Editor's Note: This report was produced in collaboration with Threat Lens, Stratfor's unique protective intelligence product. Designed with corporate security leaders in mind, Threat Lens enables industry professionals to anticipate, identify, measure and mitigate emerging threats to people and assets around the world.
Details are still emerging about the massive ransomware attack that has targeted institutions and individuals around the world over the past few days. According to Chinese security firm Qihoo 360, the May 12 operation compromised nearly 30,000 computers in China over the weekend, some 4,000 of which belonged to higher education organizations. Other Asian countries reported less exposure; Japan's Hitachi firm was hit, as were two hospitals in Jakarta. As companies and countries alike move to mitigate the rather unsophisticated threat that the Wannacrypt virus poses, the rate of infection will likely continue to drop off.
The success of ransomware attacks is measured in the amount of income they generate for perpetrators as victims pay to regain access to their devices. Wannacrypt is currently raking in a little over $10,000 per day — by no means the most profitable ransomware attack the world has ever seen. But that could change in the next few days, depending on whether the low participation rate seen so far stems from victims' unwillingness to meet the ransom, or the fact that they haven't yet grown desperate enough to pay up. In the case of the latter, delays could prove costly: The ransom payment demanded to release a device infected by Wannacrypt jumps from $300 to $600 after three days; after seven days, the virus permanently encrypts all of the victim's files.
Of course, some victims don't have the resources to heed these warnings. Hospitals, for instance, are notoriously easy targets for ransomware attacks because many have outdated and underfunded IT networks backing up their critical services. Given the high rate of infection in Russia and across college campuses in China, moreover, there appears to be a correlation between Wannacrypt victims and users known for their use of pirated software. (Because pirated software doesn't receive automatic security updates, it is more vulnerable to cyberattacks that rely on known exploits.)
In this particular case, victims of Wannacrypt appear to have either used old Microsoft programs or failed to install security updates to newer Microsoft programs. The virus also gained access to users' systems through phishing attacks that prompted victims to click links or download files without first verifying their authenticity. Microsoft warned customers in February of the vulnerability Wannacrypt targeted and issued a patch for it in March. Though many have blamed the attack on the U.S. National Security Agency for initially pointing out the vulnerability, hackers are known for reverse-engineering patches and creating malware designed to take advantage of the weaknesses identified by the patches.
The good news is that taking the right precautions can mitigate ransomware attacks. Both consumers and companies should use licensed software and regularly update their machines and systems. Firms, meanwhile, may want to consider having their IT departments train employees to detect phishing attacks. It's also important to keep critical systems isolated on separate networks and back up information often; that way, even if systems go down, companies can recover more quickly by removing the malware and turning to their back-ups. As individuals, corporations and countries take these preventive steps, they will make for more difficult targets, ensuring that Wannacrypt runs its course more quickly.