On Thursday April 6, 2017, President Trump ordered a Tomahawk missile attack on a Syrian military airfield. This was a direct response to President Assad’s use of sarin gas to attack Syrian dissidents. Just two days later, the password to an encrypted archive of cyber weapons (stolen from the U.S. National Security Agency) was posted by the so-called Shadow Brokers cyber group. This hacking group is thought to have connections with Russia, which is the leading supporter of the Assad regime. They were angered by President Trump’s action.
An immediate beneficiary of this password release was the Lazarus Group, linked with North Korea, which had been launching ransomware attacks at targets over the previous several months. What they lacked was an effective tool to propagate their ransomware from computer to computer. This missing tool, a Microsoft Windows bug called “EternalBlue”, they now were gifted thanks to Shadow Brokers.
A month later, on May 12, supercharged by the EternalBlue exploit, WannaCry ransomware was launched. Predominantly, Windows 7 computers were infected. Of the roughly 400 million actively used Windows 7 computers, approximately 0.1 percent were infected. The infection of so many Windows 7 computers was bad enough, but it might have been much worse.
Fortunately, when WannaCry was launched on May 12, the great majority of vulnerable Windows computers were protected by a Microsoft patch issued on March 14, 2017. But counterfactually, EternalBlue might have been dumped, and WannaCry might have been launched, well before a patch became available. In particular, the Lazarus Group might have acquired the EternalBlue exploit when Shadow Brokers held an auction of their Windows cyber weapons back on January 7.
In the absence of a Microsoft patch, ten times as many Windows 7 computers might have been infected, and the economic loss might have been correspondingly much greater. Indeed, supposing that the kill switch for WannaCry had not been found so rapidly, the U.S. economic insurable loss would have been measured in the billions of dollars.
History is just one realization of what might have happened. There was nothing inevitable about the May 12 date for the WannaCry attack. WannaCry might well have been launched three months earlier, causing the first cyber insurance catastrophe loss.
Dr. Gordon Woo will be presenting a counterfactual analysis of the WannaCry cyberattack in an upcoming RMS Cyber Risk Insights webinar on Thursday, November 30 at 4 p.m. UTC, 11 a.m ET, 8 a.m. PST. Click here to send an email and request attendance.