Examine individual changes

'{{Use dmy dates|date=May 2019}} {{Infobox event | title = WannaCry | image = Wana Decrypt0r screenshot.png | image_size = | image_alt = | caption = Screenshot of the ransom note left on an infected system | english_name = | time = | duration = 4 days | date = 12 May 2017 – 15 May 2017 <br />(initial outbreak)<ref>{{cite web|url=https://www.vox.com/new-money/2017/5/15/15641196/wannacry-ransomware-windows-xp|title=The WannaCry ransomware attack was temporarily halted. But it’s not over yet.|publisher=}}</ref> | location = Worldwide | also_known_as = Transformations:<br />Wanna &rarr; Wana<br />Cryptor &rarr; Crypt0r<br />Cryptor &rarr; Decryptor<br />Cryptor &rarr; Crypt &rarr; Cry<br />Addition of "2.0"<br />Short names:<br />Wanna &rarr; WN &rarr; W<br />Cry &rarr; CRY | type = [[Cyberattack]] | theme = [[Ransomware]] encrypting files with $300 – $600 [[United States dollar|USD]] demand (via [[bitcoin]]) | cause = {{plainlist|* WannaCry worm * }} | first_reporter = | budget = | patron = <!-- or |patrons= --> | organisers = <!-- or |organizers= --> | filmed_by = | participants = | outcome = Over 200,000 victims and more than 300,000 computers infected<ref>{{cite web|url=http://www.abc.net.au/news/2017-05-15/ransomware-attack-to-hit-victims-in-australia-government-says/8526346|title=Ransomware attack still looms in Australia as Government warns WannaCry threat not over|publisher=Australian Broadcasting Corporation|access-date=15 May 2017}}</ref><ref>{{cite web|url=https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/|title=Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It|first=Dell|last=Cameron|work=[[Gizmodo]]|access-date=13 May 2017}}</ref><ref name="threaten release">{{cite news|url=https://tribune.com.pk/story/1423609/shadow-brokers-threaten-release-windows-10-hacking-tools/|title=Shadow Brokers threaten to release Windows 10 hacking tools|newspaper=The Express Tribune|date=31 May 2017|accessdate=31 May 2017}}</ref> | reported missing = | reported property damage = | inquiries = | inquest = | coroner = | arrests = None | suspects = [[Lazarus Group]] | accused = Two North Koreans Indicted | convicted = | charges = | trial = | verdict = | convictions = None | sentence = | publication_bans = | litigation = | awards = | blank1_label = <!-- or |blank1_data= --> | blank2_label = <!-- or |blank2_data= --> | notes = }} {{Infobox computer virus | fullname = WannaCry | image = | caption = | common_name = | technical_name = | aliases = | family = | classification = | type = | subtype = [[Ransomware]] | isolation_date = | origin = [[Pyongyang]], [[North Korea]] | infection_vector = | author = [[Lazarus Group]] | ports_used = | OS = | filesize = | language = }} The '''WannaCry ransomware attack''' was a May 2017 [[Global issue|worldwide]] [[cyberattack]] by the WannaCry [[ransomware]] [[cryptovirology|cryptoworm]], which targeted computers running the [[Microsoft Windows]] [[operating system]] by encrypting data and demanding ransom payments in the [[Bitcoin]] [[cryptocurrency]]. It propagated through [[EternalBlue]], an exploit developed by the United States [[National Security Agency]] (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called [[The Shadow Brokers]] a few months prior to the attack. While [[Microsoft]] had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their [[end-of-life (product)|end-of-life]]. The attack was halted within a few days of its discovery due to emergency patches released by Microsoft and the discovery of a [[kill switch]] that prevented infected computers from spreading WannaCry further. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of [[United States dollar|dollars]]. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country. In December 2017, the [[United States]], [[United Kingdom]] and [[Australia]] formally asserted that [[North Korea]] was behind the attack.<ref>{{cite news|url=https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537|title=It’s Official: North Korea Is Behind WannaCry|newspaper=[[The Wall Street Journal]]|date=18 December 2017|accessdate=19 December 2017|author=Thomas P. Bossert}}</ref> A new variant of WannaCry forced [[Taiwan Semiconductor Manufacturing Company]] (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018. The virus spread to 10,000 machines in TSMC's most advanced facilities.<ref>{{Cite news|url=https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html?_m=3n.009a.1802.pa0ao0cjb7.13po|title=TSMC Chip Maker Blames WannaCry Malware for Production Halt|work=The Hacker News|access-date=7 August 2018|language=en-us}}</ref> ==Description== WannaCry is a [[ransomware]] [[cryptovirology|cryptoworm]], which targeted computers running the [[Microsoft Windows]] [[operating system]] by encrypting data and demanding ransom payments in the [[Bitcoin]] [[cryptocurrency]]. The worm is also known as WannaCrypt,<ref name="microsoftreleases">{{cite web|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|title=Customer Guidance for WannaCrypt attacks|publisher=[[Microsoft]]|access-date=13 May 2017|last1=MSRC Team}}</ref> Wana Decrypt0r 2.0,<ref>{{cite web|url=https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today|title=Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica. |date=12 May 2017|website=Avast Security News|publisher=Avast Software, Inc|author1=Jakub Kroustek}}</ref> WanaCrypt0r 2.0,<ref name=":0">{{Cite news|url=https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/ |title=An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak|last=Fox-Brewster|first=Thomas|work=[[Forbes]] |access-date=12 May 2017}}</ref> and Wanna Decryptor.<ref name="auto">{{Cite news|url=https://www.wired.co.uk/article/wanna-decryptor-ransomware |title=Wanna Decryptor: what is the 'atom bomb of ransomware' behind the NHS attack?|last=Woollaston|first=Victoria |work=WIRED UK|access-date=13 May 2017|language=en-GB}}</ref> It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the [[EternalBlue]] exploit to gain access, and the [[DoublePulsar]] tool to install and execute a copy of itself.<ref name="talos" /> WannaCry versions 0, 1, and 2 were created using [[Microsoft Visual C++#vc6|Microsoft Visual C++ 6.0]].<ref name="doj">{{cite news |url=https://www.justice.gov/opa/press-release/file/1092091/download |title=Criminal Complaint |date=8 June 2018 |first=Nathan P. |last=Shields |publisher=[[United States Department of Justice]]}}</ref> EternalBlue is an [[Exploit (computer security)|exploit]] of Windows' [[Server Message Block]] (SMB) protocol released by [[The Shadow Brokers]]. Much of the attention and comment around the event was occasioned by the fact that the U.S. [[National Security Agency]] (NSA) (from whom the exploit was likely stolen) had already discovered the vulnerability, but used it to create an exploit for its own [[National Security Agency#Hacking operations|offensive work]], rather than report it to Microsoft.<ref name="independent">{{cite news|url=https://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html|title=NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack|newspaper=[[The Independent]]|access-date=13 May 2017}}</ref><ref name="telegraph">{{cite web|url=https://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/|title=NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history |access-date=13 May 2017|work=[[The Daily Telegraph]]}}</ref> Microsoft eventually discovered the vulnerability, and on [[Patch Tuesday|Tuesday]], 14 March 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that [[Security patch|patches]] had been released for all Windows versions that were currently supported at that time, these being [[Windows Vista]], [[Windows 7]], [[Windows 8.1]], [[Windows 10]], [[Windows Server 2008]], [[Windows Server 2008 R2]], [[Windows Server 2012]], and [[Windows Server 2016]].<ref name="Ars Technica">{{Cite news|url=https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/|title=NSA-leaking Shadow Brokers just dumped its most damaging release yet|work=Ars Technica|access-date=15 April 2017|language=en-us}}</ref> DoublePulsar is a [[Backdoor (computing)|backdoor]] tool, also released by [[The Shadow Brokers]] on 14 April 2017. Starting from 21 April 2017, security researchers reported that there were tens of thousands of computers with the DoublePulsar backdoor installed.<ref>{{Cite news |url=https://arstechnica.com/uwusecurity/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/ |title=10,000 Windows computers may be infected by advanced NSA backdoor|last=Goodin|first=Dan|work=ARS Technica |access-date=14 May 2017|language=en-US}}</ref> By 25 April, reports estimated that the number of infected computers could be up to several hundred thousand, with numbers increasing every day.