Since our initial post during the breakout of WannaCry ransomware, our Research & Development team has learned more about the spread of this malware. While the outbreak of this ransomware surprised the entire security community, the amount of ransoms collected is estimated to only be just over $100,000 dollars. Given the global reach of this attack and the rate of spread, the figure likely could have been much higher had the malware been more complex and harder to remediate. Nonetheless, the spread of WannaCry has taught us a lot about the security culture of organizations across different sectors around the world.
This post explores the countries hit hardest by WannaCry, the network composition of IP addresses exhibiting the infection, the industries and company sizes affected most, and how BitSight Security Ratings changed across industries for organizations infected with the malware.
Global coverage
In the four day period between May 12th and May 15th, the WannaCry ransomware was observed on over 160,000 unique IP addresses. This animated graphic shows the WannaCry events originating from each country as a ratio against events worldwide.
Various countries are impacted at different periods, with China, Russia, the United States, France, UK, Brazil, and Peru having notable periods of a high number of infections compared to other countries. After the malware has infected a specific machine, it scans for other vulnerable systems both external and internal to the network. Strong concentrations of infections within countries often occur due to the worm making headway by infecting a large number of machines behind a set of IP addresses.
Data from Kaspersky has shown that the majority of infections affected Windows 7 platforms, and some of our research also points in this direction. When we looked at the set of IP addresses affected by WannaCry, we extracted the operating systems that are typically used on the machines behind those IP addresses. The following graphic shows our data representing the composition of networks affected by WannaCry.
Note: Recall that this is a distribution of operating systems on machines behind IP addresses that were observed to be affected by WannaCry, not a distribution of the individual infected machines. Thus, there may be unaffected machines behind the same IP address as affected machines, and these would also be present in the distribution above.
There is still ongoing research regarding why Windows 7 is the most popular operating system among victims. It is known that the worm had difficulty infecting Windows XP machines and spreading as it often caused the machine to crash when it attempted to exploit the vulnerabilities. Microsoft has also designed a more seamless automatic update experience for Windows 10 that would have allowed for the MS17-010 patch to be installed on a much larger population of Windows 10 machines compared to older operating systems.
In our previous blog post, we presented a breakdown of the percent of companies within each industry that have been observed to be affected by WannaCry. In order to observe any differences between industries by size, we can separate this data into three distinct buckets representing the number of employees at these organizations: small being any company with fewer than 250 employees, medium being companies with fewer than 1,000 (but at least 250), and large being anything with 1,000 or more.
The trends for the overall industry breakdown remain relatively consistent. The utilities industry moves from 5th to 3rd place for large companies affected by WannaCry. Excluding Telecommunications, there are roughly the same number of small companies affected as there are medium-sized organizations.
However, another way to view this data is not by the number of companies affected within each industry, but by the effect those infections had on each industry. This bar chart shows the average change in BitSight Security Rating per company within each industry sector.
So while Insurance ranked fairly low on the percent of companies affected by WannaCry by industry sector, because the Insurance industry performs better overall in comparison to Education and Telecommunications, the Insurance companies that were infected happened to be hit harder than others. Education and Telecommunications companies are usually rife with various forms of malware, as our published industry sector studies have demonstrated. Similarly, industry sectors like Healthcare and Finance perform better overall in comparison, and were also more severely hit.