Talk:WannaCry ransomware attack/Archive 3
This is an archive of past discussions about WannaCry ransomware attack. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Requested move 19 May 2017
- The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section.
The result of the move request was: Not Moved. (non-admin closure) Closed per nominator withdrawal and WP:SNOW. — InsertCleverPhraseHere 06:05, 22 May 2017 (UTC)
WannaCry ransomware attack → WannaCry – As mentioned earlier, this article was afflicted by a strange consensus that the malware and the overall attack are distinct subjects, because the malware's actions are a cyberattack that is independent of the malware itself, rather than just malware. I heavily disagree with this, as it contradicts our previous handling of malware-related articles; the malware is the attack, and I did not feel that they could be separated without contravening notability (working in the spirit of BLP1E). I am relieved that the merger went through, but now we have to deal with the title. Per this reasoning and WP:CONCISE, this article should be moved to WannaCry, and the lead should describe it as what it is, rather than paint this as just being an "event". This article requires no disambiguation. ViperSnake151 Talk 00:41, 19 May 2017 (UTC)
- Support. While the article would undoubtedly need several small edits to bring the article in line with the new title, the Nom here makes a persuasive case. This does indeed seem how other malware articles are handled, so WP:CONSISTENCY applies. WP:COMMONNAME seems unclear in any case. If you do a news search for "WannaCry" you will see quite a few examples of "WannaCry ransomware attack" but also plenty that just refer to the malware by name instead. — InsertCleverPhraseHere 00:45, 19 May 2017 (UTC)
- The point is that they're using WannaCry, at all. ViperSnake151 Talk 01:05, 19 May 2017 (UTC)
- Yes WP:CONCISE applies too. — InsertCleverPhraseHere 01:08, 19 May 2017 (UTC)
- Support. As I just said above, I think this article already suffers from recentism. We can talk about the recent attacks without making a news article, and the current title actually doesn't help with that. Titore (talk) 00:52, 19 May 2017 (UTC)
- Snow oppose we just closed this exact move, and the consensus was a no; you don't get to keep asking the same question over and over again. GliderMaven (talk) 01:53, 19 May 2017 (UTC)
- Oppose ...and close snowingly. We just did this. This article is still primarily about the event. It contains a section on the virus itself. Consider a RM at a future date. Anna Frodesiak (talk) 02:03, 19 May 2017 (UTC)
- No, that was a different issue. If there is consensus for covering the malware as a single article rather than the prior, unusual state of covering the malware as an event instead, this is the next step. We were doing too many things at once earlier. The article's current state should not be what the factor is; it can be changed. ViperSnake151 Talk 02:41, 19 May 2017 (UTC)
- Hi ViperSnake151. Okay, so you're saying that the addition of a section about the virus means we should discuss all over again? I mean, it is still about the event, right? There was a SNOW decision to keep the current title because it is about the event. You are aware of Talk:WannaCry ransomware attack#Requested move 15 May 2017, right? Best, Anna Frodesiak (talk) 03:41, 19 May 2017 (UTC)
- Strong oppose; the malware has been seen in the wild before May per Kaspersky, so there is a distinction between the thing itself and its recent spread. ansh666 07:37, 19 May 2017 (UTC)
- Related note, as MalwareTech and others have pointed out, the proper name for the malware is WannaCrypt, but given our rules on common name and all that, it's probably okay as is. ansh666 07:39, 19 May 2017 (UTC)
- Oppose This article is obviously about an event, so the current title is still appropriate. Cheers, FriyMan talk 07:59, 19 May 2017 (UTC)
- Oppose per WP:RECOGNIZABLE. Call me ignorant, but I barely heard of the exact malware name as I only superficially followed the news; or then, ask our readers in three years from now whether they remember "WannaCry". I'd even go so far to rename this to 2017 worldwide ransomware attack, but I find the current title satisfying enough. The article is focused on the event rather than on the malware itself anyway. No such user (talk) 10:21, 19 May 2017 (UTC)
- Support per Insertcleverphrasehere. feminist 10:30, 19 May 2017 (UTC)
- Strong Oppose There are a lot of sources that use "WannaCry attack" or "WannaCry ransomware attack". I don't see them using "WannaCry" in terms of the attack. Edit: Also, "WannaCry" is a ransomware and it attacked computers recently. There are no previous attacks, so I see no point moving it here for now. 103.1.70.5 (talk) 10:37, 19 May 2017 (UTC)
- Comment. I see some people opposing saying WannaCry was only used for the attack. While that's true, I don't see why it should be a reason to oppose. The point to move to WannaCry is exactly because WannaCry and the attack almost overlap, and the move is requested for consistency and conciseness. In the article we're still gonna continue to talk about WannaCry and its attacks and effects, but maybe from a wider point of view. People saying the article is all about the event should consider checking what wikipedia is and what wikinews is (hint: WP:NOTNP), and while we can and should continue talking about the event, the article as it is now has a lot of problems in that regard that we need to fix. Titore (talk) 11:16, 19 May 2017 (UTC)
- Strong oppose. As other editors have said, we have only just finished this discussion. Now that both of the previous proposals are closed, I feel it is better that we just get on with the article and then revisit this if/when:
- We decide that we have an article that is sufficiently uneven in scope or length (with respect to the attack / the software itself) and have taken enough from source material that we can justify moving / splitting / otherwise changing the location of the material;
- Further attacks occur that require us to differentiate between them and this attack;
- Something else occurs that renders the title very clearly not the best one.
- To be honest, though, talk of article titles themselves I feel is fairly academic. Besides the difference it makes to SEO scores (which is relatively irrelevant for Wikipedia, given its size), most readers will care little whether it is called "WannaCry" / "WannaCry ransomware attack" / "WannaCry cyber attack" / "That scary piece of software that stole loads of people's data" or anything else, as long as it is clear that they are reading about the thing that they want to read about. More important to them is that the article has the information they want. At the end of the day, we have redirects. — Sasuke Sarutobi (talk) 11:29, 19 May 2017 (UTC)
- Strong oppose - as per other arguments listed above, and that the previous discussion has barely had time for the electronic ink to dry. Chaheel Riens (talk) 12:32, 19 May 2017 (UTC)
- Oppose. The article and its contents are about the attack, not the ransomware itself; when it is about the ransomware it's only to explain how it works and how broadly it affected computers. I believe this article should stay like so, name and all, until another attack using WannaCry or a possible variant occurs; at that point, then I believe WannaCry should get its own article, using some of the info from this attack and a possible future attack. We can't name the article solely Wannacry based off just one attack using it, the article is about the attack and the name should reflect that. Firework917 (talk) 14:38, 19 May 2017 (UTC)
- This is exactly the notion that I was trying to avoid. As was mentioned by me and others, WannaCry is the event, and we've reached a consensus earlier that they are inseparable. CryptoLocker is a good place to start, since I foresaw the sections being Operations > Mitigation > Impact (with subheadings for affected organizations) > Money paid, etc. How WannaCry has spread is no different than other self-replicating malware, it started off slow, but then just started spreading like wildfire. It is a story either way. ViperSnake151 Talk 15:11, 19 May 2017 (UTC)
- Suggestion Eight opposes? The chance of this ending in "support" is near zero. I suggest we stop wasting community keystrokes and reads on this for now. As Firework917 says above: "...until another attack using WannaCry or a possible variant occurs; at that point, then I believe WannaCry should get its own article...". Please, can we close this and move on? Would that be okay with you, ViperSnake151? Anna Frodesiak (talk) 17:49, 19 May 2017 (UTC)
- Oppose Clearly WP:RECOGNIZABLE trumps WP:CONCISE here. Concise is not even an issue nor a valid reason to move in this instance as the name is not so long as to be burdensome. With that in mind, we always follow the sources and use the Common Name, which is where we already are. Removing words solely to make a title shorter, while at the same time you make it less informative, is clearly against our naming convention. To compare, most articles about mass shootings have the word "shooting" or "incident" or similar in their title. A title should be short, but it must be descriptive or it is of no use. The current title is already concise enough. Dennis Brown - 2¢ 20:24, 19 May 2017 (UTC)
- WikiProject Malware does have naming guidelines, but it seems to account more for situations requiring disambiguation, and not using what the antivirus exactly calls it, rather than titles of malware strain articles when disambiguation is unneeded. Of course, by the consensus that has been implied, this is not considered a malware article, but a cyberattack article, which means this likely is invalid. ViperSnake151 Talk 01:17, 20 May 2017 (UTC)
- This is an article on an event, not a strain. This seems to be the problem you are having, differentiating the difference between the two. If someone wants to start an article on this specific piece of software, then the rules would be different. Dennis Brown - 2¢ 16:34, 21 May 2017 (UTC)
- Oppose, implication that the article is about the ransomware itself, when it's actually about the attack. Plus, per other users and WP:RECOGNIZABLE, shortening the title to simply "WannaCry" would not only make it more difficult for users to identify it as the ransomware, but it would also be cherry-picking since it is known by other names such as "WanaCrypt0r", "WanaDecrypt0r", "WannaCrypt", among others. κατάσταση 23:27, 19 May 2017 (UTC)
- Support. The article should be simply WannaCry. Now that the 'dust has settled' somewhat, it's helpful to look to articles like Morris worm, and Blaster (computer worm) for guidance. It's in the nature of worms to be sudden impressive 'events' - but both of these articles (and others like SQL Slammer, Conficker and Code Red (computer worm)), manage to cover the event part as well as the malware description bit. How this is generally done is to have both (i) A 'history'/'timeline' section and (ii) A "tech details" section - with as much detail as necessary in both. Snori (talk) 05:58, 20 May 2017 (UTC)
- Strong oppose per User:Anna Frodesiak's rationale. This article is not just about the malware but about the entire attack/incident/cyberpandemic/... (which includes its impact and analysis etc). --Fixuture (talk) 10:48, 20 May 2017 (UTC)
- But that is, in fact, what every major malware article does, per Snori. Will we have to rename them all to be about the attack itself rather than just the software? Malware is inherently an event. Disambiguation is not needed. ViperSnake151 Talk 15:08, 20 May 2017 (UTC)
- @ViperSnake151: Well you have a point there, however:
- Malware is not inherently an event in that sense - there can also be malware that doesn't get into the wild etc
- The malware's variants are also part of the attack (no matter how impactful they were/are)
- The exploits are also part of the attack - it was a (at least) two-sided attack that didn't just consist of the malware
- (Targeted surveillance-gathering, sabotage- and (more or less) non-damaging, non-sudden.. cybercrime-malware (such as cryptominers) may not be best described as "attacks")
- Its abrupt, rapid nature is not characteristic for malware in general but characteristic for an attack/incident/...
- WP:AON is about what not to do
- It could potentially be moved to another title such as "Global WannaCry ransomware attack" or "WannaCry ransomware cyberpandemic" or alike
- --Fixuture (talk) 16:41, 20 May 2017 (UTC)
- The exploits are used by the malware. Variants of a malware are typically not notable enough for their own articles, so they are typically considered branches of the parent article. Regardless of how structured or abrupt the spread is, it's still malware. ViperSnake151 Talk 16:55, 20 May 2017 (UTC)
- Oppose Create new page for malware. groig (talk) 19:57, 20 May 2017 (UTC) (edited)
- Comment Hi ViperSnake151. You make good points. They have weight. But they are pitted against what the media calls this, and the fact that nothing substantial has changed since the last RM days ago. It may very well end up being called WannaCry, but not from this RM.
- So, how about a compromise? Let's close this and you do a RM in a few months. Would that be okay?
- I say this because we have to look at the cost/benefit. The cost is that the template is a blight and draws a lot of people here. This talk page has 143 watchers and hundreds of visits. People come and read through all these arguments --- the same arguments as in the last RM. The benefit is nothing. The chance of the outcome you wish is zero. So, what do you say? Anna Frodesiak (talk) 23:53, 20 May 2017 (UTC)
- This seems sensible. — InsertCleverPhraseHere 02:22, 21 May 2017 (UTC)
- I unfortunately, must accept. The problem with this article is that it focuses too much on WannaCry as an event rather than a piece of malware. It is clear, per the coverage in sources, as well as the consensus of Wikipedia editors, that WannaCry must be classified as a cyberattack conducted using multiple Ransomware malwares with similar connections, rather than just a single Ransomware malware. Wikipedia articles must align with the perspectives of reliable secondary sources, and if they cover this as an attack rather than malware, we must do so as well. ViperSnake151 Talk 22:53, 21 May 2017 (UTC)
- That is great news, and much appreciated. Anna Frodesiak (talk) 23:36, 21 May 2017 (UTC)
So, can we close this and get that dreadful template off the article now, please? Anna Frodesiak (talk) 23:36, 21 May 2017 (UTC)
- Yes, from me. As argued, this is probably the best for now. Snori (talk) 23:50, 21 May 2017 (UTC)
- Oppose. A lot of my childhood friends had a Baby WannaCry doll. (Yes, I'm that old.) And no, WannaCry is pretty much guaranteed to have been used in more than one context; the ransomware is only the most recent use of that "term". Simply put, it's nowhere near distinct enough. Risker (talk) 03:00, 22 May 2017 (UTC)
- The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.
Cause
The infobox says the cause is EternalBlue. Could the cause be hacking? The vulnerability? Is EternalBlue correct? Anna Frodesiak (talk) 06:12, 22 May 2017 (UTC)
- Good spotting, have changed to WannaCry worm. Snori (talk) 06:22, 22 May 2017 (UTC)
- Cheers! :) Anna Frodesiak (talk) 06:23, 22 May 2017 (UTC)
Follow ons
Seems like someone's created a new worm, EternalRocks, that targets the same SMB vulnerability, and comes bundled with seven NSA-created hacking tools. Esowteric+Talk 15:57, 22 May 2017 (UTC)
The map with all the red
Please comment here. Cheers, Anna Frodesiak (talk) 01:45, 22 May 2017 (UTC)
- Now back to a more reasonable version. Snori (talk) 07:06, 22 May 2017 (UTC)
- Thank you kindly, my friend. :) Anna Frodesiak (talk) 07:19, 22 May 2017 (UTC)
- What does 'initially' mean though? How are we defining what countries are coloured red on this map? I was under the impression this was all the countries it had spread to, but if that isn't the case then this image is misleading. — InsertCleverPhraseHere 09:16, 22 May 2017 (UTC)
- Well, the caption did say "initially", so that would imply within a short time after discovery. But yes, how to define initially? Maybe the BBC article date? Anna Frodesiak (talk) 12:01, 22 May 2017 (UTC)
- It'd be difficult to define. I don't imagine many organisations would wish to publicly disclose being infected if they could avoid disclosure, and those that did probably wouldn't have said anything straight away (save for employees mentioning it, especially when it became prominent, or the organisation realising that they are not out of the ordinary in being infected). So you may have only had a lot of organisations going public when it was clear that it was a widespread issue, making it difficult to define a cut-off at a particular time. — Sasuke Sarutobi (talk) 12:14, 22 May 2017 (UTC)
- Good points. Maybe we should remove it from the article. Trouble is, it is used in many language Wikipedias now. Anna Frodesiak (talk) 13:01, 22 May 2017 (UTC)
- To be honest, I think if we're having trouble defining "initially", then we should just drop the requirement. Even if there are residual attacks still on-going (especially with the fabled "killswitch-free" variants), and defensive work still being done, most major organisations are either now affected or patched. Really, I think we should look at incorporating the list of affected organisations and then placing the map there to illustrate the scale of the effect (especially since the discussion regarding flag usage fizzled out with no real consensus). — Sasuke Sarutobi (talk) 13:11, 22 May 2017 (UTC)
Actually, the source says "...countries affected in the first few hours of the cyber-attack..." Why not quote or paraphrase that? Anna Frodesiak (talk) 18:14, 22 May 2017 (UTC)
- How is that relevant though? What is so special about the first few hours? — InsertCleverPhraseHere 18:59, 22 May 2017 (UTC)
- Good question. I don't know. Maybe visitors would like to know just how fast and how wide it spread in the beginning. Anna Frodesiak (talk) 19:32, 22 May 2017 (UTC)
- It's relevant because the key reason for this worm being notable is the speed with which it spread. We probably don't make this clear enough, but it started at 7:30am and was largely stopped by the 'sinkhole' at about 3:00pm (both UK time) - that map is derived from a BBC graphic from the next day.
- Then we should explain this in the caption for the map
Toning "attack" down to "infection"
Even if the title retains the "attack" wording, I'd like to pretty much expunge it from the article itself. We currently say "The attack started on Friday..."; where I think we should say "The first infections were detected on Friday...". Compare this article to Stuxnet and Sony Pictures hack. Those may not have been as widespread, but they were much more in the nature of attacks than this poorly executed ransomware. (I will wait a while for feedback before making any edits along this line). Snori (talk) 23:30, 20 May 2017 (UTC)
- Actually, we follow the sources and we do not add our own opinion. The media is using the phrase "attack" 3x more than "infection" by my count. Dennis Brown - 2¢ 08:38, 21 May 2017 (UTC)
- Attack is a loaded word, thus violating the neutral point of view. ViperSnake151 Talk 15:19, 21 May 2017 (UTC)
- WP:NPOV is not even at play here. There is no "victim" or unfairness to any person or group by calling it an attack. WP:TITLE makes it clear in the first paragraph. Even the subsection WP:NPOVNAME says we follow the sources, although I still maintain the title in no way raises neutrality issues. Dennis Brown - 2¢ 16:31, 21 May 2017 (UTC)
- It is the POV of the media to call it an attack specifically. ViperSnake151 Talk 22:51, 21 May 2017 (UTC)
- Oh dear! Attack is the word used by the sources, and accurately describes the event and intentions. Esowteric+Talk 15:26, 21 May 2017 (UTC)
- cf Attack on Pearl Harbor Esowteric+Talk 15:29, 21 May 2017 (UTC)
- Unless there's someone out there arguing that this ransomware produces some benefit to (as opposed to damaging) infected systems, there's no valid NPOV justification for removing it. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 18:29, 21 May 2017 (UTC)
I agree that there's a good argument for retaining "attack" in the title - it's the initial common name given, and hence has precedence. Similarly, many of the sources will use the "WannaCry attack" name for that same reason, and it would be wrong to alter or obscure that. However, my argument is that when we, later in the article, mention a machine or organisation being hit with this, then "attack" is not a reasonable word. We should use 'hit', 'infected', 'adversely affected' or whatever seems reasonable for the context - but attack will very seldom be appropriate. User:Esowteric and User:MjolnirPants argue that WannaCry has an 'attack intention', but (unless we hear otherwise) this is simple criminal ransomware. As per my earlier comments, check out the language we use in other articles on ransomware and worms. If you broadly agree, please pop a note here to show consensus. Snori (talk) 21:37, 21 May 2017 (UTC)
- This isn't an article on a virus or worm, it is on the event. Looking at other articles on worms or ransomware won't help you. You would look at articles on similar events. This point seems to be continually lost by a good many editors. Dennis Brown - 2¢ 21:49, 21 May 2017 (UTC)
- Well, it's about both - as since a recent merge WannaCry redirects here. Note that it's in the nature of worms to spread extremely rapidly, so they are typically "events" (The first, the Morris worm was very big event for the Internet sites of the time). By hitting the NHS, and being based on leaked NSA tools, this just got more than usual attention from the media - so the "event" side of things, quite rightly, gets more than usual attention. Snori (talk) 22:33, 21 May 2017 (UTC)
- In a related note, no media has ever referred to a "defensive response". The section was originally titled as "response". This change to "defensive response" was made by an amateurish, teenage editor with little technical background, most of whose edits have been reverted by other editors. 73.61.20.75 (talk) 17:30, 22 May 2017 (UTC)
- "Attack" and "criminal ransomware" aren't mutually exclusive. Muggers "attack" victims, as do con-men. It's a metaphor, strictly speaking, but it's so common that it's idiomatic. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 01:29, 23 May 2017 (UTC)
Perpetrators?
Shouldn't there be a section (or at least a mention) of who/where the attack is thought to have come from? Coinmanj (talk) 06:30, 24 May 2017 (UTC)
- @Coinmanj: Well there was an "Attribution" section but it was removed by 2604:2d80:8421:e8f0:d442:c6aa:8238:ba81 saying "Cut an unnecessary and over simplified description of the virus that was located in an odd part of the page". You tell me why you and nobody else saw and reverted that edit. Imo a section "Attribution", "Investigation", or "Perpetrators" is very warranted given the available reports on the investigation and its findings so far. --Fixuture (talk) 17:42, 24 May 2017 (UTC)
- Considering I was just a casual reader of the article and then noticed there wasn't such a section, I'm not sure it's up to me to have noticed the removal back on May 22. That said, I've gone and re-added that section since it is definitely needed. Coinmanj (talk) 20:13, 24 May 2017 (UTC)
Botched patch
Move discussion in progress
There is a move discussion in progress on Talk:Marcus Hutchins which affects this page. Please participate on that page and not in this talk page section. Thank you. —RMCD bot 15:18, 26 May 2017 (UTC)
- You're a little late to the party, bot. The move was completed several hours ago without leaving a redirect. — Gestrid (talk) 04:53, 27 May 2017 (UTC)
WannaCrypt note: Use of Google Translate
WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers; signs of machine translation spotted by analysts. Regards Esowteric+Talk 12:46, 26 May 2017 (UTC)
- Added to #Attribution, thanks. ansh666 06:17, 27 May 2017 (UTC)
uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
What is with "uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" in this page? Qwertyxp2000 (talk | contribs) 06:28, 27 May 2017 (UTC)
- Someone registered the domain they found in the ransomware's code on a whim and inadvertently found the killswitch to the original ransomware. Turned out that every time a machine was encrypted, the ransomware pinged the domain to see if it had been created. If not, it proceeded to encrypt the machine. If so, that copy of the ransomware would stop copying itself and wouldn't encrypt the user's files. It was hardcoded into the ransomware likely because the hacker wanted a way to stop the spread if, for whatever reason, they wanted to do that. — Gestrid (talk) 06:53, 27 May 2017 (UTC)
- You probably shouldn't go to the website, though, just in case. I'm not sure if the site itself is safe. — Gestrid (talk) 06:56, 27 May 2017 (UTC)
- @Gestrid: Website's fine. All it contains is "sinkhole.tech - where the bots party hard and the researchers harder." Here's a screenshot. Anarchyte (work | talk) 07:16, 27 May 2017 (UTC)
- The site is safe, but it's best to not go to it, because they still use it to determine who's been infected, and to do so they need to filter out manual visits. ansh666 18:04, 27 May 2017 (UTC)
- The reason this was coded into the ransomware was to detect if it was running on a security research lab VM, which would almost always tell the software "Yes, this domain exists" just to see what happens. By doing that, they could prevent malware researchers from detecting the ransomware for a longer time. A botnet sinkhole is a computer that is designed to 'capture' botnet software so that security researchers can analyze it, and "sinkhole.tech" is a registered domain with a primary contact info of botnetsinkhole@gmail.com. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 20:40, 27 May 2017 (UTC)
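A defender's view of the lookup behaviour described in this thread, as an added example that is not part of the original discussion: it triages resolver logs for clients that looked up the kill-switch domain and separates hosts whose lookup succeeded from hosts whose lookup failed, since the thread says a failed lookup lets encryption proceed. The log format, the sample lines and all function names are constructed for illustration, and the domain string is copied as written in this section's heading.

```python
"""Triage DNS resolver logs for lookups of the WannaCry kill-switch domain."""
from dataclasses import dataclass

# Domain exactly as written in this talk-page section; pass the value from
# your own indicator feed to triage() if it differs.
KILLSWITCH_DOMAIN = "uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log (not real data). Assumed format, one query per line:
#   <ISO timestamp> <client IP> <query name> <query type> <response code>
SAMPLE_LOG = """\
2017-05-12T08:14:02Z 10.0.4.17 www.example.org. A NOERROR
2017-05-12T08:14:09Z 10.0.4.17 UQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.com. A NXDOMAIN
2017-05-12T15:40:31Z 10.0.4.17 uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
2017-05-12T15:41:10Z 10.0.7.80 uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
2017-05-12T15:41:12Z 10.0.7.80 www.uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
2017-05-12T15:42:55Z 10.0.9.3 uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A SERVFAIL
2017-05-12T15:43:00Z 10.0.9.3 notuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
this line is malformed
"""


@dataclass
class HostFinding:
    first_seen: str
    resolved: int = 0    # lookups answered NOERROR: kill switch was reachable
    unresolved: int = 0  # NXDOMAIN, SERVFAIL, ...: kill switch was not reachable

    @property
    def status(self) -> str:
        # Per the thread, a failed lookup means the ransomware carries on, so
        # any failed lookup puts the host first in line for isolation.
        return "at_risk" if self.unresolved else "killswitch_hit"


def matches(qname: str, domain: str) -> bool:
    """True for the domain itself or a subdomain of it, case-insensitively.

    Comparing on a label boundary avoids flagging look-alike names that
    merely end with the same characters.
    """
    name = qname.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def triage(log_text: str, domain: str = KILLSWITCH_DOMAIN) -> dict:
    """Return {client_ip: HostFinding} for every client that queried `domain`.

    A lookup can also come from a person visiting the site, as the thread
    notes, so findings are leads for investigation, not verdicts.
    """
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated lines
        ts, client, qname, _qtype, rcode = parts
        if not matches(qname, domain):
            continue
        finding = findings.setdefault(client, HostFinding(first_seen=ts))
        finding.first_seen = min(finding.first_seen, ts)  # ISO strings sort by time
        if rcode.upper() == "NOERROR":
            finding.resolved += 1
        else:
            finding.unresolved += 1
    return findings


if __name__ == "__main__":
    for ip, f in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:<12} {f.status:<15} first_seen={f.first_seen} "
              f"resolved={f.resolved} unresolved={f.unresolved}")
```
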
Proposed merge with EternalRocks worm
Significant overlap in topic, does not seem to have enough notability to justify standalone article at this point. RA0808 talkcontribs 22:37, 25 May 2017 (UTC)
- EternalRocks uses a couple of the same exploits, but isn't even ransomware. How are the two related, and how would EternalRocks be considered part of this attack? — InsertCleverPhraseHere 22:46, 25 May 2017 (UTC)
- @Insertcleverphrasehere: Because EternalRocks has, thus far, only been described in conjunction with WannaCry and would not be notable without that connection. In fact... there already is a brief section on EternalRocks in this very article. RA0808 talkcontribs 04:31, 26 May 2017 (UTC)
- The only similarities here are the ones that the media invented in their desire to create more hype about WannaCry. They are actually wholly unrelated. — InsertCleverPhraseHere 10:25, 28 May 2017 (UTC)
- Do not merge. The only correlations are that EternalRocks uses the same exploits and disguises itself as WannaCry to evade detection. They should be separate. Frevangelion (talk) 01:06, 26 May 2017 (UTC)
- STRONG oppose completely separate ransomware. topic also appears to meet general notability -- Aunva6talk - contribs 05:39, 26 May 2017 (UTC) -- Aunva6talk - contribs 05:33, 26 May 2017 (UTC)
- Oppose merge; they are completely separate pieces of software. If it's not notable, it should be deleted instead. ansh666 01:14, 27 May 2017 (UTC)
- Oppose merge; they have nothing to do with each-other. GamerGeekWiki (talk) 18:53, 28 May 2017 (UTC)
Edit war
Bit of an edit war going on, just now. Esowteric+Talk 17:00, 29 May 2017 (UTC)
86.153.132.218 is confusing the attack (WannaCry) with the vulnerability (CVE-2017-0144). Microsoft chose to patch Windows XP and the media concluded that Windows XP was responsible for WannaCry's impact. However subsequent research showed that Windows XP's contribution was insignificant. Another Rob (talk) 22:01, 29 May 2017 (UTC)
- Nobody has argued otherwise apart from your claim that the media concluded Windows XP [alone] was responsible (which they did not). Your repeated edits are claiming that Windows XP was never vulnerable to the ransomware (Your edit: "...researchers found Windows XP was not vulnerable to WannaCry's worm-like spreading mechanism ..."). In which case: what was the purpose of Microsoft's patch and how did WannaCry spread to the (globally) 'insignificant' number of XP machines that were affected? And why are you now claiming in your post above that Windows XP was affected? Which way are you arguing this because you can't have it both ways? 86.153.132.218 (talk) 16:41, 30 May 2017 (UTC)
- I removed that statement entirely, because the source given does not match the claim it cites at all. The ZDNet article given was actually talking about WannaKey. It made no mention to XP being "not vulnerable to WannaCry's worm-like spreading mechanism". ViperSnake151 Talk 17:32, 30 May 2017 (UTC)
- It does mention that, with this single sentence: "As security researcher Kevin Beaumont pointed out, the NSA's Eternal Blue exploit that WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network.", citing as a source this tweet. Also, Windows XP did have the SMB vulnerability and Microsoft fixed it, but that doesn't necessarily mean the ransomware was able to exploit it in XP[1]. Just doing the devil's advocate here; that tweet discussion, although very interesting, probably isn't enough to use it as a reliable source on Wikipedia, anyway. Titore (talk) 20:07, 30 May 2017 (UTC)
- Don't know if it counts as reliable, but this does indicate that the versions of EternalBlue and DoublePulsar used in this worm do not function properly on XP. The ransomware package itself does however. ansh666 00:40, 31 May 2017 (UTC)
If WannaCry was unable to infect Windows XP, how was XP at particular risk? It seems to me that unpatched Windows 7 was a higher risk since WannaCry was able to execute, encrypt files, and spread. Another Rob (talk) 02:16, 31 May 2017 (UTC)
- There is ample coverage that some Windows XP machines were affected and encrypted. What there seems to be some disagreement about in the sources is how this came about. 86.149.143.168 (talk) 13:57, 31 May 2017 (UTC)
References
- ^ Only the spreading bit, WannaCry still works on XP locally, according to that source.
New WannaCry patch for XP from Microsoft (~14 June 2017)
Hi, Microsoft have put out another WannaCry patch for Windows XP. Esowteric+Talk 14:23, 14 June 2017 (UTC)
Related ransomware attacks at UCL
May be related, or of interest:
- University College London Suffers Zero-Day Ransomware Cyber Attack
- Top university under 'ransomware' cyber-attack
Regards, Esowteric+Talk 15:14, 15 June 2017 (UTC)
Article flow
A bot has just changed the heading level of items 1-4 below, due to WP:MOSHEAD. Were 1-4 meant to be sub-headings of the lead? In any case, shouldn't the main body of the article start with 5: Cyberattack? Things like "Kill switch" look oddly placed.
1: "Kill switch"
2: EternalBlue
3: DoublePulsar
4: Attribution
5: Cyberattack
If 1-4 are meant to be part of the lead, maybe use html bold markup rather than heading markup?
Esowteric+Talk 11:10, 24 June 2017 (UTC)
- Looks like some WP:BOLD section reordering is called for. ~Kvng (talk) 13:33, 27 June 2017 (UTC)
Petya (malware) and the main thing
Please see here. Thanks. Anna Frodesiak (talk) 04:03, 28 June 2017 (UTC)
Added name of researcher
Hello,
I have just added the name of the researcher who discovered the killswitch, Marcus Hutchins, AKA MalwareTech. Looking through the history, I noticed this had previously been removed as "doxxing." Unfortunately at this point, the cat is well out of the bag, particularly as MalwareTech has now been arrested in the US and is currently in detention, and his name is now being reported in numerous major publications: https://news.google.com/news/story/dCGCPFgZIPS-8kMuYgoOE_o2cMHGM?ned=us&hl=en
I feel it no longer serves any purpose to keep his name out of this entry. -Mvolz (talk) 18:32, 3 August 2017 (UTC)
- But does it really add any value to the article? In my opinion, no it doesn't. Now I don't fully object to the notion of adding his name to the article, but given the circumstances, it might be wise to discuss it first. SkyWarrior 01:53, 4 August 2017 (UTC)
- IMO it's mostly a matter of transparency; from reading the article, you would assume his identity is unknown, because it's unusual to not identify a person by name unless they're anonymous. That indeed *used* to be the case, but is no longer the case. So it's really a matter of the implication caused by *not* having the name, rather than the importance of having it per se, which is why I only added it once (to dispel this assumption). I do think in the rest of the article we should continue to use the pseudonym. (There were also some parts that were rather oddly written because I think probably it's unusual for people to write about a pseudonymous individual, although I think that isn't necessarily solved by using the name, but instead just by using the pseudonym correctly.) Mvolz (talk) 16:49, 4 August 2017 (UTC)
- I believe inclusion of the real name adds value. Since his widely-reported arrest, Marcus Hutchins, the real person, is now an important piece of connective tissue in this topic area. ~Kvng (talk) 15:03, 7 August 2017 (UTC)
External links modified
Hello fellow Wikipedians,
I have just modified one external link on WannaCry ransomware attack. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
- Added archive https://web.archive.org/web/20170516182233/http://www.startribune.com/the-latest-turkey-among-countries-hit-in-cyberattack/422161813/ to http://www.startribune.com/the-latest-turkey-among-countries-hit-in-cyberattack/422161813/
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}}
(last update: 5 June 2024).
- If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
- If you found an error with any archives or the URLs themselves, you can fix them with this tool.
Cheers.—InternetArchiveBot (Report bug) 06:21, 13 January 2018 (UTC)
FedEx
Is it really appropriate to say FedEx was successfully attacked, when it was really just a Dutch company that FedEx had just happened to have recently acquired?
Also, were there any other US entities affected?
Benjamin (talk) 22:01, 19 March 2018 (UTC)
Also, would this source be good here, saying the extent of US damage is unknown, because of companies not reporting it?[1]
Relevant quote: "Private sector companies infected with ransomware largely tend to keep those incidents secret by privately working with contractors rather than the federal government."
Hello any buddy
I m join to hacking Domickbond (talk) 20:27, 25 April 2020 (UTC)