Engineering:WannaCry ransomware attack

From HandWiki
Revision as of 15:05, 4 February 2024 by Rjetedi (linkage)
Short description: 2017 worldwide ransomware cyberattack
WannaCry ransomware attack
Screenshot of the ransom note left on an infected system
Date: 12 May 2017 – 15 May 2017 (initial outbreak)[1]
Duration: 4 days
Location: Worldwide
Also known as:
Transformations: Wanna → Wana; Cryptor → Crypt0r; Cryptor → Decryptor; Cryptor → Crypt → Cry; addition of "2.0"
Short names: Wanna → WN → W; Cry → CRY
Type: Cyberattack
Theme: Ransomware encrypting files with a demand of $300–600 United States dollars (via bitcoin)
Cause: WannaCry worm
Outcome: 300,000+ computers infected[2][3][4]
Arrests: None
Suspects: Lazarus Group
Accused: Two North Koreans indicted
Convictions: None

WannaCry
Subtype: Ransomware
Point of origin: Pyongyang, North Korea
Author(s): Lazarus Group (not confirmed)
Operating system(s) affected: Microsoft Windows


The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.[5] It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

The attack began at 07:44 UTC on 12 May 2017 and was halted a few hours later at 15:03 UTC by the registration of a kill switch discovered by Marcus Hutchins. The kill switch prevented already infected computers from being encrypted or further spreading WannaCry.[6] The attack was estimated to have affected more than 300,000 computers[7] across 150 countries,[7] with total damages ranging from hundreds of millions to billions of United States dollars. At the time, security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country. This was confirmed in December 2017, when the United States and United Kingdom formally asserted that North Korea was behind the attack, although North Korea has denied any involvement with the attack.[8]

A new variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018. The worm spread onto 10,000 machines in TSMC's most advanced facilities.[9]

Description

WannaCry is a ransomware cryptoworm, which targets computers running the Microsoft Windows operating system by encrypting (locking) data and demanding ransom payments in the Bitcoin cryptocurrency. The worm is also known as WannaCrypt,[10] Wana Decrypt0r 2.0,[11] WanaCrypt0r 2.0,[12] and Wanna Decryptor.[13] It is considered a network worm because it also includes a transport mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.[14] WannaCry versions 0, 1, and 2 were created using Microsoft Visual C++ 6.0.[15]

EternalBlue is an exploit of Microsoft's implementation of their Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) (from whom the exploit was likely stolen) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft.[16][17] Microsoft eventually discovered the vulnerability, and on Tuesday, 14 March 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.[18]

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that there were tens of thousands of computers with the DoublePulsar backdoor installed.[19] By 25 April, reports estimated that the number of infected computers could be up to several hundred thousand, with numbers increasing every day.[20][21] The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.[14][22][23] On 9 May 2017, private cybersecurity company RiskSense released code on GitHub with the stated purpose of allowing legal white hat penetration testers to test the CVE-2017-0144 exploit on unpatched systems.[24]

When executed, the WannaCry malware first checks the kill switch domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); if it is not found, then the ransomware encrypts the computer's data,[25][26][27] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[28] and laterally to computers on the same network.[29] On the local system, the WannaCry executable file extracts and installs binary and configuration files from its resource section. It also hides the extracted directory, modifies security descriptors, creates an encryption key, deletes shadow copies, and so on.[30] As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted, and demands a payment of around US$300 in bitcoin within three days, or US$600 within seven days (equivalent to about $310 and $630 in 2019),[26][31] warning that "you have not so enough time. [sic]" Three hardcoded bitcoin addresses, or wallets, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.[32]

Several organizations released detailed technical write-ups of the malware, including a senior security analyst at RiskSense,[33][34] Microsoft,[35] Cisco,[14] Malwarebytes,[28] Symantec, and McAfee.[29]

Attack

The attack began on Friday, 12 May 2017,[36][37] with evidence pointing to an initial infection in Asia at 07:44 UTC.[36][38] The initial infection was likely through an exposed vulnerable SMB port,[39] rather than email phishing as initially assumed.[36] Within a day the code was reported to have infected more than 230,000 computers in over 150 countries.[40][41]

Organizations that had not installed Microsoft's security update from May were affected by the attack.[42] Those still running unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003[43][44] were at particularly high risk because no security patches had been released since April 2014 for Windows XP and July 2015 for Windows Server 2003.[10] A Kaspersky Lab study reported, however, that less than 0.1 per cent of the affected computers were running Windows XP, and that 98 per cent of the affected computers were running Windows 7.[10][45] In a controlled testing environment, the cybersecurity firm Kryptos Logic found that it was unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[46][47][48]

Defensive response

Experts quickly advised affected users against paying the ransom, because there were no reports of people getting their data back after payment and because high revenues would encourage more such campaigns.[49][50][51] As of 14 June 2017, after the attack had subsided, a total of 327 payments totaling US$130,634.77 (51.62396539 BTC) had been transferred.[52]

The day after the initial attack in May, Microsoft released out-of-band security updates for end-of-life products Windows XP, Windows Server 2003 and Windows 8; these patches had been created in February, but were previously only available to those who paid for a custom support plan.[53][44] Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack.[citation needed] The head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]".[54][55]

Researcher Marcus Hutchins[56][57] discovered the kill switch domain hardcoded in the malware.[58][59][60] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[61][62][63][64][65] On 14 May, a first variant of WannaCry appeared with a new and second[66] kill-switch registered by Matt Suiche on the same day. This was followed by a second variant with the third and last kill-switch on 15 May, which was registered by Check Point threat intelligence analysts.[67][68] A few days later, a new version of WannaCry was detected that lacked the kill switch altogether.[69][70][71][72]
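The kill-switch check described above also gives defenders a detection signal: any internal host that looks up the domain has run the worm. The following added example (not code from the article or from any of the researchers named) triages resolver logs on that basis; the five-field log layout, the sample lines and the status labels are assumptions constructed for the illustration.

```python
"""Triage DNS resolver logs for WannaCry kill-switch lookups (added example)."""
from collections import defaultdict

# Kill-switch domain exactly as given in the article text.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log. The five-field layout is an assumption of this example:
#   <UTC timestamp> <client IP> <query name> <query type> <response code>
SAMPLE_LOG = """\
2017-05-12T14:58:11Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NXDOMAIN
2017-05-12T15:09:40Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
2017-05-12T15:10:02Z 10.0.7.201 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM A NOERROR
2017-05-12T15:10:05Z 10.0.9.33 update.example.org A NOERROR
2017-05-12T15:12:44Z 10.0.2.8 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A SERVFAIL
truncated entry
2017-05-12T15:13:00Z 10.0.9.33 notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
"""


def is_kill_switch(qname):
    """True for the kill-switch domain or any name beneath it (case-insensitive)."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)


def triage(log_text):
    """Return {client_ip: record} for every client that looked up the kill switch."""
    hosts = defaultdict(lambda: {"lookups": 0, "failed": 0, "first_seen": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip malformed or truncated entries
            continue
        ts, client, qname, _qtype, rcode = parts
        if not is_kill_switch(qname):
            continue
        rec = hosts[client]
        rec["lookups"] += 1
        if rcode.upper() != "NOERROR":
            rec["failed"] += 1
        # ISO-8601 UTC timestamps of equal format sort correctly as strings.
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    for rec in hosts.values():
        # Per the article, the worm encrypts only when it cannot reach the
        # domain. A failed lookup therefore marks a host where the check got
        # no answer at least once. A successful lookup is necessary but not
        # sufficient: the connection that follows can still fail.
        rec["status"] = "contain-first" if rec["failed"] else "kill-switch-resolved"
    return dict(hosts)


def containment_order(hosts):
    """Hosts with a failed check first, then by earliest lookup time."""
    return sorted(
        hosts,
        key=lambda ip: (hosts[ip]["status"] != "contain-first", hosts[ip]["first_seen"]),
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in containment_order(result):
        rec = result[ip]
        print(f"{ip:12} {rec['status']:22} lookups={rec['lookups']} "
              f"failed={rec['failed']} first_seen={rec['first_seen']}")
```

Every host listed still needs patching and cleanup; the status only orders the work. It also follows from the article's description that a resolver which blocks the domain leaves the kill switch unanswered on infected hosts.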

On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed denial-of-service attack on WannaCry's kill-switch domain with the intention of knocking it offline.[73] On 22 May, Hutchins protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[74]

Separately, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware by recovering the keys used to encrypt the user's data.[75][76]

It was discovered that Windows encryption APIs used by WannaCry may not completely clear the prime numbers used to generate the payload's private keys from the memory, making it potentially possible to retrieve the required key if they had not yet been overwritten or cleared from resident memory. The key is kept in the memory if the WannaCry process has not been killed and the computer has not been rebooted after being infected.[77] This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[78][79][80] This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[81]
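The recovery idea in the paragraph above, reduced to toy-sized numbers, as an added example (not code from WannaKey or Wanakiwi): if one prime factor of the RSA modulus is still in process memory, testing each window of a memory image for divisibility finds it, and the private exponent follows. The 125-bit modulus, the little-endian layout and both memory images are assumptions constructed for the example.

```python
"""Recover an RSA private exponent from a prime left in memory (added example).

Toy-sized key and constructed memory images; real keys are far larger, but
the search and the arithmetic are the same.
"""
import hashlib

# Constructed toy key: two well-known primes, standard public exponent.
P = 2**64 - 59
Q = 2**61 - 1
N = P * Q          # the public modulus, which the analyst is assumed to know
E = 65537


def half_len(n):
    """Byte length of one prime factor of an RSA modulus n."""
    return (n.bit_length() + 15) // 16


def find_prime(dump, n, byteorder="little"):
    """Slide a prime-sized window over the dump; return (offset, prime) or None.

    byteorder="little" is an assumption about how the prime is laid out.
    """
    size = half_len(n)
    for off in range(len(dump) - size + 1):
        cand = int.from_bytes(dump[off:off + size], byteorder)
        if 1 < cand < n and n % cand == 0:   # a non-trivial divisor is a factor
            return off, cand
    return None


def private_exponent(n, e, p):
    """Rebuild d from the modulus, the public exponent and one prime factor."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))     # modular inverse (Python 3.8+)


def filler(label, length):
    """Deterministic pseudo-random bytes standing in for unrelated heap data."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{label}{counter}".encode()).digest()
        counter += 1
    return out[:length]


# Constructed image of a still-running process: the prime sits at an
# unaligned offset (301) between unrelated data.
LIVE_DUMP = filler("heap-a", 301) + P.to_bytes(8, "little") + filler("heap-b", 200)

# Constructed image after the buffer was cleared or reused: same layout,
# prime overwritten with zeros, so recovery is no longer possible.
STALE_DUMP = filler("heap-a", 301) + bytes(8) + filler("heap-b", 200)


def recover(dump, n=N, e=E):
    """Return (offset, d) if a factor of n is found in the dump, else None."""
    hit = find_prime(dump, n)
    if hit is None:
        return None
    offset, p = hit
    return offset, private_exponent(n, e, p)


if __name__ == "__main__":
    message = 0x57414E41                      # arbitrary constructed plaintext
    ciphertext = pow(message, E, N)
    found = recover(LIVE_DUMP)
    print("live image :", "prime at offset %d" % found[0] if found else "no prime")
    if found:
        print("decrypts   :", pow(ciphertext, found[1], N) == message)
    print("stale image:", recover(STALE_DUMP))
```

The stale image shows why the article's conditions matter: once the process is killed or the machine rebooted, the memory holding the prime is gone and the search returns nothing.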

Within four days of the initial outbreak, new infections had slowed to a trickle due to these responses.[82]

Attribution

Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[83][84] According to an analysis by the FBI's Cyber Behavioral Analysis Center, the computer that created the ransomware language files had Hangul language fonts installed, as evidenced by the presence of the "\fcharset129" Rich Text Format tag.[15] Metadata in the language files also indicated that the computers that created the ransomware were set to 00, which is used in Korea.[15]

A security researcher[85][86] initially posted a tweet[87] referencing code similarities between WannaCry and previous malware. The cybersecurity companies[88] Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[89] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[89] This could also be either simple re-use of code by another group[90] or an attempt to shift blame—as in a cyber false flag operation;[89] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[91] Brad Smith, the president of Microsoft, said he believed North Korea was the originator of the WannaCry attack,[92] and the UK's National Cyber Security Centre reached the same conclusion.[93]

On 18 December 2017, the United States Government formally announced that it publicly considers North Korea to be the main culprit behind the WannaCry attack.[94] Then-President Trump's Homeland Security Advisor, Tom Bossert, wrote an op-ed in The Wall Street Journal about this charge, saying "We do not make this allegation lightly. It is based on evidence."[95] In a press conference the following day, Bossert said that the evidence indicates that Kim Jong-un had given the order to launch the malware attack.[96] Bossert said that Canada, New Zealand and Japan agree with the United States' assessment of the evidence that links the attack to North Korea,[97] while the United Kingdom's Foreign and Commonwealth Office says it also stands behind the United States' assertion.[98]

North Korea, however, denied being responsible for the cyberattack.[99][100]

On 6 September 2018, the US Department of Justice (DoJ) announced formal charges against Park Jin-hyok for involvement in the Sony Pictures hack of 2014. The DoJ contended that Park was a North Korean hacker working as part of a team of experts for the North Korean Reconnaissance General Bureau. The Department of Justice asserted this team also had been involved in the WannaCry attack, among other activities.[101][102]

Impact

Map of the countries initially affected[103]

The ransomware campaign was unprecedented in scale according to Europol,[40] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[104]

One of the largest agencies struck by the attack was the National Health Service hospitals in England and Scotland,[105][106] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[107] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[108][109] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[43] In 2018 a report by Members of Parliament concluded that all 200 NHS hospitals or other organisations checked in the wake of the WannaCry attack still failed cybersecurity checks.[110][111] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[112][108]

Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[113][114] Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.[115][116][117]

The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had Hutchins not discovered that a kill switch had been built in by its creators[118][119] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[120][121]

According to cyber-risk-modeling firm Cyence, economic losses from the cyber attack could reach up to US$4 billion, with other groups estimating the losses to be in the hundreds of millions.[122]

Affected organisations

The following is an alphabetical list of organisations confirmed to have been affected:


Reactions

A number of experts highlighted the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened".[166] British cybersecurity expert Graham Cluley also sees "some culpability on the part of the U.S. intelligence services". According to him and others "they could have done something ages ago to get this problem fixed, and they didn't do it". He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries' citizens.[167] Others have also commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[119] Microsoft president and chief legal officer Brad Smith wrote, "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."[168][169][170] Russian President Vladimir Putin placed the responsibility of the attack on U.S. intelligence services, for having created EternalBlue.[155]

On 17 May 2017, United States bipartisan lawmakers introduced the PATCH Act[171] that aims to have exploits reviewed by an independent board to "balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process".[172]

On 15 June 2017, the United States Congress was to hold a hearing on the attack.[173] Two subpanels of the House Science Committee were to hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.[173]

Marcus Hutchins, a cybersecurity researcher, working in loose collaboration with UK's National Cyber Security Centre,[174][175] researched the malware and discovered a "kill switch".[57] Later globally dispersed security researchers collaborated online to develop open source tools[176][177] that allow for decryption without payment under some circumstances.[178] Snowden states that when "NSA-enabled ransomware eats the Internet, help comes from researchers, not spy agencies" and asks why this is the case.[179][180][175]

Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that "the patching and updating systems are broken, basically, in the private sector and in government agencies".[119] In addition, Segal said that governments' apparent inability to secure vulnerabilities "opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security".[119] Arne Schönbohm, president of Germany's Federal Office for Information Security (BSI), stated that "the current attacks show how vulnerable our digital society is. It's a wake-up call for companies to finally take IT security [seriously]".[181]

United Kingdom

The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by Government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.[182] Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months previously.[183]

Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that − due to their technical design and market incentives − eventually won't be able to properly receive and apply patches.[184]

The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[185][46] The cost of the attack to the NHS was estimated as £92 million in disruption to services and IT upgrades.[186]

After the attack, NHS Digital refused to finance the estimated £1 billion to meet the Cyber Essentials Plus standard, an information security certification organized by the UK NCSC, saying this would not constitute "value for money", and that it had invested over £60 million and planned "to spend a further £150 [million] over the next two years" to address key cyber security weaknesses.[187]

References

  1. "The WannaCry ransomware attack was temporarily halted. But it's not over yet.". 15 May 2017. https://www.vox.com/new-money/2017/5/15/15641196/wannacry-ransomware-windows-xp. 
  2. "Ransomware attack still looms in Australia as Government warns WannaCry threat not over". Australian Broadcasting Corporation. 14 May 2017. http://www.abc.net.au/news/2017-05-15/ransomware-attack-to-hit-victims-in-australia-government-says/8526346. 
  3. Cameron, Dell (13 May 2017). "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Gizmodo. https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/. 
  4. "Shadow Brokers threaten to release Windows 10 hacking tools". The Express Tribune. 31 May 2017. https://tribune.com.pk/story/1423609/shadow-brokers-threaten-release-windows-10-hacking-tools/. 
  5. "Two years after WannaCry, a million computers remain at risk" (in en-US). 12 May 2019. https://social.techcrunch.com/2019/05/12/wannacry-two-years-on/. 
  6. "What is the domain name that stopped WannaCry?". 15 May 2017. https://whoapi.com/blog/what-is-the-domain-name-that-stopped-wannacry/. 
  7. Chappell, Bill; Neuman, Scott (2017-12-19). "U.S. Says North Korea 'Directly Responsible' For WannaCry Ransomware Attack" (in en). NPR. https://www.npr.org/sections/thetwo-way/2017/12/19/571854614/u-s-says-north-korea-directly-responsible-for-wannacry-ransomware-attack. 
  8. "Cyber-attack: US and UK blame North Korea for WannaCry" (in en-GB). BBC News. 2017-12-19. https://www.bbc.com/news/world-us-canada-42407488. 
  9. "TSMC Chip Maker Blames WannaCry Malware for Production Halt" (in en-us). The Hacker News. https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html. 
  10. MSRC Team (13 May 2017). "Customer Guidance for WannaCrypt attacks". Microsoft. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/. 
  11. "Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica.". Avast Software, Inc. 12 May 2017. https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today. 
  12. Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/. 
  13. Woollaston, Victoria. "Wanna Decryptor: what is the 'atom bomb of ransomware' behind the NHS attack?" (in en-GB). WIRED UK. https://www.wired.co.uk/article/wanna-decryptor-ransomware. 
  14. "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". 12 May 2017. http://blog.talosintelligence.com/2017/05/wannacry.html. 
  15. Shields, Nathan P. (8 June 2018). "Criminal Complaint". United States Department of Justice. https://www.justice.gov/opa/press-release/file/1092091/download. 
  16. "NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack". The Independent. https://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html. 
  17. Graham, Chris (13 May 2017). "NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history". The Daily Telegraph. https://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/. 
  18. "NSA-leaking Shadow Brokers just dumped its most damaging release yet" (in en-us). Ars Technica. https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. 
  19. Goodin, Dan. "10,000 Windows computers may be infected by advanced NSA backdoor" (in en-US). Ars Technica. https://arstechnica.com/uwusecurity/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/. 
  20. Goodin, Dan. "NSA backdoor detected on >55,000 Windows boxes can now be remotely removed" (in en-US). Ars Technica. https://arstechnica.com/security/2017/04/nsa-backdoor-detected-on-55000-windows-boxes-can-now-be-remotely-removed/. 
  21. Broersma, Matthew. "NSA Malware 'Infects Nearly 200,000 Systems'" (in en-US). Silicon. http://www.silicon.co.uk/security/nsa-malware-security-210253. 
  22. Cameron, Dell (13 May 2017). "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Gizmodo Australia. https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/. 
  23. "How One Simple Trick Just Put Out That Huge Ransomware Fire". Forbes. 24 April 2017. https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/. 
  24. "Enterprise Ransomware". August 2019. https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf. 
  25. "Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency" (in en-GB). The Telegraph. https://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/. 
  26. "What you need to know about the WannaCry Ransomware". Symantec Security Response. https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware. 
  27. Bilefsky, Dan; Perlroth, Nicole (12 May 2017). "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool". The New York Times. ISSN 0362-4331. https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html. 
  28. Clark, Zammis (13 May 2017). "The worm that spreads WanaCrypt0r". malwarebytes.com. https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/. 
  29. Samani, Raj (12 May 2017). "An Analysis of the WANNACRY Ransomware outbreak". McAfee. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/. 
  30. "WannaCry Malware Analysis, Overview by ANY.RUN". https://any.run/malware-trends/wannacry. 
  31. Thomas, Andrea; Grove, Thomas; Gross, Jenny (13 May 2017). "More Cyberattack Victims Emerge as Agencies Search for Clues". The Wall Street Journal. ISSN 0099-9660. https://www.wsj.com/articles/more-cyberattack-victims-emerge-as-agencies-search-for-clues-1494671938. 
  32. Collins, Keith (12 May 2017). "Watch as these bitcoin wallets receive ransomware payments from the global cyberattack". Quartz. https://qz.com/982993/watch-as-these-bitcoin-wallets-receive-ransomware-payments-from-the-ongoing-cyberattack/. 
  33. "MS17-010 (SMB RCE) Metasploit Scanner Detection Module". @zerosum0x0. 18 April 2017. https://zerosum0x0.blogspot.com/2017/04/ms17-010-smb-rce-metasploit-scanner.html. 
  34. "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". @zerosum0x0. 21 April 2017. https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html. 
  35. "WannaCrypt ransomware worm targets out-of-date systems". Microsoft. 13 May 2017. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/. 
  36. Brenner, Bill (16 May 2017). "WannaCry: the ransomware worm that didn't arrive on a phishing hook". Sophos. https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/. 
  37. Newman, Lily Hay (12 May 2017). "The Ransomware Meltdown Experts Warned About Is Here". Wired. https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/. Retrieved 13 May 2017. 
  38. Yuzifovich, Yuriy. "WannaCry: views from the DNS frontline". nominum. https://www.nominum.com/tech-blog/wannacry-views-dns-frontline/. 
  39. Goodin, Dan. "An NSA-derived ransomware worm is shutting down computers worldwide" (in en-US). Ars Technica. https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/. 
  40. "Cyber-attack: Europol says it was unprecedented in scale" (in en-GB). BBC News. 13 May 2017. https://www.bbc.com/news/world-europe-39907965. 
  41. "'Unprecedented' cyberattack hits 200,000 in at least 150 countries, and the threat is escalating". CNBC. 14 May 2017. https://www.cnbc.com/2017/05/14/cyber-attack-hits-200000-in-at-least-150-countries-europol.html. 
  42. "WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit". eWeek. http://www.eweek.com/security/wannacry-ransomware-attack-hits-victims-with-microsoft-smb-exploit. 
  43. "NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP". https://motherboard.vice.com/en_us/article/nhs-hospitals-are-running-thousands-of-computers-on-unsupported-windows-xp. 
  44. "Microsoft issues 'highly unusual' Windows XP patch to prevent massive ransomware attack". Vox Media. 13 May 2017. https://www.theverge.com/2017/5/13/15635006/microsoft-windows-xp-security-patch-wannacry-ransomware-attack. 
  45. Brandom, Russell (19 May 2017). "Almost all WannaCry victims were running Windows 7". Vox Media. https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics. 
  46. Brandom, Russell (30 May 2017). "Windows XP computers were mostly immune to WannaCry". Vox Media. https://www.theverge.com/2017/5/30/15712542/windows-xp-wannacry-protect-ransomware-blue-screen. 
  47. "WannaCry: Two Weeks and 16 Million Averted Ransoms Later". Kryptos Logic. https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html. 
  48. "Παγκόσμιος τρόμος: Πάνω από 100 χώρες "χτύπησε" ο WannaCry που ζητάει λύτρα!". 13 May 2017. https://www.newsit.gr/kosmos/pagkosmios-tromos-pano-apo-100-xores-xtypisan-oi-xakers-poy-zitoyn-lytra/1023246/. 
  49. Reynolds, Matt (17 May 2017). "Ransomware attack hits 200,000 computers across the globe". New Scientist. https://www.newscientist.com/article/mg23431263-500-ransomware-attack-hits-200000-computers-across-the-globe/. Retrieved 10 December 2020. 
  50. Baraniuk, Chris (15 May 2017). "Should you pay the WannaCry ransom?". BBC News. https://www.bbc.com/news/technology-39920269. 
  51. Palmer, Danny (22 May 2017). "Ransomware: WannaCry was basic, next time could be much worse" (in en). ZDNet. https://www.zdnet.com/article/ransomware-wannacry-was-basic-next-time-could-be-much-worse/. 
  52. Collins, Keith (13 May 2017). "Watch as these bitcoin wallets receive ransomware payments from the ongoing global cyberattack". https://qz.com/982993/watch-as-these-bitcoin-wallets-receive-ransomware-payments-from-the-ongoing-cyberattack/. 
  53. Thomson, Iain (16 May 2017). "While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February". https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/. 
  54. Hern, Alex (14 June 2017). "WannaCry attacks prompt Microsoft to release Windows updates for older versions" (in en-GB). The Guardian. ISSN 0261-3077. https://www.theguardian.com/technology/2017/jun/14/wannacry-attacks-prompt-microsoft-to-release-updates-for-older-windows-versions. 
  55. "Microsoft rushes out patch for Windows XP to prevent another WannaCry attack via a Shadow Brokers release" (in en-GB). Computing.com. 14 June 2017. ISSN 0261-3077. https://www.computing.co.uk/ctg/news/3011916/microsoft-rushes-out-patch-for-windows-xp-to-prevent-another-wannacry-attack-via-a-shadow-brokers-release. 
  56. "'Just doing my bit': The 22yo who blocked the WannaCry cyberattack" (in en-AU). ABC News. 16 May 2017. http://www.abc.net.au/news/2017-05-16/ransomware-cyberattack-marcus-hutchins-gives-interview/8530574. 
  57. MalwareTech (13 May 2017). "How to Accidentally Stop a Global Cyber Attacks". https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html. 
  58. Bodkin, Henry; Henderson, Barney; Donnelly, Laura; Mendick, Robert; Farmer, Ben; Graham, Chris (12 May 2017). "Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms". The Telegraph. https://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/. 
  59. Thomson, Iain (13 May 2017). "74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+". The Register. https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/. 
  60. Khomami, Nadia; Solon, Olivia (13 May 2017). "'Accidental hero' halts ransomware attack and warns: this is not over". https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack. 
  61. Newman, Lily Hay. "How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack" (in en-US). Wired Security. https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/. 
  62. Solon, Olivia (13 May 2017). "'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack". The Guardian (London). https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack. 
  63. Foxx, Chris (13 May 2017). "Global cyber-attack: Security blogger halts ransomware 'by accident'". BBC. https://www.bbc.co.uk/news/technology-39907049. 
  64. Kan, Michael (12 May 2017). "A 'kill switch' is slowing the spread of WannaCry ransomware". http://www.pcworld.com/article/3196515/security/a-kill-switch-is-slowing-the-spread-of-wannacry-ransomware.html. 
  65. "How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack". 12 May 2017. https://www.computerworld.com/article/3196686/security/kill-switch-helps-slow-the-spread-of-wannacry-ransomware.html/. 
  66. Wong, Joon Ian (15 May 2017). "Just two domain names now stand between the world and global ransomware chaos". https://qz.com/983569/a-second-wave-of-wannacry-infections-has-been-halted-with-a-new-killswitch/. 
  67. "The Hours of WannaCry". 17 May 2017. https://umbrella.cisco.com/blog/2017/05/16/the-hours-of-wannacry/. 
  68. "WannaCry – New Kill-Switch, New Sinkhole". 15 May 2017. https://blog.checkpoint.com/2017/05/15/wannacry-new-kill-switch-new-sinkhole/. 
  69. Khandelwal, Swati. "It's Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'" (in en-US). The Hacker News. http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html. 
  70. Shieber, Jonathan. "Companies, governments brace for a second round of cyberattacks in WannaCry's wake". TechCrunch. https://techcrunch.com/2017/05/14/companies-governments-brace-for-a-second-round-of-cyberattacks-in-wannacrys-wake/. 
  71. Chan, Sewell; Scott, Mark (14 May 2017). "Cyberattack's Impact Could Worsen in 'Second Wave' of Ransomware". The New York Times. https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html. 
  72. "Warning: Blockbuster 'WannaCry' malware could just be getting started" (in en). NBC News. https://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356. 
  73. Greenberg, Andy (19 May 2017). "Botnets Are Trying to Reignite the Ransomware Outbreak". WIRED. https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/. Retrieved 22 May 2017. 
  74. Gibbs, Samuel (22 May 2017). "WannaCry hackers still trying to revive attack says accidental hero". The Guardian. https://www.theguardian.com/technology/2017/may/22/wannacry-hackers-ransomware-attack-kill-switch-windows-xp-7-nhs-accidental-hero-marcus-hutchins. 
  75. "Protection from Ransomware like WannaCry" (in en). Boston University. https://www.bu.edu/eng/2017/05/18/protection-from-ransomware-like-wannacry/. 
  76. Kolodenker, Eugene (16 May 2017). "PayBreak able to defeat WannaCry/WannaCryptor ransomware". University College London. https://www.benthamsgaze.org/2017/05/16/paybreak-able-to-defeat-wannacrywannacryptor-ransomware/. 
  77. Suiche, Matt (19 May 2017). "WannaCry — Decrypting files with WanaKiwi + Demos". https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d. 
  78. "Windows XP hit by WannaCry ransomware? This tool could decrypt your infected files". https://www.zdnet.com/article/windows-xp-hit-by-wannacry-ransomware-this-tool-could-decrypt-your-infected-files/. 
  79. "Windows XP PCs infected by WannaCry can be decrypted without paying ransom". 18 May 2017. https://arstechnica.co.uk/security/2017/05/windows-xp-wannacry-decryption/. 
  80. Greenberg, Andy (18 May 2017). "A WannaCry flaw could help some windows XP users get files back". Wired. https://www.wired.com/2017/05/wannacry-flaw-help-windows-xp-victims-get-files-back/. Retrieved 18 May 2017. 
  81. "More people infected by recent WCry worm can unlock PCs without paying ransom". 19 May 2017. https://arstechnica.com/security/2017/05/more-people-infected-by-recent-wcry-worm-can-unlock-pcs-without-paying-ransom/. 
  82. Volz, Dustin (17 May 2017). "Cyber attack eases, hacking group threatens to sell code". Reuters. https://www.reuters.com/article/us-cyber-attack-idUSKCN18B0AC. 
  83. Leyden, John (26 May 2017). "WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers". https://www.theregister.co.uk/2017/05/26/wannacrypt_ransom_note_linguistics/. 
  84. Condra, Jon; Costello, John; Chu, Sherman (25 May 2017). "Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors". Flashpoint. https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/. "Flashpoint assesses with high confidence that the author(s) of WannaCry's ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. [...] Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine translated versions of the other notes. The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note." 
  85. Greenberg, Andy (15 May 2017). "The Ransomware Outbreak Has a Possible Link to North Korea". Wired. https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/. Retrieved 25 March 2018. 
  86. "Google Researcher Finds Link Between WannaCry Attacks and North Korea". https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html. 
  87. Mehta, Neel [@neelmehta] (15 May 2017). "9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution". https://twitter.com/neelmehta/status/864164081116225536. 
  88. McMillan, Robert (16 May 2017). "Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea". The Wall Street Journal. https://www.wsj.com/articles/researchers-identify-clue-connecting-ransomware-assault-to-group-tied-to-north-korea-1494898740. 
  89. Solon, Olivia (15 May 2017). "WannaCry ransomware has links to North Korea, cybersecurity experts say". The Guardian. https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group. 
  90. Talmadge, Eric (19 May 2017). "Experts question North Korea role in WannaCry cyber attack". independent.ie. AP. https://www.independent.ie/world-news/experts-question-north-korea-role-in-wannacry-cyber-attack-35732827.html. 
  91. Nakashima, Ellen. "The NSA has linked the WannaCry computer worm to North Korea". The Washington Post. https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html. 
  92. Harley, Nicola (14 October 2017). "North Korea behind WannaCry attack which crippled the NHS after stealing US cyber weapons, Microsoft chief claims". The Telegraph. ISSN 0307-1235. https://www.telegraph.co.uk/news/2017/10/14/north-korea-behind-wannacry-attack-crippled-nhs-stealing-us/. 
  93. Hern, Alex (26 October 2017). "NHS could have avoided WannaCry hack with 'basic IT security' says report". The Guardian. https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office. 
  94. Nakashima, Ellen (18 December 2017). "U.S. declares North Korea carried out massive WannaCry cyberattack". The Washington Post. https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html. 
  95. Bossert, Thomas P. (18 December 2017). "It's Official: North Korea Is Behind WannaCry". The Wall Street Journal. https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537. 
  96. Uchill, Joe (19 December 2017). "WH: Kim Jong Un behind massive WannaCry malware attack". The Hill. http://thehill.com/policy/cybersecurity/365580-wh-kim-jong-un-ordered-release-of-disastrous-wannacry-malware. 
  97. "White House says WannaCry attack was carried out by North Korea". CBS News. 19 December 2017. https://www.cbsnews.com/news/white-house-says-wannacry-attack-was-carried-out-by-north-korea/. 
  98. Hern, Alex; McCurry, Justin (19 December 2017). "UK and US blame WannaCry cyber-attack on North Korea". The Guardian. https://www.theguardian.com/technology/2017/dec/19/wannacry-cyberattack-us-says-it-has-evidence-north-korea-was-directly-responsible. 
  99. "North Korea says linking cyber attacks to Pyongyang is 'ridiculous'". Reuters. 19 May 2017. https://www.reuters.com/article/us-cyber-attack-northkorea-idUSKCN18F1X3. 
  100. "Experts Question North Korea Role in WannaCry Cyberattack". The New York Times. 19 May 2017. https://www.nytimes.com/aponline/2017/05/19/world/asia/ap-as-nkorea-wannacry-cyberattack-.html. 
  101. Sanger, David; Benner, Katie; Goldman, Adam (6 September 2018). "North Korean Spy to Be Charged in Sony Pictures Hacking". The New York Times. https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html. 
  102. Talley, Ian; Volz, Dustin (16 September 2019). "U.S. Targets North Korean Hacking as National-Security Threat". https://www.msn.com/en-us/news/world/us-targets-north-korean-hacking-as-national-security-threat/ar-AAHkAGU. 
  103. "Cyber-attack: Europol says it was unprecedented in scale". BBC. 13 May 2017. https://www.bbc.com/news/world-europe-39907965. 
  104. Jones, Sam (14 May 2017). "Global alert to prepare for fresh cyber attacks". Financial Times. 
  105. Millar, Sheila A.; Marshall, Tracy P.; Cardon, Nathan A. (22 May 2017). "WannaCry: Are Your Security Tools Up to Date?". The National Law Review (Keller and Heckman LLP). https://www.natlawreview.com/article/wannacry-are-your-security-tools-to-date. 
  106. "Global cyberattack strikes dozens of countries, cripples U.K. hospitals". CBS News. https://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-cyberattack/. 
  107. Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). "Cyber-attack guides promoted on YouTube". The Sunday Times. https://www.thetimes.co.uk/article/cyber-attack-guides-promoted-on-youtube-972s0hh2c. 
  108. "NHS cyber-attack: GPs and hospitals hit by ransomware" (in en-GB). BBC News. 12 May 2017. https://www.bbc.co.uk/news/health-39899646. 
  109. Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. London. https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs. 
  110. Smyth, Chris (18 April 2018). "Every hospital tested for cybersecurity has failed" (in en). The Times. ISSN 0140-0460. https://www.thetimes.co.uk/article/every-hospital-tested-for-cybersecurity-has-failed-97vc6rqkq. 
  111. "Cyber-attack on the NHS". https://publications.parliament.uk/pa/cm201719/cmselect/cmpubacc/787/787.pdf. 
  112. Marsh, Sarah (12 May 2017). "The NHS trusts hit by malware – full list". The Guardian. London. https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware. 
  113. Sharman, Jon (13 May 2017). "Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France". https://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html. 
  114. Rosemain, Mathieu; Le Guernigou, Yann; Davey, James (13 May 2017). "Renault stops production at several plants after ransomware cyber attack as Nissan also hacked". https://www.mirror.co.uk/news/world-news/renault-stops-production-several-plants-10413994. 
  115. Larson, Selena (12 May 2017). "Massive ransomware attack hits 99 countries". CNN. https://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/. 
  116. "The WannaCry ransomware attack has spread to 150 countries". 14 May 2017. https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries. 
  117. Hern, Alex; Gibbs, Samuel (12 May 2017). "What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?". The Guardian (London). ISSN 0261-3077. https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20. 
  118. "Lucky break slows global cyberattack; what's coming could be worse". Chicago Tribune. https://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html. 
  119. Helmore, Edward (13 May 2017). "Ransomware attack reveals breakdown in US intelligence protocols, expert says". The Guardian. https://www.theguardian.com/technology/2017/may/13/ransomware-cyber-attack-us-intelligence. 
  120. "The Latest: Researcher who helped halt cyberattack applauded". Star Tribune. http://www.startribune.com/the-latest-turkey-among-countries-hit-in-cyberattack/422161813/. 
  121. "Global 'WannaCry' ransomware cyberattack seeks cash for data". Washington Post. https://www.washingtonpost.com/world/europe/uk-working-to-restore-hospital-systems-after-cyberattack/2017/05/13/472ef544-37c1-11e7-ab03-aa29f656f13e_story.html. 
  122. ""WannaCry" ransomware attack losses could reach $4 billion" (in en). https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/. 
  123. "Andhra police computers hit by cyberattack" (in en). 13 May 2017. http://timesofindia.indiatimes.com/india/andhra-police-computers-hit-by-cyberattack/articleshow/58658853.cms. 
  124. ""Χάκαραν" και το ΑΠΘ στην παγκόσμια κυβερνοεπίθεση!" (in el). Proto Thema. 13 May 2017. http://www.protothema.gr/greece/article/679082/hakaran-kai-to-apth-stin-pagosmia-kuvernoepithesi/. 
  125. "Θεσσαλονίκη: Στόχος της παγκόσμιας κυβερνοεπίθεσης το Αριστοτέλειο – Συναγερμός για τον ισχυρό ιό!" (in el). NewsIT. 13 May 2017. https://www.newsit.gr/topikes-eidhseis/thessaloniki-stoxos-tis-pagkosmias-kyvernoepithesis-to-aristoteleio-synagermos-gia-ton-isxyro-io/1027391/. 
  126. "Atacul cibernetic global a afectat și Uzina Dacia de la Mioveni. Renault a anunțat că a oprit producția și în Franța" (in ro). Pro TV. 13 May 2017. http://stirileprotv.ro/stiri/actualitate/atacul-informatic-global-ar-fi-afectat-si-uzina-dacia-de-la-mioveni-reactia-ministrului-comunicatiilor-augustin-jianu.html. 
  127. "Boeing production plant hit with WannaCry ransomware attack" (in en). theverge.com. 28 March 2018. https://www.theverge.com/2018/3/28/17174540/boeing-wannacry-ransomware-attack-production-plant-charleston-south-carolina. 
  128. "Hackers demand $54K in Cambrian College ransomware attack". CBC.ca. http://www.cbc.ca/news/canada/sudbury/cambrian-college-ransomware-hack-1.4093634. 
  129. Mimi Lau (14 May 2017). "Chinese police and petrol stations hit by ransomware attack" (in en). South China Morning Post. http://www.scmp.com/news/china/society/article/2094291/chinese-police-and-petrol-stations-hit-ransomware-attack. 
  130. "Korean gov't computers safe from WannaCry attack". The Korea Herald. http://www.koreaherald.com/view.php?ud=20170515000574. 
  131. "一夜之间 勒索病毒"永恒之蓝"席卷 国内近3万机构被攻陷 全球 超十万台电脑"中毒"江苏等十省市受害最严重". http://news.163.com/17/0514/08/CKCOOATU000187VI.html. 
  132. "Weltweite Cyberattacke trifft Computer der Deutschen Bahn" (in de). Frankfurter Allgemeine Zeitung. 13 May 2017. https://www.faz.net/aktuell/wirtschaft/unternehmen/hacker-angriff-weltweite-cyberattacke-trifft-computer-der-deutschen-bahn-15013583.html. 
  133. "Global cyber attack: A look at some prominent victims" (in es). elperiodico.com. 13 May 2017. http://www.straitstimes.com/world/organisations-hit-by-global-cyberattack. 
  134. "Hackerský útok zasiahol aj Fakultnú nemocnicu v Nitre" (in sk). 15 May 2017. https://www.etrend.sk/ekonomika/hackersky-utok-zasiahol-aj-fakultnu-nemocnicu-v-nitre.html. 
  135. "What is Wannacry and how can it be stopped?" (in en). 12 May 2017. https://www.ft.com/content/af74e3f4-373d-11e7-99bd-13beb0903fa3. 
  136. "เซิร์ฟเวอร์เกม Blade & Soul ของ Garena ประเทศไทยถูก WannaCrypt โจมตี" (in th). blognone.com. 13 May 2017. https://www.blognone.com/node/92406. 
  137. "日立、社内システムの一部に障害 サイバー攻撃の影響か" (in ja). 15 May 2017. http://www.nikkei.com/article/DGXLASFL15HC6_V10C17A5000000. 
  138. "Honda halts Japan car plant after WannaCry virus hits computer network". 21 June 2017. https://www.reuters.com/article/us-honda-cyberattack-idUSKBN19C0EI. 
  139. "Instituto Nacional de Salud, entre víctimas de ciberataque mundial" (in es). El Tiempo. 13 May 2017. http://www.eltiempo.com/tecnosfera/novedades-tecnologia/alerta-por-cibertaque-que-golpeo-a-74-paises-87602. 
  140. "Ontario health ministry on high alert amid global cyberattack". 13 May 2017. https://www.thestar.com/news/canada/2017/05/13/ontario-health-ministry-on-high-alert-amid-global-cyberattack.html. 
  141. "Laks second Dutch victim of WannaCry". 19 May 2017. http://www.nu.nl/internet/4706262/laks-tweede-nederlandse-slachtoffer-ransomware-wannacry.html. 
  142. "LATAM Airlines también está alerta por ataque informático". Fayerwayer. https://www.fayerwayer.com/2017/05/latam-airlines-tambien-estaria-comprometida-en-ataque-ransomware/. 
  143. "Massive cyber attack creates chaos around the world". news.com.au. 12 May 2017. http://www.news.com.au/technology/online/hacking/massive-cyber-attack-creates-chaos-around-the-world/news-story/b248da44b753489a3f207dfee2ce78a9. 
  144. "Researcher 'accidentally' stops spread of unprecedented global cyberattack". ABC News. https://abcnews.go.com/International/researcher-accidentally-stops-spread-unprecedented-global-cyberattack/story?id=47390745. 
  145. "Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France" (in en). 13 May 2017. https://www.independent.co.uk/news/uk/home-news/nissan-sunderland-cyber-attack-ransomware-nhs-malware-wannacry-car-factory-a7733936.html. 
  146. "Nach Attacke mit Trojaner WannaCry: Kundensystem bei O2 ausgefallen" (in de). FOCUS Online. http://www.focus.de/digital/es-ist-ein-technischer-fehler-aufgetreten-nutzer-koennen-twitter-nicht-aufrufen_id_7156840.html. 
  147. "Erhebliche Störungen – WannaCry: Kundendienst von O2 ausgefallen – HAZ – Hannoversche Allgemeine" (in de-DE). Hannoversche Allgemeine Zeitung. http://www.haz.de/Nachrichten/Wirtschaft/Deutschland-Welt/WannaCry-Kundendienst-von-O2-ausgefallen. 
  148. "WannaCry no Brasil e no mundo" (in pt). 13 May 2017. http://www.opovo.com.br/jornal/economia/2017/05/wannacry-no-brasil-e-no-mundo.html. 
  149. "PT Portugal alvo de ataque informático internacional" (in pt). 12 May 2017. http://observador.pt/2017/05/12/portugal-telecom-alvo-de-ataque-informatico-internacional/. 
  150. "Ransomware infects narrowcast radio station" (in en). 15 May 2017. https://www.radioinfo.com.au/news/ransomware-infects-narrowcast-radio-station/. 
  151. "Parkeerbedrijf Q-Park getroffen door ransomware-aanval" (in nl). 13 May 2017. http://www.nu.nl/internet/4691349/parkeerbedrijf-q-park-getroffen-ransomware-aanval.html. 
  152. "France's Renault hit in worldwide 'ransomware' cyber attack" (in es). France 24. 13 May 2017. http://www.france24.com/en/20170512-cyberattack-ransomware-renault-worldwide-british-hospitals. 
  153. "Компьютеры РЖД подверглись хакерской атаке и заражены вирусом". Радио Свобода (Radio Free Europe/Radio Liberty). 13 May 2017. https://www.svoboda.org/a/28483898.html. 
  154. Amjad Shacker [@AmjadShacker] (14 May 2017). "-" (in ar). https://twitter.com/AmjadShacker/status/863749329017868293. 
  155. Vidal Liy, Macarena (15 May 2017). "Putin culpa a los servicios secretos de EE UU por el virus 'WannaCry' que desencadenó el ciberataque mundial" (in es). El País. http://internacional.elpais.com/internacional/2017/05/15/actualidad/1494855826_022843.html. 
  156. "Ransomware WannaCry Surfaces In Kerala, Bengal: 10 Facts". New Delhi Television Limited (NDTV). http://www.ndtv.com/india-news/ransomware-wannacry-surfaces-in-kerala-bengal-10-facts-1693806. 
  157. Sanjana Nambiar (16 May 2017). "Hit by WannaCry ransomware, civic body in Mumbai suburb to take 3 more days to fix computers" (in en). Hindustan Times. http://www.hindustantimes.com/mumbai-news/hit-by-wannacry-ransomware-civic-body-in-mumbai-suburb-to-take-3-more-days-to-fix-computers/story-eSIMZQ2NFT217erJAFkS0J.html. 
  158. "Un ataque informático masivo con 'ransomware' afecta a medio mundo" (in es). elperiodico.com. 12 May 2017. http://www.elperiodico.com/es/noticias/sociedad/ataque-informatico-masivo-infecta-las-grandes-empresas-espana-6033534. 
  159. Balogh, Csaba (12 May 2017). "Ideért a baj: Magyarországra is elért az óriási kibertámadás" (in hu). HVG. http://hvg.hu/tudomany/20170512_wannacry_zsarolovirus_aldozatok_magyar_ceg. 
  160. "Telkom systems crippled by WannaCry ransomware" (in en). MyBroadband. 21 May 2017. https://mybroadband.co.za/news/security/211576-telkom-systems-crippled-by-wannacry-ransomware.html. 
  161. "Timrå kommun drabbat av utpressningsattack" (in sv). Sveriges Television. 13 May 2017. https://www.svt.se/nyheter/inrikes/timra-kommun-drabbat-av-utpressningsattack. 
  162. Kirk, Jeremy. "WannaCry Outbreak Hits Chipmaker, Could Cost $170 Million". Information Security Media Group, Corp.. https://www.bankinfosecurity.com/chipmaker-tsmc-wannacry-attack-could-cost-us170-million-a-11285. "Taiwan Semiconductor Manufacturing Co., the world's largest chip manufacturer, says a WannaCry infection hit unpatched Windows 7 systems in its fabrication facilities, leaving multiple factories crippled." 
  163. "Virus Ransomware Wannacry Serang Perpustakaan Universitas Jember" (in id). 16 May 2017. https://m.tempo.co/read/news/2017/05/16/058875604/virus-ransomware-wannacry-serang-perpustakaan-universitas-jember. 
  164. "Il virus Wannacry arrivato a Milano: colpiti computer dell'università Bicocca" (in it). 12 May 2017. http://milano.repubblica.it/cronaca/2017/05/12/news/milano_virus_ransomware_universita_bicocca-165302056/. 
  165. "Some University of Montreal computers hit with WannaCry virus". The Globe and Mail. 16 May 2017. https://www.theglobeandmail.com/news/national/universite-de-montreal-computers-hit-with-wannacry-virus/article35004991/. 
  166. Wong, Julia Carrie; Solon, Olivia (12 May 2017). "Massive ransomware cyber-attack hits 74 countries around the world". The Guardian. https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs. 
  167. Hui, Sylvia; Breed, Allen G.; Heintz, Jim. "Lucky break slows global cyberattack; what's coming could be worse". Chicago Tribune. https://www.chicagotribune.com/news/nationworld/ct-nsa-cyberattacks-20170513-story.html. 
  168. "Ransomware attack 'like having a Tomahawk missile stolen', says Microsoft boss". The Guardian. 14 May 2017. https://www.theguardian.com/technology/2017/may/15/ransomware-attack-like-having-a-tomahawk-missile-stolen-says-microsoft-boss. 
  169. Storm, Darlene (15 May 2017). "WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight" (in en). Computerworld. http://www.computerworld.com/article/3196987/security/wikileaks-posts-user-guides-for-cia-malware-implants-assassin-and-aftermidnight.html. 
  170. Smith, Brad (14 May 2017). "The need for urgent collective action to keep people safe online". Microsoft. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/. 
  171. "Patch Act bill before Congress". https://www.documentcloud.org/documents/3725905-Patch-Act-bill-before-Congress.html. 
  172. Whittaker, Zack. "Congress introduces bill to stop US from stockpiling cyber-weapons" (in en). ZDNet. https://www.zdnet.com/article/congress-introduces-bill-to-prevent-us-from-stockpiling-cyber-weapons/. 
  173. Chalfant, Morgan (12 June 2017). "Lawmakers to hold hearing on 'Wanna Cry' ransomware attack". TheHill. http://thehill.com/business-a-lobbying/337440-lawmakers-to-hold-hearing-on-wanna-cry-ransomware-attack. 
  174. "Finding the kill switch to stop the spread of ransomware – NCSC Site" (in en-gb). https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0+. 
  175. "Sky Views: Stop the cyberattack blame game". Sky News. http://news.sky.com/story/sky-views-stop-the-cyberattack-blame-game-10880726. 
  176. "gentilkiwi/wanakiwi" (in en). https://github.com/gentilkiwi/wanakiwi. 
  177. "aguinet/wannakey" (in en). https://github.com/aguinet/wannakey. 
  178. Auchard, Eric (19 May 2017). "French researchers find way to unlock WannaCry without ransom". Reuters. https://www.reuters.com/article/us-cyber-attack-cure-idUSKCN18F1CA. 
  179. Snowden, Edward [@Snowden] (13 May 2017). "When @NSAGov-enabled ransomware eats the internet, help comes from researchers, not spy agencies. Amazing story." (in en). https://twitter.com/Snowden/status/863422022994481152. 
  180. Snowden, Edward [@Snowden] (13 May 2017). "Pause a moment to consider why we're left with researchers, not governments, trying to counter the @NSAGov-enabled ransomware mess. Hint:" (in en). https://twitter.com/Snowden/status/863425539616284673. 
  181. "WannaCry: BSI ruft Betroffene auf, Infektionen zu melden" (in de-DE). heise online. https://www.heise.de/newsticker/meldung/WannaCry-BSI-ruft-Betroffene-auf-Infektionen-zu-melden-3713442.html. 
  182. "The ransomware attack is all about the insufficient funding of the NHS". The Guardian. 13 May 2017. https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding. 
  183. "Jeremy Hunt 'ignored warning signs' before cyber-attack hit NHS". The Guardian. 13 May 2017. https://www.theguardian.com/society/2017/may/13/jeremy-hunt-ignored-warning-signs-before-cyber-attack-hit-nhs. 
  184. Larson, Selena (17 May 2017). "Why WannaCry ransomware took down so many businesses" (in en). CNN. https://money.cnn.com/2017/05/17/technology/wannacry-ransomware-business-security/index.html. 
  185. "UPDATED Statement on reported NHS cyber-attack (13 May)". National Health Service. https://digital.nhs.uk/article/1493/UPDATED-Statement-on-reported-NHS-cyber-attack-13-May-. 
  186. "Cyber-attack cost NHS £92m – DHSC". Health Service Journal. 11 October 2018. https://www.hsj.co.uk/technology-and-innovation/cyber-attack-cost-nhs-92m--dhsc/7023560.article. 
  187. "Health chiefs refuse to foot £1bn bill to improve NHS cyber security". Building Better Healthcare. 15 October 2018. https://www.buildingbetterhealthcare.co.uk/news/article_page/Health_chiefs_refuse_to_foot_1bn_bill_to_improve_NHS_cyber_security/147855/cn164706. 

External links