the malware cannot do any harm—and deactivate itself if it was, thus slowing down its analysis. A post by the security researcher who stopped the malware provides a more detailed explanation. Note that as of May 14, a new version of the malware has been detected; it does not have the aforementioned code and has resumed its spread. This has led to fears of a second wave of infections that has thus far not materialized.
Because the ransom demands are relatively small, the direct economic cost may be less than USD 100 million even if ransom is paid for all infected computers. As of this writing, it appears that only USD 34,000 has been paid. However, a bigger concern from a loss perspective is the business interruption that could result from companies having to shut down their systems, reformat computers, and recover their data from backups. Estimates of business interruption costs range from USD 1 billion to (a highly implausible) 4 billion. This is something that can be modeled today using AIR’s newly released cyber modeling platform, ARC. By choosing a common provider in ARC that has a similar market share to the percentage of companies that don’t have good patching cadence—or a set of common providers over a plausible range—one can immediately begin to model business interruption scenarios related to WannaCry.