<ref>{{Cite news |url=https://arstechnica.com/security/2017/04/nsa-backdoor-detected-on-55000-windows-boxes-can-now-be-remotely-removed/|title=NSA backdoor detected on >55,000 Windows boxes can now be remotely removed |last=Goodin |first=Dan |work=[[ARS Technica]]|access-date=14 May 2017|language=en-US}}</ref><ref>{{Cite news|url=http://www.silicon.co.uk/security/nsa-malware-security-210253|title=NSA Malware 'Infects Nearly 200,000 Systems' |last=Broersma |first=Matthew |work=Silicon|access-date=14 May 2017|language=en-US}}</ref> The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.<ref name=talos>{{Cite web |url=http://blog.talosintelligence.com/2017/05/wannacry.html|title=Player 3 Has Entered the Game: Say Hello to 'WannaCry' |website=blog.talosintelligence.com|access-date=16 May 2017}}</ref><ref>{{cite web|first=Dell |last=Cameron |url=https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/ |title=Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It |website=Gizmodo |date=13 May 2017 |access-date=15 May 2017}}</ref><ref>{{cite web |url=https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/ |title=How One Simple Trick Just Put Out That Huge Ransomware Fire |work=Forbes |date=24 April 2017 |access-date=15 May 2017}}</ref> On 9 May 2017, private cybersecurity company RiskSense released code on the website github.com with the stated purpose of allowing legal “white hat” penetration testers to test the CVE-2017-0144 exploit on unpatched systems. When executed, the WannaCry malware first checks the "[[Kill switch#Software|kill switch]]" domain name; if it is not found, then the ransomware [[Encryption software|encrypts]] the computer's data,<ref name=":1">{{Cite news|url=https://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/|title=Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency|work=The Telegraph|access-date=12 May 2017|language=en-GB}}</ref><ref name=syma /><ref>{{Cite news|url=https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html|title=Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool|last=Bilefsky|first=Dan|date=12 May 2017 |work=The New York Times|access-date=12 May 2017|last2=Perlroth|first2=Nicole|issn=0362-4331}}</ref> then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,<ref name=mbytes>{{cite web|last1=Clark|first1=Zammis|title=The worm that spreads WanaCrypt0r|url=https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/|website=Malwarebytes Labs |publisher=malwarebytes.com|access-date=13 May 2017}}</ref> and "laterally" to computers on the same network.<ref name=mcafee>{{cite web |last1=Samani|first1=Raj|title=An Analysis of the WANNACRY Ransomware outbreak|url=https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/|publisher=McAfee|access-date=13 May 2017}}</ref> As with other modern ransomware, the [[payload (computing)|payload]] displays a message informing the user that files have been encrypted, and demands a payment of around US$300 in [[bitcoin]] within three days, or US$600 within seven days.<ref name=syma>{{cite web|title=What you need to know about the WannaCry Ransomware|url=https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware|publisher=Symantec Security Response |access-date=14 May 2017}}</ref><ref>{{Cite news|url=https://www.wsj.com/articles/more-cyberattack-victims-emerge-as-agencies-search-for-clues-1494671938|title=More Cyberattack Victims Emerge as Agencies Search for Clues|last=Thomas|first=Andrea|date=13 May 2017|work=[[The Wall Street Journal]]| access-date=14 May 2017 | last2=Grove | first2=Thomas | issn=0099-9660 | last3=Gross | first3=Jenny}}</ref> Three [[Hard coding|hardcoded]] bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the [[cryptocurrency wallet]] owners remain unknown.<ref>{{cite web|last1=Collins |first1=Keith |title=Watch as these bitcoin wallets receive ransomware payments from the global cyberattack|url=https://qz.com/982993/watch-as-these-bitcoin-wallets-receive-ransomware-payments-from-the-ongoing-cyberattack/|work=Quartz|access-date=14 May 2017}}</ref> Several organizations released detailed technical writeups of the malware, including a senior security analyst at RiskSense,<ref>{{cite web| first1=|last1= |title=MS17-010 (SMB RCE) Metasploit Scanner Detection Module|url=https://zerosum0x0.blogspot.com/2017/04/ms17-010-smb-rce-metasploit-scanner.html|website=@zerosum0x0|publisher=@zerosum0x0|access-date=18 Apr 2017}}</ref><ref>{{cite web| first1=|last1= |title=DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis|url=https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html|website=@zerosum0x0|publisher=@zerosum0x0|access-date=21 Apr 2017}}</ref> Microsoft,<ref>{{cite web| first1=|last1= |title=WannaCrypt ransomware worm targets out-of-date systems|url=https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/|website=TechNet|publisher=Microsoft|access-date=20 May 2017}}</ref> [[Cisco Systems|Cisco]],<ref name=talos /> [[Malwarebytes]],<ref name=mbytes /> [[NortonLifeLock|Symantec]] and [[McAfee]].<ref name=mcafee /> ==Attack== The attack began on Friday, 12 May 2017,<ref name=naked /><ref>{{cite web|last1=Newman|first1=Lily Hay|title=The Ransomware Meltdown Experts Warned About Is Here|url=https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/|website=[[Wired (magazine)|Wired]] |access-date=13 May 2017}}</ref> with evidence pointing to an initial infection in Asia at 07:44 UTC.<ref name=naked>{{cite web |last1=Brenner|first1=Bill|title=WannaCry: the ransomware worm that didn’t arrive on a phishing hook |url=https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/|website=Naked Security |publisher=Sophos|access-date=18 May 2017}}</ref><ref>{{cite web|last1=Yuzifovich|first1=Yuriy|title=WannaCry: views from the DNS frontline |url=https://www.nominum.com/tech-blog/wannacry-views-dns-frontline/|website=Security and Data Science|publisher=nominum|access-date=18 May 2017}}</ref> The initial infection was likely through an exposed [[Vulnerability (computing)|vulnerable]] SMB port,<ref>{{Cite news |url=https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/|title=An NSA-derived ransomware worm is shutting down computers worldwide|last=Goodin|first=Dan|work=ARS Technica|access-date=14 May 2017|language=en-US}}</ref> rather than email phishing as initially assumed.<ref name=naked /> Within a day the code was reported to have infected more than 230,000 computers in over 150 countries.<ref name=":3">{{cite news|url=https://www.bbc.com/news/world-europe-39907965|title=Cyber-attack: Europol says it was unprecedented in scale|date=13 May 2017|work=BBC News |access-date=13 May 2017|language=en-GB}}</ref><ref name=cnbc1>{{cite web|title='Unprecedented' cyberattack hits 200,000 in at least 150 countries, and the threat is escalating|url=https://www.cnbc.com/2017/05/14/cyber-attack-hits-200000-in-at-least-150-countries-europol.html|publisher=CNBC|access-date=16 May 2017|date=14 May 2017}}</ref> Organizations that had not installed Microsoft's security update from April 2017 were affected by the attack.<ref name=exploit>{{cite news|url=http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit|title=WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit|work=[[eWeek]]|access-date=13 May 2017}}</ref> Those still running [[End-of-life (product)|unsupported]] versions of [[Microsoft Windows]], such as [[Windows XP]] and [[Windows Server 2003]]<ref name=vicexp>{{cite web|url=https://motherboard.vice.com/en_us/article/nhs-hospitals-are-running-thousands-of-computers-on-unsupported-windows-xp|title=NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP|website=Motherboard |access-date=13 May 2017}}</ref><ref name="unsupported">{{cite web|title=Microsoft issues ‘highly unusual’ Windows XP patch to prevent massive ransomware attack|url=https://www.theverge.com/2017/5/13/15635006/microsoft-windows-xp-security-patch-wannacry-ransomware-attack|website=The Verge|publisher=Vox Media|accessdate=13 May 2017}}</ref> were at particularly high risk because no security patches had been released since April 2014 for Windows XP (with the exception of one emergency patch released in May 2014) and July 2015 for Windows Server 2003.<ref name="microsoftreleases" /> A [[Kaspersky Lab]] study reported however, that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.<ref name="microsoftreleases" /><ref name=":2">{{cite web|title=Almost all WannaCry victims were running Windows 7|url=https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics|website=The Verge|publisher=Vox Media|accessdate=29 May 2017}}</ref> In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.<ref name="verge-xpimpact"/><ref name="kl-twoweekslater">{{cite web|title=WannaCry: Two Weeks and 16 Million Averted Ransoms Later |url=https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html|publisher=Kryptos Logic|accessdate=30 May 2017}}</ref><ref>{{Cite web|url=https://www.newsit.gr/kosmos/pagkosmios-tromos-pano-apo-100-xores-xtypisan-oi-xakers-poy-zitoyn-lytra/1023246/|title=Παγκόσμιος τρόμος: Πάνω από 100 χώρες “χτύπησε” ο WannaCry που ζητάει λύτρα!