What we know about the global cyberattack

Associated Press

NEW YORK

As danger from a global cyberattack that hit some 150 nations continues to fade, analysts are starting to assess the damage.

Hard-hit organizations such as the U.K.’s National Health Service appear to be bouncing back, and few people seem to have actually paid the ransom. But the attack has served as a live demonstration of a new type of global threat, one that could encourage future hackers.

Researchers are still puzzling out how WannaCry got started. Figuring that out could yield important clues to the identity of its authors.

The malware spread rapidly inside computer networks by taking advantage of vulnerabilities in mostly older versions of Microsoft Windows. That weakness was purportedly identified and stockpiled for use by the U.S. National Security Agency; it was subsequently stolen and published on the internet.

But it remains unclear how WannaCry got onto computers in the first place. Experts said its rapid global spread suggests it did not rely on phishing, in which fake emails tempt the unwary to click on infected documents or links. Analysts at the European Union cybersecurity agency said the hackers likely scanned the internet for systems that were vulnerable to infection and exploited those computers remotely.

Once established, WannaCry encrypted computer files and displayed a message demanding $300 to $600 worth of the digital currency bitcoin to release them. Failure to pay would leave the data scrambled and likely beyond repair unless users had unaffected backup copies.

Investigators are closely watching three bitcoin accounts associated with WannaCry, where its victims were directed to send ransom payments. The digital currency is anonymized, but it’s possible to track funds as they move from place to place until they end up with an identifiable person.

So far, there have been no withdrawals from those accounts.

Several sets of investigators have reported tentative findings that suggest hackers linked to North Korea might have been involved with WannaCry. But they could all be drawing conclusions from a very small set of clues.