As the world relaxes out of its brace position with few new cases announced, we’ve gathered together what we know about how China was affected by the WannaCry ransomware attack. 

An internet security firm reported 29,372 organizations were affected by Sunday. Most notably, colleges and energy companies were hardest hit in the first (and so far only) wave of attacks and the government then announced things were under control and some “self-insepection” was needed.

The ransomware attack known as WannaCry and WannaCrypt (sometimes translated as 想哭) first started infecting Windows computers on Friday morning hitting Telefonica in Spain then users in the UK – most noticeably National Health Service hospitals – then the rest of Europe, Russia and China. It has since spread worldwide reaching the the US, where it affected FedEx.

Qihoo 360 map China WannaCry
Map of distribution of WannaCry infections in China by 7pm local time May 13. Credit: Qihoo 360

What makes this piece of ransomware stand out are its strengths and weaknesses. It has been able to spread by its use of a tool called EternalBlue which had been developed by the US National Security Agency then leaked online. But it had a vulnerability or ‘kill switch’ which a British researcher accidentally activated by registering the domain name which the virus looked for when it infected a computer. If it couldn’t access the domain – a long, nonsensical string of characters – it would attack. So the researcher, who wants to remain anonymous but goes by the monicker MalwareTech on social media, registered the domain which meant when the worm subsequently entered computers, it could find the domain and so didn’t activate, as he explained in his blog.

However, the virus has since been amended without this kill switch, as was announced on Sunday in joint agency notice by the Beijing Cyberspace Administration, Beijing Public Security Bureau and the Municipal Commission of Economy and Information Technology. The announcement named the mutation WannaCry 2.0, which was adopted by subsequent coverage.

CNPC gas station wannacry
China National Petroleum Corporation gas station payment terminal displaying WannaCry lock out screen.

According to reports in local media, quoting a report by internet security company Qihoo 360, universities appear to have been hardest hit. Of 28,000 organizations affected by 7pm Saturday, rising to 29,372 by Sunday, 4,341 were educational institutions. Others affected were post offices, government departments, energy firms and train stations.

Zhejiang and Jiangsu, wealthy provinces on the eastern seaboard, were worst affected, according to Qihoo 360. Qihoo 360 has set up a microsite dedicated to coverage of the outbreak with news site Beijing Times.

Social media networks were busy with users re-reporting and disseminating tips and instructions for how to defend computers and servers. In parts of China mobile networks have pushed out texts via the normal service numbers on safety such as this one from Guangdong.

Guangdong Text Message Wannacry warning
SMS advice to China Mobile users in Guangdong, from the province’s telecoms watchdog. Credit: Carl Joseph DeMarco

There has been relatively little coverage of the attack in China, possibly in part due to the fact that so many column inches and pixels have been given over to coverage of the One Belt One Road forum which took place in Beijing over the weekend. What limited coverage there has been has also been somewhat circumspect, reporting little on the domestic situation and even resorting to hearsay.

But then, in terms of an official response, late Monday morning the Cyberspace Administration of China announced via an interview that there had been a “certain impact on industries and government departments” but that “the rate of spread had clearly slowed.”

The Beijing News reported that its journalist had it confirmed on Sunday that the China Securities Regulatory Commission (CSRC), the China Banking Regulatory Commission (CBRC) as well as other securities and banking organizations that the CSRC and CBRC is issuing a document requiring all regions’ securities  and banking inspection bureaux, banking and fund-based organizations etc to “conduct self-inspection and make good their defences.”

China domain attempt
Suspected hack attempt on MalwareTech’s registered domain. Credit: Pastebin.

Meanwhile, China National Petroleum Corporation (PetroChina) announced that as of noon on Sunday, 80% of the affected payment machines at its gas stations had been recovered. The attack had meant many consoles were blocked from taking cards or third party payment such as Alipay and drivers had to pay in cash.

MalwareTech, the British researcher has since tweeted that he suspects Chinese hackers of trying to take control of his domain registration and posted the code on Pastebin.

The rumour mill has been equally active with all manner of fake news and Photoshopping of images from ATMs to old Nokia handsets displaying the WannaCry ransom demands.

Frank Hersey is a Beijing-based tech reporter who's been coming to China since 2001. He tries to go beyond the headlines to explain the context and impact of developments in China's tech sector. Get in...

Leave a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.