WannaCry ransomware timeline: from the NSA to the NHS
The WannaCry ransomware wormed its way across Europe, into the UK, and across the world, wreaking havoc everywhere it went: shutting down doctors' surgeries in the UK, FedEx operations in America, payments for petrol stations in China, and a Renault factory in France.
1. WannaCry ransomware timeline - 12 May - first infections
According to the FT, the first instance of WannaCry emerged from a compressed zip file in an email attachment in Europe. Once set up on this machine, it mobilised code repurposed from the NSA's EternalBlue exploit - which used a vulnerability in Microsoft's SMB protocol - to understand the system's file sharing arrangements, and began propagating itself across the local network and online.
2. WannaCry ransomware timeline - 12 May - Telefonica confirms compromise
Spain's CNI intelligence service reported a slew of Spanish companies had suffered from a ransomware attack targeting Windows systems. Telefonica confirmed that an incident affected some employees, and employees said they encountered a message demanding a bitcoin payment.
3. WannaCry ransomware timeline - 12 May - UK hospitals impacted, at least 40 NHS Trusts affected
An anonymous NHS worker told the Guardian that the attacks began at roughly 12.30pm as a result of a phishing attack that seemed to have been sent to every NHS Trust in the country. GP surgeries across the country were cut off from the NHS network, leaving them unable to access patient records or prescriptions, and a hospital in Stevenage was reportedly turning A&E patients away to other hospitals.
4. WannaCry ransomware timeline - 12 May - Microsoft issues Windows XP update in unusual move
Although Microsoft had previously patched the SMB vulnerability when it was made known, outdated operating systems such as Windows XP were left vulnerable. Microsoft took the unusual step of patching XP to firefight the spread of WannaCry.
5. WannaCry ransomware timeline - 12 May - Independent infosec researcher flips 'kill switch' with domain registration
A 22-year-old independent infosec researcher going by the name MalwareTech discovered that when running, the ransomware tries to connect to a strange and unregistered domain name. MalwareTech registered the site and found WannaCry stopped the installation process when it discovered that the domain name had been registered. Of course, this temporary 'fix' only works with the domain name that was registered by MalwareTech.
6. WannaCry ransomware timeline - 12 May - Auto makers halt production
Japanese car maker and Renault partner Nissan stopped production at its plant in Sunderland. "Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening," a spokesperson later said. "Our teams are working to resolve the issue." French automotive company Renault temporarily suspended its operations in sites across Europe to prevent the spread of WannaCry. A full list of sites was not provided but a plant in Sandouville had production halted.
7. WannaCry ransomware timeline - 13 May - 75,000 systems infected
By Saturday 75,000 systems had been infected by WannaCry in 99 countries. According to Avast, most attacks took place in Ukraine, Russia and Taiwan. By now it had also caused disruption to the railways in Germany and payments systems at petrol stations across China, and FedEx had its logistics operations affected. Attacks had also been launched on the Russian interior ministry, which reported roughly 1,000 computers affected.
8. WannaCry ransomware timeline - 14 May - Europol chief says attack has claimed 200,000 victims in 150 countries
Describing the scale of WannaCry as "unprecedented", Europol's director Rob Wainwright warned that the WannaCry ransomware had reached 150 countries and hit at least 200,000 victims.
9. WannaCry ransomware timeline - 14 May - Microsoft General Counsel slams US 'stockpiling' of cyber weapons
In a statement on Microsoft's blog, general counsel Brad Smith said that WannaCry provides "yet another example of why the stockpiling of vulnerabilities by governments is such a problem".
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."
10. WannaCry ransomware timeline - 15 May - Jeremy Hunt breaks silence
Health secretary Jeremy Hunt appeared on Sky News to comment on the attacks after having been accused of hiding from the issue. He said: "According to our latest intelligence we have not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated so I think that is encouraging.
"But the message is very clear not just for organisations like the NHS but for private individuals for businesses."
11. WannaCry ransomware timeline - cybersecurity stocks jump
Finnish security company F-Secure saw its shares climb to a 16-year high, according to Citywire. Meanwhile, British security company Sophos performed well in the FTSE 250, which is believed to be the result of a rush to buy shares in cyber security companies following the attacks.
12. WannaCry ransomware timeline - 15 May - some researchers suggest North Korea involvement
Researchers discovered some lines of code that they believe could point toward North Korea, noting similarities with other attacks by the Lazarus Group - a hacking organisation believed to be operating from China but with links to North Korea. But Symantec researcher Eric Chien warned that at the moment it's only a "temporal link", and it would be possible to plant a kind of 'false-flag' code to mislead investigators.
13. WannaCry ransomware timeline - 16 May - ShadowBrokers promise more exploits to come
The ShadowBrokers, the group behind the original leak of EternalBlue developed by American spy agency the NSA, promised more leaks to come starting from June this year.
They likened it to a wine of the month club - and claimed they have access to tools that affect Windows 10, web browsers, and routers.
Since Friday a wave of ransomware attacks has swept the globe