WannaCry ransomware timeline: From the NSA to the NHS

The WannaCry ransomware wormed its way across Europe, into the UK, and across the world, wreaking havoc everywhere it went: shutting down doctors' surgeries in the UK, FedEx operations in America, payments for petrol stations in China, and a Renault factory in France.


30 October - NAO finds third of all NHS trusts were affected

A report from the National Audit Office into the impact of the WannaCry ransomware on the NHS has found that more than a third of all trusts in England were affected by the malware.

The investigation also found that the Department of Health was warned about cyber attacks directed at the NHS a full year before WannaCry wormed its way through trusts, but hadn't formally responded until July this year.

Although the DoH and Cabinet Office wrote to trusts in 2014 about migrating away from legacy software, there was no formal assessment mechanism to see if they had until the first wave of attacks took place.

The NAO found that no NHS trusts actually paid the ransom, but the DoH isn't certain of the wider costs of cancelled appointments, additional IT support or restoring systems and data. Worryingly, it acknowledges that the attack could have caused even more disruption were it not for the efforts of the lone infosec researcher who found a sort of kill switch in the code.

NHS England responded by focusing first on maintaining emergency care, while NHS Digital said all organisations that were hit by WannaCry shared the same vulnerability and "could have taken relatively simple action" to protect themselves.

But on the plus side, NHS organisations are learning from the devastating attack, including securing local firewalls.

Head of the NAO Amyas Morse said: "The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

"There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

3 August - WannaCry NHS 'hero' arrested by FBI

Marcus Hutchins, the independent security researcher who discovered a ‘killswitch’ that was able to temporarily halt the spread of WannaCry, has been arrested by the FBI in Las Vegas following the Black Hat and Defcon conferences.

The Department of Justice said Hutchins, 23, whose identity was first revealed by British newspapers against his wishes, was suspected of playing a role in the creation and distribution of the Kronos banking Trojan.

“The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015,” the statement reads.

According to Motherboard, the UK’s National Crime Agency was aware of the arrest, but said it was a "matter for the authorities in the US".

The National Cyber Security Centre told Motherboard: “We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.”

1 June - Programming errors could lead to file recovery

Kaspersky found errors in the WannaCry code that could potentially be used to recover files without having access to the decryption keys. ThreatPost reports that there are errors in the logic that removes the original files from the hard drive.

A synchronisation error means that original files are often deleted in an insecure way, Kaspersky researchers said, so they could be restored with conventional data recovery software. But the encryption itself has still not been broken, so this is very much a workaround that will only work in some instances.

29 May - Flashpoint links WannaCry to Chinese-language speakers

Vendor Flashpoint took a look at the accompanying text for WannaCry in 28 of the ransom notes and concluded that only the English- and Chinese-language entries were likely entered manually by a human rather than run through a translation service such as Google Translate.

“Flashpoint found that the English note was used as the source text for machine translation into the other languages,” the researchers wrote. But “the two Chinese ransom notes differ substantially from other notes in content, format, and tone. Google Translate fails in both Chinese-English and English-Chinese tests, producing inaccurate results that suggest the Chinese text was likely not similarly generated by the English text.”

They noted that their research means it’s “possible” Chinese is the native language of the malware programmers, but other languages can’t be ruled out.

“It is also possible the malware authors intentionally used a machine translation of their native tongue to mask their identity,” the researchers said. “It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”

28 May - Department of Homeland Security warning posted online

A DHS memo posted to the Public Intelligence website, initially issued on 14 May, warned critical infrastructure providers that although WannaCry was not targeting them directly, it could very well linger and affect them where industrial control systems and business networks were interconnected.

The DHS’ Office of Cyber and Infrastructure Analysis also cited the effect WannaCry had on the NHS, warning that it could similarly impact healthcare companies in the US.

22 May - Windows 7 hardest hit

According to vendors Kaspersky and BitSight, most machines affected by WannaCry were running the Windows 7 operating system. Kaspersky said of the infections it had seen, the overwhelming majority at 97 percent used the OS, while BitSight spotted 66 percent of infections on Windows 7.

Although Windows XP systems were widely believed to be the cause of the outages at the NHS, Windows XP machines made up only a small share of those affected overall, the researchers said.

16 May - ShadowBrokers promise more exploits to come

The ShadowBrokers, the group behind the original leak of EternalBlue developed by American spy agency the NSA, promised more leaks to come starting from June this year.

They likened it to a wine of the month club - and claimed they have access to tools that affect Windows 10, web browsers, and routers.

Cybersecurity stocks jump

Finnish security company F-Secure saw its shares climb to a 16-year high, according to Citywire, while British security company Sophos performed well in the FTSE 250. Both moves are believed to be the result of a rush to buy shares in cyber security companies as a direct consequence of the attacks.

15 May - some researchers suggest North Korea involvement

Researchers discovered some lines of code that they believe could point toward North Korea, noting similarities with other attacks by the Lazarus Group - a hacking organisation believed to be operating from China but with links to North Korea. But Symantec researcher Eric Chien warned that at the moment it's only a "temporal link", and that it would be possible to plant a kind of 'false-flag' code to mislead investigators.

15 May - Jeremy Hunt breaks silence

Health secretary Jeremy Hunt appeared on Sky News to comment on the attacks after having been accused of hiding from the issue. He said: "According to our latest intelligence we have not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated so I think that is encouraging.

"But the message is very clear not just for organisations like the NHS but for private individuals for businesses."

14 May - Microsoft General Counsel slams US 'stockpiling' of cyber weapons

In a statement on Microsoft's blog, general counsel Brad Smith said that WannaCry provides "yet another example of why the stockpiling of vulnerabilities by governments is such a problem".

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."

14 May - Europol chief says attack has claimed 200,000 victims in 150 countries

Describing the scale of WannaCry as "unprecedented", Europol's director Rob Wainwright warned that the WannaCry ransomware had reached 150 countries and hit at least 200,000 victims.

13 May - 75,000 systems infected

By Saturday 75,000 systems had been infected by WannaCry in 99 countries. According to Avast, most attacks took place in Ukraine, Russia and Taiwan. By now it had also caused disruption to the railways in Germany and payments systems at petrol stations across China, and FedEx had its logistics operations affected. Attacks had also been launched on the Russian interior ministry, which reported roughly 1,000 computers affected.

12 May - Independent infosec researcher flips 'kill switch' with domain registration

A 22-year-old independent infosec researcher going by the name MalwareTech discovered that, when running, the ransomware tries to connect to a strange and unregistered domain name. MalwareTech registered the domain and found that WannaCry stopped its installation process once it discovered the domain name had been registered. Of course, this temporary 'fix' only works for samples that check the particular domain name MalwareTech registered.
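The kill-switch behaviour described above also gives defenders a detection signal: any host that looks up the kill-switch domain is a host on which the worm has already run, and a lookup that failed (NXDOMAIN) means the worm would have carried on. The script below is an added example, not part of the original article; it assumes a placeholder domain name (the real one is not reproduced here) and a constructed, simplified DNS query log format, and it flags the affected hosts from sample log lines.

```python
import re
from collections import defaultdict

# Placeholder: the real kill-switch domain is deliberately not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS query log lines in a simplified resolver-log format
# (timestamp, client, queried name, record type, response code).
SAMPLE_DNS_LOG = """\
12-May-2017 12:31:02.114 client 10.0.5.17#49152: query: killswitch-domain.example IN A NOERROR
12-May-2017 12:31:02.120 client 10.0.5.17#49153: query: update.microsoft.com IN A NOERROR
12-May-2017 12:33:45.901 client 10.0.7.42#50001: query: killswitch-domain.example IN A NXDOMAIN
12-May-2017 12:34:10.332 client 10.0.5.17#49160: query: killswitch-domain.example IN A NOERROR
12-May-2017 12:40:00.001 client 10.0.9.3#51000: query: intranet.local IN A NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<rcode>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_killswitch_hits(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"queries": n, "halted": bool}} for every host that
    looked up the kill-switch domain. halted=True means at least one lookup
    resolved (NOERROR), so the worm found the domain registered and exited;
    a host with only NXDOMAIN answers failed the check and the worm proceeded."""
    hits = defaultdict(lambda: {"queries": 0, "halted": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["name"].lower().rstrip(".") != domain:
            continue
        entry = hits[rec["ip"]]
        entry["queries"] += 1
        if rec["rcode"] == "NOERROR":
            entry["halted"] = True
    return dict(hits)

def hosts_to_isolate(hits):
    """Hosts where the kill-switch check never succeeded: treat these as live
    infections that may be encrypting files and scanning the network."""
    return sorted(ip for ip, info in hits.items() if not info["halted"])

if __name__ == "__main__":
    hits = find_killswitch_hits(SAMPLE_DNS_LOG)
    print(hits)
    print("isolate first:", hosts_to_isolate(hits))
```

Every flagged host, halted or not, still needs cleaning and patching; the halted flag only prioritises response.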

12 May - Telefonica confirms compromise

Spain's CNI intelligence service reported that a slew of Spanish companies had suffered a ransomware attack targeting Windows systems. Telefonica confirmed that an incident affected some employees, and employees said they encountered a message demanding a bitcoin payment.

12 May - Auto makers halt production

Japanese car maker and Renault partner Nissan stopped production at its plant in Sunderland. "Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening," a spokesperson later said. "Our teams are working to resolve the issue." French automotive company Renault temporarily suspended its operations in sites across Europe to prevent the spread of WannaCry. A full list of sites was not provided but a plant in Sandouville had production halted.

12 May - Microsoft issues Windows XP update in unusual move

Although Microsoft had already patched the SMB vulnerability on supported systems when it became known, operating systems that were out of support, such as Windows XP, were left vulnerable. Microsoft took the unusual step of issuing a patch for XP to firefight the spread of WannaCry.

12 May - UK hospitals impacted, at least 40 NHS Trusts affected

An anonymous NHS worker told the Guardian that the attacks began at roughly 12.30pm as a result of a phishing email that seemed to have been sent to every NHS Trust in the country. GP surgeries across the country were cut off from the NHS network, leaving them unable to access patient records or prescriptions, and a hospital in Stevenage was reportedly turning A&E patients away to other hospitals.

12 May - first infections

According to the FT, the first instance of WannaCry emerged from a compressed zip file in an email attachment in Europe. Once set up on that machine, it used code repurposed from the NSA's EternalBlue exploit - which relied on a vulnerability in Microsoft's SMB file-sharing protocol - to discover the system's file-sharing arrangements, and began propagating itself across the local network and the internet.

Copyright © 2017 IDG Communications, Inc.