An Oral History of WannaCry

Jason Sattler

14.05.18 6 min. read

WannaCry will go down in history, but what will history remember most?

The outbreak that began on May 12, 2017 is still the biggest ransomware attack in history, and the trojan ended up being responsible for 9 out of 10 ransomware detections by the end of 2017. It also was one of the few malware attacks that was directly attributed to a nation-state by other nation-states. And while the initial outbreak was quickly contained thanks to the quick thinking of a lone malware researcher, WannaCry continues to be incredibly prevalent, particularly in Asia.

Whether we’ll see more threats like WannaCry in the future remains to be seen. But there’s a lot to learn from an outbreak of this magnitude.

To mark this historic event, we asked a few of our researchers — Karmina Aquino, F-Secure Labs Service Lead; Sean Sullivan, Security Advisor; Andy Patel, Senior Manager Security Research and Technology; Jarno Niemelä, F-Secure Labs Principal Researcher; and Mikko Hypponen, F-Secure Chief Research Officer — to recollect what they thought as the outbreak surfaced and crested.

KARMINA
It was Friday morning in the US when the news hit, which means it was Friday evening in Helsinki. I was already halfway through my dinner when I got several SMSes from various managers asking about WannaCry.

SEAN
It was the first thing in a while that struck me as a crisis. Worms move fast, so it’s not something that could wait for regular business hours.

MIKKO
I was in Spain when the outbreak began. I first learned about it in a call from the office. WannaCry was spreading like wildfire at that point. And my phone didn’t stop ringing until my flight left.

ANDY
It was a Friday, and I was asked about the NHS [United Kingdom’s National Health Service] being hacked. I was in the middle of cooking something, but I went to the computer and checked Twitter, and realized the situation was already quite severe. But it was still escalating.

SEAN
I thought, what kind of @$$h0£3 pulls this on a Friday!

JARNO
Well, what I felt at the time was something like amazement and amusement, and I felt as if the clock had been turned back more than 10 years.

KARMINA
I became curious and immediately asked for the hash. We get malware escalations continuously and the moment it’s reported to us, our primary reaction is basically to start the investigation, primarily to see if our users are already protected.

ANDY
Ransomware that spreads that aggressively isn’t a great idea because it’s going to draw a lot of heat from authorities, who will immediately start looking into and taking down supporting infrastructure. It was the opposite of what we normally see in cyber crime. It wasn’t your everyday ransomware.

KARMINA
Upon checking, they were indeed protected. So I went online and ensured that the fellows on shift understood our protection status before the day ended.

SEAN
Our customers were already protected, but all of this needs to be checked, double checked, and triple checked to make sure we’re providing our customers and partners with accurate info. We also needed to make sure we were able to answer questions to address concerns from customers, partners, and the general public. It was very similar to the kind of crisis management atmosphere companies deal with when they’re attacked.

ANDY
We had a sudden conference call late Friday night. And there were a surprising number of people there considering the time. I spoke with some other Fellows who work in our Labs and we worked on preparing some comms (blog posts, tweets, etc.) to help answer questions from our partners, customers, and other stakeholders.

KARMINA
I continued to work during the weekend because it had been a while since we’d had this kind of outbreak, and I have to admit, the excitement reminded me of the network worms in the early 2000s.

MIKKO
By the morning, our team had picked the WannaCry code apart. And it appeared that the spread of WannaCry was halted by Marcus Hutchins, a 23-year-old British malware researcher, after finding a function in the code that could be used to stop its spread. A great development! But hospitals, car manufacturers, power stations, and companies operating trains all over the world were affected by the epidemic. I gave two interviews for the BBC from home via Skype. One of the interviews was for BBC World, with tens of millions of viewers. I think it went well.

SEAN
The United Kingdom’s National Health Service (NHS) probably really drove it home, because hospitals going down is serious. Hospitals getting hit is generally newsworthy, but multiple NHS locations is shocking and enough to cause panic. Stuxnet and Conficker instilled a similar sense of panic, but typically, events like these are years apart.

MIKKO
The aftermath continued after the weekend. There were a lot of infections in Asia that went unnoticed before the weekend. My phone continued to ring off the hook with calls from customers and journalists wanting to know more about the outbreak.

ANDY
This outbreak reminded me of Downadup (AKA Conficker), in that it had a lot of people working overtime when it hit. But Downadup had further-reaching consequences. After Downadup, we needed to develop new features in our products to handle certain features in the malware (such as USB propagation). In WannaCry’s case, no new functionality was needed, so the initial escalation was purely about understanding the malware itself.

JARNO
Cases like WannaCry should really not have happened, since just about everything should have a basic firewall configuration in place. But it once again turned out to be a case of organizations getting lazy with security mitigations for threats that had been extinct for too long.

KARMINA
Even though we always protect our customers, the global magnitude of the WannaCry infection still took us by surprise.

SEAN
That WannaCry utilized an NSA exploit also attracted a lot of attention—even though it wasn’t a 0-day exploit.

JARNO
WannaCry underlines the way our whole industry is still very young. We’re prone to go with the fad of the year, and forget past learnings, until they come for a reminder visit once again. It also was rather amusing that the many security layers we had been mocked for by some of our “next gen” competitors, which to them looked obsolete, proved to be the ones that stopped WannaCry, without us even being aware of the outbreak until we got info from external sources, as our users were fully protected, save for isolated cases of broken product settings and malfunctions.

ANDY
I remember waiting for someone to find an email attachment matching the initial infection vector for patient zero. But nobody ever found one. We eventually learned that the malware was initially spread by its SMB propagation mechanism – it was seeded to several vulnerable public-facing systems. This malware, had it not been made in a hurry, with a bunch of careless mistakes (such as the anti-emulation feature that allowed it to be shut down by simply registering a domain), could have been a lot worse. We dodged a bullet. WannaCry wasn’t nearly as devastating as it could have been. If this were to happen again, I’d expect fewer noob mistakes, and more damage.

KARMINA
No matter how many years we go without an outbreak, we cannot go complacent because it can still happen.
