Before WannaCry Was Unleashed, Hackers Plotted About It on the Dark Web

Homeland Security Adviser Tom Bossert speaks about recent cyberattacks during a briefing at the White House on May 11.

Mark Wilson/Getty Images

Last weekend, more than 150 countries and 300,000 machines experienced the largest cyberattack to date. The attack did not come out of nowhere: It exploited a known flaw in some versions of Windows. Microsoft issued the patch for it back in March, but many people failed to update their systems, leaving them vulnerable. The hackers knew that many machines would have been left unprotected. In fact, they were counting on it.

Hackers network with one another through many platforms, and a very popular one is forums. These forums work like regular messaging boards where people create profiles and post in threads among different categories. The difference here is that all posters are anonymous, and the forums are present on both the Clearnet (hackerspeak for the regular, less private internet) and the darkweb. Most of the time discussions are harmless and focus on current events or white-hat coding, but sometimes, as in this case, they are used to identify vulnerabilities and exploits as the beginning of cyberattack plans. A 2012 report from Imperva studied a popular hacker forum and found that posts mentioning SQL injection (a web hacking technique) and distributed denial-of-service attacks each generated 19 percent of the discussion volume studied, making them the most discussed topics on that forum. Hackers can give each other ideas and help troubleshoot obstacles in these forums, making them very important to monitor.

WannaCry was no exception. The cybersecurity company CYR3CON, where I am a researcher, found evidence of hackers discussing the attacks before they happened on darkweb forums in several languages including English, Russian, and Arabic. (Disclosure: CYR3CON is an Arizona State University spinout. The university is partnered with Slate and New America in Future Tense.) The forum posters discussed the specific exploit used for WannaCry and recognized its potential for a widespread attack. This exploit was revealed by a Russian hacking group called the Shadow Brokers, who leaked it in a dump of stolen NSA tools on April 14. On the forum CYR3CON monitored, the hackers indicated they were surprised about the lack of patching for the vulnerability and saw it as an opportunity to act fast before it was resolved.

CYR3CON identified a post in a Russian-language darkweb forum that specifically named medical centers as prime targets. This is because in the past, some similar institutions had paid ransomware. The poster figured that tens of thousands of systems would be susceptible. He or she was relatively new to the forum but participated in widely read threads. The hackers on these discussions recognized that although Microsoft released a patch in March, few enough systems had been updated that an attack of this scale was possible. The slow pace of patching plus the exploits’ availability combined to inevitably allow for the global attack. The hackers have received 296 ransom payments so far, totaling almost $100,000.

The WannaCry attack is a reminder that most cyberattacks are carried out using known and reported vulnerabilities. The 2015 Verizon Data Breach Investigations Report stated that 99 percent of breaches were due to known vulnerabilities. A study from the University of Maryland suggested that only 1 to 3 percent of vulnerabilities are exploited “in the wild,” though given the number of devices out there, that’s still a huge number. According to an unpublished study conducted by researchers here at Arizona State University, 30 percent of vulnerabilities listed in a database maintained by the National Institute of Standards and Technology that have been mentioned on the dark web are found to be exploited. Knowing where an exploit is being posted and discussed can help organizations with vulnerability prioritization.

Cybersecurity researchers are trying to change how vulnerabilities and potential attacks are discovered by using both human analysts and advanced machine learning capabilities to search for red flags on the darkweb and Clearnet. These red flags include zero-day exploits for sale, undetectable malware for sale, freelance hackers for hire, tutorials about malicious hacking for download, and discussions among hackers about malicious activities. Hackers are aware of weaknesses and will exploit them—and they’re not shy about admitting it on the dark web. A telling quote from the now-closed Hell Forum said: “There is no right or wrong, my friend. There are only the weak and the strong.” Keeping an eye on hacker chatter can help strengthen the efforts to keep the internet safe.