Kirthy Francis
Dublin City University
All content following this page was uploaded by Kirthy Francis on 21 February 2021.
The National Security Agency is assumed to have discovered and used this vulnerability in Windows more than 5 years before The Shadow Brokers leaked the exploits. Instead of disclosing the vulnerability, they created an exploit (ETERNALBLUE) that took advantage of it. Once the exploits were stolen and the National Security Agency realized the possible impact of the exploit, they notified Microsoft of the vulnerability, and Microsoft immediately released emergency patches in March 2017. Machines that installed the security patches were not affected by the WannaCry attack. However, a large portion of customers were not aware of the possible threat and did not patch their systems; in fact, unpatched systems still exist even now. Many critical systems of different organizations, such as the computers and medical equipment of the UK's National Health Service, were affected by this attack.
WannaCry is a ransomware worm that spread rapidly through computers running the Windows operating system. Ransomware is malware that encrypts a user's files and demands a ransom in cryptocurrency to unlock them. The WannaCry worm infects a computer by encrypting all the files on the hard drive, making it impossible for the user to open them. Instead, a message was displayed with a timer that gave users 3 days to pay a ransom of 300 US dollars' worth of Bitcoin to decrypt their files, after which the price would double to 600 US dollars; after 7 days the files would be lost forever. The messages contained three hardcoded Bitcoin wallets that were not traceable. Within a day the worm infected more than 230,000 computers in over 150 countries. Even though experts advised against paying the ransom, about 130,700 dollars had been transferred [4]. British researcher Marcus Hutchins discovered a kill-switch domain hardcoded in the malware. The ransomware first tried to connect to this domain, which did not exist; when it was unable to do so, it encrypted all the data on the machine. Hutchins registered the domain name mentioned in the ransomware and thereby helped blunt the attack. The US Department of Justice (DoJ) attributes the attack to a team of hacking experts based in North Korea. The main motive is assumed to be to collect funds for the Pyongyang campaign.
Even years after the WannaCry attack, the cryptoworm is still affecting victims, and some of them are still paying the ransom to retrieve their data, which is futile. The Bitcoin wallets to which the payments were directed are still active, and even though the payments are anonymous, the transactions can be viewed by the public. This shows that there are still systems that are not yet patched and remain vulnerable to WannaCry or similar ransomware attacks [5].
Primary Participants
▪ Microsoft
» Discovers the vulnerability
» Releases patches to remove the vulnerability
» Announces the vulnerability publicly
» Does not stress the importance of patching computers
Secondary Participants
▪ Equation Group
» Discovers the vulnerability in the Microsoft SMB protocol
» Creates the exploit (ETERNALBLUE)
Implied Participants
B. Reduced List
Since the Equation Group is a part of the National Security Agency, they belong to the same organization and can therefore be considered a single participant. The National Security Agency withheld the discovery of the Microsoft vulnerability and even created an exploit, which was later stolen. This shows a lack of professionalism and of security measures.
Microsoft released a patch as soon as they were informed of the vulnerability and encouraged the public to patch their systems as soon as possible. Hence, they did not really play a role in the ransomware attack and can be ruled out.
Marcus Hutchins found a kill switch and helped reduce the impact of the worldwide ransomware attack. Since he helped limit the attack, he can be excluded as well.
The Shadow Brokers do not really play a part in the actual cyberattack: they only stole the weapons and published them, and have no direct role in WannaCry.
C. Legal Considerations
Several federal laws concerning hacking already exist, such as those in the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA) and the Defend Trade Secrets Act (DTSA). These laws prohibit unauthorized access to networks, cloud storage, private servers and individual computer systems.
Even the possession of ransomware is illegal, and the Senate passed a ransomware law [6] that requires the Department of Homeland Security (DHS) to advise organizations on how to protect their critical systems against attacks and to provide technical support in the case of an incident. This law was passed after the impact of WannaCry.
In 2017, the Protecting Our Ability to Counter Hacking Act of 2017 (the PATCH Act of 2017) bill was introduced, which required the National Security Agency to justify all its hacking tools, as it possesses many potent cyberweapons [7].
F. Key Statements
“.. one of the most widespread and devastating ransomware attacks ..”
“.. The National Security Agency is assumed to have discovered and used this vulnerability in
Windows more than 5 years before The Shadow Brokers leaked the exploits ..”
“.. created an exploit (ETERNALBLUE) which used the vulnerability ..”