|last=|first=|date=13 May 2017|website=newsit.gr|url-status=live|archive-url=|archive-date=|access-date=}}</ref> === Defensive response === Experts quickly advised affected users against paying the ransom due to no reports of people getting their data back after payment and as high revenues would encourage more of such campaigns.<ref name="NS">{{cite journal|date=17 May 2017|title=Ransomware attack hits 200,000 computers across the globe|url=https://www.newscientist.com/article/mg23431263-500-ransomware-attack-hits-200000-computers-across-the-globe/|journal=New Scientist}}</ref><ref name="BBC">{{Cite web|url=https://www.bbc.com/news/technology-39920269|title=Should you pay the WannaCry ransom?|last=Baraniuk|first=Chris|publication-place=BBC|publication-date=15 May 2017}}</ref><ref>{{cite news|last1=Palmer |first1=Danny |title=Ransomware: WannaCry was basic, next time could be much worse {{!}} ZDNet|url=https://www.zdnet.com/article/ransomware-wannacry-was-basic-next-time-could-be-much-worse/|work=ZDNet|access-date=22 May 2017|language=en}}</ref> As of 14 June 2017, after the attack had subsided, a total of 327 payments totaling US$130,634.77 (51.62396539 XBT) had been transferred.<ref>{{cite web|title=@actual_ransom tweets |url=https://twitter.com/actual_ransom?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fqz.com%2F982993%2Fwatch-as-these-bitcoin-wallets-receive-ransomware-payments-from-the-ongoing-cyberattack%2F|website=Twitter|access-date=19 May 2017}}</ref> The day after the initial attack in May, Microsoft released out-of-band security updates for end of life products [[Windows XP]], [[Windows Server 2003]] and [[Windows 8]]; these patches had been created in February of that year following a tip off about the vulnerability in January of that year.<ref>{{cite web|last1=Thompson|first1=Iain|title=While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February|url=https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/|accessdate=19 December 2017|website=The Register|date=16 May 2017}}</ref><ref name="unsupported" /> Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.<ref>{{Cite news|url=https://www.defensorum.com/global-reports-wannacry-ransomware-attacks/|title=Global Reports of WannaCry Ransomware Attacks - Defensorum|date=18 August 2017|work=Defensorum|access-date=16 October 2017|language=en-US}}</ref> The head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]”.<ref>{{Cite news|url=https://www.theguardian.com/technology/2017/jun/14/wannacry-attacks-prompt-microsoft-to-release-updates-for-older-windows-versions |title=WannaCry attacks prompt Microsoft to release Windows updates for older versions|last=Hern|first=Alex|date=14 June 2017 |work=The Guardian|access-date=14 June 2017|language=en-GB|issn=0261-3077}}</ref><ref>{{Cite news|url=https://www.computing.co.uk/ctg/news/3011916/microsoft-rushes-out-patch-for-windows-xp-to-prevent-another-wannacry-attack-via-a-shadow-brokers-release|title=Microsoft rushes out patch for Windows XP to prevent another WannaCry attack via a Shadow Brokers release |last= |first=|date=14 June 2017|work=Computing.com|access-date=14 June 2017|language=en-GB|issn=0261-3077}}</ref> Researcher [[Marcus Hutchins]]<ref>{{Cite news|url=http://www.abc.net.au/news/2017-05-16/ransomware-cyberattack-marcus-hutchins-gives-interview/8530574|title='Just doing my bit': The 22yo who blocked the WannaCry cyberattack|date=16 May 2017|work=ABC News|access-date=17 May 2017|language=en-AU}}</ref><ref name="MalwareTech">{{Cite web|url=https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html|title=How to Accidentally Stop a Global Cyber Attacks|last=MalwareTech|authorlink=MalwareTech|date=13 May 2017}}</ref> discovered the kill switch domain [[Hard coding|hardcoded]] in the malware.<ref>{{cite web |url=https://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/|title=Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms|date=12 May 2017|work=The Telegraph}}</ref><ref>{{cite web |url=https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/|title=74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+|last=Thomson|first=Iain|date=13 May 2017|work=The Register}}</ref><ref>{{Cite web|url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack |title='Accidental hero' halts ransomware attack and warns: this is not over|last=Khomami|first=Nadia|last2=Solon|first2=Olivia|date=13 May 2017 |website=The Guardian}}</ref> Registering a [[domain name]] for a [[DNS sinkhole]] stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.<ref>{{Cite news|url=https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/|title=How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack|last=Newman|first=Lily Hay |work=Wired Security|access-date=14 May 2017|language=en-US}}</ref><ref>{{cite news |url=https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack |title='Accidental hero' finds kill switch to stop spread of ransomware cyber-attack|date=13 May 2017|work=[[The Guardian]]|access-date=13 May 2017|location=London|last1=Solon|first1=Olivia}}</ref><ref>{{cite web|url=https://www.bbc.co.uk/news/technology-39907049|title=Global cyber-attack: Security blogger halts ransomware 'by accident'|last=Foxx|first=Chris|date=13 May 2017|publisher=BBC|access-date=13 May 2017}}</ref><ref>{{cite web|url=http://www.pcworld.com/article/3196515/security/a-kill-switch-is-slowing-the-spread-of-wannacry-ransomware.html |title=A 'kill switch' is slowing the spread of WannaCry ransomware|website=PC World|access-date=13 May 2017 |last1=Kan |first1=Micael}}</ref><ref>{{cite web| title=How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack|url=https://www.computerworld.com/article/3196686/security/kill-switch-helps-slow-the-spread-of-wannacry-ransomware.html/|access-date=19 December 2017}}</ref> On 14 May, a first variant of WannaCry appeared with a new and second<ref>{{cite web|url=https://qz.com/983569/a-second-wave-of-wannacry-infections-has-been-halted-with-a-new-killswitch/|title=Just two domain names now stand between the world and global ransomware chaos|first1=Joon Ian|last1=Wong|first2=Joon Ian|last2=Wong|website=Quartz}}</ref> kill-switch registered by [[Matt Suiche]] on the same day. This was followed by a second variant with the third and last kill-switch on 15 May, which was registered by [[Check Point]] threat intelligence analysts.<ref>{{cite web|url=https://umbrella.cisco.com/blog/2017/05/16/the-hours-of-wannacry/|title=The Hours of WannaCry|date=17 May 2017|publisher=}}</ref><ref>{{cite web|url=https://blog.checkpoint.com/2017/05/15/wannacry-new-kill-switch-new-sinkhole/|title=WannaCry - New Kill-Switch, New Sinkhole|date=15 May 2017|website=Check Point Software Blog}}</ref> A few days later, a new version of WannaCry was detected that lacked the kill switch altogether.<ref name=spiegel1>{{Cite news|url=http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html|title=It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'| last=Khandelwal| first=Swati| work=The Hacker News|access-date=14 May 2017|language=en-US}}</ref><ref>{{cite news| last1=Shieber| first1=Jonathan| title=Companies, governments brace for a second round of cyberattacks in WannaCry's wake|url=https://techcrunch.com/2017/05/14/companies-governments-brace-for-a-second-round-of-cyberattacks-in-wannacrys-wake/|work=TechCrunch|access-date=14 May 2017}}</ref><ref>{{cite web| last1=Chan| first1=Sewell|last2=Scott|first2=Mark|title=Cyberattack's Impact Could Worsen in 'Second Wave' of Ransomware|url=https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html|work=The New York Times|access-date=14 May 2017|date=14 May 2017}}</ref><ref>{{cite web|title=Warning: Blockbuster 'WannaCry' malware could just be getting started|url=https://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356|publisher=[[NBC News]]|access-date=14 May 2017|language=en}}</ref> On 19 May, it was reported that hackers were trying to use a [[Mirai (malware)|Mirai]] botnet variant to effect a [[Denial-of-service attack#Distributed attack|distributed attack]] on WannaCry's kill-switch domain with the intention of knocking it offline.<ref>{{cite web|last1=Greenberg|first1=Andy|title=Botnets Are Trying to Reignite the Ransomware Outbreak|url=https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/|publisher=WIRED|access-date=22 May 2017}}</ref> On 22 May, Hutchins protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.<ref>{{cite news|last1=Gibbs |first1=Samuel |title=WannaCry hackers still trying to revive attack says accidental hero|url=https://www.theguardian.com/technology/2017/may/22/wannacry-hackers-ransomware-attack-kill-switch-windows-xp-7-nhs-accidental-hero-marcus-hutchins|newspaper=The Guardian|access-date=22 May 2017 |date=22 May 2017}}</ref> Separately, researchers from [[University College London]] and [[Boston University]] reported that their ''PayBreak'' system could defeat WannaCry and several other families of ransomware by recovering the keys used to encrypt the user's data.