IISS Strategic Comments

The WannaCry ransomware attack

On the afternoon of 12 May 2017 it became evident that large sectors of the United Kingdom’s National Health Service (NHS) were undergoing a concerted ransomware attack. Across the NHS access to data was blocked and screens filled with the following message:

[Image: WannaCry ransomware]

The ransomware attack developed on an unprecedented scale, and by 14 May had affected 200,000 systems in 150 countries using 27 different languages and covering every geographical region. Russia and China appeared to have been hit particularly hard, the latter no doubt due to the inability of an inordinately large number of users to upgrade the pirated Microsoft software that is pervasive in China.

Technical details

Ransomware – penetrating a network, encrypting the data and demanding a ransom in a cryptocurrency such as Bitcoin to decrypt it – has become a relatively widespread form of malware. Applications are available for purchase on the darknet (the part of the internet that has not been indexed) for as little as US$50, thereby enabling unskilled and unsophisticated actors to utilise it. The ransomware attack deployed on 12 May was somewhat more sophisticated than such low-grade exploits. It appears to have been generated from one of a suite of capabilities developed by the United States National Security Agency (NSA), which was stolen by a group called Shadow Brokers in April 2017 and published on the internet.

The specific malware used was a variant of ‘WannaCry’, which exploits a flaw in Microsoft software that enables the Server Message Block 1.0 to act as a vector for the introduction of the malware. On entering the system, the malware insinuates routing software known as ‘The Onion Router’ (TOR) into the infected machine. Developed by the US State Department to permit individuals under authoritarian regimes to communicate safely – that is, without being identified – TOR sends messages through a multiplicity of relay points and thus obscures the originator. This makes communications between the machine and the hackers effectively anonymous, and the latter much harder to trace. Once inside the system, the malware functions as a worm, replicating itself wherever it encounters the relevant vulnerability.

The encryption used – RSA 2048-bit (the initials are for the surnames of the three Massachusetts Institute of Technology computer scientists who devised it) – is asymmetric public key encryption, which involves the use of both a public and a private key; it is slower but much stronger than symmetric encryption, which uses the same key for encryption and decryption. Furthermore, unlike most malware, the WannaCry exploit has a modular, hence more sophisticated, architecture. Even so, this particular exploit was quickly stopped after a UK-based security blogger identified a long, invented domain name in the exploit’s software. Registering the domain name had the effect of activating a kill switch. There are reports of a new variant of WannaCry without the kill-switch vulnerability but it appears not to have been deployed yet.

The culprits

At the time of publication it remained unknown who was responsible for the exploit or what its purpose was. Possible explanations range from ‘script kiddies’ unleashing a malware exploit they did not understand and could not control – as turned out to be the case with the 2016 attack on the UK service provider TalkTalk – to a state actor. There have been suggestions, so far unsubstantiated, that North Korea may have been responsible. The available evidence seems to indicate that the attack was not purely random. In the UK, the primary target was the network of healthcare trusts. These are known to be particularly vulnerable due to their widespread reliance on legacy software – in particular, Windows XP, which Microsoft has not supported since 2014. One health trust subjected to the attack had earlier registered some probing operations that appeared designed to determine how easy it would be to penetrate the system.

The relatively low number of ransom payments actually received – totalling little more than $50,000 at the time of publication – seems to belie initial presumptions that this attack was a purely mercenary, criminal exploit. Although most successful ransomware attacks to date have been criminal in intent, they have relied on the readiness of victims to quietly pay up – a far less likely contingency given the publicity the WannaCry attack has attracted. A perhaps more plausible explanation is that the recent attack was designed either as a test of the exploit’s effectiveness or as a statement of intent, indicating the substantial damage that the attackers could do if certain demands weren’t met. The latter explanation would seem consistent with a 16 May statement from Shadow Brokers – the anonymous group that claims to have stolen WannaCry and other exploits from the NSA – saying that they would release further stolen exploits on a regular basis in an apparent effort to persuade the NSA to repurchase the exploits the group had stolen.

Nothing is known about the composition or motives of the Shadow Brokers group. But rogue NSA contractor Edward Snowden, now living in Moscow, has suggested that the group had links to the Russian intelligence services. According to Snowden, the purpose of stealing and then publicising details of exploits developed by the NSA for intelligence collection purposes would be to send a message to the US government that public attribution of cyber exploits, as exemplified by US allegations of Russian interference in the 2016 presidential election, was a two-way street.

The aftermath

There were widespread fears that the initial attack would be followed up with a second phase when organisations resumed working on Monday. This did not happen, and in the UK most health trusts were able to resume normal operations. The recovery picture worldwide was less clear, though no major new attacks appear to have been reported. Nevertheless, the WannaCry attack has raised major questions about the challenges presented by the cyber domain and serves as a small foretaste of future dangers.