“.. National Security Agency realized the possible impact of the exploit, they notified Microsoft of
the vulnerability, who immediately released emergency patches in March of 2017 ..”
“.. Machines that installed the security patches were not affected by the WannaCry attack ..”
“.. a large portion of the customers were not aware of the possible threat and did not patch their
systems ..”
“.. infects the computers by encrypting all the files on the Hard drive and making it impossible for
users to open the files ..”
“.. Even years after the WannaCry attack, the cryptoworm is still affecting victims ..”
“.. there are still systems which are not yet patched and vulnerable to the WannaCry or similar
ransomware attacks ..”
G. Questions Raised
How secure was the National Security Agency, if The Shadow Brokers could hack into it and steal high-profile exploits?
Why did the National Security Agency 'hoard' the vulnerabilities and not inform Microsoft so that Microsoft could take the necessary precautions?
How ethical is the possession of potent cyberweapons by the National Security Agency?
Why were customers not made aware of the importance of patching their systems?
Why did customers not patch their computers, leaving them vulnerable?
H. Analogies Employed
Analogous ransomware attacks have had devastating effects. In 2016, variants of Petya surfaced; following the WannaCry attack, Petya was repurposed using the ETERNALBLUE exploit, giving rise to NotPetya. Bad Rabbit was another attack closely related to the Petya/NotPetya malware. Stuxnet is another malicious computer worm, which attacked computers running Siemens software. The tools leaked by The Shadow Brokers remain a threat even to the present day [5,8].
1.1 Contribute to society and to human well-being, acknowledging that all people are
stakeholders in computing.
1.2 Avoid harm.
1.6 Respect privacy.
2.5 Give comprehensive and thorough evaluations of computer systems and their impacts,
including analysis of possible risks.
2.7 Foster public awareness and understanding of computing, related technologies, and their
consequences.
3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues
related to work projects.
3.12. Work to develop software and related documents that respect the privacy of those who will
be affected by that software.
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in
ways properly authorized.
J. Alternative Proposals
• Pessimistic: The National Security Agency should have disclosed the vulnerability as soon as they discovered it instead of stashing it and creating exploits. They should also have implemented stronger security measures to fend off any hacking attempts; for such an established organization, security was lacking. Microsoft released patches as soon as they were informed of the vulnerability.
• Optimistic: This incident raised awareness of how important it is for customers to keep critical systems up to date whenever patches are made available. Had the Windows security patches been installed promptly, the attack could have been almost entirely avoided.
• Compromise: When the National Security Agency realized the exploit for the Windows vulnerability had been stolen, they informed Microsoft about the possibility of an attack so that Microsoft could release patches to close the vulnerability.
IV. CONCLUSION
The WannaCry ransomware was one of the most disastrous ransomware attacks the world has ever seen. The tools leaked by The Shadow Brokers remain a threat even today, and were used in many cyber-attacks following WannaCry. The National Security Agency has been widely criticized for not informing Microsoft about the vulnerability and for not emphasizing strongly enough the importance of installing the patches. This incident serves as a reminder to all users of any software to keep their critical systems updated and secure in order to prevent possible attacks.
V. REFERENCES
[1] Jenni Ryall, "Edward Snowden: Equation Group hack is a warning from Russia to the U.S.", Mashable. Available: https://mashable.com/2016/08/18/equation-group-shadow-brokers-hack-snowden/?europe=true [Accessed: Nov 9, 2019]
[2] Imarc, "What is the EquationGroup & who are the Shadow Brokers?", SecurityScorecard. Available: https://securityscorecard.com/blog/what-is-equation-group-shadow-brokers [Accessed: Nov 13, 2019]
[5] Danny Palmer, "WannaCry ransomware is still infecting PCs - and some victims are still trying to pay the ransom", ZDNet. Available: https://www.zdnet.com/article/wannacry-ransomware-is-still-infecting-pcs-and-some-victims-are-still-trying-to-pay-the-ransom/ [Accessed: Nov 12, 2019]
[7] Colin Lecher, "After WannaCry, a new bill would force the NSA to justify its hacking tools", The Verge. Available: https://www.theverge.com/2017/5/17/15647508/wannacry-ransomeware-microsoft-nsa-patch-act-hacking [Accessed: Nov 13, 2019]
[8] Zack Whittaker, "Two years after WannaCry, a million computers remain at risk", TechCrunch. Available: https://techcrunch.com/2019/05/12/wannacry-two-years-on/ [Accessed: Nov 9, 2019]