<ref>{{Cite web|url=https://www.bu.edu/eng/2017/05/18/protection-from-ransomware-like-wannacry/|title=Protection from Ransomware like WannaCry|publisher=[[Boston University]]|language=en|access-date=19 May 2017 |department=College of Engineering}}</ref><ref>{{Cite web|url=https://www.benthamsgaze.org/2017/05/16/paybreak-able-to-defeat-wannacrywannacryptor-ransomware/|title=PayBreak able to defeat WannaCry/WannaCryptor ransomware|last=Kolodenker|first=Eugene|date=16 May 2017 |website=Bentham’s Gaze|publisher=[[University College London]]|access-date=19 May 2017|department=Information Security Research & Education}}</ref> It was discovered that Windows encryption APIs used by WannaCry may not completely clear the [[prime number]]s used to generate the payload's private keys from the memory, making it potentially possible to retrieve the required key if they had not yet been overwritten or cleared from resident memory. The key is kept in the memory if the WannaCry process has not been killed and the computer has not been rebooted after being infected.<ref>{{cite web |last1=Suiche |first1=Matt |title=WannaCry — Decrypting files with WanaKiwi + Demos |url=https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d |website=Comae Technologies |date=19 May 2017}}</ref> This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.<ref name="zdnet-xpwannakey">{{cite web|title=Windows XP hit by WannaCry ransomware? This tool could decrypt your infected files|url=https://www.zdnet.com/article/windows-xp-hit-by-wannacry-ransomware-this-tool-could-decrypt-your-infected-files/ |website=ZDNet |accessdate=30 May 2017}}</ref><ref name="ars-wannakey">{{cite web|title=Windows XP PCs infected by WannaCry can be decrypted without paying ransom|url=https://arstechnica.co.uk/security/2017/05/windows-xp-wannacry-decryption/|website=Ars Technica |accessdate=30 May 2017}}</ref><ref>{{Cite web|url=https://www.wired.com/2017/05/wannacry-flaw-help-windows-xp-victims-get-files-back/ |title=A WannaCry flaw could help some windows XP users get files back|last=Greenberg|first=Andy|publication-place=Wired|publication-date=18 May 2017}}</ref> This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.<ref name="ars-wanakiwi">{{cite web|title=More people infected by recent WCry worm can unlock PCs without paying ransom |url=https://arstechnica.com/security/2017/05/more-people-infected-by-recent-wcry-worm-can-unlock-pcs-without-paying-ransom/ |website=Ars Technica|accessdate=30 May 2017}}</ref> Within four days of the initial outbreak, new infections had slowed to a trickle due to these responses.<ref name=Volz>{{cite news|last1=Volz|first1=Dustin|title=Cyber attack eases, hacking group threatens to sell code |url=https://www.reuters.com/article/us-cyber-attack-idUSKCN18B0AC|access-date=21 May 2017 |agency=https://www.reuters.com|work=Reuters |date=17 May 2017}}</ref> ==Attribution== Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be [[machine translation|machine-translated]].<ref name="register-language">{{cite web|title=WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers |last=Leyden |first=John |date=26 May 2017|access-date=26 May 2017|website=[[The Register]] |url=https://www.theregister.co.uk/2017/05/26/wannacrypt_ransom_note_linguistics/}}</ref><ref>{{cite news |url=https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ |publisher=Flashpoint |first1=Jon |last1=Condra |first2=John |last2=Costello |first3=Sherman |last3=Chu |title=Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors |date=25 May 2017 |archive-url=https://web.archive.org/web/20170527181100/https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ |archive-date=27 May 2017 |quote=Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. [...] Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine translated versions of the other notes. The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note.}}</ref> According to an analysis by the FBI's Cyber Behavioral Analysis Center, the computer that created the ransomware language files had [[Hangul]] language fonts installed, as evidenced by the presence of the "\fcharset129" [[Rich Text Format]] tag.<ref name="doj"/> Metadata in the language files also indicated that the computers that created the ransomware were set to [[UTC+09:00]], used in [[Korea]].<ref name="doj"/> A [[Google]] security researcher<ref>{{cite web|url=https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/|title=The Ransomware Outbreak Has a Possible Link to North Korea|first=Andy|last=Greenberg|date=15 May 2017|work=Wired}}</ref><ref>{{cite web|url=https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html|title=Google Researcher Finds Link Between WannaCry Attacks and North Korea|website=The Hacker News — Cyber Security and Hacking News Website}}</ref> initially posted a tweet<ref>{{cite web|url=https://twitter.com/neelmehta/status/864164081116225536?lang=en |title=9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution |first=Neel|last=Mehta|date=15 May 2017}}</ref> referencing code similarities between WannaCry and previous malware. Then cybersecurity companies<ref>{{cite web|url=https://www.wsj.com/articles/researchers-identify-clue-connecting-ransomware-assault-to-group-tied-to-north-korea-1494898740|title=Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea|first=Robert|last=McMillan|date=16 May 2017|via=www.wsj.com}}</ref> [[Kaspersky Lab]] and [[NortonLifeLock|Symantec]] have both said the code has some similarities with that previously used by the [[Lazarus Group]]<ref name="attrib-1">{{Cite news|url=https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group|title=WannaCry ransomware has links to North Korea, cybersecurity experts say|last=Solong|first=Olivia|date=15 May 2017 |work=The Guardian|access-date=}}</ref> (believed to have carried out [[Sony Pictures hack|the cyberattack on Sony Pictures]] in 2014 and [[Bangladesh Bank heist|a Bangladesh bank heist]] in 2016—and linked to [[North Korea]]).<ref name="attrib-1" /> This could also be either simple re-use of code by another group<ref>{{cite news|title=Experts question North Korea role in WannaCry cyberattack|url=http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11860013|archive-url=https://web.archive.org/web/20170714125459/http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11860013|url-status=dead|archive-date=14 July 2017|accessdate=22 May 2017|work=The New Zealand Herald|agency=AP|date=21 May 2017}}</ref> or an attempt to shift blame—as in a [[cyber false flag]] operation;<ref name="attrib-1" /> but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.<ref name="washpo-nsa-dprk">{{cite web|last1=Nakashima|first1=Ellen|title=The NSA has linked the WannaCry computer worm to North Korea |url=https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html?hpid=hp_hp-more-top-stories_northkoreacyber744pm%3Ahomepage%2Fstory |website=The Washington Post|publisher=The Washington Post|accessdate=15 June 2017}}</ref> [[Brad Smith (American lawyer)|Brad Smith]], the president of Microsoft, said he believed North Korea was the originator of the WannaCry attack,<ref>{{Cite news|url=https://www.telegraph.co.uk/news/2017/10/14/north-korea-behind-wannacry-attack-crippled-nhs-stealing-us/|title=North Korea behind WannaCry attack which crippled the NHS after stealing US cyber weapons, Microsoft chief claims|last=Harley|first=Nicola|date=14 October 2017|work=The Telegraph|access-date=14 October 2017|issn=0307-1235}}</ref> and the UK's National Cyber Security Centre reached the same conclusion.<ref>{{cite web|url=https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office|title=NHS could have avoided WannaCry hack with basic IT security' says report|first=Alex|last=Hern|date=26 October 2017|accessdate=26 October 2017|work=The Guardian}}</ref> On 18 December 2017, the [[United States Government]] formally announced that it publicly considers North Korea to be the main culprit behind the WannaCry attack.<ref>{{cite web|url=https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html |title=U.S. declares North Korea carried out massive WannaCry cyberattack |first=Ellen |last=Nakashima |date=18 December 2017 |accessdate=18 December 2017 | work = [[The Washington Post]]}}</ref> [[U.S. President|President]] [[Donald Trump|Trump]]'s [[Homeland Security Advisor]], [[Tom Bossert]], wrote an [[op-ed]] in ''[[The Wall Street Journal]]'' about this charge, saying "We do not make this allegation lightly. It is based on evidence."<ref>{{cite web|url=https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537 |title=It’s Official: North Korea Is Behind WannaCry |first=Thomas P. |last=Bossert |date=18 December 2017 |accessdate=18 December 2017 |work=[[The Wall Street Journal]] }}</ref> In a press conference the following day, Bossert said that the evidence indicates that [[Kim Jong-un]] had given the order to launch the malware attack.