At the end of Denis Villeneuve’s 2015 movie Sicario, the movie’s heroine is warned to leave town: “You will not survive here. You are not a wolf, and this is a land of wolves now.” After the global WannaCry ransomware outbreak of May 2017, which infected the computer systems of “over 10,000 organizations and 200,000 individuals in over 150 countries,” many people — including the hundreds of thousands of ransomware victims — are likely to similarly see the internet as a lawless and dangerous “land of wolves.”
Among the global victims of the WannaCry outbreak were multinational companies including Renault and Federal Express, hospitals in the UK, universities in China, Russia’s Ministry of Interior, and telecommunications and energy companies in Spain. While security experts have begun a global hunt for the cybercriminals responsible for the attack, following this incident the efforts of countries like China to impose law and order on the internet are likely to see an urgent boost.
In a blog post published after the WannaCry outbreak, Brad Smith, Microsoft’s president and chief legal officer, confirmed that the software exploits deployed by the cybercriminals came from vulnerabilities discovered and stockpiled by the US National Security Agency:
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”
Smith warned that such stockpiling of software vulnerabilities by governments for purposes of surveillance and espionage ran the risk of leaks which could then empower cybercriminals — just like those who created WannaCry:
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
In particular, the WannaCry cyberattack uses two hacking tools, EternalBlue and DoublePulsar, that had been developed by an elite group of NSA-affiliated hackers that security researchers have named the Equation Group. EternalBlue exploits a vulnerability in the Microsoft Windows operating system’s Server Message Block (SMB) network file sharing protocol, while DoublePulsar is malware that functions as a “backdoor through which other malware can be loaded onto infected computers.” Both were in a collection of NSA hacking tools that were leaked to the public by a group of cybercriminals known as the Shadow Brokers in April 2017. As it turned out, the hackers who designed WannaCry deployed EternalBlue and DoublePulsar in their cyberattack:
“WannaCry appears to primarily utilize the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilize it to install the malware. If the exploit fails and the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the internet.”
Once installed in the system, WannaCry’s ransomware payload deploys “AES and RSA encryption ciphers” to create “encrypted copies of specific file types before deleting the originals, leaving the victims with the encrypted copies, which can’t be accessed without a decryption key.” The victim is then prompted to pay a ransom of about 300 USD in bitcoin to receive the decryption key. If the ransom is not immediately paid, the ransomware “increases the ransom amount, and threatens loss of data, at a predetermined time, creating a sense of urgency and greatly improving the chances victims will pay the ransom.”
While the initial wave of the WannaCry outbreak was temporarily slowed by the discovery of a “kill switch” in the ransomware’s code, a new version of WannaCry without this “kill switch” has been released, and security experts expect this to be just “the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible.”
According to their public bitcoin wallets, the WannaCry cybercriminals have only earned about 50,000 USD in paid ransoms. While some victims could have opted to “restore their computer data from back-ups or by reinstalling the operating system,” the complicated process of making bitcoin payments could have deterred many victims from paying the ransom:
“First, a person or business has to obtain the bitcoins by registering with one of the various online exchanges and going through its verification process. After that, money can be deposited into the exchange. For those living in countries that don’t have an exchange, including the U.K., money must be converted into another currency. Once the money is deposited on the exchange, the bitcoins can be sent to the address provided by the extortionist … It might take a few days to create an account at a bitcoin brokerage or exchange, connect a bank account, and then receive the bitcoin.”
Of course, paying the ransom indicates unearned trust on the part of the victims that the cybercriminals will keep their word and deliver the decryption keys. Not surprisingly, cases have emerged of victims who paid the ransom but “did not receive the decryption key in return.” Law enforcement agencies like Europol hence advise the victims of WannaCry not to pay the ransom — in part to avoid rewarding the cybercriminals — and instead “to go to nomoreransom.org for more information about how to unlock your computer without paying the attackers.”
In China, computer systems in “nearly 40,000 organizations, including about 4,000 academic institutions” — including “two of China’s most prestigious institutions of higher education, Tsinghua and Peking Universities” — were infected by WannaCry. Yang Lin, a final-year journalism student at Zhejiang University of Media and Communications, was one such victim. She had “just finished revising her thesis late on Friday and was closing Word on her desktop when all the Word icons blanked out, her screen went black and the hackers’ message appeared … She lost her literature review, foreign translations and thesis proposal, as well as films she had made over four years at college.”
