On February 10, 2016, Indian cyber security firm Trend Micro released a report that it said was the first such report to quantify the scale of the attack, noting that “the WannaCrypt ransomware campaign impacted over 4 million users in the country, with an estimated revenue of $6.8 billion, with approximately 90% of them located in India.”
The report also noted that “at least 70 percent of these infected users were located in the northeastern states of Maharashtra, Haryana, Andhra Pradesh and Telangana, with the rest concentrated in the southern states of Kerala, Tamil Nadu, Andaman and Nicobar Islands, and in parts of the western provinces of Punjab, Uttar Pradesh, and Bihar.”
A few days later, the same report, published in The Hindu, noted that India had been “lucky” in being able to recover most of its IT assets, adding that “we can’t say if India’s response was adequate or not,” and that “many cyber criminals still have access to some of their data.”
The company also cited “several reports” of cybercrime cases, including “attacks targeting hospitals, schools, public transport, government offices, banks, hotels, cinemas, and public transportation systems.”
The WannaCrypt ransomware attack, which targeted the Indian government and the private sector, has been blamed for more than $1 billion in losses, but this is the first time Trend Micro has published such an assessment.
Trend Micro also noted the attack was targeted at an Indian company, as well as “a large number of other companies in India and abroad.”
This is a good thing, because Trend Micro was not the only security firm to assess the scale and scope of the WannaCry attack.
In December 2016, Symantec, which had also assessed the scale, noted in a separate report that the attack had “affected more than 200,000 government and private organizations in 31 countries across the globe.”
Symantec also noted a large number “of government websites and other online services that rely on the cloud and services to protect sensitive data.”
While this is not the first report to note the scale (although the report itself is not entirely conclusive), it is the most recent one.
What the Trend Micro analysis didn’t say is that most of the data was not encrypted and that it was spread across a variety of different devices, including tablets and smartphones.
This means that it is possible that the malware was also used on other platforms, including Windows machines, iPhones, and Android devices.
While Trend Micro’s analysis does not indicate exactly how much data was affected, it does indicate that “there was no indication that the malicious code was being distributed to servers other than the malicious ones.”
According to the report, “several instances of malicious activity were found in the malware, including data that was sent to remote servers from one of the malicious domains.
There were also some instances where the malicious scripts were used to download the malicious files.”
This suggests that at least some of the infected devices were also being used to distribute the malware to users.
Trend Micro’s report also notes that “most of the affected sites were operating with an outdated version of the Internet Explorer Web browser, which could result in them having vulnerabilities that would allow attackers to compromise users’ machines.”
Trend Micro also noted “the malicious code used to infect the targeted devices was deployed on an infected machine and it did not appear to have been written using a valid Windows executable or executable file format.”
While these findings are not necessarily proof of a specific attack, the company’s analysis is encouraging in that it indicates that many users were targeted and that the ransomware was distributed using legitimate software.
The attack was also a success, as it “significantly reduced the number of victims that were able to successfully recover from the attack,” which may explain why so many devices were infected.
In terms of the extent of the damage done, Trend Micro estimates that “several million dollars were lost to ransomware in the first week, which was a significant amount in today’s economic climate.”
According to a report from the Indian IT security firm TechCrunch, the number is a bit lower, but the malware is still estimated to have caused around $1.2 billion in damage.
While that’s not a great price tag for the loss of business, the malware attack may have been the biggest disruption to India’s IT ecosystem in years.