<ref>{{Cite web|url=http://thehill.com/policy/cybersecurity/365580-wh-kim-jong-un-ordered-release-of-disastrous-wannacry-malware |title=WH: Kim Jong Un behind massive WannaCry malware attack |first=Joe |last=Uchill |date=19 December 2017 |accessdate=19 December 2017 |work=[[The Hill (newspaper)|The Hill]]}}</ref> Bossert said that Canada, New Zealand and Japan agree with the United States' assessment of the evidence that links the attack to North Korea,<ref>{{cite web|url=https://www.cbsnews.com/news/white-house-says-wannacry-attack-was-carried-out-by-north-korea/ |title=White House says WannaCry attack was carried out by North Korea |date=19 December 2017 |accessdate=19 December 2017 |work=[[CBS News]]}}</ref> while the United Kingdom's [[Foreign and Commonwealth Office]] says it also stands behind the United States' assertion.<ref>{{cite web|url=https://www.theguardian.com/technology/2017/dec/19/wannacry-cyberattack-us-says-it-has-evidence-north-korea-was-directly-responsible |title=UK and US blame WannaCry cyber-attack on North Korea |first1=Alex |last1=Hern |first2=Justin |last2=McCurry |date=19 December 2017 |accessdate=19 December 2017 |work=[[The Guardian]]}}</ref> North Korea, however, denied being responsible for the cyberattack.<ref>{{cite news|title=North Korea says linking cyber attacks to Pyongyang is 'ridiculous'|url=https://www.reuters.com/article/us-cyber-attack-northkorea-idUSKCN18F1X3|work=Reuters|accessdate=21 May 2017|date=19 May 2017}}</ref><ref>{{cite news|title=Experts Question North Korea Role in WannaCry Cyberattack |url=https://www.nytimes.com/aponline/2017/05/19/world/asia/ap-as-nkorea-wannacry-cyberattack-.html |newspaper=The New York Times |accessdate=21 May 2017 |date=19 May 2017}}</ref> On 6 September 2018, the US Department of Justice (DoJ) announced formal charges against Park Jin-hyok for involvement in the [[Sony Pictures hack]] of 2014. The DoJ contended that Park was a North Korean hacker working as part of a team of experts for the North Korean [[Reconnaissance General Bureau]]. The Department of Justice asserted this team also had been involved in the WannaCry attack, among other activities.<ref>{{cite web|url=https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html |title=North Korean Spy to Be Charged in Sony Pictures Hacking |first1=David |last1=Sanger |first2=Katie |last2=Benner |first3=Adam |last3=Goldman |date=6 September 2018 |accessdate=6 September 2018 |work=[[The New York Times]]}}</ref><ref>{{Cite web|url=https://www.msn.com/en-us/news/world/us-targets-north-korean-hacking-as-national-security-threat/ar-AAHkAGU?ocid=ientp|title=U.S. Targets North Korean Hacking as National-Security Threat|last=Volz|first=|date=16 September 2019|website=msn|url-status=live|archive-url=|archivedate=|accessdate=16 September 2019}}</ref> == Impact == [[File:Countries initially affected in WannaCry ransomware attack.svg|alt=|thumb|300x300px|Map of the countries initially affected<ref>{{cite web|url=https://www.bbc.com/news/world-europe-39907965|title=Cyber-attack: Europol says it was unprecedented in scale|date=13 May 2017|publisher=[[BBC]]}}</ref>]] The ransomware campaign was unprecedented in scale according to [[Europol]],<ref name=":3" /> which estimates that around 200,000 computers were infected across 150 countries. According to [[Kaspersky Lab]], the four most affected countries were [[Russia]], [[Ukraine]], [[India]] and [[Taiwan]].<ref name="Jones">{{cite news|last1=Jones|first1=Sam|title=Global alert to prepare for fresh cyber attacks|newspaper=Financial Times|date=14 May 2017}}</ref> One of the largest agencies struck by the attack was the [[National Health Service]] hospitals in England and Scotland,<ref>{{cite news|last1=Millar|first1=Sheila A.|last2=Marshall|first2=Tracy P.|last3=Cardon|first3=Nathan A.|title=WannaCry: Are Your Security Tools Up to Date?|url=https://www.natlawreview.com/article/wannacry-are-your-security-tools-to-date|accessdate=9 July 2017|work=The National Law Review|publisher=Keller and Heckman LLP|date=22 May 2017}}</ref><ref>{{cite web |url=https://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-cyberattack/|title=Global cyberattack strikes dozens of countries, cripples U.K. hospitals|publisher=CBS News|access-date=13 May 2017}}</ref> and up to 70,000 devices&nbsp;– including computers, [[Magnetic resonance imaging|MRI scanners]], blood-storage refrigerators and theatre equipment&nbsp;– may have been affected.<ref name="14MaySunTim">{{cite news|url=https://www.thetimes.co.uk/article/cyber-attack-guides-promoted-on-youtube-972s0hh2c|title=Cyber-attack guides promoted on YouTube|last1=Ungoed-Thomas|first1=Jon|date=14 May 2017|work=The Sunday Times|access-date=14 May 2017|last2=Henry|first2=Robin|last3=Gadher|first3=Dipesh|url-access=subscription}}</ref> On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.<ref name="BBC news">{{cite news|url=https://www.bbc.co.uk/news/health-39899646|title=NHS cyber-attack: GPs and hospitals hit by ransomware|date=12 May 2017|access-date=12 May 2017|work=BBC News|language=en-GB}}</ref><ref>{{cite web |url=https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs|title=Massive ransomware cyber-attack hits 74 countries around the world|first1=Julia Carrie|last1=Wong|first2=Olivia|last2=Solon|date=12 May 2017 |access-date=12 May 2017 |work=[[The Guardian]] |location=London}}</ref> In 2016, thousands of computers in 42 separate [[NHS trust]]s in England were reported to be still running Windows XP.<ref name=vicexp /> In 2018 a report by Members of Parliament concluded that all 200 NHS hospitals or other organizations checked in the wake of the WannaCry attack still failed cyber security checks.<ref>{{Cite news|url=https://www.thetimes.co.uk/article/every-hospital-tested-for-cybersecurity-has-failed-97vc6rqkq|title=Every hospital tested for cybersecurity has failed|last=Health&nbsp;Editor|first=Chris Smyth|date=18 April 2018|work=The Times|access-date=18 April 2018|language=en|issn=0140-0460|url-access=subscription }}</ref><ref>https://publications.parliament.uk/pa/cm201719/cmselect/cmpubacc/787/787.pdf</ref> NHS hospitals in Wales and Northern Ireland were unaffected by the attack.<ref name="guardian-nhs">{{cite web|url=https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware|title=The NHS trusts hit by malware – full list|last=Marsh|first=Sarah|date=12 May 2017|location=London|access-date=12 May 2017|work=[[The Guardian]]}}</ref><ref name="BBC news" /> [[Nissan Motor Manufacturing UK]] in [[Tyne and Wear]], England, halted production after the ransomware infected some of their systems. [[Renault]] also stopped production at several sites in an attempt to stop the spread of the ransomware.<ref>{{cite news |url=https://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html |title=Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France|date=13 May 2017 |first=Jon |last=Sharman|website=The Independent|access-date=13 May 2017}}</ref><ref>{{cite web|url=https://www.mirror.co.uk/news/world-news/renault-stops-production-several-plants-10413994|title=Renault stops production at several plants after ransomware cyber attack as Nissan also hacked|first1=Mathieu|last1=Rosemain|first2=Yann|last2=Le Guernigou|first3=James|last3=Davey|date=13 May 2017|website=Daily Mirror |access-date=13 May 2017}}</ref> Spain's [[Telefónica]], [[FedEx]] and [[Deutsche Bahn]] were hit, along with many other countries and companies worldwide.<ref name="cnn99countries">{{Cite news |url=http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/ |title=Massive ransomware attack hits 99 countries |last=Larson |first=Selena |date=12 May 2017 |publisher=[[CNN]] |access-date=12 May 2017}}</ref><ref name="verge1">{{cite web|title=The WannaCry ransomware attack has spread to 150 countries|url=https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries|website=The Verge|access-date=16 May 2017|date=14 May 2017}}</ref><ref>{{Cite news|url=https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20|title=What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?|last=Hern|first=Alex|date=12 May 2017 |work=[[The Guardian]] |location=London|access-date=12 May 2017|last2=Gibbs|first2=Samuel |issn=0261-3077}}</ref> The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had [[Marcus Hutchins]] not discovered that a kill-switch had been built in by its creators<ref name=chica1>{{cite web|title=Lucky break slows global cyberattack; what's coming could be worse |url=https://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html|work=[[Chicago Tribune]]|access-date=14 May 2017}}</ref><ref name=guard1>{{cite web|last1=Helmore|first1=Edward|title=Ransomware attack reveals breakdown in US intelligence protocols, expert says|url=https://www.theguardian.com/technology/2017/may/13/ransomware-cyber-attack-us-intelligence|work=The Guardian|access-date=14 May 2017|date=13 May 2017}}</ref> or if it had been specifically targeted on highly [[critical infrastructure]], like [[Nuclear safety and security|nuclear power plants]], dams or railway systems.