Those subjected to the WannaCry attack were criticised for failing to observe basic cyber hygiene and for persisting in the use of unsupported legacy software. Such criticisms were certainly justified. In the case of the UK, the NHS’s reliance on such legacy software was well known and managers had undeniably been slow to address this problem. At the same time, it is important to acknowledge that the UK healthcare system is large and complex. Software upgrades are not cheap, nor are they always straightforward to undertake – particularly where commercial systems have been customised. In addition, many health trusts rely on equipment and systems provided and operated by third parties whose contracts, drawn up in an era of lower threat awareness, do not require them to assume responsibility for cyber security. Such contracts probably need to be revised. Furthermore, given growing realisations of the value of healthcare data and the security havoc that tampering with or erasing such data can wreak, cyber security must be treated – as it is for most enterprises – as integral to the healthcare business model and resourced accordingly.

Microsoft’s decision to withdraw support from Windows XP, an operating system that has been in existence since 2004, has also been questioned. While it was accepted that Microsoft had provided ample warning of its intention to withdraw support, the company may have failed to appreciate the scale of global dependence on the system and the need to make appropriate allowances for that. Although Microsoft prepared a patch to deal with the WannaCry vulnerability once the NSA reported its loss, it was criticised for not rolling it out sooner. Microsoft has sought to eliminate the need for further upgrades by making Windows 10 the last operating system it ever develops.

In any case, the incipient blame game diverts attention from the fact that – apart from the perpetrators – nobody has total responsibility for the WannaCry exploit, while everybody has some. The current architecture of the cyber domain makes guaranteed security impossible. By observing basic hygiene, though, users should be able to protect themselves against opportunistic criminal attacks – which amount to around 80% of all malign online criminal activity – with a high degree of assurance. At the corporate level, far too many users have failed to appreciate the centrality of cyber security to business operations. It now needs to be a core concern.

Remedial steps

The major technology companies are all American, occupy the top five positions in the Fortune 500 index and sit at the heart of a global business valued at $3.6 trillion. They too must assume some responsibility. These companies operate according to a business model that prioritises quickly developing new products and rushing them to market ahead of their competitors, leaving security to be dealt with later – and not always very effectively – by a separate cyber security industry whose global value accounts for about $400 billion.

Getting the behemoth tech industry to move from a ‘rush to market’ mindset to a ‘security by design’ approach is an enormous challenge, further complicated by China’s rise as a digital power of consequence. Immense complexities are likely to arise from the ‘internet of things’ – that is, the increasing interconnectedness of everyday devices – and the growth of machine learning, which could culminate in widespread reliance on intelligent autonomous systems that can make their own decisions without human intervention. In this light, the case for change seems compelling. But such change may require a level and character of government regulation that the information and communication technologies (ICT) sector can be expected to fiercely resist.

Within the world’s expert cyber security community there has emerged a growing awareness of and concern about the extent to which the cyber domain has become a zone of conflict and contestation, characterised by growing levels of cyber criminality and a heightened incidence of attacks perpetrated by states. The perception that global cyber stability was at or near a dangerous tipping point led Microsoft’s president, Brad Smith, to call in February 2017 for the establishment of a ‘Digital Geneva Convention’, which would commit all states to observe the following guidelines:

  • No targeting of tech companies, private sector or critical infrastructure
  • Assist private sector efforts to detect, contain, respond to and recover from events
  • Report vulnerabilities to vendors rather than stockpile, sell or exploit them
  • Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise and not reusable
  • Commit to non-proliferation activities with respect to cyber weapons
  • Limit offensive operations to avoid a mass event


The Microsoft proposal feeds into a global debate on cyber security that has been ongoing since before the turn of the millennium, when the Russian Federation, driven by an awareness of the United States’ massive first-mover advantage in the cyber domain, sought to initiate discussions leading to an arms-control treaty governing the development and use of ‘information weapons’. The Russian initiative was unsuccessful but evolved into various iterations of a UN Group of Governmental Experts (UN/GGE) convened under the First Committee of the UN General Assembly. In 2015, the UN/GGE identified a series of non-binding norms of state behaviour that, among other things, incorporated some of the Microsoft points outlined above. The challenge, however, is to operationalise these norms, and the prospects for doing so are not encouraging. There is a distinct possibility that the UN/GGE due to conclude in June 2017 will not be able to produce a report, and that the process may come to an end without any successor mechanism having been agreed upon.

The WannaCry attack was global in scale and targeted critical systems. Although it appears to have done little lasting damage and to have been contained, it should still be regarded as a wake-up call. The collective response to cyber incidents has tended to default to business-as-usual. After the initial shock of a cyber attack, governments are apt to blame the United States, Microsoft or users who failed to implement security upgrades, but otherwise to downplay the incident and highlight the effectiveness of institutional responses. If a relatively unsophisticated though clever cyber exploit is able to achieve the degree of disruption that WannaCry did, it seems entirely legitimate to worry about how much damage a determined attacker might be able to cause with a truly sophisticated effort, and plan accordingly.

Established cyber powers, which have their own reasons to exercise restraint and have established institutional mechanisms to manage risk, do not constitute the most dire concern. The bigger threats come from outlier states such as North Korea – which has invested heavily in developing offensive cyber capabilities while enjoying limited vulnerability to in-domain retaliation due to its minimal dependence on networked systems – and from catalytic non-state actors undertaking activities designed to draw nation states into an escalatory spiral within the cyber domain. Ideally, governments and the ICT sector would treat WannaCry as an inflection point. Unfortunately, they almost certainly will not.

Volume 23, Comment 16 – May 2017



Editor: Jonathan Stevenson

