Dec 19, 2017 5:45 AM PT

North Korea to blame for WannaCry, Trump administration says

Homeland security advisor Thomas P. Bossert says the administration's conclusion is evidence-based


On Monday evening, the Trump administration blamed North Korea for the WannaCry ransomware attacks back in May.

Homeland security advisor Thomas P. Bossert published the administration's conclusions in an op-ed for the Wall Street Journal. Those remarks follow similar claims made by the National Security Agency in June and by the British government in October.

"…after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea," Bossert wrote in the Wall Street Journal.

"The consequences and repercussions of WannaCry were beyond economic. The malicious software hit computers in the U.K.’s health-care sector particularly hard, compromising systems that perform critical work. These disruptions put lives at risk."

The attacks started on May 12. When all was said and done, WannaCry impacted more than 230,000 computers across 150 countries.

Moving away from the political ramifications of WannaCry, the nasty truth exposed is that such an attack could have been prevented. However, because some organizations were forbidden at the time from making changes to equipment (retail, medical), or failed to properly address known issues because of oversight or reliance on legacy systems (large enterprise), the necessary patches were missing or unavailable.

As previously reported on Salted Hash, WannaCry targeted a vulnerability in the SMB protocol, and leveraged an exploit stolen from the NSA (ETERNALBLUE) to do so. In addition, WannaCry also installed another NSA tool, DoublePulsar, leaving infected systems open to remote attack.

To give a brief example of its reach, WannaCry found its way onto systems at the National Health Service (UK), Nissan (UK), Telefonica (Spain), FedEx (US), Russia's Interior Ministry, radiology equipment across the US, and ATMs across China.

As luck would have it, a researcher (MalwareTech) discovered the hard-coded domain that prevents WannaCry from spreading. Registering it essentially killed WannaCry within 24 hours, but victims had already started paying the ransom demands ($300 to $600, payable in Bitcoin). Those that paid never got their files back.
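The kill switch described above works because the worm checks whether a hard-coded domain resolves before it spreads, and stops if it does. The following Python is an added defender-side model of that gate and of the detection it enables; it is not code from the article, from MalwareTech, or from the malware. The domain name is a placeholder (the article does not name it), the resolver is injected so the model runs offline, and the DNS query log lines are constructed samples in a BIND-style format. The detection part shows why the sinkhole mattered for more than just halting propagation: a lookup of the domain in DNS logs identifies hosts that executed the payload even though the sinkhole then stopped them spreading. The model also makes the known caveat visible: a host whose lookup fails for reasons other than the domain being unregistered (for example, no direct outbound resolution) is not protected by the kill switch.

```python
import re
from typing import Callable, Iterable, Optional, Set

# Placeholder: the actual kill-switch domain is not named in the article.
KILL_SWITCH_DOMAIN = "killswitch.example"


def should_halt(resolve: Callable[[str], Optional[str]],
                domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the worm's propagation gate: halt only if the domain resolves.

    `resolve` is injected (a function name -> address or None) so the model
    runs offline. A lookup failure (OSError) is treated the same as an
    unregistered domain, which is why registering the domain as a sinkhole
    stopped the spread, and why a host whose lookups fail for other reasons
    keeps propagating.
    """
    try:
        return resolve(domain) is not None
    except OSError:
        return False


def sinkhole_resolver(name: str) -> Optional[str]:
    """Simulated resolver after the domain was registered (constructed address)."""
    return "203.0.113.7" if name == KILL_SWITCH_DOMAIN else None


def unregistered_resolver(name: str) -> Optional[str]:
    """Simulated resolver before registration: the name does not exist."""
    return None


def unreachable_resolver(name: str) -> Optional[str]:
    """Simulated host with no outbound DNS at all: every lookup errors out."""
    raise OSError("network unreachable")


# Constructed BIND-style query log line format:
# 12-May-2017 10:02:11.123 client 10.0.0.5#51234: query: killswitch.example IN A + (10.0.0.1)
_QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def hosts_querying(log_lines: Iterable[str],
                   domain: str = KILL_SWITCH_DOMAIN) -> Set[str]:
    """Return the client IPs that looked up the kill-switch domain.

    The lookup happens before any propagation attempt, so a hit in DNS logs is
    a strong indicator that the host ran the payload, whether or not the
    sinkhole then stopped it from spreading further.
    """
    hits: Set[str] = set()
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and m.group("qname").rstrip(".").lower() == domain.lower():
            hits.add(m.group("ip"))
    return hits


# Constructed sample log: two hosts query the placeholder domain, one does not.
SAMPLE_LOG = [
    "12-May-2017 10:02:11.123 client 10.0.0.5#51234: query: killswitch.example IN A + (10.0.0.1)",
    "12-May-2017 10:02:12.004 client 10.0.0.8#40211: query: www.example.org IN A + (10.0.0.1)",
    "12-May-2017 10:02:15.877 client 10.0.0.9#52001: query: killswitch.example. IN A + (10.0.0.1)",
]


if __name__ == "__main__":
    print("halts with sinkhole registered:", should_halt(sinkhole_resolver))
    print("halts before registration:", should_halt(unregistered_resolver))
    print("halts with no outbound DNS:", should_halt(unreachable_resolver))
    print("hosts that looked up the domain:", sorted(hosts_querying(SAMPLE_LOG)))
```

In practice the same log scan runs over DNS server or proxy logs for the real domain, and any host on the resulting list is treated as having executed the worm, regardless of whether its propagation was halted.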

The money sat in three Bitcoin wallets until August, when the funds were transferred out. At current exchange rates, the total ransom paid by WannaCry victims is worth about $946,000 USD.

"Stopping malicious behavior like this starts with accountability. It also requires governments and businesses to cooperate to mitigate cyber risk and increase the cost to hackers. The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet," Bossert wrote.

For additional details on WannaCry, Amanda Rousseau (Malware Unicorn) published a thorough write-up on the technical aspects. Also, various people contributed to a fact sheet on GitHub.

Update: A Homeland Security briefing on WannaCry is available on C-Span.