<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1018517621595528&amp;ev=PageView&amp;noscript=1">
Stats & Trends
Jonathan Crowe
May 2017

WannaCry Ransomware Statistics: The Numbers Behind the Outbreak

wannacry-infection-map-nytimes.png

Map tracking the spread of WannaCry. Source: The New York Times

See the stats that explain the full reach and impact of the WannaCry ransomware outbreak — including how many devices were infected and how many are still vulnerable.

 

More than 400,000 machines infected

Tweet this stat

Source: MalawareTech

The infections started early in the morning on Friday, May 12. Two of the first prominent victims were the UK's National Health Service (NHS) and Telefónica, the largest telecom company in Spain. The outbreak quickly spread across Europe and the rest of the world. By late Friday evening, it had taken root in 150 countries, including the United States (where shipping giant FedEx was infected) and China (where a large concentration of computers running unlicensed or outdated versions of Windows resulted in the country being one of the hardest hit). 

98% percent of victims were using Windows 7

Tweet this stat

WannaCry-statistics-Windows7.png

Windows versions infected by WannaCry / Kaspersky

To infect victims, WannaCry utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017. 

ETERNALBLUE targets a vulnerability in server message block (SMB) protocol (used primarily for providing shared access to files, printers, and serial ports, etc.) that was specifically addressed by critical Microsoft update MS17-010. 

Analysis of the WannaCry attacks has revealed nearly all of the machines infected were running an outdated OS (Windows 7) that hadn't been patched and had port 445 open, exposing SMB to the Internet. 

Only 0.07% of victims have paid

Tweet this stat

Despite the extent of the outbreak, when it comes to converting infections into Bitcoins, the attackers have mostly struck out. By tracking the Bitcoin wallets associated with the accounts, you can actually see exactly how many victims have paid (314 as of Friday, May 26) and how much the outbreak has netted them (slightly over $120,000).

That's not an insignificant sum considering the lack of effort that went into launching the attack, but it's paltry when you factor in over 400,000 machines were infected and the potential haul for the attackers was $300 for each one.

Even if more victims had chosen to pay, however, analysis of WannaCry indicates there's no way the attackers would've been able to handle the volume. The ransomware was designed for payments and decryption key transfers to be processed manually. That suggests the attackers may not have expected the ransomware to have anywhere close to the reach it did. 

If they did harbor any hope for a bigger payday it was further sunk when decryption tools for WannaCry were released on May 17 and May 18

WannaCry had initially been discovered 91 days prior to the outbreak

Tweet this stat

As far as ransomware variants go, there actually isn't anything particularly special about WannaCry (aka Wcry, WanaCrypt0r, WannaDecrypt0r, etc.). Aside from the fact that it infected more than 400,000 machines, of course. 

It may be a household name now, but prior to the oubreak a previous verison of WannaCry had unsuccessfully lurked around since February without gaining much notice or traction. 

But that's actually one of the things that makes this outbreak so troubling. 

The criminals behind WannaCry were able to string together an amateurish piece of ransomware, an NSA-developed exploit made available to anyone inclined to use it (thanks to the Shadow Brokers leak), an easy-to-use framework for deploying that exploit (also included in the leak), and a simple worm component to launch the biggest ransomware outbreak in history.

This wasn't the work of criminal masterminds. It wasn't even that sophisticated or advanced. And the damage it caused was still staggering.  

All the pieces were there for just about anyone with marginal technical knowledge and the right (read: wrong) inclination to launch this kind of attack (and they're still there for anyone inclined to launch copycat and follow-up attacks). 

What's also concerning is it's not as if there wasn't plenty of forewarning that something like this was coming...

The patch for the SMB vulnerability was available for 59 days prior to the attack

Tweet this stat

When news of the Shadow Brokers' leak of NSA exploits broke on April 14, 2017, researchers were surprised to learn that Microsoft had quietly released updates that rendered the majority of them ineffective exactly one month before, on March 14, 2017. 

That means organizations had nearly two months to apply patches that would have protected them from the WannaCry outbreak, and nearly one full month to do so after it became clear the exploits were now available for any criminal to readily use. 

That said, "keep all systems up to date with all patches promptly" isn't always realistic advice. In fact, research shows companies take an average of 100-120 days to patch vulnerabilities, and in many complex enterprise environments there can be some valid (and likely extremely frustrating for the security folks involved) reasons for that. 

With that number in mind, the risk for additional outbreaks is high, especially considering that...

ETERNALBLUE was one of 18 exploits leaked by the Shadow Brokers

Tweet this stat

The exploit used in the WannaCry attacks — ETERNALBLUE — was just one of the exploits included in the April 14, 2017 Shadow Brokers leak. There were 18 altogether (including other hacking tools), half of which also target SMB, and half of which are patched.   

The below list was originally published at Bleeping Computer:

  1. EASYBEE appears to be an MDaemon email server vulnerability [source, source, source]
  2. EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet [source]
  3. EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2 [source, source]
  4. EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source, source]
  5. ETERNALROMANCE is a SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source, source]
  6. EDUCATEDSCHOLAR is a SMB exploit [source, source]
  7. EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 [source, source]
  8. EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source, source]
  9. ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users [source, source]
  10. ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003 [source, source]
  11. ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source, source]
  12. ETERNALBLUE is a SMBv1 and SMBv2 exploit [source]
  13. ETERNALCHAMPION is a SMBv1 exploit [source]
  14. ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source, source]
  15. ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 and Windows XP [source, source]
  16. ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source, source]
  17. EXPANDINGPULLEY is another Windows implant [source]
  18. ETRE is an exploit for IMail 8.10 to 8.22 [source]
The leak also contained the following hacking tools:
  1. FUZZBUNCH is an exploit framework, similar to MetaSploit [source, source], which was also part of the December-January "Windows Tools" Shadow Brokers auction [source]
  2. DOUBLEPULSAR is a RING-0 multi-version kernel mode payload [source]
  3. PASSFREELY is a tool that bypasses authentication for Oracle servers [source]
  4. ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later [source, source], also not detected by any AV vendors [source]
  5. GROK is a keylogger for Windows, also known about since Snowden [source]

Thanks to WannaCry, the cat is now out of the bag on just how effective utilizing these exploits can be. To make matters worse, Shadow Brokers have announced they'll be launching an "exploit of the month" subscription service where they release new batches of exploits starting in June.  

Over 1 million computers have port 445 open

Tweet this stat

exposed-smb-port-445-geography.png

Machines with exposed SMB by geography / Rapid7

With WannaCry and now potentially a slew of follow-up attacks all targeting SMB vulnerabilities, the one thing you don't want to do is expose SMB to the Internet by leaving port 445 open. 

Unfortunately, according to research from Rapid7, there are over 1 million internet-connected devices currently making that mistake. Of those, over 800,000 are running Windows, and a large chunk are vulnerable versions.

exposed-smb-port-455-by-os-sized.png

Machines with exposed SMB by geography / Rapid7

 

Where to go from here

With attackers racing to utilize these exploits while the exploiting is still good, patching is an obvious first step. But as new exploits are released and attackers find new holes to poke through, organizations need to ensure all machines are running endpoint security designed to hold up against a wide variety of malware and zero-day threats 

To find out how Barkly is helping organizations do that, see our Complete Guide to Runtime Malware Defense.

See how Barkly stopped WannaCry automatically without the need for any updates in the video below:

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.

blocks-attack-grey-circle.svg

2017 Malware Trends in Review

How attacks are evolving and what to expect next.

Get my report

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.