Talk:WannaCry ransomware attack/Archive 1

Portal listing
I've left a note about the event on the Current Events Portal talkpage. — Sasuke Sarutobi (talk) 16:53, 12 May 2017 (UTC)

Useful news links



 * 79.77.211.89 (talk) 23:04, 12 May 2017 (UTC)

Merge proposal
It seems there's another page about this topic. Do we merge its information to this page? — Gestrid (talk) 22:05, 12 May 2017 (UTC)
 * Yes, I would go for it. Mz7 (talk) 22:22, 12 May 2017 (UTC)
 * No, clearly this contains hoax material, such as the demonstrably false "Many hospitals in Great Britain were closed for months, only treating near-dead patients". Drchriswilliams (talk) 22:35, 12 May 2017 (UTC)
 * Please consider your phrasing. It wasn't a hoax, it was simply not correct information. Next time you are welcome to correct errors by editing the article.--Rævhuld (talk) 23:10, 12 May 2017 (UTC)
 * There's a reason why current event says the article may be inaccurate. — Gestrid (talk) 23:11, 12 May 2017 (UTC)
 * Thanks for pointing that out. I removed that bit of unsourced content, then redirected the article here. Looks like one section that could be merged has already been merged. Mz7 (talk) 22:44, 12 May 2017 (UTC)
 * ✅. Mz7 (talk) 22:44, 12 May 2017 (UTC)

Kaspersky Lab note
Why is this in here, it literally has nothing to do with the content of the article? Sephiroth storm (talk) 02:33, 13 May 2017 (UTC)
 * Agreed: the only mentions of the two together that I can find online are quotes from KL on the threat and its remediation, and some news articles saying that they were the first to announce the threat. Conflating that with other political issues to do with Russia is misleading, or WP:Synthesis at best. Uncle Roy (talk) 02:39, 13 May 2017 (UTC)

Russian ministries
Just deleted this from the intro. If three Russian ministries avoided being infected by "repulsing" the attack, why is it news? In fact the references (when translated) say that "the servers were not infected because they run 'a different operating system'", and at the Ministry of Internal Affairs the attack, "was localized, no leakage of information occurred" - the same could, and was, said of the NHS. Snori (talk) 19:36, 13 May 2017 (UTC)

Map image
I added this. Feel free to remove it if you feel it doesn't add much to the article. It wasn't much effort to make or upload. Anna Frodesiak (talk) 21:10, 13 May 2017 (UTC)

Systems affected
Is it just Microsoft that is having issues with this, or are apple and ibm and other computer groups experiencing this same issue? Also, is it safe to go online with a Microsoft machine right now? I have mine physically disconnected from the internet line when I am not there to use it with this exact situation in mind, but I have no idea how to check and see if I have the patch needed to keep my machine uninfected. 2600:1011:B018:196E:3925:4863:EC2:A9C8 (talk) 23:42, 13 May 2017 (UTC)
 * It's a Windows problem. If Apple or IBM computers are running Windows, they're vulnerable. - Nunh-huh 00:14, 14 May 2017 (UTC)

Wikileaks?
Someone named Kurt Knutsson who was on Fox Business blamed it on last month's Wikileaks document "dump"--perhaps this should be mentioned in this article, if there is an RS.Zigzig20s (talk) 07:49, 13 May 2017 (UTC)
 * No. The KK chap is misinformed. It's surreal and confusing, but attack toolkits from both the CIA and the NSA have been leaked recently. The ones Wikileaks leaked were the CIA's. Snori (talk) 10:38, 13 May 2017 (UTC)
 * No. Fox News is not a reliable news agency.--Rævhuld (talk) 12:21, 13 May 2017 (UTC)
 * What absolute rubbish. They are as reputable as any other major news network. HammerFilmFan (talk) 04:58, 14 May 2017 (UTC)
 * Fox News is citable like any other news agency. Not all commentary meets the criteria to be cited, but please do not spread misinformation. Fox News is cited throughout Wikipedia. Whamper (talk) 14:48, 13 May 2017 (UTC)
 * I was asking for an RS anyway. Not a TV interview. But I provided the youtube link to show where I heard the info (I didn't make it up). Are there RS which deny the info please?Zigzig20s (talk) 18:37, 13 May 2017 (UTC)

Splitting of attack/ransomware pages
Should there be 2 separate pages about WannaCry and the attack respectively? The page about WannaCry would cover the ransomware only and the attack page would cover the 12th May cyber attack and its fallout / reactions. — Popeter45 21:20, 12 May 2017 (UTC)
 * That was my reasoning for moving the page, though I'm not sure if there is enough information out there just yet for a standalone article on just the ransomware itself. — Gestrid (talk) 21:25, 12 May 2017 (UTC)
 * What about the original phishing mails? How they were worded, etc. They must have been multi-language, and convincing.217.75.18.23 (talk) 08:35, 14 May 2017 (UTC)

Stopped the virus spread
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack Can we place this in the article. Sherenk1 (talk) 04:48, 13 May 2017 (UTC)
 * Is now included. Snori (talk) 10:42, 13 May 2017 (UTC)
 * Malwarebytes is reporting that the "killswitch" won't work on the many corporate networks that access the internet through a proxy: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r (There's some debate in the comments though and the original source blog says they haven't tested it in a VM, so it might be fair to wait for confirmation of this.) See also: https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/ --Thomas B♘ talk 17:09, 13 May 2017 (UTC)
 * We can't use blogs as sources per WP:BLOGS. They generally don't have as much, if any, editorial oversight as news websites do. This is even true for blogs run by news websites such as, for example, Fox News Insider. — Gestrid (talk) 19:56, 13 May 2017 (UTC)
 * Thanks Gestrid. Don't worry, I wasn't recommending we do so. I was adding information to the talk thread that may be of use to those seeking more information while we await more substantial verification. But for the record, you seem to be misstating the policy on blogs, which are sources that should be used with care (just never used for living persons). Remember, "The appropriateness of any source depends on the context." Peer reviewed sources are the best sources, so if multiple independent security researchers comment on each others' work through cross-referenced blog posts with actual code samples that are subject to easy independent verification, then that may merit inclusion. The Guardian's process for verification of a quick moving story on a highly technical subject involves asking a few people at a single point in time, so it may not produce the same level of reliable content. Remember, the goal of WP:SOURCES is reliability and verifiability. The heuristic of preferring journalistic sources over blogs is just a heuristic, and there may be special cases that break that rule. This may be one such case, maybe not. But there is certainly no hard and fast prohibition on blogs, or even blogs run by newssites, which WP:SOURCES even explains how to reference. --Thomas B♘ talk 23:05, 13 May 2017 (UTC)

Could you add an explanation why the kill switch {what mean unplugging the comp from power line } is not working. The personal yps devices era designed so the lame victims (aka customer or user ) can not power off they attachments. There is no way to remove the battery and the turn off button is merely pp fake for peace of mind decoration. This was visible by netmonitoring (eg wireshark's taps) years ago where believed turn off devices exchanged to Mbase encrypted packets //and this is so manufactured day to day operation. [knwnxample:= the turn off tv verting spk to mik] — Preceding unsigned comment added by 99.90.196.227 (talk) 09:40, 14 May 2017 (UTC)

University of Waterloo?
Cite note doesn't work... — Preceding unsigned comment added by 2607:FEA8:4EE0:784:EDF1:D58A:EA07:1855 (talk) 07:53, 14 May 2017 (UTC)
 * doesn't work: Do you mean they didn't send BT yet? — Preceding unsigned comment added by 99.90.196.227 (talk) 09:44, 14 May 2017 (UTC)

"We will have free events for users who are so poor that they couldn't pay in 6 months" ?
What is the significance of that? 80.140.197.186 (talk) 10:34, 13 May 2017 (UTC)
 * Blather. If you trust malware authors, and if you can wait 6 months, they *might* give you a decryption key. Not much comfort there. Snori (talk) 10:41, 13 May 2017 (UTC)
 * above POV? 6m this is the estimated time the agency need for transfer all users data to central storage and not too overload available links. the spook/zbuk deceive humane. don't be fooled see who designed it in first place. — Preceding unsigned comment added by 99.90.196.227 (talk) 09:54, 14 May 2017 (UTC)

Technical analysis of worm
See The worm that spreads WanaCrypt0r (detailed analysis of code)  Esowteric + Talk  16:04, 14 May 2017 (UTC)

How is the bitcoin-value evaluated?
Are there any reports out there that describe how the bitcoin is evaluated by the software? Is it the time of the payment? If so what data is used for that? Is it getting fetched from the Internet?

Or was it hardcoded into the software and used data at the time of the malware's creation?

In either case this needs to be specified.

Also note that this information is important for instance because uninformed victims might buy exactly $300 worth of bitcoin, the evaluated price might come from some up-to-date source, the malware might be very exact with its minimum payment requirement, the bitcoin-value might fluctuate so that $300 worth of bitcoin becomes $290 worth of bitcoins and many affected systems might be critical to lives and society.

--Fixuture (talk) 16:57, 14 May 2017 (UTC)

G7
Should content about the G7 meeting be added to the "Reactions" section? I'm not sure as I couldn't find any direct reference to this particular cyberattack in their statements so far.

E.g. this:


 * On a May 2017 meeting G7 financial leaders stated that they "recognize that cyber incidents represent a growing threat for our economies and that appropriate economy-wide policy responses are needed".

--Fixuture (talk) 17:57, 14 May 2017 (UTC)

Rename
To WannaCry cyber attack, as most readers are unfamiliar with "ransomware". fgnievinski (talk) 23:38, 13 May 2017 (UTC)
 * I've created a redirect at WannaCry cyber attack. If you want to start a move request, take a look at WP:RM. All the instructions are there. Anarchyte (work | talk) 05:53, 14 May 2017 (UTC)
 * As no objections had been raised, I conclude the proposal was non-controversial, so I took the liberty of going ahead with it. fgnievinski (talk) 06:48, 14 May 2017 (UTC)
 * May I suggest "cyber-attack", rather than "cyber attack"? The former is more widely used, and "cyber" hasn't attacked anything. Uncle Roy (talk) 19:25, 14 May 2017 (UTC)

WP:ENGVAR
Which EngVar should this article be in? I'm currently seeing mixed BrE and AmE. Adam9007 (talk) 21:27, 14 May 2017 (UTC)


 * Kind of inevitable considering the footfall that is occurring. Strictly, it should be the variant from the original stable version.  But with the traffic that is unlikely.  I suggest we wait awhile then sort it out later. 86.145.209.23 (talk) 21:47, 14 May 2017 (UTC)

Technical details
Technical details - https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware — Preceding unsigned comment added by Abhishikt (talk • contribs) 00:06, 13 May 2017 (UTC)

This article is by far the most complete technical article about WannaCry. Should we use this instead of the Symantec one, which does not have that much info? Or both? https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-technical-nose-dive/ — Preceding unsigned comment added by Rylheh (talk • contribs) 23:43, 14 May 2017 (UTC)

Page title
I propose we move the page to WannaCry ransomware attack (2017). This way, we can leave this page open to be used as an article about WannaCry in general. — Gestrid (talk) 18:23, 12 May 2017 (UTC)
 * Agreed. Makes sense. Go for it. 109.155.194.215 (talk) 20:12, 12 May 2017 (UTC)
 * ✅ Went ahead and WP:BOLDly moved the page. — Gestrid (talk) 20:48, 12 May 2017 (UTC)

I think just WannaCry would be more appropriate, the disambiguation is not needed. ViperSnake151  Talk  02:52, 15 May 2017 (UTC)

Advice?
Shouldn't there be a section referencing advised solutions if infected? As I don't see any info spoken about in the article. Are people being advised to pay, are people paying (wisely or otherwise), and does paying actually get their machines decrypted? And other related questions. Jimthing (talk) 22:09, 15 May 2017 (UTC)

How to defend my XP computer?
How do I get a patch to defend my XP against this please? Many thanks! Darkman101 (talk) 00:19, 16 May 2017 (UTC)  JTP (talk • contribs) 00:32, 16 May 2017 (UTC)

OR, duplicate sections, and a number of other problems
There has been a massive amount of amateurish/incorrect edits made by one user, User:GliderMaven, over the past day. The user made no attempt at talk page discussion nor collaboration, and unfathomably reverted legitimate edits by other users on at least one occasion.

These are examples of edits that blatantly fall under WP:OR or WP:SYNTH: 

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780294423

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780317291

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780318804

These edits are factually incorrect or misleading:

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780194041 (this incorrectly identifies one person as "researchers", etc.)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780294423 (this contains a sheer fabrication)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780317291&oldid=780316995 (would be WP:OR if this is true, but it isn't even true if you actually look at the data)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780321147&oldid=780320163 (these two are overlapping)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780323500&oldid=780323351 (incorrect interpretation of phishing)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780322912 (the edit summary also makes zero sense)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780324990 (this is uncited/OR, and is technically confusing, and is probably incorrect, depending on your interpretation. In any case, it's clear he doesn't understand the relationship between phishing attack and antivirus software.)

These are attempts to improve grammar/prose that are grammatically incorrect or very awkward:

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780293149

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=780338512&oldid=780338198

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780295658 ("registering for a DNS sinkhole" does not make technical sense either)

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780292481 ("may be a bug whose code..." - again, both grammatically and technically incorrect)

These are other edits that are contrary to WP:MoS and usual practice:

https://en.wikipedia.org/w/index.php?title=WannaCry_cyber_attack&diff=prev&oldid=780319655

A number of other edits are attempts to adjust his own copyedit oversights, such as this edit. I haven't included mistakes that had been corrected by himself and other users, but there is a decent number of these, as some other editors can testify.

Finally, the user also made a bizarre attempt to swap a content section with a paragraph in the lede. He then reverted back 5 edits, including his own, and added back some of the content himself. It's not clear if this is a good faith attempt followed by bad editorial practice, or if he has an issue with WP:OWN and is trying to camouflage other edits as his own.

Otherwise, this is a clear case of a user with good faith who doesn't meet WP:CIR. The user is not familiar with basic WP:MoS guidelines. The user evidently does not possess the minimum competency to be altering technical information for a front page article. The user is also likely ESL or has poor verbal fluency.

I have painstakingly tried to reverse most of these problematic edits while retaining some legitimate contributions. Please help keep track, and please correct me if I've accidentally removed legitimate changes. 73.61.20.253 (talk) 13:20, 14 May 2017 (UTC)


 * Adding a note: while working on reverting these edits, I've noted that the user has basically duplicated three paragraphs and created an extra section with it. This was disguised by a large number of edits (and other users trying to correct/improve on his edits), but the article as-is made zero logical sense. I've made some quick deletions due to how absurd it was. Again, please correct/amend if anything was accidentally removed. 73.61.20.253 (talk) 14:06, 14 May 2017 (UTC)


 * Your rewriting seemed more factual and clearer, although it was reverted based on the fact you are an anonymous user. Not sure what to do, but I don't wanna feed any troll... Psadm (talk) 15:02, 14 May 2017 (UTC)


 * The correct thing to do is to follow WP:MoS, and to remove the duplicate section that additionally fringes on unattributed copy-and-pasting (i.e. plagiarism) from a front page article. I've taken this incident to WP:ANI, hopefully someone with more time on their hands can deal with the problem user. You should chime in.
 * You're not worried about feeding a troll, you're worried about picking a correct but tedious fight against an incompetent user. Instead you decided to edit war with him on a sourcing issue (that you are completely, and obviously, correct on) while ignoring a number of extremely poor edits he made elsewhere. This is a way too passive approach.73.61.20.253 (talk) 15:27, 14 May 2017 (UTC)


 * With all due respect I am a very experienced computer professional, and I do understand the nuances of this, where apparently you don't, 73.61.20.253. Where you're claiming OR, I actually read the articles and understood them, whereas you're taking them completely at face value. All of the sources you've read summarise and oversimplify things, whereas I've actually looked at pieces of the code and so forth. The evidence we have is that it's mostly spreading as a worm by the SMB protocol, but it's believed to also be spreading via phishing at lower incidences; the code base was modified from a phishing attack, and that code is still believed to be operational; you removed all information about the nature of the attacks from the article, including many, many references.GliderMaven (talk) 15:11, 14 May 2017 (UTC)


 * I agree that "it is believed" that the infection may have come from a phishing campaign, although no evidence has been found. It is worth mentioning that this is what some might believe, but wikipedia should remain neutral and not state what some people believe as actual facts. The thing is, in its known form the worm is actually able to infect computers remotely, and I cited several articles showing that the number of vulnerable computers directly facing the internet is in the hundreds of thousands. Let's see what was the initial vector, but from what is known, phishing is the least likely explanation, thus wikipedia should not serve it as a fact. Psadm (talk) 15:20, 14 May 2017 (UTC)


 * Except that that's the position of the professionals, and I don't mean me. The point of Wikipedia is to include the opinion of the professionals. Note that the IP who is (essentially) vandalising the article removed even the fact that it's a computer worm. Right?GliderMaven (talk) 15:24, 14 May 2017 (UTC)


 * As a professional myself, this is not my position, to be honest. I agree that the edit was a bit rough and may have unnecessarily removed some correct parts. Although I am confident that if the initial vector was phishing, we would have known by now. Psadm (talk) 15:28, 14 May 2017 (UTC)


 * 'A bit rough' is kind of understating it.


 * For epidemiological reasons the infections found so far in the wild would be completely dominated by the fast reproducing worm. And the researchers know beyond all reasonable doubt how the code was derived; the wanna-crypt type codebase has been around for quite a while but without the EternalBlue attack payload. GliderMaven (talk) 15:53, 14 May 2017 (UTC)


 * You don't seem to understand that EternalBlue is a remote (as in remotely, from far away, exploitable) exploit. 73.61.20.253 is right on both things, you are utterly incompetent and I am way too passive. Anyway, I am done for today but keep in mind that you are the kind of contributor that makes people believe wikipedia is not a credible source. Psadm (talk) 16:05, 14 May 2017 (UTC)
 * Please provide the sources here. I haven't heard anyone claiming that WannaCry is a true remote exploit which would affect any vulnerable computer exposed to the internet, nor does our article say so. All info I've seen suggests the main vulnerability it exploits is a bug in SMB1 on unpatched Windows systems. However SMB (of any version) is not normally exposed to the internet; I'm fairly sure this was the case even before XP SP2's firewall. So this can only generally happen within a local network. For this reason although the worm can spread without the computers affected actually doing anything other than being on and unpatched, it cannot generally spread directly from the internet. It needs to get onto a computer with access to the local network. I'm not even sure if the vector computer itself needs to be vulnerable. (I mean theoretically it could be running OS X, Linux or some other OS, including smartphones presuming any LAN firewalls allow them access to the Windows computer's SMB although I haven't heard of any variants that can actually do that.) I've seen several RS saying that the worm often gets on to the first vector computer via emails with attached executables (with a .zip extension before the .exe) although there could have been multiple methods. Note that the SMB1 flaw could arguably be called a remote code execution (and definitely arbitrary code execution), although clarity would be needed that it cannot generally be exploited through the internet. It would also be important for us to be clear, with the support of RS, on the difference between how the worm first gets into a network with vulnerable computers and then spreads within that network. Since as said, these networks are generally local ones not the internet. And this means to spread outside a network it either requires some special code (e.g. to spread via emails) or someone actively trying to spread it.
This compares to something like Blaster (computer worm) which could spread solely via the internet without needing a different method to get onto systems first. Nil Einne (talk) 03:53, 15 May 2017 (UTC)
 * Reading a bit more, I think I was wrong about the pre SP2 situation. Port 445 was generally exposed by default, although of course the use of a NAT router etc may have meant it wasn't depending on the particular situation. Note that according to, it's estimated there may be 2.35 million computers with SMB exposed. How many of these are running Windows with a vulnerable version of SMB, it doesn't estimate; but the more important point is that while this may seem like a lot, considering there are probably over 1 billion Windows computers out there, it actually shows how rare it is for SMB to be exposed to the internet. This does mean in some ways the key difference between this and Blaster is that the world has moved on a lot more since then, and a lot more computers are now behind some sort of basic firewall which ensures these ports aren't normally exposed. Nil Einne (talk) 07:11, 16 May 2017 (UTC) Edit: Forgot to make clear, of course some consumer ISPs are undoubtedly still filtering port 445, perhaps as a result of Blaster so it's not just home user firewalls themselves that make a difference. 11:12, 16 May 2017 (UTC)


 * GliderMaven, you have an extremely limited familiarity on the subject. Please defer to expert users such as ^. Please also address the plagiarism issues and other egregious WP violations before re-inserting your edits, either here or in ANI. 73.61.20.253 (talk) 15:35, 14 May 2017 (UTC)


 * Uh huh. Did you even know it's spreading as a worm? You removed that fact from the article? How about you don't make large scale changes to the article like that without confirming that here, and then start swearing at other editors? GliderMaven (talk) 15:53, 14 May 2017 (UTC)
 * Please try Dispute resolution and tone down the rhetoric. Swearing in a section heading is not OK. You might try asking for help from the various relevant WikiProjects. I don't know who might be right in this dispute, but I wanted to comment on this: "Where you're claiming OR, I actually read the articles and understood them, whereas you're taking them completely at face value. All of the sources you've read summarise and oversimplify things, whereas I've actually looked at pieces of the code and so forth." Actually, that does sound like original research. You need to be very careful not to add your own conclusions and ideas into the article. Expertise can be useful in finding and assessing sources, but sometimes it also stands in the way of neutral writing. Fences & Windows 16:32, 14 May 2017 (UTC)
 * Yeah I don't want to get into this dispute but I came to check because of ANI and noticed the same thing and was about to say something similar. Making conclusions from the code is WP:OR, so the fact that you've looked at the code doesn't actually help us much. We need to rely on reliable secondary sources. I understand it can be frustrating when the sources seem to be wrong or oversimplified, but you need to use your expertise to find better sources, not introduce content into the article based on what you saw in the source code. Nil Einne (talk) 16:35, 14 May 2017 (UTC)
 * Both of you agree that there are definite signs that the user is incompetent and refuses to budge. A third user, who has worked on the article himself (and had to repeatedly revert the problem user's changes) said as much, that this is a clear WP:CIR case. I'm telling you that the problem is way worse than his WP:OR tendency that you're just starting to discover. I'm telling you some of his edits are literally copy and pasting from unattributed sources. You can take my word at face value and proceed to restore the stable, non-plagiarized, non-OR version of that article, or you can try figuring out the mess yourself and why his version of the article is a disaster.
 * The correct response isn't to spend two paragraphs lecturing to me about my tone before you've figured out the extent of the problem I'm complaining about. 73.61.20.253 (talk) 16:47, 14 May 2017 (UTC)
 * No I never agreed that. The fact that a user who's been here for a long time still doesn't understand our OR policies is problematic but not automatically indicative of CIR issues. Perhaps it hasn't come up before for some reason, I don't really know. CIR would only come into play if they still don't understand our OR policies after multiple attempts to get them to understand, and I see no indication this has happened here yet, it's only just starting. I mean if you want to discuss CIR issues, there is the fact you've made two highly questionable claims namely that the editor isn't involved in discussion when they had been, before you even posted at ANI and you were also part of that discussion; and also that we agree with you there is a CIR issue here, when I at least don't; i.e. that you seem to have trouble either understanding what's going on or for whatever other reason make claims that are untrue could be said to bring up CIR issues. But again even in your case I've seen too little for me to bring up CIR in practice. You've already been told that copyvio issues are a serious matter which could be dealt with at ANI or elsewhere, but you provided no actually clear-cut examples of this so of course nothing happened. We generally do not take people's word for anything, whether they are experienced editors or whatever, we always require evidence in the form of diffs etc. Also this article is only a few days old and due to what it covers it's been edited extensively so referring to anything as a stable version is always going to be tenuous. Of course reverting to a stable version isn't something that involves administrators anyway, unless the article is fully protected and even there WP:Wrong version means it's very rarely done. Really the only possible administrative actions here would be fully protecting this article which is never going to happen; or blocking participants, which could happen but hopefully won't be required.
And yes, being civil is always important in any discussion. In fact since civility is a behavioural issue, whereas disagreements over content are not, it's easily possible an uncivil editor could be sanctioned whereas the other editor is fine even if most people feel the second editor's content proposals are out of line with our guidelines and policies. This clearly isn't the case here, but if you're complaining about another editor's behaviour and were uncivil in the process, you shouldn't be surprised if the first thing people see is the incivility.  Nil Einne (talk) 02:16, 15 May 2017 (UTC)


 * Ah, too late: https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#Competence.2FWP:OWN_issue_on_ITN_article. The first step of dispute resolution is not ANI. Fences & Windows 16:37, 14 May 2017 (UTC)
 * The first step of seeing a duplicate section with unattributed quotes that border WP:PLAGIARISM is to remove the problematic parts. I've done 90% of the work to solve this mess so far by going through all his problematic edits and fixing them. All it takes is for an admin to warn him not to re-insert his 50 retarded edits. You instead try to lecture to an IP about language. Your approach is absurd. Your approach is why experienced users quit Wikipedia. Spend less time on policing the community and more time on helping the actual project. 73.61.20.253 (talk) 16:42, 14 May 2017 (UTC) (comment edited by self to rm incivility) 73.61.20.253 (talk) 17:26, 14 May 2017 (UTC)
 * There is no need for an administrator to warn someone. Anyone is free to warn another editor, and it would carry as much weight if it's suggested a block is needed. If there is question over adequate warning, it will be because of the quality (tone, explanation etc) of the warning, not because of who gave it. Even Arbitration Committee/Discretionary sanctions alerts do not require administrators to issue them, simply that the proper process is followed. If a section is duplicated, you're right it should be removed. Anyone who can edit the article, and that includes you as an IP since this article isn't semi protected, can do so. There should generally be absolutely no need for administrative action. If another editor is repeatedly inserting duplicated sections or adding back a section which is a complete duplicate then yes, maybe administrative action i.e. blocking will be needed but it should be very rare this ever happens. For example, in this case a duplicated section was removed by another editor but this wasn't introduced by the editor you keep complaining about [//en.wikipedia.org/w/index.php?title=WannaCry_ransomware_attack&diff=780366077&oldid=780365699]. It wasn't reverted, probably because it was clear what was being done. Which highlights another point. The best way to deal with a duplicated section is to remove the section and leave a clear edit summary. If you make a whole bunch of other edits, and even worse if you don't leave a clear edit summary; editors may simply see a bunch of changes including the removal of content and revert you. I'm not sure if this happened here since I don't actually see any other examples of a duplicated section in the entire article history, maybe because I'm assuming someone actually mentioned something like 'dupl', 'cop', 'repea' in the edit summary.
I'm not counting [//en.wikipedia.org/w/index.php?title=WannaCry_ransomware_attack&diff=780098406&oldid=780098259] since it's very minor, and [//en.wikipedia.org/w/index.php?title=WannaCry_ransomware_attack&diff=780376799&oldid=780375950] even if it was justifiable, wasn't a clear cut duplicated section but rather a new section which mostly repeated information already covered elsewhere. Also from what I see, no one actually reverted the removal. The ultimate point is if you find you're having problems getting your removal of a duplicated section to stick, you need to make sure your editing isn't contributing to that. It's unfortunately true that because you are an IP, you're probably going to have more problems than if you were editing from an account. Dealing with edits which seem to have made an article worse is a part and parcel of the WP:collaborative nature of wikipedia. If the editor appears to be acting in bad faith, then they can be sanctioned quickly. If they are acting in good faith then we are a lot more hesitant to sanction. Whatever the rights and wrongs here, and I'm specifically not commenting on them, I see no evidence anything has risen to the level where sanction is required. As others have said, if another editor's edits seem to have made an article worse then yes you do have to try and civilly explain this to them. Nil Einne (talk) 02:57, 15 May 2017 (UTC)

Background
We might edit the section title to something more suitable? And if someone please could proof read it? I wrote the section, and I don't know if I got something wrong there?--Rævhuld (talk) 23:06, 12 May 2017 (UTC)

I edited some of the grammar there. Tedmarynicz (talk) 14:11, 16 May 2017 (UTC)

Does anyone editing this article understand how it spreads?
Vagueness like "spreads through network defenses" means absolutely nothing. How does this stuff spread? Executable files? Do users have to click on something? Is it a macro-enabled ms office document that drops the payload? What does any of this mean?

If I have an unpatched computer sitting randomly connected to the internet, how am I affected? Does a virus just pop up out of nowhere? Do I get an email asking me to download a booby trapped word document? Does my computer have to be sent magic packets that somehow runs an executable without prompting me? Seriously, WTF? How the hell is anyone supposed to understand any of the sensational headlines when this basic information is nowhere to be found? — Preceding unsigned comment added by 199.18.157.82 (talk) 03:17, 16 May 2017 (UTC)
 * According to the article, it uses the EternalBlue and DoublePulsar exploits, in addition to email phishing.
 * If I'm reading sources correctly, they allow arbitrary code to be sent over the network. Very nasty.
 * Which is pretty much what you guessed. Magic packets containing executable code. ApLundell (talk) 03:23, 16 May 2017 (UTC)


 * Yes the article already explains it fairly well IMO. It relies on a bug in SMB1 in unpatched versions of Windows. This allows remote code execution without the user's involvement. But as I mentioned above, a computer needs to actually be exposing SMB to the internet, something which it would not normally do in the post XP SP2 world except when someone is silly enough to change the default config probably without knowing what they are doing. However since most people aren't going to use SMB over the internet, and getting it to work behind a NAT is complicated anyway, this most likely would only occur if someone completely disabled the firewall. The problem is if your computer accesses a local network. In such a case SMB may very well be open to the local network, and so all it takes is one infected computer. (As I mentioned, technically the vector doesn't have to be vulnerable itself. It doesn't even need to be running Windows. Although obviously it needs to become a vector somehow.) This may include wifi access points. (Although by default, most modern versions of Windows put new networks into the 'public' category and SMB is not exposed in the public category. However there's a greater chance someone will accidentally or intentionally change this. Whether exposing SMB on 'public' networks; or classifying something as private when they probably shouldn't.) This incidentally is also why it's a big deal for businesses. There once it gets onto a single computer in some fashion, it can potentially spread to all unpatched computers depending on how they expose SMB. (Many do use it, so it isn't uncommon it's fairly exposed.) Nil Einne (talk) 07:23, 16 May 2017 (UTC)
 * Read Computer worm, Blaster (computer worm) and Sobig - these things spread fast. Snori (talk) 10:17, 16 May 2017 (UTC)
 * Depends on the vector and the function of the malware. Yes, a worm will by definition spread between machines, but not necessarily rapidly, and not necessarily noticeably (many are used to facilitate the building of botnets). The notability of WannaCry is that it used EternalBlue to spread easily and rapidly within unpatched networks once inside, then lock down affected machines; likewise, Blaster used a typically unguarded port to rapidly spread inside networks. — Sasuke Sarutobi (talk) 11:44, 16 May 2017 (UTC)
 * As I mentioned above, the Blaster situation was somewhat different. At the time, it was still fairly common, and actually even the default that these ports were exposed to the internet provided you were directly connected with no external firewall. (NAT was already fairly common, although surely less so than now, meaning some people escaped by chance.) In other words, a default XP installation with the other requirements would generally be infected. Corporate systems would generally be expected to have one or more firewalls, although if it was acceptable to BYOD, e.g. in a university this may not have mattered. This isn't the case, for any post XP OS, or for XP with SP2; meaning even if they are vulnerable the worm won't spread to them from the internet on a default install. (IIRC, for quite a long time, any pre SP2 XP system directly connected and without ISP filtering would have been infected with Blaster or similar quite fast.) If someone screws around and messes things up, they may be vulnerable just by being connected to the internet. However if you have an unpatched system you do just need one vector on your local network and you could easily be vulnerable on a default set up, Blaster of course also relied on this to some extent except there the initial vector as mentioned could easily be a default config computer with a direct connection, which isn't the case here. The vector could nominally be any system, with potentially any OS vulnerable or not; this also means if even one of your systems is exposing SMB to the internet it can become that factor. (Something I forgot to mention above, a business who still feel they need XP on some systems, for compatibility for example may have blocked it from the internet to try and protect it. This worm illustrates why that isn't a perfect solution.) Sobig by comparison was a more typical email worm.
The reasons why these don't seem to spread so much anymore (Mydoom was I think the last massive email worm; although there were some others that were fairly major like Storm Worm) probably includes more effective ISP filtering both of attachments and of SMTP ports, the rise of webmail and the drop in use of ISP email and the common requirement for authentication, greater protection in email clients and OSes from attachments etc. WannaCry got around these limitations by to some extent combining both. Email worms may not be so effective, but you may only need to infect one computer in the local network, and then it can often easily spread to vulnerable computers. (Although I should be clear AFAIK no current variant of WannaCry has an email worm component. Rather whoever made it set up the spread themselves. This perhaps isn't surprising since trying to mass spread an email worm may be more likely to result in all your attachments being blocked, a targeted attack in a spear phishing manner could easily work better.) Nil Einne (talk) 11:54, 16 May 2017 (UTC)
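
The distinction argued over in this thread (infection straight from the internet through exposed TCP 445 versus spread inside a local network once one machine carries the worm) can be written down as a small reachability model for exposure reviews. This is an added example, not part of any editor's comment; the host names, segments and inventory are constructed, and treating a non-vulnerable machine as a possible carrier follows the hypothetical raised in the discussion.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segments: tuple              # LAN segments the host is attached to
    smb_on_lan: bool             # TCP 445 reachable from its own segments
    smb_on_internet: bool = False  # TCP 445 reachable from the internet
    patched: bool = False        # SMBv1 fix installed
    runs_windows: bool = True


def is_vulnerable(h: Host) -> bool:
    """Only unpatched Windows hosts can be infected over SMB in this model."""
    return h.runs_windows and not h.patched


def worm_reach(hosts, carriers=()):
    """Return {host name: how the worm got there}.

    carriers: hosts that run the worm for some other reason (for example an
    opened attachment). A carrier does not have to be vulnerable itself.
    """
    by_name = {h.name: h for h in hosts}
    route, queue = {}, deque()

    # Route 1: vulnerable host with SMB exposed to the internet.
    for h in hosts:
        if h.smb_on_internet and is_vulnerable(h):
            route[h.name] = "internet: TCP 445 exposed"
            queue.append(h)

    # Route 2: the worm was started on the host by other means.
    for name in carriers:
        if name not in route:
            route[name] = "carrier: started by other means"
            queue.append(by_name[name])

    # Lateral spread: breadth-first over shared LAN segments.
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst.name in route:
                continue
            if not set(src.segments) & set(dst.segments):
                continue
            if dst.smb_on_lan and is_vulnerable(dst):
                route[dst.name] = f"lan: from {src.name}"
                queue.append(dst)
    return route


# Constructed inventory, for illustration only.
INVENTORY = [
    Host("desk-01", ("office",), smb_on_lan=True),
    Host("desk-02", ("office",), smb_on_lan=True, patched=True),
    # 'public' firewall profile: SMB not reachable even from the LAN
    Host("laptop-03", ("office",), smb_on_lan=False),
    # legacy box kept off the internet but bridging two segments
    Host("xp-legacy", ("office", "plant"), smb_on_lan=True),
    Host("plant-hmi", ("plant",), smb_on_lan=True),
    Host("mac-04", ("office",), smb_on_lan=False, runs_windows=False),
    # default install behind NAT, nothing else on its network
    Host("home-pc", ("home",), smb_on_lan=True),
    Host("dmz-srv", ("dmz",), smb_on_lan=True, smb_on_internet=True),
]

if __name__ == "__main__":
    for label, carriers in (("no carrier", ()), ("mac-04 carries", ("mac-04",))):
        print(label)
        for name, how in worm_reach(INVENTORY, carriers).items():
            print(f"  {name:10s} {how}")
```

With no carrier only the internet-exposed server is hit; with a single carrier on the office segment, every unpatched host that exposes SMB to that segment follows, and the legacy machine that was blocked from the internet carries the infection into the plant segment.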

See The worm that spreads WanaCrypt0r (detailed technical analysis of code).  Esowteric + Talk  11:56, 16 May 2017 (UTC)

Till recent 170419 changes routers was vulnerable exposing the private net e.g. 10.* 172. ... to internet by commonly used VOIP/sip. So for spooks there were no problem to access private nets. How such impossible WCry attack penetrated to so many targets ?: The back-doors work in tandemic team and targets must been prepared well before. The Wikileaks logs show zbuk's logs: jumping via sip with payloads. Some like Elinks team dropping features just about Heartbleed and pausing in 2012. Some others obey NSL⋈□. 99.90.196.227 (talk) 03:48, 17 May 2017 (UTC)
 * ps_re: above merge+= 'support' may consider add to earlier extinction event:

Origin
I heard on the radio this morning that more and more "computer experts" are thinking it might originate from North Korea. Any source to back this up? 24.37.29.254 (talk) 12:11, 16 May 2017 (UTC)
 * It seems possible. For example:, ,  , ... etc.   Ghmyrtle (talk) 12:18, 16 May 2017 (UTC)
 * Definitely seems worth reporting as a possibility (with suitable caveats). Bondegezou (talk) 13:46, 16 May 2017 (UTC)
 * Ditto to the above, but don't forget what happened to errant stories about WMD.  Esowteric + Talk  14:03, 16 May 2017 (UTC)

Note that we now have an "Attribution" section covering this. Snori (talk) 01:23, 17 May 2017 (UTC)
 * since somebody did it: if we average the alleged distance {but only eastward} it will just point tomost sad. — Preceding unsigned comment added by 99.90.196.227 (talk) 03:57, 17 May 2017 (UTC)

The figures appear made up
The article (and I presume the sources used) claim that there have been 238 payments totalling $72,144.76. At $300 a pop, from where has the additional 744 dollars, and 76 cents come from? It is possible that 2 payments may be for $600 as the three day deadline has passed, but that still leaves 144 dollars and 76 cents. 86.145.209.23 (talk) 17:07, 17 May 2017 (UTC)
 * As the payments are in dollar-equivalents of bitcoin, not dollars directly, I'd expect that you'd have the same sort of difference that you'd get from rounding error in exchange rate conversions. $744.76 divided by 238 is less than $3.13 per payment, so this seems reasonable (depending on how the exchange rate is calculated and resolves at the time of purchase; I wouldn't be surprised if whoever wrote the code gave themselves a slightly generous calculation). I can't say this is the case for sure, but it seems pretty likely. — Sasuke Sarutobi (talk) 17:16, 17 May 2017 (UTC)

Live Exploit Immunisation
Have removed this again. User:CowthVader's put this back in after I'd removed it with the comment "..poorly written. Computer_worm#Worms_with_good_intent? ...no evidence that anyone's in fact suggesting this", I'm wary of my actions being seen as an edit war, but really this is quite clearly pure speculation and WP:SYNTH at best. You'll note that CowthVader's had to add a new stub article for Live Exploit Immunisation, which is a pretty good indication that it's "not a real thing". Snori (talk) 01:07, 18 May 2017 (UTC)
 * Oh, if the infosec experts are to be believed, there wasn't a shred of good intent. That'll need some pretty damn convincing sourcing. Didn't read the addition...it seems pretty irrelevant to the attack. So yes, again, will need strong sourcing for inclusion here, and I don't think the ones given work. ansh 666 03:05, 18 May 2017 (UTC)

Identifying main countries of organisations affected
There had previously been various flags for countries of the affected organisations added by, but I see that they are removed as of the current version (although I can't immediately see any comments mentioning this removal). Before any of us gets into adding them back in for someone only to remove them again, I'm looking to get some consensus on how everyone feels about attributing countries of organisations affected, especially since the simultaneous internationality of the event is one of the things that has made the attack notable.

Should we use flags, just mention countries alongside the organisation, or leave it with the names of the organisations? — Sasuke Sarutobi (talk) 12:49, 15 May 2017 (UTC)


 * Use flags. It's not as clunky-looking as having country names in parentheses, and given recent events outside of this one, I think it's important to identify the countries of the organizations impacted.  —   Gestrid  ( talk ) 14:22, 15 May 2017 (UTC)


 * Ambivalent. However, the location by country of the various organisations involved should be documented which it is not at present (unless obvious from the organisation's name). Flags are often a convenient way of doing it, but I am not going to get excited if country names is the preferred option. 86.145.209.23 (talk) 15:13, 15 May 2017 (UTC)


 * No flags per MOS:FLAG - there is no justification in that guidance for using them in this article.   Ghmyrtle (talk) 18:21, 15 May 2017 (UTC)
 * Hierarchical structure of companies put under respective country section/list. – Georgij Michaliutin (talk) 19:54, 15 May 2017 (UTC)


 * Weak support for flags. They make the information more accessible by allowing the reader to more easily see to which country an affected organization belongs in an overseeable way. Per MOS:FLAG I see no reason to not include the flags there. I'm just not sure how useful that list would be as there are probably many affected organizations which won't be identified as victims and as it could be that there are too many to list (what would the inclusion criteria be?). As a sidenote it could make the international nature of this clearer. --Fixuture (talk) 20:22, 15 May 2017 (UTC)


 * Support for flags or country names - Gives an idea of which and how many countries' enterprise organizations were affected. Sherenk1 (talk) 12:10, 17 May 2017 (UTC)


 * Support for flags - Though the Hierarchical structure idea also has merit. Ceannlann gorm (talk) 16:10, 18 May 2017 (UTC)

Cloud Infrastructure category
Hi Fixuture. With regards as to your question, more than 80% of the systems known to have been so far affected are either cloud based or connected to same. The attack has been in part structured to take advantage of inherent weaknesses in cloud architecture; originally cloud computing was not intended for the creation of permanent, much less secure or mission critical, infrastructure. Rather it was intended to provide a temporary, or at best ad-hoc semi-permanent resource for high intensity and/or resource intensive computing applications where it would not be considered cost effective to procure or lease more permanent infrastructure (or time on same), i.e. hardware. Security and robustness were at best tertiary concerns.

Cloud computing was actually designed in part as a low cost alternative to/revival of traditional timesharing computing, in particular for academic purposes. Unfortunately during the late 2000s, far too many people & organisations forgot or overlooked its origins and attendant shortcomings in the rush to adopt what seemed to them to be a low cost/low risk technology, especially for commercial applications (which it was never intended for). Something which has played a major part in the mess we find ourselves in today. Ceannlann gorm (talk) 16:01, 18 May 2017 (UTC)


 * If you look at the current entries in Cloud infrastructure, I think you will see that this article would stick out like a sore thumb. If the malware was instead an attack on capitalism, following your reasoning (in reverts), would we add it to category:capitalism? Regards,  Esowteric + Talk  16:11, 18 May 2017 (UTC)


 * Hmmm. A new subcat then, perhaps? Ceannlann gorm (talk) 16:14, 18 May 2017 (UTC)
 * Took the plunge and created Category:Cloud infrastructure attacks & failures. Ceannlann gorm (talk) 16:48, 18 May 2017 (UTC)

Claims of new variant
A claim of a new variant without the kill switch keeps being edited into the article by various (probably well meaning) users. In reality, there are no mainstream media reports of such a strain having emerged. All the media reports are either speculating about a new variation or are quoting various cyber security companies that such a new strain exists (and they have a vested interest in doing so). The claim in the article is flawed because no reliable reference is provided (once the cyber security companies are discounted). I have thus removed it.

It is probably no coincidence, but the recognised stock market index for the UK (the FTSE100) hit a 6 month high this week, all of it driven by the sudden rise in the stock prices of cyber security companies who have had unprecedented demand for their wares. 86.174.152.128 (talk) 16:47, 18 May 2017 (UTC)


 * If you have an issue with what is being reported, you should mention it (with supporting information & sources) in the article itself, rather than delete text with associated references. Ceannlann gorm (talk) 16:55, 18 May 2017 (UTC)
 * My point is that the supplied references are unreliable because what they report is hearsay from companies with a clear COI. There remains, at this time, no claim from a more reliable source that such a variant exists. Indeed: there have been no reports of an increase in infection rate from such a variant that everyone was predicting. 86.174.152.128 (talk) 17:20, 18 May 2017 (UTC)
 * Then please add to the article a short note (or a more detailed explanation in the main text) to that effect. Ceannlann gorm (talk) 17:27, 18 May 2017 (UTC)
 * Reliable source/s would have to be found which make the link between statements of the variants, the rise in certain stocks, and possible COI. It's not for a wikipedia editor to carry out original research and arrive at such conclusions.  Esowteric + Talk  17:45, 18 May 2017 (UTC)

"Zero day" thing
I've just reverted User:Ceannlann gorm's take on this, and gone back to almost the original wording. AFAIK there were no "shortfalls in the range/scope & application of the initially released patches", except: (a) organisations didn't install them (b) they were not available for products for which support and security updates are no longer produced. Arguing that it has "pretty much the same effect" as a Zero day is far too woolly. Snori (talk) 18:17, 18 May 2017 (UTC)

Should Greece be added in the map of affected countries?
Even though there still hasn't been a large scale attack, there is at least one verified attack in a university in Thessaloniki. Source (in Greek): — Preceding unsigned comment added by 83.212.232.252 (talk) 11:33, 18 May 2017 (UTC)
 * Thanks, Proto Thema is a WP:Reliable source - I'll add that now. Uncle Roy (talk) 14:22, 18 May 2017 (UTC)

Done

Well, since there have been a couple of confirmed attacks in Greece, it should appear on the map. I tried editing the map (goo.gl/mwYDtf) used in the article to include Greece. I cannot upload it (my profile is new) so someone either upload it, or make a better one. A new one should be made, since in my version the color and the borders of countries are a bit off.

The new map: http://i.imgur.com/OhckwUR.png

NickSpGR (talk) 18:59, 18 May 2017 (UTC)