The WannaCry outbreak has hence demonstrated the importance of the Chinese government’s push for cybersovereignty, which is the extension of the principle of the sovereign equality of states into cyberspace. As Chinese President Xi Jinping explained: “Countries have the right to independently choose how they will tread the path of cyber development, as well as issue their own regulations and public policies.” Cybersecurity is key to the successful establishment of cybersovereignty. President Xi has pushed for the “correct outlook on cybersecurity,” including the “accelerated development of a system to protect key information infrastructure and ensure online security,” as well as the enhancement of “internet defense capabilities.” While China’s push for cybersecurity is targeted at threats from foreign powers like “cyberattacks, cyber espionage, surveillance,” and undesirable content like “subversive thought, religious extremism, pornography, fake news and financial scams,” heightened cybersecurity measures could have protected internet users in China from the WannaCry outbreak.
In the wake of WannaCry, one promising avenue to enhance cybersecurity would be the Chinese government’s development and mass deployment of a homegrown operating system like NeoKylin to replace the Chinese computing public’s heavy dependence on the Microsoft Windows operating system. This is especially so because the rapid spread of the WannaCry outbreak in China was partly due to the widespread installation of unpatched and unlicensed copies of Windows in the country: “Many users … did not update their software to get the latest safety features because of a fear that their copies would be damaged or locked, while universities offered only older, pirated versions.” Lacking the critical March 14, 2017 security update from Microsoft, which would have patched the SMB vulnerability exploited by EternalBlue to penetrate Windows computer systems, these computers running unprotected versions of Windows were utterly vulnerable to the WannaCry cyberattack.
In Singapore, the government has opted for a different approach to cybersecurity. May 2017 marks the deadline for the country’s 143,000 civil servants to disconnect their work computers from the internet. While they still can have internet access during working hours, they will have to do so “on separately issued laptops, or on their personal mobile phones or tablets.” In practice, some civil servants have had to adjust their workflows to include working with two or more devices. For example, “social media researchers working at some government agencies have been issued three laptops — one for work e-mail, one for posting on government social media pages, and one for general Web surfing and research.”
The goal of the internet disconnection exercise is to “create an ‘air gap’ between the Web and government systems, so that malware will not find its way into critical IT systems. The measure also means highly classified e-mail and files will not end up in unsecured Internet devices.” This and other cybersecurity measures have successfully blocked the WannaCry outbreak from infecting the Singapore government’s computer systems, including its critical information infrastructure. While some critics have described the disconnection exercise as Luddite, the real-life demonstration of the measure’s success in protecting government computer systems from WannaCry could lead to its adoption in other countries, including those in the West.
Anderson, M. (2016, June 8). Why Singapore’s government internet blockade might spread west. The Stack.
Chew, H. M. (2017, May 13). No government agencies or critical information infrastructure in Singapore affected by global cyber attacks. Straits Times.
China’s Xi calls for better development of Internet. (2016, April 19). Xinhua.
Chinese President underscores cyber sovereignty, rejects Internet hegemony. (2015, December 16). Xinhua.
Customer Guidance for WannaCrypt attacks. (2017, May 12). Microsoft TechNet.
Disis, J. (2017, May 15). Police warn: If you’re hit by cyberattack, don’t pay the ransom. CNN.
Global manhunt for WannaCry creators. (2017, May 15). BBC News.
Goodin, D. (2015, February 17). How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last. Ars Technica.
Lanxon, N., and Satariano, A. (2017, May 15). Hardly anyone paying the hackers? Because using bitcoin is hard. Bloomberg News.
Lee, M., Mercer, W., Rascagneres, P., and Williams, C. (2017, May 12). Player 3 has entered the game: Say hello to ‘WannaCry.’ Cisco’s Talos Intelligence Group Blog.
Mozur, P. (2017, May 15). China, addicted to bootleg software, reels from ransomware attack. New York Times.
Mullany, G., and Mozur, P. (2017, May 15). Cyberattack spreads in Asia; thousands of groups affected. New York Times.
Ransomware cyber-attack: Who has been hardest hit? (2017, May 15). BBC News.
Shih, G. (2017, March 2). China seeks global support for cyber sovereignty framework. AP.
Smith, B. (2017, May 14). The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack. Microsoft on the Issues.
Sonnad, N. (2015, September 22). A first look at the Chinese operating system the government wants to replace Windows. Quartz.
Sterling, B. (2017, April 26). Double Pulsar NSA leaked hacks in the wild. Wired.
Tham, I. (2017, March 15). Some government agencies delink Net access ahead of deadline. Straits Times.
Thomson, I. (2017, April 21). Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools. The Register.
WannaCry ransomware attacks: Hard lessons for some victims. (2017, May 15). Channel NewsAsia.
Woollaston, V. (2017, May 15). Wanna Decryptor ransomware appears to be spawning and this time it may not have a kill switch. Wired.
Zaharia, A. (2017, May 14). Security alert: Uiwix ransomware is here and it can be worse than Wannacry. Heimdal Security.