Cyber Incident Victim: Dalian Maritime University
Date: May 2017
Location: China
Summary
The WannaCry ransomware attack exploited EternalBlue, an exploit for a vulnerability in unpatched Windows systems developed by the NSA and leaked by The Shadow Brokers, to encrypt data and demand Bitcoin payments. The worm propagated rapidly worldwide, affecting over 300,000 computers across 150 countries, Dalian Maritime University among them, and disrupting operations at numerous organizations. A kill switch discovered by researchers temporarily halted further spread. US and UK authorities attributed the attack to North Korea-linked actors, which North Korea denied, and financial damages reached hundreds of millions of dollars. The incident highlighted systemic vulnerabilities arising from unpatched systems and from intelligence agencies' stockpiling of exploits.
Description
The WannaCry ransomware attack commenced globally on May 12, 2017, originating in Asia at 07:44 UTC and spreading to 150 countries within hours. The cryptoworm used EternalBlue, an exploit for a vulnerability in the Windows Server Message Block (SMB) protocol that was developed by the U.S. National Security Agency and leaked by the Shadow Brokers hacker group in April 2017. Although Microsoft had issued patches for supported Windows versions in March 2017, many organizations running end-of-life systems such as Windows XP, or simply unpatched machines, remained vulnerable. The malware encrypted files on infected devices and demanded ransoms of $300-$600 in Bitcoin, displaying multilingual ransom notes. Initial propagation occurred through exposed SMB ports rather than phishing emails, which let the worm move laterally across networks without any user interaction. Within 24 hours, over 230,000 systems were compromised, including critical infrastructure, transportation networks, educational institutions, and healthcare providers. Dalian Maritime University, Guilin University of Aerospace Technology, and multiple Chinese public security bureaus were among the confirmed victims in China. The attack severely disrupted operations at Taiwan Semiconductor Manufacturing Company, Renault-Nissan plants, and Deutsche Bahn railway systems.

Security researcher Marcus Hutchins discovered a kill switch in the malware and activated it by registering the domain it checked (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) at 15:03 UTC on May 12: the malware aborted if the domain resolved, so registration halted further infections. This prevented new encryptions but did not help systems that were already compromised. Microsoft released emergency patches for end-of-life Windows versions on May 13, while cybersecurity firms developed decryption tools such as WannaKey and Wanakiwi to recover keys from memory residues on unrebooted XP and Windows 7 machines. Forensic analysis revealed code similarities to North Korea's Lazarus Group, with metadata indicating UTC+09:00 timezone settings and Hangul font usage in the ransom notes. The U.S. and UK formally attributed the attack to North Korea in December 2017. Ransom payments totaled only 51.6 BTC (about $130,634), yet economic damages were estimated at hundreds of millions to billions of dollars, with the UK's National Health Service alone incurring £92 million in disruption costs. Subsequent variants emerged without kill switches, but the initial containment limited their spread. The incident exposed systemic vulnerabilities from unpatched systems and from intelligence agencies' stockpiling of cyberweapons, prompting legislative proposals such as the U.S. PATCH Act to regulate exploit disclosures.
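The two behaviours described above give defenders two cheap detection signals: an internal host that looks up the kill-switch domain has executed the sample (the domain was sinkholed, so the lookup suppressed encryption, but the host is still infected), and an internal host opening connections to many distinct peers on TCP/445 in a short window is behaving like the SMB worm. The following Python is an added example, not code from the page or from any of the organizations named on it. It assumes two simple whitespace-separated log formats (a DNS resolver log and a firewall connection log, both constructed inline), and the fan-out threshold of 10 distinct targets within 60 seconds is an assumed tuning value, not one taken from the incident.

```python
"""Detection helpers for two WannaCry indicators: kill-switch domain
lookups and SMB (TCP/445) connection fan-out. Log formats are constructed
for this example; adapt the regexes to your resolver and firewall output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The kill-switch domain named in the incident description.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log: timestamp client record-type qname
DNS_LOG = """\
2017-05-12T15:09:58Z 10.0.3.17 A www.example.org
2017-05-12T15:10:02Z 10.0.3.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T15:10:40Z 10.0.5.8 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T15:11:03Z 10.0.3.22 A update.example.com
""".splitlines()

# Constructed firewall log: timestamp src dst:port flags
CONN_LOG = """\
2017-05-12T15:10:05Z 10.0.3.17 10.0.3.20:445 SYN
2017-05-12T15:10:05Z 10.0.3.17 10.0.3.21:445 SYN
2017-05-12T15:10:06Z 10.0.3.17 10.0.3.22:445 SYN
2017-05-12T15:10:06Z 10.0.3.17 10.0.3.23:445 SYN
2017-05-12T15:10:07Z 10.0.3.17 10.0.3.24:445 SYN
2017-05-12T15:10:07Z 10.0.3.17 10.0.3.25:445 SYN
2017-05-12T15:10:08Z 10.0.3.17 10.0.3.26:445 SYN
2017-05-12T15:10:08Z 10.0.3.17 10.0.3.27:445 SYN
2017-05-12T15:10:09Z 10.0.3.17 10.0.3.28:445 SYN
2017-05-12T15:10:09Z 10.0.3.17 10.0.3.29:445 SYN
2017-05-12T15:10:10Z 10.0.3.17 10.0.3.30:445 SYN
2017-05-12T15:10:10Z 10.0.3.17 10.0.3.31:445 SYN
2017-05-12T15:12:00Z 10.0.5.8 10.0.1.5:445 SYN
2017-05-12T15:12:30Z 10.0.5.8 10.0.1.5:445 SYN
2017-05-12T15:13:00Z 10.0.9.2 10.0.1.5:443 SYN
2017-05-12T15:20:00Z 10.0.3.17 10.0.3.40:445 SYN
""".splitlines()

DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def kill_switch_lookups(lines):
    """Return {client_ip: first_timestamp} for clients that queried the
    kill-switch domain. Names are lower-cased and the trailing dot removed
    so case and FQDN form do not hide a match."""
    hits = {}
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts, client, _rtype, qname = m.groups()
        if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.setdefault(client, ts)  # keep the earliest sighting
    return hits


def smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: max_distinct_targets} for sources that contacted at
    least `threshold` distinct hosts on TCP/445 inside any `window`-long
    span. Sliding window over each source's time-sorted events."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, _flags = m.groups()
        if port != "445":
            continue
        events[src].append((datetime.strptime(ts, TS_FMT), dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Drop events that fell out of the window ending at evs[end].
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print("kill-switch lookups:", kill_switch_lookups(DNS_LOG))
    print("SMB fan-out sources:", smb_fanout(CONN_LOG))
```

The fan-out check deliberately counts distinct destinations rather than raw connection attempts, so a workstation repeatedly reconnecting to one file server (10.0.5.8 above) is not flagged, while a host sweeping a subnet on port 445 is.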