<ref>{{cite news |title=The Latest: Researcher who helped halt cyberattack applauded |url=http://www.startribune.com/the-latest-turkey-among-countries-hit-in-cyberattack/422161813/ |newspaper=[[Star Tribune]] |access-date=14 May 2017 |url-status=dead |archiveurl=https://web.archive.org/web/20170516182233/http://www.startribune.com/the-latest-turkey-among-countries-hit-in-cyberattack/422161813/ |archivedate=16 May 2017 }}</ref><ref>{{cite news|title=Global 'WannaCry' ransomware cyberattack seeks cash for data |url=https://www.washingtonpost.com/world/europe/uk-working-to-restore-hospital-systems-after-cyberattack/2017/05/13/472ef544-37c1-11e7-ab03-aa29f656f13e_story.html|newspaper=Washington Post|access-date=16 May 2017}}</ref> According to cyber-risk-modeling firm Cyence, economic losses from the cyber attack could reach up to US$4 billion, with other groups estimating the losses to be in the hundreds of millions.<ref>{{Cite news|url=https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/|title="WannaCry" ransomware attack losses could reach $4 billion|access-date=14 June 2017|language=en}}</ref> === Affected organizations === The following is an alphabetical list of organisations confirmed to have been affected: <!-- Please don't add entries in here without a reference to a Reliable Source --> {{columns-list|colwidth=20em| * [[Andhra Pradesh Police]], India<ref>{{cite web|url=http://timesofindia.indiatimes.com/india/andhra-police-computers-hit-by-cyberattack/articleshow/58658853.cms|title=Andhra police computers hit by cyberattack|date=13 May 2017|website=The Times of India|language=en|access-date=13 May 2017}}</ref> * [[Aristotle University of Thessaloniki]], Greece<ref>{{cite news|url=http://www.protothema.gr/greece/article/679082/hakaran-kai-to-apth-stin-pagosmia-kuvernoepithesi/|title="Χάκαραν" και το ΑΠΘ στην παγκόσμια κυβερνοεπίθεση!|language=el|work=[[Proto Thema]]|date=13 May 2017|access-date=18 May 2017}}</ref> * [[Automobile Dacia]], Romania<ref>{{cite web |url=http://stirileprotv.ro/stiri/actualitate/atacul-informatic-global-ar-fi-afectat-si-uzina-dacia-de-la-mioveni-reactia-ministrului-comunicatiilor-augustin-jianu.html |title=Atacul cibernetic global a afectat și Uzina Dacia de la Mioveni. Renault a anunțat că a oprit producția și în Franța |work=Pro TV |date=13 May 2017 |language=ro}}</ref> * [[Boeing Commercial Airplanes]]<ref>{{cite web|url=https://www.theverge.com/2018/3/28/17174540/boeing-wannacry-ransomware-attack-production-plant-charleston-south-carolina|title=Boeing production plant hit with WannaCry ransomware attack|language=en|work=[[theverge.com]]|date=28 March 2018|access-date=29 March 2018}}</ref> * [[Cambrian College]], Canada<ref>{{cite news|url=http://www.cbc.ca/news/canada/sudbury/cambrian-college-ransomware-hack-1.4093634|title=Hackers demand $54K in Cambrian College ransomware attack|work=[[CBC.ca]]|access-date=16 May 2017}}</ref> * [[Chinese public security bureau]]<ref name="scmp">{{Cite news|url=http://www.scmp.com/news/china/society/article/2094291/chinese-police-and-petrol-stations-hit-ransomware-attack|title=Chinese police and petrol stations hit by ransomware attack|author=Mimi Lau|work=South China Morning Post|date=14 May 2017|access-date=15 May 2017|language=en}}</ref> * [[CJ CGV]] (a cinema chain)<ref>{{cite news|title=Korean gov't computers safe from WannaCry attack|url=http://www.koreaherald.com/view.php?ud=20170515000574|access-date=15 May 2017|newspaper=[[The Korea Herald]]}}</ref> * [[Dalian Maritime University]]<ref name="Cina" /> * [[Deutsche Bahn]]<ref>{{cite web|url=http://www.faz.net/aktuell/wirtschaft/unternehmen/hacker-angriff-weltweite-cyberattacke-trifft-computer-der-deutschen-bahn-15013583.html|title=Weltweite Cyberattacke trifft Computer der Deutschen Bahn|date=13 May 2017|website=Frankfurter Allgemeine Zeitung|language=de|access-date=13 May 2017}}</ref> * [[Dharmais Hospital]], Indonesia<ref name="misc" /> * [[Faculty Hospital, Nitra]], Slovakia<ref name="nitra">{{cite web|url=https://www.etrend.sk/ekonomika/hackersky-utok-zasiahol-aj-fakultnu-nemocnicu-v-nitre.html|title=Hackerský útok zasiahol aj Fakultnú nemocnicu v Nitre|date=15 May 2017|website=etrend.sk|language=sk|access-date=15 May 2017}}</ref> * [[FedEx]]<ref>{{cite web|url=https://www.ft.com/content/af74e3f4-373d-11e7-99bd-13beb0903fa3|title=What is Wannacry and how can it be stopped?|date=12 May 2017|newspaper=[[Financial Times]]|language=en|access-date=13 May 2017}}</ref> * Garena Blade and Soul<ref>{{cite web|url=https://www.blognone.com/node/92406|title=เซิร์ฟเวอร์เกม Blade & Soul ของ Garena ประเทศไทยถูก WannaCrypt โจมตี|date=13 May 2017|publisher=blognone.com|language=th|access-date=14 May 2017}}</ref> * [[Guilin University of Aerospace Technology]]<ref name="Cina" /> * [[Guilin University of Electronic Technology]]<ref name="Cina" /> * [[Pusat Jantung Nasional Harapan Kita|Harapan Kita Hospital]], Indonesia<ref name="misc" /> * Hezhou University<ref name="Cina" /> * [[Hitachi]]<ref>{{cite news|url=http://www.nikkei.com/article/DGXLASFL15HC6_V10C17A5000000|title=日立、社内システムの一部に障害　サイバー攻撃の影響か|language=ja|website=日本経済新聞|date=15 May 2017|access-date=21 June 2017}}</ref> * [[Honda]]<ref>{{cite news|url=https://www.reuters.com/article/us-honda-cyberattack-idUSKBN19C0EI|title=Honda halts Japan car plant after WannaCry virus hits computer network|website=Reuters|date=21 June 2017|access-date=21 June 2017}}</ref> * Instituto Nacional de Salud, [[Colombia]]<ref>{{cite web |url=http://www.eltiempo.com/tecnosfera/novedades-tecnologia/alerta-por-cibertaque-que-golpeo-a-74-paises-87602|title=Instituto Nacional de Salud, entre víctimas de ciberataque mundial|date=13 May 2017|work=El Tiempo|language=Spanish}}</ref> * [[Lakeridge Health]]<ref>{{cite web|url=https://www.thestar.com/news/canada/2017/05/13/ontario-health-ministry-on-high-alert-amid-global-cyberattack.html|title=Ontario health ministry on high alert amid global cyberattack|website=Toronto Star}}</ref> * LAKS, Netherlands <ref>{{cite web|url=http://www.nu.nl/internet/4706262/laks-tweede-nederlandse-slachtoffer-ransomware-wannacry.html|title=Laks second Dutch victim of WannaCry|website=Nu.nl}}</ref> * [[LATAM Airlines Group]]<ref>{{cite web|title=LATAM Airlines también está alerta por ataque informático|url=https://www.fayerwayer.com/2017/05/latam-airlines-tambien-estaria-comprometida-en-ataque-ransomware/|publisher=[[Fayerwayer]]|access-date=13 May 2017}}</ref> * [[MegaFon]]<ref>{{cite web|title=Massive cyber attack creates chaos around the world|url=http://www.news.com.au/technology/online/hacking/massive-cyber-attack-creates-chaos-around-the-world/news-story/b248da44b753489a3f207dfee2ce78a9|publisher=news.com.au|access-date=13 May 2017}}</ref> * [[Ministry of Internal Affairs (Russia)|Ministry of Internal Affairs of the Russian Federation]]<ref>{{cite web|title=Researcher 'accidentally' stops spread of unprecedented global cyberattack|url=https://abcnews.go.com/International/researcher-accidentally-stops-spread-unprecedented-global-cyberattack/story?id=47390745|publisher=[[ABC News]]|access-date=13 May 2017}}</ref> * [[Ministry of Foreign Affairs (Romania)|Ministry of Foreign Affairs (Romania)]]<ref>{{cite web |url=http://www.libertatea.ro/stiri/atac-cibernetic-la-mae-1836024 |title=UPDATE. Atac cibernetic la MAE. Cine sunt hackerii de elită care au falsificat o adresă NATO |work=Libertatea |date=12 May 2017 |language=ro}}</ref> * [[National Health Service (England)]]<ref name="uk">{{cite news|url=https://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html|title=Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France|date=13 May 2017|website=The Independent|language=en|access-date=13 May 2017}}</ref><ref name="BBC news" /><ref name=guardian-nhs /> * [[NHS Scotland]]<ref name="BBC news" /><ref name=guardian-nhs /> * [[Nissan Motor Manufacturing UK]]<ref name="uk" /> * [[Telefónica Europe|O2]], Germany<ref>{{cite web|title=Nach Attacke mit Trojaner WannaCry: Kundensystem bei O2 ausgefallen|url=http://www.focus.de/digital/es-ist-ein-technischer-fehler-aufgetreten-nutzer-koennen-twitter-nicht-aufrufen_id_7156840.html|publisher=FOCUS Online|access-date=20 May 2017|language=de}}</ref><ref>{{cite web|title=Erhebliche Störungen – WannaCry: Kundendienst von O2 ausgefallen – HAZ – Hannoversche Allgemeine|url=http://www.haz.de/Nachrichten/Wirtschaft/Deutschland-Welt/WannaCry-Kundendienst-von-O2-ausgefallen|publisher=Hannoversche Allgemeine Zeitung|access-date=20 May 2017|language=de-DE}}</ref> * [[Petrobrás]]<ref name="auto1" /> * [[PetroChina]]<ref name="cnn99countries" /><ref name="scmp" /> * [[Portugal Telecom]]<ref>{{cite web|url=http://observador.pt/2017/05/12/portugal-telecom-alvo-de-ataque-informatico-internacional/|title=PT Portugal alvo de ataque informático internacional|date=12 May 2017 | website=Observador | language=pt|access-date=13 May 2017}}</ref> * [[Pulse FM]]<ref>{{cite web|url=https://www.radioinfo.com.au/news/ransomware-infects-narrowcast-radio-station/|title=Ransomware infects narrowcast