WannaCry infected more systems globally than initially reported

Register now

The number of computer systems compromised by the global WannaCry ransomware attack last month was grossly underestimated, a cybersecurity expert told members of Congress on Thursday.

The malware, which hit computer systems worldwide, including those of the National Health Service in the United Kingdom, is now believed to have infected five to 10 times as many systems as previously suggested.

“Based on the velocity of the attack, estimated by sampling data we collected from our infrastructure currently blocking the attack, we believe that anywhere between 1 million to 2 million systems may have been affected in the hours prior to activating the kill switch, contrary to the widely reported—and more conservative—estimate of 200,000 systems,” testified Salim Neino, CEO of vendor Kryptos Logic, at a joint hearing of the House Oversight and Research and Technology subcommittees.

WannaCry started appearing in Europe and Asia on May 12 and quickly spread to the rest of the globe. Neino credits an employee of Kryptos Logic in the U.K. with stopping the fast-propagating worm attack by registering a domain associated with the malware.

“While investigating the code of WannaCry, we identified what looked like an anti-detection mechanism, which tested for the existence of a certain random-looking domain name,” Neino told lawmakers. “Our team proceeded to register the domain associated to this mechanism and directed it to one of the ‘sinkholes’ controlled by and hosted on the Kryptos Logic network infrastructure. We then noticed and confirmed that the propagation of the WannaCry attack had come to a standstill because of what we refer to as its ‘kill switch’ having been activated by our domain registration.”

Now, more than a month after registering that domain, Kryptos Logic has mitigated more than 60 million WannaCry infection attempts worldwide, with about 7 million of those from the U.S. The vendor estimates that those infections could have impacted 10 million to 15 million unique systems had they not been stopped Neino contended.

“The largest attack we thwarted and measured to date from WannaCry was not on May 12 or 13, when the attack started, but began suddenly on June 8 and 9 on a well-funded hospital in the east coast of the United States,” Neino added. “Another hospital was also hit on May 30 in another part of the country.”

Neino did not identify either system in his remarks. His testimony matches information contained in a Department of Health and Human Services alert issued in early June notifying the healthcare industry that the agency was aware of two large multi-state hospitals systems that were “continuing to face significant challenges to operations because of the WannaCry malware.”

Also See: HHS issues warning for vigilance on WannaCry ransomware

Although WannaCry disrupted hospitals, telecommunications companies and other organizations globally, the U.S. infection rate was lower than that experienced in many parts of the world, and no federal agencies were affected.

“While WannaCry failed to compromise federal government systems, it is almost certain that outcome was due in part to a measure of chance,” said Lamar Smith (R-Texas), chairman of the House Science, Space and Technology Committee, during Thursday’s hearing.

“Rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. This is particularly true since many cyber experts predict that we will experience an attack similar to WannaCry that is more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction,” Smith says.

Since the initial WannaCry attack last month, cybercriminals have targeted Kryptos Logic in an effort to disrupt its operations, according to Neino. He said the company has “been under constant attack by unidentified attackers attempting to knock our systems offline, thus disabling the kill switch and further propagating the attack.” However, so far, they have been unsuccessful.

WannaCry has been linked to the so-called Lazarus group that is affiliated with North Korea and is responsible for, among other cyber attacks, the 2014 Sony Pictures hack and the 2016 theft of $81 million from the Bangladesh Central Bank, according to Symantec CTO Hugh Thompson.

“WannaCry was unique and dangerous because of how quickly it spread,” testified Thompson. “It was the first ransomware-as-a-worm that had such a rapid global impact. Once on a system, it propagated autonomously by exploiting a vulnerability in Microsoft Windows.”

However, Gregory Touhill, former U.S. Chief Information Security Officer, described WannaCry as a “slow-pitch softball,” but warned that the next attack is likely to be a “high and tight fastball.” Touhill said the creators of Wannacry “overtly placed a kill-switch instruction set in the program’s code,” which a Kryptos Logic security researcher discovered and implemented quickly to interrupt the attack.

“Next time, I do not believe we will be so lucky,” he concluded. “We need to step up our game and take immediate actions across both the public and private sectors to better manage our cyber risk before the really fast pitches come flying into our networks.”

Thompson agreed that WannaCry was stopped before it could cause major damage, particularly in the U.S., which was the result of “good fortune” in minimizing the impact of the malware as much as anything else. “But, we will not always have luck on our side.”

For reprint and licensing requests for this article, click here.