WannaCry Ransomware: What We Know Monday

A world map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com.
A world map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com. Malwaretech.com/Screenshot by NPR
A world map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com.
A world map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com. Malwaretech.com/Screenshot by NPR

WannaCry Ransomware: What We Know Monday

WBEZ brings you fact-based news and information. Sign up for our newsletters to stay up to date on the stories that matter.

A ransomware attack that began in Europe on Friday is lingering — and hitting new targets Japan and China. The WannaCry software has locked thousands of computers in more than 150 countries. Users are confronted with a screen demanding a $300 payment to restore their files. The attack has hit more than 200,000 computers.

Because of its success infiltrating systems, the software — also known as WannaCrypt, Wana Decryptor or WCry — is already inspiring imitators.

Here’s a rundown of what we know on Monday:


In the U.S., “the list of victims is very small,” a Department of Homeland Security official says in a background briefing, noting that it’s still relatively early in the WannaCry attack. The victims, the official says, range widely in scope, from a few computers at companies and organizations to networks of many more.

“The U.S. is still in a relatively good place — I don’t want to jinx it,” the official says. “We don’t have a large number of victims right now, and we for the most part are not seeing significant operational impacts for those who have been victimized. They’ve been able to manage through it.”

The agency and its partners in the global security community are now in a “sort of cat-and-mouse” competition with hackers, as variants of the software emerge that foil previous solutions, the official says.


Businesses and networks across Asia are coping with the first wave of WannaCry during their work week — the initial attack started after many offices had closed on Friday.

In China, many users can’t access Microsoft’s software patch to fix the vulnerability “because many Chinese computers run on pirated Microsoft operating systems,” NPR’s Rob Schmitz reports from Shanghai. He says Chinese security companies have been offering their help.

“More than 40,000 businesses and institutions in China have been struck by the malware, according to state media,” Rob says. “One of the country’s largest oil companies, PetroChina, reported the attack had disrupted its electronic payment systems at its gas stations over the weekend. On China’s most prestigious college campuses, students reported being locked out of their final papers.”

In Japan, several large manufacturers have been hit, reporter John Matthews tells NPR: “Companies including Hitachi have reported several of their systems going down, including computers at a hospital in eastern Japan. However, Hitachi and others have mostly only reported loss of email and other secondary functionalities.”

In India, more than “more than 100 systems of the Andhra Pradesh police department” were affected over the weekend, NDTV reports. Power utilities also reported problems.


Malware-tracking maps show WannaCry has remained active in Europe over the past 24 hours. In the U.K., where the initial attack threw parts of the healthcare system in chaos Friday, the government scheduled an emergency meeting Monday afternoon to discuss the attack.

French automaker Renault and its partner, Nissan, say their plants were hit by the attack, NBC reports.

“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” Europol’s European Cybercrime Center says.

While ransom payments for users’ stolen data had been notably low, the Security Response blog notes that a bitcoin address linked to the hackers showed a “spike in payments” to the account that began at 8 a.m. Greenwich Mean Time on Monday.

WannaCry’s Origins

“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency,” Microsoft President Brad Smith says. He says that when the NSA lost control of the software behind the cyberattack, it was like “the U.S. military having some of its Tomahawk missiles stolen.”

Theft of the insidious software was reported in April, when it was published by the Shadow Brokers, a group that’s been linked to Russia. One month earlier, Microsoft had released a patch targeting the vulnerability. But the success of the attack shows that not enough people took advantage of the patch.

“This was not a tool developed by the NSA to hold ransom data,” Homeland Security Adviser Tom Bossert said at Monday’s White House briefing. He said the software attacking a vulnerability had been incorporated with other software and delivered in a way to cause “infection, encryption, and locking.”

Fighting The Malware

A security expert in England has been hailed as an “accidental hero” for quashing the spread of the initial version of the ransomware late Friday. But we’ll note that it’s no accident the expert, who prefers to remain anonymous and uses the name Malware Tech, registered a domain name that was called out in the code and used it to stop the worm from spreading.

The use of that domain is being called a “kill switch” in the malware. Researchers say new variants of the software have a similar kill switch, but they refer to different domains.l

“Thankfully some researchers are already registering the new domains as they identify them,” AlienVault researcher Chris Doman says. “The cat-and-mouse will likely continue until some makes a larger change to the malware, removing the kill-switch functionality completely. At that point, it will be harder to stop new variants.”

The Fix

Windows users should update their software to avoid the ransomware, security experts say.

In addition to Microsoft’s Security Bulletin MS17-010 that patched the vulnerability in March, the company also issued a separate patch on Friday for users of older and unsupported operating systems such as Windows XP.

Other advice includes these six tips from the No More Ransom site, edited here for length:

  1. Back up your computer and store the safety version in the cloud or on a drive that’s not connected to your computer.
  2. Use robust antivirus software.
  3. Keep all the software on your computer up to date. Enable automatic updates.
  4. Never open attachments in emails from someone you don’t know. And remember that any account can be compromised.
  5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’.
  6. If you find a problem, disconnect your machine immediately from the internet or other network connections (such as home Wi-Fi).

Copyright 2017 NPR. To see more, visit http://www.npr.org/.