Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Other
Who benefits from global epidemic WannaCry?
Material posted: Publication date: 24-05-2017
He brought down the British health care system, paralyzed the main Spanish telecommunications network, sneaked into the factories of Renault and hosted on the computers of the Ministry of internal Affairs of the Russian Federation. He talked about Vladimir Putin, Edward Snowden, President of Microsoft, head of cyber security of Australia and other dignitaries. He appeared only on may 12 and has already made a splash around the world. Epidemic WannaCry – not the biggest and not the most lucrative for hackers, but this is the major epidemic of our time. Because WCry showed us familiar digital world, you can turn off literally a snap of the fingers.

However, this virus (yet?) did not like and brought its creators resounding money, despite the supersonic speed of propagation. And in the history of its development stretches trail of the American secret services, and Russian hackers. Something is clearly wrong – let's understand what it is.


As is often the case with a resonant stories with a dark past, to accurately track the initial chain of events is almost impossible – officials blaming each other, government agencies are silent, the media misinterpret the data in favor of the current information agenda.

The more or less established version of events is the following: last summer of the technological bowels of the NSA (national security Agency USA) Shadow hacker organization Brokers stole a ton of cyber-weapons that American intelligence agencies used for their own purposes. The event, to put it mildly, uncommon: still that some organization would be cleaned out secret American base.


The hype was hushed up, but in April 2017-wow the truth came out – Shadow Brokers started posting exploits on public access, apparently desperate to sell them. Along the way, the hackers posted a farewell message, saying that to blame trump gave him a voice in the election, but he disappointed. Some analysts immediately linked the activities of the group either with the Russian government, or Russian intelligence services. Jake Williams, Executive Director of the cyber security Infosec Rendition, called the publication of exploit "the Revenge of Russia for missile strikes on Syria". Did not agree with expert James Bradford, wrote in a column for Reuters that "If Russia had stolen the data, they do not make sense to put them and especially to try to sell."

In any case, whatever the motives nor was guided by the Shadow Brokers, hackers have opened Pandora's box, out all evil. Particularly popular, as it turned out, got a virus Eternal Blue, written specifically for the needs of the NSA. The exploit is able to penetrate into the gap nephropathogenic versions of Windows (especially older ones), using port 445. Under such a scheme up and running WannaCry, akropovic entire planet for several days. Virus ransomware encrypts data on the hard disk of the computer and requires a ransom to unlock them.



Anatomy of a virus

The initial propagation velocity WannaCry scary – for the day this stuff has flown more than 70 countries, hitting about a hundred thousand devices. Now, according to the site tracker MalwareTech botnet that infected more than 300 thousand systems. The first wave was halted by the observation 22-year-old British programmer Mark Hutchins. The guy saw that the virus sends the signals to the unregistered domain The programmer, along with his 28-year-old colleague has registered this domain, and the virus is "off".


The guys immediately became big stars in the Internet (the Brand was invited to work on the GCHQ of the UK), but soon released an updated version of virus, devoid of this defect, and the epidemic continued.

Of course, compared to large botnets of millions of zombie devices, indicators WCry not as impressive. But it should be understood that it is not a simple likere advertising under attack the blackmailer turned out to be large public and private companies which are indispensable for the usual functioning of society. In addition, the virus is extremely dangerous distribution scheme, which in theory could lead to the present chaos.

To catch WannaCry, optional to download anything – it will get, roughly speaking, himself, through the same vulnerability in the OS. This can be a big surprise even for the technically literate person, who believes that "If you don't click on links, then nothing will happen." As it turns out, can happen without your participation; the rare case when the actual immortal phrase "I didn't do anything, it is itself."


The second feature WannaCry – infect a device, it searches for the LAN access. And if has access, and protection somehow is not provided, it instantly affects the whole organization – so quickly came under attack a variety of social structures, where security is usually treated carelessly. Plus the surprise effect: on the desktop, where, in the popular sense, there is no interface, suddenly there is an infection, appropriate more for a laptop teenager or grandmother. Or device with important data – the Internet is full of stories of patients (including critically ill) British hospitals had to be sent home or redirected to other clinics because the system just went down.

Infected, the user sees a typical banner-extortioner: WannaCry encrypts some files and then hangs on the desktop environment. Need to send a bitcoin wallet is the equivalent of 300-600 dollars – the total amount depends on the efficiency. If the victim does not, after a while the files destroyed. According to experts from Symantec, to send money to extortionists pointless – firstly, because you support criminals, and secondly, the algorithm of decryption keys is misspelled. Victims, apparently, agrees with Symantec and to give up the means to at the moment, the attackers gained almost 90 thousand dollars from all three well-known bitcoin wallets. Money the ransomware is not removed, in spite of encryption and anonymity in digital currency.


