WannaCry Ransomware Attack - An Ethical Overlook

Preprint · November 2019

Kirthy Francis
Dublin City University
I. INTRODUCTION
On Friday, the 12th of May 2017, the world faced the beginning of one of the most extensive
and disastrous ransomware attacks, one which remains a concern to the present day. The
WannaCry cryptoworm spread like wildfire, encrypting hundreds of thousands of computers in
more than 150 countries in a matter of hours. It was the first time that ransomware had such
far-reaching consequences in what looked like a coordinated cyberattack.

WannaCry is a ransomware worm that spread rapidly through computers running the Windows
operating system. It exploited a vulnerability in the Windows Server Message Block (SMB)
protocol to propagate itself to other systems. Once the program had transmitted itself to a
computer, it encrypted all the files on the machine's hard drive and demanded a ransom to
decrypt them. Many of the victims paid the ransom in the false hope of retrieving their data,
even though experts strongly advised against it. Experts said that paying the ransom would
encourage more such attacks, and that they had heard no reports of any victim successfully
getting their data decrypted.

The National Security Agency is assumed to have discovered and used this vulnerability in
Windows more than 5 years before The Shadow Brokers leaked the exploits. Instead of revealing
the vulnerability, they created an exploit (ETERNALBLUE) which used it. Once the exploits were
stolen and the National Security Agency realized the possible impact of the exploit, they notified
Microsoft of the vulnerability, which immediately released emergency patches in March 2017.
Machines that installed the security patches were not affected by the WannaCry attack. But a
large portion of customers were not aware of the possible threat and did not patch their systems.
In fact, unpatched systems still exist even now. Many critical systems of different organizations,
such as the computers and medical equipment of the UK's National Health Service, were affected
by this attack.

II. LITERATURE REVIEW

In August 2016, a hacking group calling themselves The Shadow Brokers announced to the world
the auction of malware code they had stolen from the Equation Group [1]. Equation Group is an
elite cyber-attack group, speculated to have ties to the National Security Agency, USA [2]. This
was the first of The Shadow Brokers' many leaks, the most damaging being the fifth and final
release, 'Lost in Translation' [3]. 'Lost in Translation' was released on April 14, 2017, through a
tweet with a link to the STEEM blockchain (STEEM is a social-media-powered network that
rewards users with cryptocurrency, also called STEEM, for contributing to the network). Among
the many exploits in 'Lost in Translation' was the ETERNALBLUE exploit, which was used in the
WannaCry ransomware attack. ETERNALBLUE exploits a vulnerability in the Microsoft Server
Message Block (SMB) protocol.

WannaCry is a ransomware worm that spread rapidly through computers running the Windows
operating system. Ransomware is malware that encrypts a user's files and demands a ransom in
cryptocurrency to unlock them. The WannaCry worm infected computers by encrypting all the
files on the hard drive, making it impossible for users to open them. Instead, a message was
displayed with a timer which gave users 3 days to pay a ransom of 300 US dollars' worth of
Bitcoin to decrypt their files, after which the price would double to 600 US dollars; after 7 days
the files would be lost forever. The messages contained three hardcoded Bitcoin wallets that
were not traceable. Within a day the worm had infected more than 230,000 computers in over
150 countries. Even though experts advised against paying the ransom, about 130,700 dollars
had been transferred [4]. British researcher Marcus Hutchins discovered a kill-switch domain
hardcoded in the malware. The ransomware first tried to connect to this domain, which did not
exist; when the connection failed, it encrypted all the data on the machine. Hutchins registered
the domain name mentioned in the ransomware and helped blunt the attack. The US Department
of Justice (DoJ) attributes the attack to a team of hacking experts based in North Korea. The
main motive is assumed to be collecting funds for the Pyongyang campaign.
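The kill-switch behaviour described above leaves a trace that defenders can use: a host that looks up the kill-switch domain has run the malware, and whether the lookup failed (NXDOMAIN, before the domain was registered) or succeeded (after registration) tells whether encryption went ahead or was halted. The following triage script is an added illustration, not part of this paper; it assumes a placeholder domain name (the paper does not name the real one) and a constructed resolver log format of "timestamp client qname rcode".

```python
"""Triage DNS resolver logs for hosts that queried the WannaCry kill-switch domain."""
from collections import defaultdict

# Placeholder: the real kill-switch domain is not named in this paper.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log, one query per line: "<timestamp> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:09Z 10.0.0.15 update.microsoft.com NOERROR
2017-05-12T15:44:20Z 10.0.0.27 killswitch-placeholder.example NOERROR
2017-05-12T15:44:21Z 10.0.0.27 KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
2017-05-12T16:02:00Z 10.0.0.31 intranet.example.org NOERROR
"""

VERDICT_ENCRYPTED = "likely encrypted: kill-switch lookup failed (NXDOMAIN)"
VERDICT_HALTED = "infected but halted by kill-switch: clean and patch"


def parse_line(line):
    """Split one log line; normalise the query name (case, trailing dot)."""
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "rcode": rcode}


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: verdict} for every host that queried the kill-switch domain.

    Any NXDOMAIN answer means the worm could not reach the domain and went on to
    encrypt; a host that only ever saw the domain resolve ran the malware but was
    stopped by the kill-switch. Both kinds of host still need remediation.
    """
    rcodes_by_client = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qname"] == domain:
            rcodes_by_client[rec["client"]].add(rec["rcode"])
    return {
        client: VERDICT_ENCRYPTED if "NXDOMAIN" in rcodes else VERDICT_HALTED
        for client, rcodes in rcodes_by_client.items()
    }


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```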

Even years after the WannaCry attack, the cryptoworm is still affecting victims, and some of
them are still paying the ransom to retrieve their data, which is futile. The Bitcoin wallets to
which payments were to be made are still active, and even though the payments are anonymous,
the transactions can be viewed by the public. This shows that there are still systems that are not
yet patched and remain vulnerable to WannaCry or similar ransomware attacks [5].

III. LIFFICKS ANALYSIS

A. List of participants and their actions

Primary Participants

▪ Microsoft
» Discovers the vulnerability
» Releases patches to remove the vulnerability
» Announces the vulnerability to the world
» Does not inform users of the importance of patching their computers

▪ National Security Agency (NSA)
» Informs Microsoft of the vulnerability when the exploit was stolen

▪ Marcus Hutchins
» Accidentally discovers the kill-switch for WannaCry
» Registers the domain used in WannaCry and helps decrease the damage

Secondary Participants

▪ The Shadow Brokers
» Hacks into Equation Group and steals malware code
» Auctions and makes the malware code public

▪ Equation Group
» Discovers the vulnerability in the Microsoft SMB protocol
» Creates the exploit (ETERNALBLUE)

Implied participants

▪ Infected computers (Primary Participant)
» Attempt to spread the ransomware cryptoworm to random computers on the internet.

B. Reduced List
Since Equation Group is a part of the National Security Agency, they come under the same
organization and can therefore be considered a single participant. The National Security Agency
withheld the discovery of the Microsoft vulnerability and even created an exploit, which was later
stolen. This shows a lack of professionalism and of security measures.
Microsoft released a patch as soon as they discovered the vulnerability and encouraged the
public to patch their systems as soon as possible. Hence, they did not really have a role in the
ransomware attack and can be ruled out.
Marcus Hutchins found a kill switch and helped decrease the impact of the worldwide
ransomware attack. He reduced the damage and can be ruled out.
The Shadow Brokers do not really play a part in the actual cyberattack; they only stole the
weapons and published them, and have no direct role in WannaCry.

C. Legal Considerations
Several federal laws concerning hacking already exist, such as the Computer Fraud and Abuse
Act (CFAA), the Stored Communications Act (SCA), the Electronic Communications Privacy Act
(ECPA) and the Defend Trade Secrets Act (DTSA). These laws prohibit unauthorized access to
networks, cloud storage, and private servers or individual computer systems.
Even the possession of ransomware is illegal, and the Senate passed a ransomware law [6]
which requires the Department of Homeland Security (DHS) to advise organizations on how to
protect their critical systems against attacks and to provide technical support in the case of an
incident. This law was passed after the impact of WannaCry.
In 2017, the Protecting Our Ability to Counter Hacking Act of 2017 (or the PATCH Act of 2017)
bill was introduced, which would require the National Security Agency to justify all its hacking
tools, as it possesses many potent cyberweapons [7].

D. Possible Options for Participants:

The National Security Agency had the responsibility to inform Microsoft about the Server
Message Block (SMB) vulnerability as soon as they discovered it. Instead, they developed the
ETERNALBLUE exploit, which exploits the vulnerability. Later, The Shadow Brokers hacked into
Equation Group and made the exploit public. The Equation Group failed to keep their data secure,
which resulted in The Shadow Brokers hacking their systems.
Microsoft found the vulnerability and released patches as soon as they sensed the threat.
The National Security Agency should have stressed the importance of installing the patches to
the general public, which could have prevented almost all the effects of the cryptoworm.
Customers could have installed the patches and avoided the attack on their computers.
Organizations had the responsibility to update their critical systems.

E. Possible Justification for the Participants' Actions:

In the case of the National Security Agency, they might need to develop and use such volatile
tools to combat cybercrime tools developed by other parties. Also, the NSA did not expect to be
hacked and have the tools stolen. After the leak of the tools, the NSA alerted Microsoft and
expected customers to download and install the patch, relying on them to keep their computers
up to date.
Customers did not expect to be attacked and so did not install the patches.

F. Key Statements:
“.. one of the most widespread and devastating ransomware attacks ..”
“.. The National Security Agency is assumed to have discovered and used this vulnerability in
Windows more than 5 years before The Shadow Brokers leaked the exploits ..”
“.. created an exploit (ETERNALBLUE) which used the vulnerability ..”
“.. National Security Agency realized the possible impact of the exploit, they notified Microsoft of
the vulnerability, who immediately released emergency patches in March of 2017 ..”
“.. Machines that installed the security patches were not affected by the WannaCry attack ..”
“.. a large portion of the customers were not aware of the possible threat and did not patch their
systems ..”
“.. infects the computers by encrypting all the files on the Hard drive and making it impossible for
users to open the files ..”
“.. Even years after the WannaCry attack, the cryptoworm is still affecting victims ..”
“.. there are still systems which are not yet patched and vulnerable to the WannaCry or similar
ransomware attacks ..”

G. Questions Raised:
How secure was the National Security Agency, if The Shadow Brokers could hack into it and
steal high-profile exploits?
Why did the National Security Agency 'hoard' the vulnerabilities and not inform Microsoft, so
that Microsoft could take the necessary precautions?
How ethical is the possession of potent cyberweapons by the National Security Agency?
Why were customers not made aware of the importance of patching their systems?
Why did customers not patch their computers, leaving them vulnerable?

H. Analogies Employed
Analogous ransomware attacks have had devastating effects. In 2016, variants of Petya surfaced
which, following the WannaCry attack, were repurposed using the ETERNALBLUE exploit to give
rise to NotPetya. Bad Rabbit was another attack closely related to the Petya/NotPetya malware.
Stuxnet is another malicious computer worm, one that attacked computers running Siemens
software. The tools leaked by The Shadow Brokers remain a threat even to the present day [5,8].

I. Code of Ethics Utilized:

The following principles from the ACM codes of ethics, among many others, apply to this case
study.

1.1 Contribute to society and to human well-being, acknowledging that all people are
stakeholders in computing.
1.2 Avoid harm.
1.6 Respect privacy.
2.5 Give comprehensive and thorough evaluations of computer systems and their impacts,
including analysis of possible risks.
2.7 Foster public awareness and understanding of computing, related technologies, and their
consequences.
3.03 Identify, define and address ethical, economic, cultural, legal and environmental issues
related to work projects.
3.12 Work to develop software and related documents that respect the privacy of those who will
be affected by that software.
3.13 Be careful to use only accurate data derived by ethical and lawful means, and use it only in
ways properly authorized.

J. Alternative Proposals:
• Pessimistic: The National Security Agency should have disclosed the vulnerability as soon as
they discovered it instead of stashing it and creating exploits. They should also have
implemented stronger security measures to fend off any hacking attempts; for such an
established organization, security was lacking. Microsoft released patches as soon as they
were informed of the vulnerability.

• Optimistic: This incident raised awareness of how important it is for customers to keep
critical systems up to date whenever patches are made available. Had the Windows security
patches been installed in time, the attack could have been almost entirely avoided.

• Compromise: When the National Security Agency realized the Windows vulnerability had
been stolen, they informed Microsoft about the possibility of an attack so that Microsoft
could release patches to remove the vulnerability.

IV. CONCLUSION:
The WannaCry ransomware was one of the most disastrous ransomware attacks the world has
ever seen. The tools leaked by The Shadow Brokers remain a threat even today, and were used
in many cyber-attacks following WannaCry. The National Security Agency has been widely
criticized for not informing Microsoft about the vulnerability and for not emphasizing enough
the importance of installing the patches. This incident serves as a reminder for all users of any
software to keep their critical systems updated and secure in order to prevent possible attacks.

V. REFERENCES:

[1] Jenni Ryall, "Edward Snowden: Equation Group hack is a warning from Russia to the U.S.",
Available: mashable, https://mashable.com/2016/08/18/equation-group-shadow-brokers-hack-snowden/?europe=true
[Accessed: Nov 9, 2019]

[2] Imarc, "What is the EquationGroup & who are the Shadow Brokers?", Available:
securityscorecard, https://securityscorecard.com/blog/what-is-equation-group-shadow-brokers
[Accessed: Nov 13, 2019]

[3] Wikipedia, "The Shadow Brokers", Available: Wikipedia,
https://en.wikipedia.org/wiki/The_Shadow_Brokers [Accessed: Nov 9, 2019]

[4] Wikipedia, "WannaCry ransomware attack", Available: Wikipedia,
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack [Accessed: Nov 9, 2019]

[5] Danny Palmer, "WannaCry ransomware is still infecting PCs - and some victims are still trying
to pay the ransom", Available: zdnet,
https://www.zdnet.com/article/wannacry-ransomware-is-still-infecting-pcs-and-some-victims-are-still-trying-to-pay-the-ransom/
[Accessed: Nov 12, 2019]

[6] Phil Muncaster, "Senate Passes Ransomware Law", Available: infosecurity-magazine,
https://www.infosecurity-magazine.com/news/senate-passes-ransomware-law/ [Accessed: Nov 13, 2019]

[7] Colin Lecher, "After WannaCry, a new bill would force the NSA to justify its hacking tools",
Available: theverge,
https://www.theverge.com/2017/5/17/15647508/wannacry-ransomeware-microsoft-nsa-patch-act-hacking
[Accessed: Nov 13, 2019]

[8] Zack Whittaker, "Two years after WannaCry, a million computers remain at risk", Available:
techcrunch, https://techcrunch.com/2019/05/12/wannacry-two-years-on/ [Accessed: Nov 9, 2019]
