Date: May 2017

Location: China

Summary

The WannaCry ransomware attack exploited a Windows vulnerability via the EternalBlue exploit, rapidly spreading across 150 countries and impacting over 230,000 systems, including Guilin University of Electronic Technology as well as government agencies, hospitals, and businesses. Attributed to North Korea's Lazarus Group, the wormable ransomware encrypted files and demanded bitcoin payments, causing significant operational disruptions globally until a cybersecurity researcher triggered a kill switch by registering a sinkhole domain. Despite this mitigation, residual infections persisted; relatively few victims paid the ransom, and the broader damages far exceeded the direct financial losses. The incident underscored the risks posed by unpatched systems and vulnerabilities in legacy infrastructure.


Description

The WannaCry ransomware attack began on May 12, 2017, with initial infections detected in Asia before rapidly propagating globally. The malware exploited a Windows vulnerability designated MS17-010 through the EternalBlue exploit tool, which leveraged a software weakness originally discovered by the NSA but not disclosed to Microsoft until after its theft by the Shadow Brokers hacker group. Microsoft had released a security patch for this vulnerability in March 2017, but unpatched systems remained exposed. WannaCry's worm-like functionality enabled exponential spread, infecting approximately 10,000 devices per hour across 150 countries within the first day. Primary impacted nations included Russia, China, Ukraine, Taiwan, India, and Brazil, with victims spanning government agencies, hospitals, transportation networks, universities, and private companies. The ransomware encrypted files on infected systems and demanded payments of $300 in Bitcoin, displaying explicit ransom notes on compromised devices.


Cybersecurity researcher Marcus Hutchins halted the primary attack wave on May 16, 2017, by identifying and activating a kill switch: registering a domain that the malware queried, which turned it into a DNS sinkhole. This mechanism relied on a design feature of WannaCry, which aborted infection if it successfully connected to a specific, previously unregistered URL. During the following days, attackers attempted to disable this countermeasure by using Mirai botnet variants to launch DDoS attacks against the sinkhole domain. Approximately 330 victims paid ransoms totaling 51.6 Bitcoin (equivalent to $130,634 at transaction time), though the broader economic damages significantly exceeded these payments. Despite the availability of Microsoft's patch and the effectiveness of the kill switch, residual WannaCry infections continued, including a March 2018 incident at Boeing that was contained without major disruption. The attack demonstrated the viability of combining stolen exploits with ransomware payloads, inspiring subsequent malware variants such as Petya and NotPetya that employed similar propagation methods through the EternalBlue vulnerability.
