Reimagining the WannaCry Cyberattack

On Thursday, April 6, 2017, President Trump ordered a Tomahawk missile attack on a Syrian military airfield. This was a direct response to President Assad’s use of sarin gas to attack Syrian dissidents. Just two days later, the password to an encrypted archive of cyber weapons (stolen from the U.S. National Security Agency) was posted by the so-called Shadow Brokers cyber group. This hacking group is thought to have connections with Russia, which is the leading supporter of the Assad regime. The group was angered by President Trump’s action.

An immediate beneficiary of this password release was the Lazarus Group, linked with North Korea, which had been launching ransomware attacks at targets over the previous several months. What they lacked was an effective tool to propagate their ransomware from computer to computer. This missing tool, an exploit for a Microsoft Windows bug known as “EternalBlue”, was now gifted to them by Shadow Brokers.

Image: WannaCry ransomware (source: Wikipedia)

A month later, on May 12, supercharged by the EternalBlue exploit, WannaCry ransomware was launched. Predominantly, Windows 7 computers were infected. Of the roughly 400 million actively used Windows 7 computers, approximately 0.1 percent were infected. The infection of so many Windows 7 computers was bad enough, but it might have been much worse.

Fortunately, when WannaCry was launched on May 12, the great majority of vulnerable Windows computers were protected by a Microsoft patch issued on March 14, 2017. But counterfactually, EternalBlue might have been dumped, and WannaCry might have been launched, well before a patch became available. In particular, the Lazarus Group might have acquired the EternalBlue exploit when Shadow Brokers held an auction of their Windows cyber weapons back on January 7.

In the absence of a Microsoft patch, ten times as many Windows 7 computers might have been infected, and the economic loss might have been correspondingly much greater. Indeed, supposing that the kill switch for WannaCry had not been found so rapidly, the U.S. economic insurable loss would have been measured in the billions of dollars.

History is just one realization of what might have happened. There was nothing inevitable about the May 12 date for the WannaCry attack. WannaCry might well have been launched three months earlier, causing the first cyber insurance catastrophe loss.

Dr. Gordon Woo will be presenting a counterfactual analysis of the WannaCry cyberattack in an upcoming RMS Cyber Risk Insights webinar on Thursday, November 30 at 4 p.m. UTC, 11 a.m. ET, 8 a.m. PST.

Catastrophist, RMS
Gordon is a catastrophe-risk expert, with 30 years’ experience in catastrophe science, covering both natural and man-made hazards. Gordon is the chief architect of the RMS terrorism risk model, which he started work on a year after joining RMS in December 2000. For his thought leadership in terrorism risk modeling, he was named by Treasury & Risk magazine as one of the 100 most influential people in finance in 2004. He has since lectured on terrorism at the NATO Center of Excellence for the Defense against Terrorism, and testified before the U.S. Congress on terrorism-risk modeling. As an acknowledged international expert on catastrophes, Gordon is the author of two acclaimed books: “The Mathematics of Natural Catastrophes” (1999) and “Calculating Catastrophe” (2011). Dr. Woo graduated as the best mathematician of his year at Cambridge University, completed his doctorate at MIT as a Kennedy Scholar, and was a member of the Harvard Society of Fellows. He also has a Master of Science in computer science from Cambridge University.