radio station|date=15 May 2017 | website=RadioInfo | language=en|access-date=30 September 2017}}</ref> * [[Q-Park]]<ref>{{cite web|URL=http://www.nu.nl/internet/4691349/parkeerbedrijf-q-park-getroffen-ransomware-aanval.html|title=Parkeerbedrijf Q-Park getroffen door ransomware-aanval|date=13 May 2017|website=Nu.nl|language=nl|access-date=14 May 2017}}</ref> * [[Renault]]<ref>{{cite web|url=http://www.france24.com/en/20170512-cyberattack-ransomware-renault-worldwide-british-hospitals|title=France's Renault hit in worldwide 'ransomware' cyber attack|date=13 May 2017|publisher=France 24|language=es|access-date=13 May 2017}}</ref> * [[Russian Railways]]<ref>{{cite web|title=Компьютеры РЖД подверглись хакерской атаке и заражены вирусом|url=https://www.svoboda.org/a/28483898.html|publisher=[[Radio Free Europe/Radio Liberty]]|access-date=13 May 2017}}</ref> * [[Sandvik]]<ref name="misc">{{cite web|url=http://www.straitstimes.com/world/organisations-hit-by-global-cyberattack|title=Global cyber attack: A look at some prominent victims|date=13 May 2017|publisher=elperiodico.com|language=es|access-date=14 May 2017}}</ref> * [[Justice Court of São Paulo]]<ref name="auto1">{{cite web|url=http://www.opovo.com.br/jornal/economia/2017/05/wannacry-no-brasil-e-no-mundo.html|title=WannaCry no Brasil e no mundo|date=13 May 2017|website=O Povo|language=pt|access-date=13 May 2017}}</ref> * [[Saudi Telecom Company]]<ref>{{Cite tweet |user=AmjadShacker |author= Amjad Shacker |number= 863749329017868293 |date = 14 May 2017 |title=-|language=ar|trans-title=⁥⁥screenshot of message}}</ref> * [[Sberbank of Russia|Sberbank]]<ref name=vidal /> * [[Shandong University]]<ref name="Cina">{{cite web|url=http://news.163.com/17/0514/08/CKCOOATU000187VI.html|title=一夜之间 勒索病毒"永恒之蓝"席卷 国内近3万机构被攻陷 全球 超十万台电脑"中毒"江苏等十省市受害最严重}}</ref> * State Governments of India ** [[Government of Gujarat]]<ref name="auto2" /> ** [[Government of Kerala]]<ref name="auto2">{{cite news|title=Ransomware WannaCry Surfaces In Kerala, Bengal: 10 Facts|url=http://www.ndtv.com/india-news/ransomware-wannacry-surfaces-in-kerala-bengal-10-facts-1693806|access-date=15 May 2017|work=New Delhi Television Limited (NDTV)}}</ref> ** [[Government of Maharashtra]]<ref>{{cite news|author1=Sanjana Nambiar|title=Hit by WannaCry ransomware, civic body in Mumbai suburb to take 3 more days to fix computers|url=http://www.hindustantimes.com/mumbai-news/hit-by-wannacry-ransomware-civic-body-in-mumbai-suburb-to-take-3-more-days-to-fix-computers/story-eSIMZQ2NFT217erJAFkS0J.html|access-date=17 May 2017|work=[[Hindustan Times]]|date=16 May 2017|language=en}}</ref> ** [[Government of West Bengal]]<ref name="auto2" /> * Suzhou Vehicle Administration<ref name="Cina" /> * [[Sun Yat-sen University]], China<ref name="misc" /> * [[Telefónica]], Spain<ref name="spain">{{cite web|url=http://www.elperiodico.com/es/noticias/sociedad/ataque-informatico-masivo-infecta-las-grandes-empresas-espana-6033534|title=Un ataque informático masivo con 'ransomware' afecta a medio mundo|date=12 May 2017|publisher=elperiodico.com|language=es|access-date=13 May 2017}}</ref> * [[Telenor Hungary]], Hungary<ref>{{cite news|last1=Balogh|first1=Csaba|title=Ideért a baj: Magyarországra is elért az óriási kibertámadás|url=http://hvg.hu/tudomany/20170512_wannacry_zsarolovirus_aldozatok_magyar_ceg|access-date=13 May 2017|work=[[Heti Világgazdaság|HVG]]|date=12 May 2017|language=Hungarian}}</ref> * [[Telkom (South Africa)]]<ref>{{cite news|title=Telkom systems crippled by WannaCry ransomware|url=https://mybroadband.co.za/news/security/211576-telkom-systems-crippled-by-wannacry-ransomware.html|access-date=21 May 2017|work=[[MyBroadband]]|date=21 May 2017|language=English}}</ref> * [[Timrå Municipality]], Sweden<ref>{{cite news|url=https://www.svt.se/nyheter/inrikes/timra-kommun-drabbat-av-utpressningsattack|date=13 May 2017|publisher=[[Sveriges Television]]|title=Timrå kommun drabbat av utpressningsattack|language=sv|access-date=15 May 2017}}</ref> * [[TSMC]], Taiwan<ref>{{cite news |first=Jeremy |last=Kirk |quote=Taiwan Semiconductor Manufacturing Co., the world's largest chip manufacturer, says a WannaCry infection hit unpatched Windows 7 systems in its fabrication facilities, leaving multiple factories crippled. |publisher=Information Security Media Group, Corp. |title=WannaCry Outbreak Hits Chipmaker, Could Cost $170 Million |url=https://www.bankinfosecurity.com/chipmaker-tsmc-wannacry-attack-could-cost-us170-million-a-11285}}</ref> * [[Universitas Jember]], Indonesia<ref>{{cite web|url=https://m.tempo.co/read/news/2017/05/16/058875604/virus-ransomware-wannacry-serang-perpustakaan-universitas-jember|title=Virus Ransomware Wannacry Serang Perpustakaan Universitas Jember|date=16 May 2017|website=Tempo|language=id|access-date=17 May 2017}}</ref> * [[University of Milano-Bicocca]], Italy<ref>{{cite web|url=http://milano.repubblica.it/cronaca/2017/05/12/news/milano_virus_ransomware_universita_bicocca-165302056/|title=Il virus Wannacry arrivato a Milano: colpiti computer dell'università Bicocca|date=12 May 2017|website=la Repubblica|language=it|access-date=13 May 2017}}</ref> * [[Université de Montréal|University of Montreal]], Canada<ref>{{cite news|title=Some University of Montreal computers hit with WannaCry virus|url=https://www.theglobeandmail.com/news/national/universite-de-montreal-computers-hit-with-wannacry-virus/article35004991/|access-date=16 May 2017|work=The Globe and Mail|date=16 May 2017}}</ref> * [[Vivo (telecommunications)|Vivo]], Brazil<ref name="auto1" />}} == Reactions == A number of experts highlighted the [[National Security Agency|NSA]]'s non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. [[Edward Snowden]] said that if the NSA had "[[Responsible disclosure|privately disclosed]] the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".<ref>{{cite web |url=https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs|title=Massive ransomware cyber-attack hits 74 countries around the world|first1=Julia Carrie|last1=Wong|first2=Olivia|last2=Solon|date=12 May 2017 |access-date=12 May 2017 |work=The Guardian}}</ref> British cybersecurity expert [[Graham Cluley]] also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools [[targeted surveillance|to spy on people of interest]], they have a duty to protect their countries' citizens.<ref>{{cite web|last1=Heintz|first1=Sylvia Hui, Allen G. Breed and Jim|title=Lucky break slows global cyberattack; what's coming could be worse|url=https://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html|work=Chicago Tribune |access-date=14 May 2017}}</ref> Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.<ref name="guard1" /> Microsoft president and chief legal officer [[Brad Smith (American lawyer)|Brad Smith]] wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its [[Tomahawk (missile)|Tomahawk missiles]] stolen."<ref>{{cite web |url=https://www.theguardian.com/technology/2017/may/15/ransomware-attack-like-having-a-tomahawk-missile-stolen-says-microsoft-boss |title=Ransomware attack 'like having a Tomahawk missile stolen', says Microsoft boss |date=14 May 2017 |work=The Guardian |access-date=15 May 2017}}</ref><ref>{{Cite news |url=http://www.computerworld.com/article/3196987/security/wikileaks-posts-user-guides-for-cia-malware-implants-assassin-and-aftermidnight.html |title=WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight |last=Storm |first=Darlene |date=15 May 2017 |work=[[Computerworld]]|access-date=17 May 2017|language=en}}</ref><ref>{{cite web |last1=Smith |first1=Brad |title=The need for urgent collective action to keep people safe online |url=https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/ |publisher=Microsoft |access-date=14 May 2017}}</ref> Russian President [[Vladimir Putin]] placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.<ref name="vidal">{{cite news |url=http://internacional.elpais.com/internacional/2017/05/15/actualidad/1494855826_022843.html|title=Putin culpa a los servicios secretos de EE UU por el virus ‘WannaCry’ que desencadenó el ciberataque mundial|date=15 May 2017|newspaper=El País|language=es|last1=Vidal Liy |first1=Macarena|access-date=16 May 2017}}</ref> On 17 May 2017, United States bipartisan lawmakers introduced the [[PATCH Act]]<ref>{{cite web|title=Patch Act bill before Congress|url=https://www.documentcloud.org/documents/3725905-Patch-Act-bill-before-Congress.html |accessdate=23 May 2017}}</ref> that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".<ref>{{cite news|last1=Whittaker|first1=Zack|title=Congress introduces bill to stop US from stockpiling cyber-weapons |url=https://www.zdnet.com/article/congress-introduces-bill-to-prevent-us-from-stockpiling-cyber-weapons/ |work=ZDNet |accessdate=23 May 2017|language=en}}</ref> On 15 June 2017, the United States Congress was to hold a hearing on the attack.