The WannaCry Cyber Attack: A Case Analysis

Patrick Higgins

7 November 2018

In May 2017 the WannaCry ransomware infected more than 200,000 computers across 150 countries. It spread as a worm, exploiting a flaw in the SMB file-sharing service of unpatched, older Windows systems, so that a single infected host on a network could compromise others without any user action. Key industries such as healthcare, finance, logistics and telecommunications were affected, and WannaCry disrupted vital societal operations: major government services such as the UK's National Health Service (NHS) and global firms such as FedEx were severely hit. Most prominently, across 60 NHS organisations patient health records became unavailable, operations had to be cancelled, and many Accident & Emergency departments (A&Es) had to turn patients away.

WannaCry's window to spread was an unpatched flaw in Microsoft's implementation of the SMBv1 protocol in older Windows versions. EternalBlue is the name of the exploit for that flaw, which Microsoft had already fixed in March 2017 with a free security update (MS17-010) for all supported Windows versions. Computers still running Windows XP, which Microsoft no longer supported, received no fix unless their owners paid for a custom support contract, at around $1,000 per year, to get the same coverage. In the most prominent case, that of the NHS, the UK Secretary of State for Health, Jeremy Hunt, had decided in 2015 that the government would stop paying Microsoft for XP support. This decision would bode ill: in April 2017 a hacking group calling itself "The Shadow Brokers" published EternalBlue on the Internet, in a post framed as a protest against the policies of Donald Trump, and the WannaCry authors built the leaked exploit into their worm. Once a computer was infected, WannaCry encrypted its files and demanded a ransom of $300 in Bitcoin, rising to $600 if the victim delayed. Thankfully, only around $140,000 in ransom was ever paid: a security researcher registered the unregistered domain that the malware checked before spreading, which acted as a kill switch and halted propagation within hours, and on 13 May 2017 Microsoft broke with its support policy and released the patch free of charge for Windows XP and other unsupported versions. However, the damage was already done.

In the aftermath of the attack there were moves both to mitigate the damage and to tighten the law on companies' liability for their users' data. The Data Protection Act 2018 (DPA), for example, implemented the EU General Data Protection Regulation (GDPR), which took effect in May 2018, in UK statute law. Under this regime, companies that breach their data-protection obligations, under-invest in cyber-security, or fail to report a breach to the regulator can be fined up to 20 million euros (about 17.5 million pounds) or 4% of annual worldwide turnover, whichever is higher. Another observable effect of the attack was increased purchasing of cyber-security insurance, a booming industry projected to reach $5 billion in premiums by 2020.

At the same time, as the WannaCry chaos quieted down, officials and security researchers worldwide began investigating WannaCry's origins. Google security researcher Neel Mehta was the first to point out that code in an early WannaCry sample matched code in the malware used in the 2014 attack on Sony Pictures and the 2016 theft from Bangladesh Bank over the SWIFT network. Both attacks are attributed to the Lazarus Group, a hacking group that has operated from North Korea-linked IP addresses. The link to North Korea was cemented in September 2018, when the U.S. government charged Park Jin Hyok, a North Korean national identified as one of the Lazarus Group's most prominent hackers, with two counts of conspiracy for his role in WannaCry and the earlier attacks. Relatedly, in August 2017 unknown persons attributed to the Lazarus Group emptied the WannaCry ransom wallets and moved the funds through a Swiss cryptocurrency exchange service called ShapeShift. To do this they split the Bitcoin across three wallets and converted it into Monero, a cryptocurrency whose transactions are far harder to trace or seize through judicial means. Around 13.5 Bitcoin (about $37,000) was laundered this way [Fox-Brewster, T., 2017 {1}]. On this weight of evidence, officials worldwide continue to believe that North Korea was the culprit behind WannaCry.

Despite the revisions earlier this year, legislation against cyber-crime was already plentiful in the United States and the United Kingdom, two of the countries hardest hit by WannaCry. In the United States, distributing malware and accessing computers without authorisation are offences under the Computer Fraud and Abuse Act (1986); a conviction for an attack on the scale of WannaCry carries up to 10 years in prison (20 for repeat offenders) and substantial fines. In the United Kingdom, the Computer Misuse Act (1990) was amended by the Serious Crime Act 2015 to add an offence of causing serious damage, punishable by up to 14 years' imprisonment, or life where the damage threatens human welfare or national security. Yet this plethora of cyber-crime legislation has not been enough to counter the rise in global cyber-attacks. The problem lies not with the legislation itself but with the nature of cyber-crime: it is difficult to tie an attack to an individual who uses false identities, shifts apparent IP addresses and jurisdictions with virtual private networks (VPNs), and encrypts or destroys incriminating evidence. Conviction rates for hacking attacks are therefore low.

For example, though 2.5 million hacking attacks were reported in the UK in 2015, only 43 individuals were prosecuted for cyber-crimes, a figure that rose only to 61 in 2016. Jurisdiction is perhaps the most pressing factor behind these low prosecution rates: when a crime is committed from abroad, even if the victim files a complaint with the local magistrate, local and national authorities cannot pursue a suspect outside their own jurisdiction without the cooperation of the country where the suspect sits. In WannaCry's case, none of the attackers' identities, except Park Jin Hyok's as mentioned above, has ever been revealed. None of them has been tried or imprisoned, and though Park has been charged in absentia under a U.S. federal arrest warrant, it is likely that he will never face justice for his crimes.

The WannaCry case was devastating, but it is only a taste of what is to come if worldwide action against cyber-crime is not undertaken. Under the world's current governance systems it is nearly impossible to properly investigate, arrest and prosecute those who commit cyber-crimes across borders. Though WannaCry influenced UK data legislation, it spurred little positive action elsewhere beyond driving up cyber-insurance premiums. To combat cyber-crime properly, the world needs to accept this reality and adapt to the digital age. Humanity needs a worldwide body, similar to Interpol, dedicated to fighting cyber-crime; as a working name, call it Intercomp (International Computer). Intercomp would have jurisdiction in all necessary regions, be certified by all national governments to carry out investigations, and be able to obtain search warrants, within reason, from local judges. Once an individual had been investigated and identified as a cyber-criminal, with all the relevant evidence, Intercomp would hand the suspect over to the relevant local authorities for examination, trial and imprisonment. If steps like the creation of such an international body are not taken, attacks like WannaCry will remain commonplace. We live in a world to which our governments and organisations cannot properly adapt, and so radical, constructive change is needed.