WannaCry ransomware: Now the US says North Korea was to blame

'Cowardly, costly and careless' ransomware attack was the work of North Korean hackers, according to the White House.
Written by Steve Ranger, Global News Director

Video: The three best practices for protecting yourself from WannaCry and other ransomware attacks

North Korea was behind the WannaCry ransomware attack that caused chaos around the world earlier this year, according to the US government.

"After careful investigation, the U.S. today publicly attributes the massive WannaCry cyberattack to North Korea," Thomas Bossert, US Homeland security advisor, wrote in an article for the Wall Street Journal.

"North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behaviour is growing more egregious. WannaCry was indiscriminately reckless," Bossert said.

The WannaCry attack in May was the biggest crisis of its type so far. The ransomware demands $300 in bitcoin for unlocking encrypted files -- a price which doubles after three days. If the ransom wasn't paid, users were threatened with having their files permanently deleted.

The malware spread rapidly, and more than 300,000 PCs fell victim.

"It was costly, cowardly and careless. The attack was widespread and cost billions, and North Korea is directly responsible," said Bossert. The US administration is expected to also make an official statement about WannaCry.

The NHS in the UK was particularly affected. In total, one-third of NHS trusts in England were disrupted by the WannaCry attack, with 81 of the 236 trusts impacted and 595 GP practices also hit, resulting in thousands of operations and appointments being cancelled. None paid the ransom demanded by those behind WannaCry.

The ransomware worm is so potent because it exploits a known software vulnerability called EternalBlue. In a twist worthy of a spy novel this Windows flaw was one of many zero-days that apparently was known to the NSA -- before being leaked by the Shadow Brokers hacking collective. While a patch existed for the flaw by the time WannaCry hit, many organisations had failed to apply it.

This is not the first time that North Korea has been linked with the WannaCry attack: as early as June this year the UK's intelligence agencies were investigating a potential link to North Korean hacking operation the Lazarus Group, which has been associated with a number of high-profile cyberattacks in recent years, including the $80m Bangladeshi bank heist and 2014's Sony Pictures hack. In October a UK government minister also said that North Korea was behind the attack.

So while the accusations are not new, the US statement comes at a time of rising tensions as the White House tries to put more pressure on North Korea over its nuclear programme.

Figuring out what motivated the WannaCry attack in the first place may be even more difficult. In January this year, US intelligence chiefs warned that Pyongyang "remains capable of launching disruptive or destructive cyber attacks to support its political objectives".

However, it also possible that North Korea is using its hackers to raise cash. Bossert noted that the country is "increasingly using cyberattacks to fund its reckless behaviour and cause disruption across the world".

If WannaCry was an attempt to generate income for Pyongyang it hasn't been particularly successful, especially considering the chaos it caused. While the attack cost organisations billions, it didn't generate much ransom, perhaps as little as $200,000.

And yet, even as recently as last week someone paid a ransom. While the worst of the WannaCry storm has passed, its effects will be felt for some time to come.

Recent and related coverage

After WannaCry ransomware attack, the NHS is toughening its cyber defences

£20m to be spent on Security Operations Centre in order to help protect the UK's hospitals and health services against cyber attacks

This malware just got more powerful by adding the WannaCry trick to its arsenal

The Retefe banking trojan is now using the EternalBlue exploit that helped spread WannaCry to make attacks more effective.

WannaCry ransomware attack at LG Electronics takes systems offline

The consumer electronics company has confirmed WannaCry was found on a self-service kiosk in South Korea and systems were shut down for two days to prevent its spread.


Editorial standards