The impression is that the epidemic WCry has emphasized demonstrative. Hundreds of infected street devices, including vending machines and digital signs may not pose a threat to the social order, but clearly demonstrate what time we live in. Suddenly, the infected ATM, which you used each month to withdraw from the salary, a hundred times more frightening than any of the Internet stories about hackers and Trojans: it's happened to you in your city and with your friends. As if visibility and maximum publicity – most importantly, what did the authors WannaCry. And it's weird – usually viruses are created for the other.



...but only when I it will be profitable

Let's again count other people's money – for the time of work, the authors WannaCry received 90 thousand dollars. Given the volume of infected devices and the hype that revolves around virus, is peanuts. Any more or less "promoted" Trojan in a month will earn, if not more, and not much less. And will continue to work quietly, without all the hype. All, recall from WCry affected about 300 thousand devices – that means "paid" ransomware is less than 0.1% of the victims.

This doesn't add up. Interesting and the focus of the spread – if you believe the map Check Point, the virus especially cracking down on the territory of Russia, India, Ukraine, Taiwan, to a lesser extent China and, in recent days, the United States. The minimum fare for unlocking, we recall, is $ 300 – about 17 thousand Russian rubles. Not every citizen of the Russian Federation or Ukraine will agree to give the same amount to bring back to life the digital data. Most likely, no important data from the average Russian does not; and he hardly appreciate their value in a budget laptop.


Similar situation with Taiwan – there are severely affected the education sector: schools, universities. Their employees, of course, no ransom was paid, because, given the scale, the total amount would cover the entire budget, which did not come from private pockets. It is typical for affected state agencies have ignored the function of payment – at least because in such organizations a large-scale spending is often not possible without bureaucratic procedures. Perhaps the authors WannaCry labeled secured, but not secured by private companies. May have hoped to ordinary users. But one thing is for sure – if the extortionists wanted a lot of money at the expense of victims, their plan failed.

However, the virus does not always bring money "in a forehead" – sometimes come into play other factors. This can be beneficial to large-scale hysteria over WannaCry? The answers, in fact, much more than it seems at first glance.

The most logical option – the antivirus company. In 2016, according to RBC, the sales of anti-virus software was the worst in the last three years. And what now? For example, increased stocks Sophos – manufacturer of information security systems – by as much as 8.5%, and reached record values. As you might guess, the surge occurred on the background of news about the activities WannaCry.


Do not lag behind colleagues. The Finnish company F-Secure updated 16-year high. 3.5% rose paper NCC Group. It may be that the company's protection around the world chipped in and spread the dangerous virus to remind myself?

The second possible motive, or rather, a whole cluster – the political claims of the various States. Under the guise of "cyberaide" you can accuse an international opponent (which actually happened) and to make friends for long lasting benefits. You can lobby for a series of reforms on import substitution – the press-Secretary of the Ministry of internal Affairs of the Russian Federation Irina Volk has said that the Department's servers were not injured just because they work on other operating systems, under management of the domestic processors "Elbrus". "Protection from vermin" – the perfect excuse to disallow companies to use "leaky" Windows, but instead be required to put a domestic substitute. Again, the example of China, where for a long time moving to software – level infections are much lower than in the same Taiwan and India.


Rubbing their hands now and companies that do cyber security system for organizations. WannaCry brought the problem to the global level, and it is only right: the frightened government now just forked out for a couple of large orders. For this cost slightly to rewrite Eternal Blue and throw a virus in populated countries. A loud trail of the NSA, again, will help to remain in the shadows.

Finally, such a step could go and Microsoft itself. It may seem that this kind of "spite grandmother frostbitten his ears," but let us think. In this simple way the company draws attention to the new OS, reminding all Luddites sitting on XP and the other "Oldies" – it is unsafe, move on to "ten", and at the same time enrich our Bank accounts for hundreds of millions of dollars. An extra plus in the Treasury of Microsoft quickly closed the vulnerability: security update came out in March. And urgently released a patch for unsupported versions as it emphasizes – see how we care about you, updated 14-year-old Windows Server 2003.



Brave new world

Whoever was behind large-scale cyber attack, they were able to demonstrate the vulnerability of modern civilization. Our imaginary being and supposedly powerful security technologies can fall apart for a couple of days. Banks will stop working, stand plants, electronics freak, train freak, mobile operators will raise the white flag, the TV goes out, Internet service providers will shut down. And the culprit is a simple virus, jurkowski in the outdated operating system. Apocalypse, follow me.

Illia Bozhko


RELATED MATERIALS: Defence and security