<ref name="thehill.com">{{Cite news |url=http://thehill.com/business-a-lobbying/337440-lawmakers-to-hold-hearing-on-wanna-cry-ransomware-attack|title=Lawmakers to hold hearing on ‘Wanna Cry’ ransomware attack|last=Chalfant|first=Morgan|date=12 June 2017|work=TheHill|access-date=14 June 2017}}</ref> Two subpanels of the House Science Committee were to hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.<ref name="thehill.com" /> [[Marcus Hutchins]], a cybersecurity researcher, working in loose collaboration with UK's [[National Cyber Security Centre (United Kingdom)|National Cyber Security Centre]],<ref>{{cite web|title=Finding the kill switch to stop the spread of ransomware – NCSC Site |url=https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0+|website=www.ncsc.gov.uk|access-date=21 May 2017 |language=en-gb}}</ref><ref name=sky1>{{cite web|title=Sky Views: Stop the cyberattack blame game|url=http://news.sky.com/story/sky-views-stop-the-cyberattack-blame-game-10880726|publisher=Sky News|access-date=21 May 2017}}</ref> researched the malware and discovered a "kill switch".<ref name="MalwareTech" /> Later globally dispersed security researchers [[Collaboration#Technology|collaborated online]] to [[Civic hacking|develop]] [[open-source software|open source]] tools<ref name=wanakiwi>{{cite web|title=gentilkiwi/wanakiwi|url=https://github.com/gentilkiwi/wanakiwi|website=GitHub|access-date=20 May 2017|language=en}}</ref><ref>{{cite web|title=aguinet/wannakey|url=https://github.com/aguinet/wannakey|website=GitHub|access-date=20 May 2017|language=en}}</ref> that allow for decryption without payment under some circumstances.<ref name=reuters1>{{cite web |last=Auchard |first=Eric |url=https://www.reuters.com/article/us-cyber-attack-cure-idUSKCN18F1CA |title=French researchers find way to unlock WannaCry without ransom |date=19 May 2017 |work=Reuters |access-date=19 May 2017}}</ref> Snowden states that when "[[NSA]]-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.<ref>{{cite tweet |user=Snowden |number=863422022994481152 |date=13 May 2017 |title=When @NSAGov-enabled ransomware eats the internet, help comes from researchers, not spy agencies. Amazing story. |first=Edward |last=Snowden |access-date=20 May 2017|language=en}}</ref><ref>{{cite tweet |user=Snowden |number=863425539616284673 |date=13 May 2017 |title=Pause a moment to consider why we're left with researchers, not governments, trying to counter the @NSAGov-enabled ransomware mess. Hint: |first=Edward |last=Snowden |access-date=20 May 2017|language=en}}</ref><ref name=sky1 /> Other experts also used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and [[Storage security|secure]] [[backup]]s, good [[cybersecurity]] including isolating critical systems, using appropriate software, and having the latest security patches installed.<ref>{{cite web|url=https://www.forbes.com/sites/tomcoughlin/2017/05/14/wannacry-ransomware-demonstrations-the-value-of-better-security-and-backups/|title=WannaCry Ransomware Demonstrations The Value of Better Security and Backups|last1=Coughlin|first1=Tom|work=Forbes|access-date=14 May 2017}}</ref> [[Adam Segal]], director of the digital and cyberspace policy program at the [[Council on Foreign Relations]], stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".<ref name="guard1" /> In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".<ref name="guard1" /> [[Arne Schönbohm]], president of Germany's [[Federal Office for Information Security]] (BSI), stated that "the current attacks show how vulnerable our [[Information society|digital society]] is. It's a wake-up call for companies to finally take IT security [seriously]".<ref name="hei">{{cite web|title=WannaCry: BSI ruft Betroffene auf, Infektionen zu melden |url=https://www.heise.de/newsticker/meldung/WannaCry-BSI-ruft-Betroffene-auf-Infektionen-zu-melden-3713442.html|publisher=heise online |access-date=14 May 2017|language=de-DE}}</ref> ===United Kingdom=== The effects of the attack also had political implications; in the [[United Kingdom]], the impact on the [[National Health Service]] quickly became political, with claims that the effects were exacerbated by Government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.<ref>{{cite news|title=The ransomware attack is all about the insufficient funding of the NHS |url=https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding|access-date=14 May 2017|work=The Guardian|date=13 May 2017}}</ref> [[Home Secretary]] [[Amber Rudd]] refused to say whether patient data had been [[Backup|backed up]], and [[Shadow Secretary of State for Health|Shadow Health Secretary]] [[Jon Ashworth]] accused [[Secretary of State for Health|Health Secretary]] [[Jeremy Hunt]] of refusing to act on a critical note from Microsoft, the [[National Cyber Security Centre (United Kingdom)|National Cyber Security Centre]] (NCSC) and the [[National Crime Agency]] that had been received two months previously.<ref>{{cite news|title=Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS|url=https://www.theguardian.com/society/2017/may/13/jeremy-hunt-ignored-warning-signs-before-cyber-attack-hit-nhs|access-date=14 May 2017|work=The Guardian|date=13 May 2017}}</ref> Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that − due to their technical design and market incentives − eventually won't be able to properly receive and apply patches.<ref>{{cite web |title=Why WannaCry ransomware took down so many businesses|url=http://money.cnn.com/2017/05/17/technology/wannacry-ransomware-business-security/index.html|date=17 May 2017 |website=CNN Money|publisher=CNN|language=en|last1=Larson |first1=Selena |access-date=22 May 2017}}</ref> The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.<ref name="nhs-noxp">{{cite web|title=UPDATED Statement on reported NHS cyber-attack (13 May) |url=https://digital.nhs.uk/article/1493/UPDATED-Statement-on-reported-NHS-cyber-attack-13-May-|publisher=National Health Service |accessdate=30 May 2017}}</ref><ref name="verge-xpimpact">{{cite web |title=Windows XP computers were mostly immune to WannaCry |url=https://www.theverge.com/2017/5/30/15712542/windows-xp-wannacry-protect-ransomware-blue-screen|website=The Verge|accessdate=30 May 2017}}</ref> The cost of the attack to the NHS was estimated as £92 million in disruption to services and IT upgrades.<ref>{{cite news |title=Cyber-attack cost NHS £92m – DHSC |url=https://www.hsj.co.uk/technology-and-innovation/cyber-attack-cost-nhs-92m--dhsc/7023560.article |accessdate=13 November 2018 |publisher=Health Service Journal |date=11 October 2018}}</ref> After the attack, [[NHS Digital]] refused to finance the estimated £1 billion to meet the [[Cyber Essentials#Assurance framework|Cyber Essentials Plus]] standard, an information security certification organized by the UK NCSC, saying this would not constitute "value for money", and that it had invested over £60 million and planned "to spend a further £150 [million] over the next two years" to address key cyber security weaknesses.<ref>{{cite news |title=Health chiefs refuse to foot £1bn bill to improve NHS cyber security |url=https://www.buildingbetterhealthcare.co.uk/news/article_page/Health_chiefs_refuse_to_foot_1bn_bill_to_improve_NHS_cyber_security/147855/cn164706 |accessdate=27 November 2018 |publisher=Building Better Healthcare |date=15 October 2018}}</ref> ==2018 email scam== In late June, hundreds of computer users reported being sent an email from someone (or multiple people), claiming to be the developers of WannaCry.<ref>{{cite web|title=Wannacry is back!|url=https://www.theregister.co.uk/2018/06/21/wannacry_is_back_except_its_not|publisher=heise online |access-date=21 June 2018}}</ref> The email threatened to destroy the victims' data unless they sent 0.1 [[Bitcoin|BTC]] to the Bitcoin address of the hackers. This has also happened in 2019.{{citation needed|date=September 2019}} == See also == {{columns-list|colwidth=20em| * [[BlueKeep (security vulnerability)]] * {{Section link|Computer security|Medical systems}} * [[Comparison of computer viruses]] * [[Conficker]] * [[CryptoLocker]] * [[Cyber self-defense]] * {{Section link|Cyberweapon|Control and disarmament}} * [[International Multilateral Partnership Against Cyber Threats]] * {{Section link|Proactive cyber defence|Measures}} * [[Security engineering]] * [[Software versioning]] * [[SQL Slammer]] * [[Timeline of computer viruses and worms]] * [[Vault 7]] * [[Windows Update]] * [[2016 Dyn cyberattack]] * [[2017 Petya cyberattack]] }} ==References== {{Reflist}} == External links == {{Commons category}} * [https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt Ransom:Win32/WannaCrypt] at Microsoft Malware Protection Center * {{twitter|id=actual_ransom|name=@actual_ransom}}, a [[Twitterbot]] tracking the ransom payments {{Hacking in the 2010s|collapsed}} {{Portal bar|Law|border=Microsoft|Internet}} [[Category:2017 in computer science]] [[Category:Cyberattacks]] [[Category:Cybercrime]] [[Category:Hacking in the 2010s]] [[Category:May 2017 crimes]] [[Category:Ransomware]] [[Category:Computer security exploits]]'