See the stats that explain the full reach and impact of the WannaCry ransomware outbreak — including how many devices were infected and how many are still vulnerable.
More than 400,000 machines infected
The infections started early in the morning on Friday, May 12. Two of the first prominent victims were the UK's National Health Service (NHS) and Telefónica, the largest telecom company in Spain. The outbreak quickly spread across Europe and the rest of the world. By late Friday evening, it had taken root in 150 countries, including the United States (where shipping giant FedEx was infected) and China (where a large concentration of computers running unlicensed or outdated versions of Windows resulted in the country being one of the hardest hit).
Windows versions infected by WannaCry / Kaspersky
To infect victims, WannaCry utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017.
ETERNALBLUE targets a vulnerability in server message block (SMB) protocol (used primarily for providing shared access to files, printers, and serial ports, etc.) that was specifically addressed by critical Microsoft update MS17-010.
Analysis of the WannaCry attacks has revealed nearly all of the machines infected were running an outdated OS (Windows 7) that hadn't been patched and had port 445 open, exposing SMB to the Internet.
Status of WannaCry wallets:
49.96959529 BTC ($120,055.58)
314 payments, 0 withdrawals
2017-05-25 at 08:59 AM ET
— actual ransom (@actual_ransom) May 26, 2017
Despite the extent of the outbreak, when it comes to converting infections into Bitcoins, the attackers have mostly struck out. By tracking the Bitcoin wallets associated with the accounts, you can actually see exactly how many victims have paid (314 as of Friday, May 26) and how much the outbreak has netted them (slightly over $120,000).
That's not an insignificant sum considering the lack of effort that went into launching the attack, but it's paltry when you factor in that over 400,000 machines were infected and the potential haul for the attackers was $300 for each one.
Even if more victims had chosen to pay, however, analysis of WannaCry indicates there's no way the attackers would've been able to handle the volume. The ransomware was designed for payments and decryption key transfers to be processed manually. That suggests the attackers may not have expected the ransomware to have anywhere close to the reach it did.
If they did harbor any hope for a bigger payday, it was further sunk when decryption tools for WannaCry were released on May 17 and May 18.
As far as ransomware variants go, there actually isn't anything particularly special about WannaCry (aka Wcry, WanaCrypt0r, WannaDecrypt0r, etc.). Aside from the fact that it infected more than 400,000 machines, of course.
It may be a household name now, but prior to the outbreak a previous version of WannaCry had unsuccessfully lurked around since February without gaining much notice or traction.
But that's actually one of the things that makes this outbreak so troubling.
The criminals behind WannaCry were able to string together an amateurish piece of ransomware, an NSA-developed exploit made available to anyone inclined to use it (thanks to the Shadow Brokers leak), an easy-to-use framework for deploying that exploit (also included in the leak), and a simple worm component to launch the biggest ransomware outbreak in history.
This wasn't the work of criminal masterminds. It wasn't even that sophisticated or advanced. And the damage it caused was still staggering.
All the pieces were there for just about anyone with marginal technical knowledge and the right (read: wrong) inclination to launch this kind of attack (and they're still there for anyone inclined to launch copycat and follow-up attacks).
What's also concerning is it's not as if there wasn't plenty of forewarning that something like this was coming...
When news of the Shadow Brokers' leak of NSA exploits broke on April 14, 2017, researchers were surprised to learn that Microsoft had quietly released updates that rendered the majority of them ineffective exactly one month before, on March 14, 2017.
That means organizations had nearly two months to apply patches that would have protected them from the WannaCry outbreak, and nearly one full month to do so after it became clear the exploits were now available for any criminal to readily use.
That said, "keep all systems up to date with all patches promptly" isn't always realistic advice. In fact, research shows companies take an average of 100-120 days to patch vulnerabilities, and in many complex enterprise environments there can be some valid (and likely extremely frustrating for the security folks involved) reasons for that.
With that number in mind, the risk for additional outbreaks is high, especially considering that...
This is really bad, in about an hour or so any attacker can download a simple toolkit to hack into Microsoft based computers around the globe. — Hacker Fantastic (@hackerfantastic) April 14, 2017
The exploit used in the WannaCry attacks — ETERNALBLUE — was just one of the exploits included in the April 14, 2017 Shadow Brokers leak. There were 18 altogether (including other hacking tools), half of which also target SMB, and half of which are patched.
The below list was originally published at Bleeping Computer:
Thanks to WannaCry, the cat is now out of the bag on just how effective utilizing these exploits can be. To make matters worse, Shadow Brokers have announced they'll be launching an "exploit of the month" subscription service where they release new batches of exploits starting in June.
Machines with exposed SMB by geography / Rapid7
With WannaCry and now potentially a slew of follow-up attacks all targeting SMB vulnerabilities, the one thing you don't want to do is expose SMB to the Internet by leaving port 445 open.
Unfortunately, according to research from Rapid7, there are over 1 million internet-connected devices currently making that mistake. Of those, over 800,000 are running Windows, and a large chunk are vulnerable versions.
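The three conditions the post keeps returning to (MS17-010 missing, SMBv1 enabled, SMB listening on TCP 445 where the Internet can reach it) can be audited on a single Windows host from PowerShell. This is an added example, not code from the original post or from Barkly; the KB list is mine, not the post's, and the function names are my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell 5.1
# session on Windows 8.1 / Server 2012 R2 or later.

# Security-only and monthly-rollup KBs that shipped MS17-010 (my list, not the
# post's). Confirm the right one for your OS build against the bulletin.
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012598','KB4012606',
              'KB4013198','KB4013429'

function Test-Ms17010Installed {
    # Caveat: later cumulative updates supersede MS17-010 without carrying its KB,
    # so "not found" means "investigate", not "confirmed vulnerable".
    $installed = (Get-HotFix).HotFixID
    $matched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Ms17010Found = ($matched.Count -gt 0); MatchedKBs = $matched }
}

function Get-SmbExposure {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # A listener bound to 0.0.0.0 or :: accepts SMB on every interface, so whether
    # port 445 is "exposed" then depends entirely on the firewalls in front of it.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled     = $smb1
        Port445Listen   = [bool]$listeners
        ListenAddresses = @($listeners.LocalAddress)
    }
}

function Block-InboundSmbFromInternet {
    # Host-firewall backstop: drop inbound TCP/445 from addresses Windows classifies
    # with the "Internet" keyword. Block rules take precedence over allow rules, so
    # LAN file sharing keeps working. An edge-firewall rule still belongs in front.
    $name = 'Block inbound SMB from Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Disable-Smb1Server {
    # The MS17-010 bugs are in SMBv1; turn it off unless a legacy device needs it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patch = Test-Ms17010Installed
$smb   = Get-SmbExposure
$patch, $smb | Format-List
if ($smb.Port445Listen -and -not $patch.Ms17010Found) {
    Write-Warning 'SMB is listening and no MS17-010 KB was found: patch, then restrict 445.'
    Block-InboundSmbFromInternet
}
```

Disable-Smb1Server is defined but not called, since some environments still have devices that depend on SMBv1; run it deliberately once you have checked.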
With attackers racing to utilize these exploits while the exploiting is still good, patching is an obvious first step. But as new exploits are released and attackers find new holes to poke through, organizations need to ensure all machines are running endpoint security designed to hold up against a wide variety of malware and zero-day threats.
To find out how Barkly is helping organizations do that, see our Complete Guide to Runtime Malware Defense.
See how Barkly stopped WannaCry automatically without the need for any updates in the video below: