Cyber Incident Victim: Guilin University of Aerospace Technology
Date: May 2017
Location: China
Summary
The WannaCry ransomware attack exploited a Windows vulnerability (MS17-010) using the EternalBlue exploit, initially impacting systems at Guilin University of Aerospace Technology and spreading globally to over 230,000 computers across 150 countries. It encrypted files and demanded Bitcoin ransoms, affecting hospitals, governments, and educational institutions, with total payments reaching approximately $130,000. The attack was halted by a cybersecurity researcher who activated a kill switch via a DNS sinkhole, though residual infections persisted. Attribution evidence suggested involvement by North Korea's Lazarus Group.
Description
The WannaCry ransomware attack began on May 12, 2017, initially infecting systems in Asia before rapidly spreading globally by exploiting the EternalBlue vulnerability (MS17-010) in unpatched Windows systems. The exploit, originally developed by the NSA and later leaked by the Shadow Brokers hacker group, enabled the ransomware's worm-like propagation across networks without user interaction. At its peak the attack infected over 10,000 devices per hour, ultimately compromising more than 230,000 computers across 150 countries. Russia, China, Ukraine, Taiwan, India, and Brazil experienced the highest concentration of incidents, and the affected entities included critical infrastructure such as hospitals, transportation systems, government agencies, and educational institutions like Guilin University of Aerospace Technology. The ransomware encrypted files and demanded payments of $300 in Bitcoin, displaying multilingual ransom notes that threatened permanent data deletion if the ransom was not paid within specified timeframes.

The attack's global spread was halted on May 16, 2017, when cybersecurity researcher Marcus Hutchins activated a kill switch by registering a domain name that WannaCry attempted to contact before executing encryption. This DNS sinkhole stopped new infections but did not decrypt already compromised systems. Attackers subsequently attempted to disable the kill switch through DDoS attacks using Mirai botnet variants. Approximately 330 victims paid ransoms totaling 51.6 Bitcoin ($130,634), though most payments did not result in file recovery. The incident caused widespread operational disruptions, particularly in healthcare systems where emergency services were diverted and medical procedures canceled. While Microsoft had released a patch for the vulnerability in March 2017, many organizations had not applied the update, leaving them exposed. Residual WannaCry activity continued through 2018, including an attempted infection at Boeing that was contained without significant damage. The attack demonstrated the cascading consequences of unpatched vulnerabilities and established ransomware as a persistent global cybersecurity threat.
