Visualize: Insights that power innovation

Self-replicating ransomware infects computers worldwide

By Eric Dallal May 24, 2017
From AIR Worldwide
Computer Security
Photo courtesy of Intel Free Press via Wikimedia Commons.

A new strain of ransomware called WannaCry, or Wcry, has been spreading around the world, infecting hundreds of thousands of computers in 150 countries. As we explained in an earlier article, ransomware is a type of malware that holds a computer’s files hostage by stealing and then deleting them—frequently by encrypting and then erasing the unencrypted data. The malware then proceeds to display a ransom notice demanding payment for the return of the data, typically in a cryptocurrency, of which the most common is bitcoin.

Spreads like a worm or virus

True to form, Wcry is encrypting computers and demanding payment in Bitcoin. What distinguishes this ransomware from most of the strains that have been seen so far is that it also spreads like a worm or virus.

Whereas ransomware demands are typically targeted, involving large payments from single victims to recover data (e.g., a hospital in Hollywood paid $17,000 when it was hit), the current strain is demanding the relatively meager sum of $300–$600. This demand applies for each computer, and with at least 230,000 computers infected worldwide, the originators of the malware stand to make a significant sum. It’s quite clear from both the low ransom demand and the fact that the ransom message is available in dozens of languages that the originators of the malware anticipated a worldwide spread.

A map of infections shows that countries all over the world have been infected. The effects have been worse in countries where older operating systems or pirated software are more prevalent, but major (and presumably technologically advanced) companies have also been hit. Spain’s biggest telecommunications company, Telefonica, has reportedly had 85 percent of its computers affected by the worm. In the United Kingdom, the National Health Service was apparently severely affected, and had reportedly responded by asking patients to seek treatment for only life-threatening emergencies. This could lead to another instance of “Silent Silent Cyber”.

What we know

The malware copies an exploit, codenamed “EternalBlue,” that was previously used by the NSA. This exploit was released in mid-April by a group known as “The Shadow Brokers,” suspected of having hacked the NSA. The vulnerability targets Windows operating systems from Windows XP to Windows 2012, but a patch was released by Microsoft exactly one month before the exploit was made public. This patch only applied to currently supported operating systems (Windows Vista and later), meaning Windows XP was still vulnerable when the attack began on May 12. On May 13, Microsoft took the extremely unusual step of issuing patches for operating systems it no longer supports, including Windows XP and Windows 8.

Around the same time, the malware was inadvertently stopped by a security researcher. The creators of the malware had programmed it to check if it could connect to a particular domain: If it failed to connect, the malware would proceed with encryption; if it succeeded in connecting, the malware would terminate. Once the domain was registered, the malware was stopped in its tracks, worldwide.

Two explanations have been put forward as to why the malware was programmed with this particular behavior. The first explanation is that it was intended as a kill switch. The second explanation is that it was a sloppy attempt at trying to detect when the malware found itself in a sandbox—essentially an artificial environment used by security researchers where the malware cannot do any harm—and deactivate itself if it was, thus slowing down its analysis.

A post by the security researcher who stopped the malware provides a more detailed explanation. Note that as of May 14, a new version of the malware has been detected; it does not have the aforementioned code and has resumed its spread. This has led to fears of a second wave of infections that has thus far not materialized.

Bigger concern

Because the ransom demands are relatively small, the direct economic cost may be less than $100 million even if ransom is paid for all infected computers. As of mid-May, it appears that only $34,000 has been paid. However, a bigger concern from a loss perspective is the business interruption that could result from companies having to shut down their systems, reformat computers, and recover their data from backups. Estimates of business interruption costs range from $1 billion to (a highly implausible) $4 billion. This is something that can be modeled today using AIR’s newly released cyber modeling platform, ARC. By choosing a common provider in ARC that has a similar market share to the percentage of companies that don’t have good patching cadence—or a set of common providers over a plausible range—one can immediately begin to model business interruption scenarios related to WannaCry.


Eric Dalal is a research scientist in the cyber group at AIR Worldwide. This article originally appeared in the AIR Worldwide In Focus blog and is reprinted with permission.