Talk:WannaCry ransomware attack/Archive 2


WannaCry

I have created a stub for the virus itself (this article is about the attack itself), and encourage others here to help expand that article (not my area of expertise, nor do I have the time at present). Thanks! — InsertCleverPhraseHere 23:15, 15 May 2017 (UTC)

I've changed it into a redirect back to this article; I don't think we're going to have a separate article for the worm itself, it can be all covered here unless the article gets too long.GliderMaven (talk) 00:33, 16 May 2017 (UTC)
@ GliderMaven I don't agree. Take it to AfD if you want it as a redirect. — InsertCleverPhraseHere 01:08, 16 May 2017 (UTC)
I don't wish to delete it, I've simply merged it back into this article, which doesn't require an AFD. If other people agree with you they can trivially revert my edits, and I'm OK with that if people are going to actually unstub it.GliderMaven (talk) 01:20, 16 May 2017 (UTC)
It had already been undone multiple times, so I just took it to AFD. ViperSnake151  Talk  22:09, 18 May 2017 (UTC)

Merger proposal

The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
The result of this discussion was to Merge. There seems a pretty clear consensus to merge, and as the creator of the stub article, I am going to be bold and redirect it here, as Anna Frodesiak has already done the work of the merger (and then some, the section is a very good start). As for discussions about the rename to WannaCry following the merger, that argument belongs in the RM discussion above, however I would argue that the RM should really be restarted, as the article and situation have significantly changed since the original RM proposal (and for the record I would personally agree with ViperSnake151's assessment at the bottom of this discussion). — InsertCleverPhraseHere 22:29, 18 May 2017 (UTC)

I propose that WannaCry be merged into WannaCry ransomware attack. I think that the content in the WannaCry article can easily be explained in the context of WannaCry ransomware attack, and the WannaCry ransomware attack article is of a reasonable size that the merging of WannaCry will not cause any problems as far as article size or undue weight is concerned. GliderMaven (talk) 01:39, 16 May 2017 (UTC)

  • Oppose. The ransomware and the attack are two different subjects despite the fact that this software was used in the attack. Much like there are separate articles on ammunition and guns, specifically the AK-47, despite that fact that ammunition is used in a gun. Or separate articles on gasoline and internal combustion engines. This stub was created specifically to build content on the software and if the article remains a stub with no mores content than exists now, then by all means merge. We should not conflate the technology used with the process, as there is not a universal one-to-one relationship between them. - Becksguy (talk) 03:08, 16 May 2017 (UTC)
In fact there is a one-to-one relationship as the WannaCry ransomware was specifically written for this attack and it's only going to be used in this one ongoing attack. The WannaCry software specifically uses the EternalBlue security hole and that hole will have been overwhelmingly plugged up afterwards, so the software will no longer work. Rewriting the software to use a different security hole would cause it to be known by a different name by the antivirus people to avoid confusion and it would operate differently and will not be considered at all to be the same.GliderMaven (talk) 04:08, 16 May 2017 (UTC)
  • Oppose. I feel like the malware itself deserves its own article separate from this event. If anything, the merger would normally go the other way (with other malware attacks and articles), and the normal way is that the attacks are part of an article on the software. Because we currently have very little discussion of the software itself, how it works, etc. that isn't possible obviously (and was opposed quite heavily in the RM above). You say that the content there can be easily explained here, but the content there is a bare bones stub that was created today with the intention of being greatly expanded. Give it some time for goodness sake. We will know after the WannaCry article is expanded whether it would be appropriate to merge the two articles. I'll Support instead per the compromise offered by Anna Frodesiak. — InsertCleverPhraseHere 04:12, 16 May 2017 (UTC)
WP:FUTURE. I think it's wrong creating a stub like this and hope for the best. We should stick to the present and have a single article about WannaCry and its events. If anything, if there will be a need to split a section of the main article into a separate article, only then we shall talk about it. Titore (talk) 15:03, 16 May 2017 (UTC)
  • Oppose; Kaspersky (primary source/blog) reports that the software has been active before the current attack. Though, if the WannaCry article remains a stub and/or there's no sourcing for it beyond this attack then a merge is probably best. ansh666 05:29, 16 May 2017 (UTC)
  • Support. There's very little information about it on the WannaCry article, while there is plenty on this profile, with enough technical information that it could easily be rewritten to be for both the ransomware and the attack. TussilagoFanfara (talk) 08:37, 16 May 2017 (UTC)
  • Oppose per my opposition in #Requested move 15 May 2017. The event and the software that caused it are two separate things, and sufficient technical information is now available that separate articles can be written about each. Personally speaking, I had been wanting to create a separate article for WannaCry itself, but I was holding off until the end of the discussion under #Requested move 15 May 2017 (which includes WannaCry as a proposed page), as I felt it would end up muddying the water in this way. That in mind, I would also like to move that this proposal is closed, and carried out under #Requested move 15 May 2017. — Sasuke Sarutobi (talk) 08:52, 16 May 2017 (UTC)
The disgustingly large problem with that is they're not in any way separable. The features of the software and the actions of the software and the reactions of 3rd parties to the software are inextricably linked.GliderMaven (talk) 14:29, 16 May 2017 (UTC)
  • Oppose. I had originally closed this as snow, but the proposer disputed the closure, so I'll just add a vote instead now. I echo the thoughts of Becksguy and ICPH.Anarchyte (work | talk) 13:39, 16 May 2017 (UTC) Having thought about it some more, I'm changing my !vote to Support. @GliderMaven: Apologies for the incorrect closure, my mistake. There should be a background of the malware section in this article and we can think about expanding the stub when/if more content specific to the malware is posted. Cheers, Anarchyte (work | talk) 22:03, 16 May 2017 (UTC)
  • Comment How does anyone think that is ever going to work as a standalone article? Nobody has even copied information into it, even now, when the attack is in full sway. If they haven't now, when would they?? And what you would want over there would have to be copied/duplicated from this article, but that's just copying information, which is not a good idea.
The secret rule of Wikipedia is sticking to one article per topic. The topic here is the worm and everything about the worm, and everything surrounding it. Creating a second article on exactly the same topic is not going to improve Wikipedia or help the readers or help the editors in any way.GliderMaven (talk) 14:29, 16 May 2017 (UTC)
Actually, the technical analysis of the programme itself is still coming out. As the attack is on-going, the sources are all busy discussing its impacts; the technical analysis takes longer to come out, but details are already emerging. There is a enough for a reasonable-length article on its own, but given that there is still an active move discussion that includes the title at which the stub is located, I am (and probably several other editors are) holding off on expanding the article further until that debate is addressed. To my mind, though, the technical specifics of the worm and the social impacts of its spread are two separate topics, aimed at two separate audiences. — Sasuke Sarutobi (talk) 15:15, 16 May 2017 (UTC)
  • Merge as the notability is from the attack, and size. Note we have links to constituent parts, but this malware and the attack are currently inseparable as a topic. Widefox; talk 14:41, 16 May 2017 (UTC)
  • Oppose actually the two articles are small but there is a big difference between the virus and the event; in the future we will see different new parts of the WannaCry article created.--Bachounda (talk) 14:51, 16 May 2017 (UTC)
  • Support. There simply isn't enough information right now that justifies the existence of two different articles, that is, the ransomware and its spread almost overlap. Even if there was, a simple section in the main article would suffice.
    As I said in a comment, WP:FUTURE. I think it's wrong creating a stub like this and hope for the best, as GliderMaven just said. We should stick to the present and have a single article about WannaCry and its events. If anything, if there will be a need to split a section of the main article into a separate article, only then we shall talk about it. Titore (talk) 15:03, 16 May 2017 (UTC)
  • Support. There already was a section on the functionality of the malware (the malware itself) in article. However it was removed and nobody reverted it (nor was there a discussion on the talk page about whether it should be kept). I don't think a separate article is warranted / useful here. The malware is of no separate notability besides the single attack it has been created and used for. Also people will come to this article - diffusing the content into multiple articles will only cause confusion. --Fixuture (talk) 18:25, 16 May 2017 (UTC)
  • Support - This WannaCry ransomware attack article is big enough to follow our standard procedure of giving visitors what they expect and what serves them best: having a section about the thing that caused the event, in this case the software or program or whatever it is. Visitors should not need to go to a separate page to see a three-sentence bit about it. If the section here ever gets too big, it can break away to become a standalone, and that is standard procedure too. In fact, where is the section about this software? Don't visitors come to this article and expect that? You have a terrorist attack, and there's a section called "Perpetrators". A bomb attack, and there's a section called "The bomb". Anna Frodesiak (talk) 22:36, 16 May 2017 (UTC)
  • @Anna Frodesiak: Since this is the only ransomware attack like this, the details about the software have become very intertwined with the details about the attack. The list of external links left in the article (which I have to check against WP:ELNO) may provide more detail about the software itself. Gestrid (talk) 22:47, 16 May 2017 (UTC)
Hi Gestrid. :) I understand but I'm not clear on your point. Anna Frodesiak (talk) 23:16, 16 May 2017 (UTC)
Anna, I was answering your question about why there's no section about the software. Gestrid (talk) 23:31, 16 May 2017 (UTC)
Hi Gestrid. Ah, okay. Thank you kindly, my friend. :) So, do you think we could actually start a section now with basic facts, like maybe things in point form, like size, method of delivery, type, etc? We could add a {{main}} to the section. Would that undermine, and cause confusion with, this debate? Anna Frodesiak (talk) 23:46, 16 May 2017 (UTC)
@Anna Frodesiak: I'm not sure. I'd have to take a closer look at the article, which I don't have time to do right now. I might have time in a few days. There's no deadline, so it doesn't have to be added right away, anyway. Gestrid (talk) 00:14, 17 May 2017 (UTC)
  • Strong oppose because I believe the software is notable in and of itself. Being a stub does not merit merging/deletion, see WP:ASZ. Since there is nothing to merge, I move this be closed and listed at AfD, where the notability of the software can be discussed properly. It is possible this software may be used in the future (WP:CRYSTAL but whatever), and then we would need a separate article describing it. Laurdecl talk 07:41, 17 May 2017 (UTC)
  • Support per arguments above regarding trying to decide if it will need a separate article in a later date. — Preceding unsigned comment added by 12.216.31.179 (talk) 09:34, 17 May 2017 (UTC)
  • Support because WannaCry will stay stub for a long period. Title of one article should be simply "WannaCry" (as the page was originally created and then moved). --Obsuser (talk) 10:22, 17 May 2017 (UTC)
  • Support. There is barely any information here, so there is no need for it to have its own page. Nixinova (talk) 20:11, 17 May 2017 (UTC)
  • Comment I have already expressed my opinion that it is nonsensical to carry on two competing proposals simultaneously (especially since both concern the existence of an article entitled simply WannaCry), and now I feel it is becoming counter-productive; we have an apparent consensus at #Requested move 15 May 2017 in favour of WannaCry ransomware attack because the article is about the ransomware attack, but in this proposal we find that WannaCry should be merged into this article because the article shouldn't just be about the ransomware attack. This is clearly contradictory, and will only cause problems until the contradiction is resolved (in either direction). If both proposals are closed with the current consensus, we will end up with the article "WannaCry ransomware attack" disambiguating itself against an article that doesn't exist (because it absorbed it).
I have already expressed my opinion that this article should be about the ransomware attack, and that the WannaCry article expanded with technical details that are still coming to light. I would also like to emphasise that I am not editing either article until this is clarified (and please be clear, I do not think that this is some kind of threat that I am withdrawing work, but simply that it is counter-productive to contribute when a change in article scope is likely), and I suspect that others may be tentative in some of their work as well.
Whether an article is a stub at this time is irrelevant to merge proposals; the question to be addressed is whether it can only ever exist as a stub on the basis of currently available information from RS. — Sasuke Sarutobi (talk) 10:50, 17 May 2017 (UTC)
  • Comment Personally, I don't see why this proposal was even started (or allowed to continue, for that matter) after the move discussion was started since they both concern the exact same articles (this one and WannaCry). It just makes the situation that much more confusing. One proposal at a time! (Full disclosure: I just got off my nightshift job, so please forgive me if I sound a little incoherent.) Gestrid (talk) 13:37, 17 May 2017 (UTC)
  • Comment this merge proposal is really an AfD in disguise. As I suggested at the very beginning, this should have been taken to AfD at the start. There is nothing to merge, so deciding on a merge at the moment is tantamount to deleting the article. The article being a stub is a chicken and egg situation, this merger was proposed within hours of the creation of that stub, and no one is contributing to it because of the threat of deletion. — InsertCleverPhraseHere 20:12, 17 May 2017 (UTC)
Au contraire, dear Insertcleverphrasehere, merging is tantamount to breathing life into it. Once it arrives back here, it will get plenty of eyes that encourage edits, and with no threat of deletion, ought to expand. It might even expand to the point of being worth a standalone. Anna Frodesiak (talk) 20:35, 17 May 2017 (UTC)
As long as there is an express commitment to actually make a section in this article about the nature of the software itself (a collection of technical aspects, what security flaws it exploits, how it works, etc) I don't have a problem with merging per se. But as presented here, and previously attempted, that's not what is happening or happened previously. GliderMaven redirected the article without creating such a section in the article (which is essentially the same as deletion), and no such section is proposed as part of the merge proposal above. If such a section is intended to be part of the merge proposal I would like some clarification from GliderMaven in the proposal, and if so, I don't object nearly as much. — InsertCleverPhraseHere 22:52, 17 May 2017 (UTC)
Good points, Insertcleverphrasehere. Okay, I think we're nearing a solution. I see four opposers and a ton of supporters (making darn good points) for the merger. It looks like it will close with the merger. So, to editors Becksguy, Ansh666, Sasuke Sarutobi and Bachounda: would you object to starting a section about the virus itself within this article with a temporary {{main}} to WannaCry? If so, we can all chip in and get the section expanded and worthwhile. If you (or most of you) agree, then we're all good. We can move forward in the direction this will go anyway, but just faster and better. So, yes? Yes? Hmmmm? Yes? Anna Frodesiak (talk) 00:56, 18 May 2017 (UTC)
Sounds like a good compromise and solution to the issues both here and in the RM above. — InsertCleverPhraseHere 01:07, 18 May 2017 (UTC)
Despite my bolded oppose, I'm actually in support of merging (per my last sentence). Confusing, I know :) ansh666 03:04, 18 May 2017 (UTC)
@Anna Frodesiak: I've started the section. Take a look here. Anarchyte (work | talk) 07:46, 18 May 2017 (UTC)
Thank you so much, Anarchyte! That's a great step forward. :) Anna Frodesiak (talk) 22:05, 18 May 2017 (UTC)
@Anna Frodesiak: If we are merging WannaCry into WannaCry ransomware attack, does that mean we're going to then move WannaCry ransomware attack to just be called WannaCry (against the consensus in the other proposal), since there's nothing to disambiguate against? — Sasuke Sarutobi (talk) 09:30, 18 May 2017 (UTC)
Hi, Sasuke Sarutobi. No. It looks like, in the end, "WannaCry ransomware attack" will be the name of the article, "WannaCry, the virus" or something, will be a section within that article, and "WannaCry" will be a redirect to that section within the article titled "WannaCry ransomware attack". Anna Frodesiak (talk) 22:05, 18 May 2017 (UTC)
Terrariola - just to clarify, the proposal is for the merge to happen the other way around - "WannaCry" into "WannaCry ransomware attack". See also the other proposal for the title of this article to be changed to "WannaCry". — Sasuke Sarutobi (talk) 11:04, 18 May 2017 (UTC)
Oppose- Especially since the attacks and their fallout seem to be still developing. Ceannlann gorm (talk) 17:03, 18 May 2017 (UTC)

Are we ready to close this and move forward? The sooner we get rid of the {{main}} the better. Anna Frodesiak (talk) 22:06, 18 May 2017 (UTC)

Oh, rats. Now we have Wikipedia:Articles for deletion/WannaCry. I guess User:ViperSnake151 did not notice the merger template at the top of WannaCry and this discussion.

I strongly suggest the following:

  • Close this as "support merger"
  • Copy paste any content from WannaCry to this article
  • SNOW close the AfD (linking to this discussion)
  • Turn WannaCry into a redirect to the section in this article about the virus itself.
  • SNOW close the above name change post "Requested move 15 May 2017"

Let's get this cleaned up! Does this sound good? Anna Frodesiak (talk) 22:13, 18 May 2017 (UTC)

  • Merge and re-name to WannaCry. The AFD is closed and is being stricken from the records. I shall post a revised version of my comment here. This article is being afflicted by a strange consensus that, in fact, the malware and the overall attack are distinct subjects, because the malware's actions are a cyberattack that is independent of the malware itself, rather than just malware. I heavily disagree with this, as it contradicts our previous handling of malware-related articles; the malware is the attack, and I do not feel that they can be separated without contravening notability (working in the spirit of BLP1E). Thus, WannaCry is only notable for the WannaCry attack, meaning that the article WannaCry should be deleted, and WannaCry ransomware attack moved to there. Users searching for just WannaCry are now encountering a simple stub page rather than one that is actually about the malware. ViperSnake151  Talk  22:16, 18 May 2017 (UTC)
Hi, ViperSnake151. I trust you have completely read this thread and the above "Requested move 15 May 2017"? Anna Frodesiak (talk) 22:30, 18 May 2017 (UTC)
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Requested move 15 May 2017

The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section.

The result of the move request was: Not moved.(non-admin closure) Per WP:SNOW. There seems to be no chance of this RM going anywhere, the original proposal was flawed in offering multiple options without any clear rationale why any of them would be better than the current one, and more importantly, the article and title situation have evolved considerably since the RM was opened (so much so that a new RM could easily be justified). The article is no longer just about the attack (the source of most early Oppose votes), as a section on the software itself has been added as part of the merger discussion below. — InsertCleverPhraseHere 22:54, 18 May 2017 (UTC)
WannaCry ransomware attack → ? – This has been discussed in a few different sections above, though it'd be better to have one centralised discussion. So far, the following names have been brought up:

I lean towards either the current name or WannaCry, though I don't mind (somewhat neutral on the matter, simply opening this to have a centralised discussion, instead of multiple different sections). Pinging all participants of other discussions: @Gestrid, ViperSnake151, Fgnievinski, and Uncle Roy: Anarchyte (work | talk) 03:06, 15 May 2017 (UTC)

  • We should adopt whatever comes out of Talk:Cyber-attack#Requested_move_15_May_2017. fgnievinski (talk) 03:21, 15 May 2017 (UTC)
  • Oppose all variants, what matters according to titling policy is not what we think is best, but what the most common name in reliable sources is. This is, without a doubt, "WannaCry ransomware attack". Laurdecl talk 03:28, 15 May 2017 (UTC)
  • Oppose all variants. This whole thing of sticking "cyber" onto everything is Just Silly in my opinion. Perhaps if this was a targeted nation-state action, then "cyberattack" might be warranted, but that is probably not the case. Are we going to see proposals to rename email spam to "email cyber attack" next? (Note that I'm not against a future split that recognises that there's a difference between the SMB-vuln-based transport mechanism and the ransomware payload - but for the moment neither is an issue except in this combination). Snori (talk) 03:35, 15 May 2017 (UTC)
  • Related discussion about the definition (not the hyphenation) of "cyberattack/cyber-attack": [1], [2], [3]. fgnievinski (talk) 03:39, 15 May 2017 (UTC)
  • Support WannaCry; all the other articles on malware trojans with unique names have them at just the name, see CryptoLocker. The objection seems to be over whether "cyberattack" or "ransomware" should be in the title, but WannaCry is already concise as is. ViperSnake151  Talk  04:04, 15 May 2017 (UTC)
This article is about the attack specifically. If you want to create an article about the software itself, then please do. However, it would be inappropriate to rename this page, because it deals with an event. Laurdecl talk 05:52, 15 May 2017 (UTC)
If this article is about the attack specifically then a year (2017) should be included in its name. 2A02:C7D:CA8A:F200:1180:BC60:6A55:93B9 (talk) 09:51, 15 May 2017 (UTC)
That's generally only necessary when there are two attacks commonly known by similar names that need differentiating. For example, if another attack had occurred last year with WannaCry, then you'd have one article with 2016 in the name, and another with 2017. Currently, this is the only event, so no differentiation is needed on account of dates. — Sasuke Sarutobi (talk) 09:59, 15 May 2017 (UTC)
The malware is the attack. Thus, this title is redundant. ViperSnake151  Talk  22:00, 18 May 2017 (UTC)
  • Oppose all variants The article is not mainly about the WannaCry software. It is about the WannaCry cyber attack, which, more precisely, was a ransomware attack. The article is about the WannaCry ransomware attack, so that is what the media refers to this event as, and that is why we have an "event" infobox, and that is what the article should be called. Anna Frodesiak (talk) 05:24, 15 May 2017 (UTC)
  • Oppose This article documents the WannaCry attack, not the WannaCry software. So technically, the WannaCry attack is a ransomware attack. Hansen Sebastian 06:06, 15 May 2017 (UTC)
  • Oppose all variants per Anna Frodesiak - the main focus of the article is the event itself, which is specifically a ransomware attack (being a type of cyber attack). WannaCry itself should be populated with details of the ransomware itself, so I'd support splitting out any relevant technical content from this article to do so. Other than that, I feel that this is the most appropriate title. — Sasuke Sarutobi (talk) 09:40, 15 May 2017 (UTC)
  • Support WannaCry. This malware is not known for anything rather than encrypting files and demanding ransom. Thus, having "ransomware attack" in the title is over-explicit. 2A02:C7D:CA8A:F200:1180:BC60:6A55:93B9 (talk) 09:57, 15 May 2017 (UTC)
  • This article is about a specific attack, so WannaCry isn't specific enough. You're free to split the general information about the malware out from this article and expand WannaCry from redirect status, of course. Gestrid (talk) 10:50, 15 May 2017 (UTC)
with re-directs from other variants (status quo) :
Xb2u7Zjzc32 (talk) 16:27, 15 May 2017 (UTC)
note this article is about the attack (the event) not the virus (software). We need a separate article on the virus itself (which I encourage someone to make). EDIT: I have created a stub at WannaCry and encourage others here to help expand it. — InsertCleverPhraseHere 22:56, 15 May 2017 (UTC)
The virus is not notable for anything other than the current attack, and there is already an article on the exploit it uses (EternalBlue). There shouldn't be separate articles. TussilagoFanfara (talk) 09:15, 16 May 2017 (UTC)

The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.

The section about WannaCry, the virus itself

It is now a subsection called "WannaCry" within the "Background" section.

Should we make "WannaCry" a main section equal to the section "The cyberattack"? Should we call it "The virus" with the first words in the section "WannaCry is the name of the actual virus..." to make things perfectly clear?

Should we split "EternalBlue and DoublePulsar" into subsections "EternalBlue" and "DoublePulsar" within "The virus"? Why? Because DoublePulsar isn't mentioned until the end of that part. Visitors want to know what it is, and right away.

Should we start the "DoublePulsar" subsection with "DoublePulsar is a backdoor installed..."?

I think that arrangement would make things clear to visitors.

Anna Frodesiak (talk) 22:24, 18 May 2017 (UTC)

It should be a main section, perhaps 'WannaCry malware', 'WannaCry software', or 'WannaCry ransomware'? I'll leave the rest up to others that know more about it. — InsertCleverPhraseHere 22:38, 18 May 2017 (UTC)

I boldly did it. If not an improvement, please revert and trout me back to the stone age. :) Anna Frodesiak (talk) 23:24, 18 May 2017 (UTC)

Kill switch

My understanding of why registering the gobbledegook domain killed the attack, from reading the original source among others, is that seeking that domain was a trick used by the malware to detect whether it was being run in a test environment—which apparently would generate a false positive to see what happened—or on a real computer—which would obviously fail—so when the domain was registered, all currently-active infections suddenly gained the impression that they were being scrutinised and went into hiding. However this does not seem to be described in the current article: is there a particular reason? TIA HAND —Phil | Talk 10:57, 19 May 2017 (UTC)

  Done. I think it simply hadn't been described yet. I've added it in now. — Sasuke Sarutobi (talk) 12:41, 19 May 2017 (UTC)
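The logic Phil describes above, as an added example that is not part of the original discussion or of the malware itself: the lookup is an inverted sanity check, so the code only keeps going when the domain does not resolve. The domain name below is a placeholder (the page does not give the real one), the three resolver environments are constructed, and the DNS log is made up. The second function goes slightly beyond the thread: once the domain is registered, the check itself tells whoever holds the domain which hosts are infected.

```python
import socket

# Placeholder name: the actual kill-switch domain is not given on this page,
# so this value is an assumption used only to make the example runnable.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


def live_resolver(name):
    """Ask the system resolver whether `name` resolves. Returns True/False."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def should_continue_attack(resolver=live_resolver, domain=KILL_SWITCH_DOMAIN):
    """Model of the inverted sandbox check.

    The malware proceeds only when the lookup FAILS. Anything that answers
    the query (a sandbox that fakes DNS so samples keep running, or the real
    internet once the domain is registered) makes every new run stop.
    """
    return not resolver(domain)


# Three constructed environments, injected in place of the live resolver.
def unregistered_internet(name):
    return False                        # NXDOMAIN before registration: attack runs


def sandbox_fake_dns(name):
    return True                         # sandbox answers every lookup: malware hides


def registered_internet(name):
    return name == KILL_SWITCH_DOMAIN   # after registration: malware stops


# Constructed DNS log lines ("client query A name") in a made-up format.
SAMPLE_DNS_LOG = """\
10.0.0.5 query A example-killswitch.invalid
10.0.0.7 query A updates.example.com
10.0.0.9 query A example-killswitch.invalid
10.0.0.5 query A example-killswitch.invalid
"""


def infected_hosts_from_dns_log(log_text, domain=KILL_SWITCH_DOMAIN):
    """Hosts that queried the kill-switch domain. Once the domain is held by a
    defender, the malware's own check becomes an infection beacon."""
    hosts = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[3] == domain:
            hosts.add(parts[0])
    return hosts


if __name__ == "__main__":
    for env in (unregistered_internet, sandbox_fake_dns, registered_internet):
        print(env.__name__, "-> attack continues:", should_continue_attack(env))
    print("hosts seen querying the kill switch:",
          sorted(infected_hosts_from_dns_log(SAMPLE_DNS_LOG)))
```

The point of injecting the resolver is that the same three-line check gives opposite answers depending on who answers DNS, which is exactly why a sandbox that resolves everything made the sample look dormant and why registering the name stopped new infections.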

Recentism

I placed a {{Recentism}} tag to the reactions section.

Honestly, I think most of the article should belong to wikinews. I know it talks about the attack, but we should focus on the wider effects of the event, and avoid day-to-day updates, more fitting to a news article. Titore (talk) 00:30, 19 May 2017 (UTC)

  Done. I've now restructured it so that the paragraphs are thematic rather than chronological, so that it gives a sense of various strands to the reactions. — Sasuke Sarutobi (talk) 13:28, 19 May 2017 (UTC)

Info on file recovery?

I think we need a section on file recovery options in the article. The article currently does not give any indication of actions to be taken after infection, just ways to prevent infection. Are there ways of recovering files other than forking over the cash? Does paying the ransom actually release the files? These questions are not answered in the article (that I can see) and is a major oversight, given that the first port of call for many infected by the virus might be this article. — InsertCleverPhraseHere 23:33, 17 May 2017 (UTC)

We have some advice like [4] which says not to pay them because it 'encourages them', but for users that have files encrypted whose value far outweighs 300-600, this might not carry much weight (and the article gives no indication whether paying the ransom works or not).

[5] apparently europol recommends not to pay, "Europol warns that paying up doesn't guarantee that you'll get everything back. And giving the hackers what they want proves the worm is effective, the agency said." again not great advice to those weighing up their options.

The BBC is more helpful in this article saying that a manual human operator would have to activate decryption directly and that "because of the way in which WannaCry has been designed, the sad fact is that people are very unlikely to regain access to their files, even if they do pay." linking to this post which says that not a single case has been reported of someone getting their files back despite $30,000 (another source says $50,000) having been gathered by the hackers. "Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then… Wait... Most A-list ransomware pride themselves on customer support, and are usually very easy to contact. Again, not the case with WannaCry. The only way of contacting the malware creators is through the “Contact Us” option on the ransom note screen. Despite our best efforts, we have yet to receive a reply."

Given the above information, I think we can safely put together a section saying that WannaCry, though purporting to be ransomware, does not in fact have the capability for file recovery, and that paying the ransom will not result in the recovery of files without direct intervention or contact with the hackers (which no one has been able to establish). And furthermore that not a single account of someone getting their files unlocked by paying the ransom has been reported. — InsertCleverPhraseHere 23:33, 17 May 2017 (UTC)

@Insertcleverphrasehere: Then go ahead and WP:FIXIT if you have the sources. We don't need to discuss every change, and I don't believe this is controversial at all. Gestrid (talk) 00:04, 18 May 2017 (UTC)
Fair enough, just being a bit cautious as the last time I was bold regarding this article it stirred up the merger hornet's nest above. — InsertCleverPhraseHere 00:56, 18 May 2017 (UTC)
If you have not rebooted your XP machine since being infected, it's possible the prime number used to generate the encryption key is still in memory (i.e. has not been overwritten)... if so, you could compile the source code located on GitHub and generate your own decryption key. See the readme there. I have not heard of *anyone* paying the ransom and then having a decryption key delivered, by the way. Darr247 (talk) 14:05, 19 May 2017 (UTC)
Further refinement of that method is at github.com/gentilkiwi/wanakiwi Darr247 (talk) 19:02, 19 May 2017 (UTC)
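The recovery idea Darr247 refers to, modelled at toy scale as an added example (this is not the wannakiwi code): the RSA modulus is still readable from the key blob on disk, and if the process memory has not been reused, one of the two primes can be found by sliding a window over a memory image and testing whether it divides the modulus; from that prime the private exponent is rebuilt and the wrapped file key unwrapped. The primes, the "memory dump" and the wrapped value are all constructed for the demo.

```python
from math import gcd

E = 65537
# Constructed demo primes, 8 bytes each: 2**61-1 (Mersenne prime M61) and
# 2**64-59 (largest prime below 2**64). Real keys are 2048-bit.
P = (1 << 61) - 1
Q = (1 << 64) - 59
N = P * Q  # public modulus; still readable from the key file after infection


def make_memory_dump(prime):
    """Constructed 'process memory' with the prime left behind in it.

    CryptoAPI keeps key material little-endian, so the prime is stored that
    way; the filler is a fixed byte pattern standing in for heap noise.
    """
    filler = bytes(range(256)) * 4
    return filler[:700] + prime.to_bytes(8, "little") + filler[300:]


def find_prime_in_memory(dump, n, width=8):
    """Slide a width-byte window over the dump; a window dividing n is a factor."""
    for offset in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[offset:offset + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(n, p, e=E):
    """One factor gives the other; from both, derive d (no ransom key needed)."""
    q, rem = divmod(n, p)
    assert rem == 0
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_and_decrypt(dump, ciphertext):
    """End to end: locate the leaked prime, rebuild d, unwrap an RSA-wrapped value."""
    p = find_prime_in_memory(dump, N)
    if p is None:
        raise ValueError("prime not found: memory was probably reused (e.g. after a reboot)")
    d = rebuild_private_exponent(N, p)
    return pow(ciphertext, d, N)


if __name__ == "__main__":
    file_key = 0xC0FFEE1234  # stands in for a per-file key the ransomware RSA-wrapped
    wrapped = pow(file_key, E, N)
    print(hex(recover_and_decrypt(make_memory_dump(P), wrapped)))
```

The failure branch is the important one for triage: once the machine has been rebooted or the memory page reused, the scan finds nothing and the approach is over.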

They keep getting added and then reverted.[6][7][8]

I tried adding them directly to wikidata, but that was reverted too. Unsurprisingly, the problem seems to be the title we use...

See the discussion on wikidata. Titore (talk) 13:07, 21 May 2017 (UTC)

And this is another reason why the unusual manner in which we are maintaining this article, due to mere insistence, is a problem. ViperSnake151  Talk  15:18, 21 May 2017 (UTC)

Organizing the Elements of the software section

First, so that I understand, The WannaCry malware contains EternalBlue and DoublePulsar within it? Anna Frodesiak (talk) 19:47, 19 May 2017 (UTC)

Anyone? Anna Frodesiak (talk) 21:21, 19 May 2017 (UTC)

It uses those "exploits", but an Exploit (computer security) is not precisely the same as a virus or malware: there might be more than one way to code something that could target the same vulnerability to achieve the same end. {The poster formerly known as 87.81.230.195} 2.122.60.183 (talk) 00:32, 20 May 2017 (UTC)
To clarify a bit more, these are really 2 different things. WannaCry uses the EternalBlue exploit to infect computers. This is just taking advantage of the vulnerabilities that EternalBlue exposes. I have no idea if they reused the code released. DoublePulsar is a backdoor tool. It is installed after the computer is compromised by WannaCry, probably via the EternalBlue exploit. Again, I have no idea if the version installed by WannaCry (and bear in mind there are many variants of WannaCry anyway) is exactly the same as that released before. I would have expected the attackers to have modified it to make it more difficult for anyone else to use but I haven't read enough to know. The attackers did also apparently take advantage of existing installations of the tool to help spread the malware. Note that although our article puts these together, they are actually mostly separate things. WannaCry could easily install itself using DoublePulsar, without installing DoublePulsar itself, or even have removed it. WannaCry could also have installed DoublePulsar (or some variant), without actually using it to spread, perhaps for future use as a botnet. (Although the ransomware component means many of these computers are going to have DoublePulsar removed as even those paying the ransom are often likely to have their computers inspected.) Nil Einne (talk) 03:36, 20 May 2017 (UTC)
Okay, thanks Nil Einne and IP for the good clarification. So, a big question is: where are the exploits when WannaCry first wants to infect a computer? I mean, does WannaCry get into the computer then call some IP to get the exploits? Is WannaCry bundled together with the DoublePulsar and EternalBlue code? Anna Frodesiak (talk) 05:17, 20 May 2017 (UTC)
It may help to envisage an analogy; your computer is a house, with windows and doors locked up tight. Wannacry is a burglar. EternalBlue is a little-known manufacturing fault in the window lock that means if you tap it hard in the right place the window springs open, allowing the burglar to gain entry without going through the front door and tripping the alarm. Once said burglar is in the house he uses Doublepulsar, which in this analogy is a master key bought from the alarm supplier to disable the alarm, and then unlocks the door - allowing anybody and everybody to enter the house without alerting the owner.
Exploits and vulnerabilities already exist - they are not downloaded or retrieved for use - but tools that take advantage of the vulnerabilities do: EternalBlue is a vulnerability, DoublePulsar takes advantage of that vulnerability.
That's a broad and general statement (probably incorrect in technicality) but for a quick explanation, it should do. Chaheel Riens (talk) 07:37, 20 May 2017 (UTC)
Hi Chaheel Riens. Thanks for the explanation. So, this EternalBlue is code, right? You say it is a "manufacturing fault in the window lock". But it is not code that is part of Windows, right? It is code that was made by the NSA. It sounds like WannaCry has that code within itself and uses it to exploit the fault in the window lock. Is that right? Doublepulsar is also code, right? That code resides within WannaCry. Once WannaCry gets in, it executes this code to infect other computers. Is this right? I want to know so we can arrange that section to help laypeople understand. Thanks. Anna Frodesiak (talk) 08:21, 20 May 2017 (UTC)
Humans are messy creatures ;-). EternalBlue is used to describe all of the following: (1) the combination of bugs in Windows' SMB implementation ("the vulnerability") that enable someone from the outside to take over the machine, (2) the method to exploit this vulnerability, and (3) a particular implementation, believed to originate with NSA and leaked, of code that uses the method to exploit the vulnerability. --Stephan Schulz (talk) 09:43, 20 May 2017 (UTC)
Hi Stephan Schulz. Holy moly. Well, reading the "Elements of the software" section, I am not sure visitors will understand that. Could we title it, explain it, and organize the subsections better? Anna Frodesiak (talk) 09:53, 20 May 2017 (UTC)

EternalBlue is a so-called little-known manufacturing fault in the window... others may call it a carefully crafted mechanism whose intentionality may be dismissed by the manufacturer. There are a lot of unknowns, but the goals and means are heuristically probable by long accumulated statistics. Please be semantically aware of meanings that may be anti-semantic. — Preceding unsigned comment added by 2601:248:4301:5A70:4A5D:60FF:FE32:8309 (talk) 18:41, 20 May 2017 (UTC)

Wow. Well, I sure hope we can get this sorted out. I am sure visitors would like to have a clear understanding of all the whats without it sounding too much like simple.wikipedia.
Also, how about some critical info, maybe in bullet form? You know, like size, program it was written in, that sort of thing. Anna Frodesiak (talk) 00:07, 21 May 2017 (UTC)
  • I only read the first three comments, so apologies if I'm repeating anything. I came here from the refdesk.
First, an "exploit" isn't a specific program or body of code. Rather, it's a type of program or body of code. Specifically, it's a type of program that takes advantage of a specific "vulnerability". So if you write code that takes advantage of the sticky keys vulnerability in Windows 7, you've created a "sticky keys" exploit. This can get confusing, because the same name is applied to the vulnerability, the method of taking advantage of it, and the code that does so. So it would be grammatically correct (accounting for jargon) to say that your sticky keys exploit used the sticky keys method to take advantage of the sticky keys vulnerability. That's a mouthful, which is why we would normally just say "Anna used the sticky keys exploit to get in." Of course, even if you didn't write code, but did it manually, we would say the same things. This is due to the fact that we like confusing non-computer geeks because it makes us feel smarter.
The backdoor tool, on the other hand, may actually be a discrete bit of code (it may not be, but if not, then it's a sort of 'generic' or 'variant' version of the original code). The backdoor tool in question doesn't -I think, I may be wrong as I haven't been following this story that closely- use any exploits, but rather simply uses the normal behavior of unpatched Windows computers to execute code remotely on them.
So the end result is, this malware used the exploit (EternalBlue) to install the backdoor (DoublePulsar), which then ran the package (ransomware). ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 05:17, 21 May 2017 (UTC)
MjolnirPants, you've been a big help! Thank you so much!!! :) Anna Frodesiak (talk) 05:48, 21 May 2017 (UTC)

To editors Nil Einne, Stephan Schulz, Chaheel Riens and MjolnirPants: Okay, I made some changes. Did I get any of it right? :) Anna Frodesiak (talk) 06:04, 21 May 2017 (UTC)

You wrote: Initially, a piece of code called EternalBlue exploits a vulnerability..., which I think is still greatly misunderstanding how this works. Unlike DoublePulsar, which is a specific tool, the code would not be called "EternalBlue". I'm going to try to give a simple-ish explanation of how WannaCrypt works, using various writeups plus some other unsourceable stuff because I've been reading about this a bit too much. My tech knowledge is hopefully enough to understand broadly what's going on but still somewhat limited (I'm a freshly graduated CS-ish major, see my userpage, but I also kind of suck at it) so the explanation shouldn't be too complicated; also, in the interest of trying to keep it accessible things won't necessarily be 100% accurate; stuff in small parentheses is usually just notes or supplemental info that may or may not be necessary to understand. If this is completely off the mark please feel free to call me on my BS (Bachelor of Science) ;).
with parenthetical notes
First, the software enters a Windows system through Server Message Block, or SMB (more on how exactly that happens below). It does a check (trying to reach the "kill switch" domain) to see if it's on a researcher's environment (by the way, we really need to improve our articles on malware research). If it thinks it is (basically, if it can get a response from a supposedly inactive domain, it's not on a "normal" computer), it shuts down; if not, it continues running. The software then does two things. First, it runs the ransomware. At the same time, it starts scanning over SMB (checking both local networks and random IP addresses) to see if any connected devices are potentially vulnerable to the EternalBlue exploit (essentially, if the port that SMB uses is open). If it finds any, it will try to transfer a bit of code over SMB to the target computer; if the computer is vulnerable, this code automatically runs without any security checks (this process is what can be called EternalBlue, as a noun) - the code attempts to install DoublePulsar. If it works, or if DoublePulsar was already installed, it then uses DoublePulsar to download the main malware code to the new computer (via another SMB packet) and then run it, restarting the cycle.
without parenthetical notes
First, the software enters a Windows system through Server Message Block, or SMB. It does a check to see if it's on a researcher's environment. If it thinks it is, it shuts down; if not, it continues running. The software then does two things. First, it runs the ransomware. At the same time, it starts scanning over SMB to see if any connected devices are potentially vulnerable to the EternalBlue exploit. If it finds any, it will try to transfer a bit of code over SMB to the target computer; if the computer is vulnerable, this code automatically runs without any security checks - the code attempts to install DoublePulsar. If it works, or if DoublePulsar was already installed, it then uses DoublePulsar to download the main malware code to the new computer and then run it, restarting the cycle.
Another thing; as far as I can tell (not having seen the content of the leaks), EternalBlue and DoublePulsar were released differently: DoublePulsar was a complete working piece of software, which the creators of WannaCrypt slightly modified; meanwhile EternalBlue was more of a framework, implemented in different ways by several groups. Hope this is of some use, if not for the article, to your own understanding. :) ansh666 09:36, 21 May 2017 (UTC)
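A defender's counterpart to the scanning phase described above, as an added example that is not from the page's sources: detection logic that flags a host fanning out on TCP/445 to many distinct targets, local and Internet alike, within a short window. The firewall log lines, the thresholds and the site's local address range are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall-style records: "timestamp src dst dport action".
# Host 10.0.0.5 behaves like the worm's scanner; 10.0.0.9 is normal file-share use.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.12 445 allow
2017-05-12T10:00:01 10.0.0.5 10.0.0.13 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.14 445 allow
2017-05-12T10:00:02 10.0.0.5 203.0.113.7 445 deny
2017-05-12T10:00:03 10.0.0.5 10.0.0.15 445 allow
2017-05-12T10:00:03 10.0.0.5 198.51.100.22 445 deny
2017-05-12T10:00:04 10.0.0.5 192.0.2.41 445 deny
2017-05-12T10:00:05 10.0.0.9 10.0.0.2 445 allow
2017-05-12T10:00:07 10.0.0.9 10.0.0.2 445 allow
2017-05-12T10:00:09 10.0.0.9 10.0.0.3 80 allow
"""

LOCAL_NETS = [ip_network("10.0.0.0/8")]  # constructed: the site's own address space


def is_local(ip):
    """True if the address lies inside the site's own networks."""
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def parse_log(text):
    """Yield (seconds, src, dst) for every TCP/445 record; denied attempts count too,
    since blocked connections are still evidence of scanning."""
    for line in text.splitlines():
        ts, src, dst, dport, _action = line.split()
        if dport == "445":
            yield datetime.fromisoformat(ts).timestamp(), src, dst


def detect_smb_fanout(text, window_s=60, min_targets=5, min_external=1):
    """Flag sources reaching >= min_targets distinct hosts on 445 within window_s seconds,
    at least min_external of them outside LOCAL_NETS (the 'random IP' part of the scan)."""
    by_src = defaultdict(list)
    for t, src, dst in parse_log(text):
        by_src[src].append((t, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            targets = {d for t, d in events[i:] if t - start <= window_s}
            external = {d for d in targets if not is_local(d)}
            if len(targets) >= min_targets and len(external) >= min_external:
                alerts[src] = {"targets": len(targets), "external": sorted(external)}
                break
    return alerts


if __name__ == "__main__":
    print(detect_smb_fanout(SAMPLE_LOG))
```

Tune min_targets to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445, so allow-listing such sources is part of deploying a rule like this.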

I am going to leave this to others from here on in. I am out of my depth and will watch what you all do with this. Feel free to revert or anything you wish. Many thanks again for all the help. Best, Anna Frodesiak (talk) 11:45, 21 May 2017 (UTC)

Well alright then Anna, I didn't mean to scare you off! I've reworked the section a little bit - could you take a look to see if you understand? Thanks, ansh666 16:32, 21 May 2017 (UTC)
@Ansh666: That was a really good summary, I'm reviewing your edits in a moment, but if they're anything like your comment here, they should be great. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 18:24, 21 May 2017 (UTC)
Yup. Looks awesome, and pretty much the way I'd have written it. (To be fair, as I mentioned above, I haven't been following this that closely. But I've developed an interest in infosec recently, so part of the reasons I didn't follow closely is because the simple descriptions I read at first just seemed to make the operation of the worm pretty obvious.) ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 18:27, 21 May 2017 (UTC)
One more thing, which was pointed out by someone modifying my edit: EternalBlue is the name of an exploit; the vulnerability that the exploit takes advantage of isn't (and can't be) called EternalBlue. The vulnerability's most official name is "MS17-010", and EternalBlue can be called an MS17-010 exploit, but not the other way around. So it's kind of a strange square vs rectangle kind of thing. In your "sticky keys" example, that's the name of the vulnerability, so it's transitive, but if the specific method/exploit was called, say, "HammerTrousers", it wouldn't be the "HammerTrousers vulnerability", it would still just be the "sticky keys vulnerability". And now I need to go do something else to unknot my mind. ansh666 19:08, 21 May 2017 (UTC)

Fantastique! I can actually read it and understand. Before (May 19), the article really didn't make things clear. Everyone's combined efforts at a description really helped. MjolnirPants's nutshell description and ansh666's copy edits nailed it. Thank you all again! Anna Frodesiak (talk) 22:08, 21 May 2017 (UTC)

"Independent research and development"

Sorry, but this was more of a personal essay built around two tweets by Snowden. This whole WannaCry event got a fair bit of attention for a day or two, but is not significantly different to 101 other security threats out there. There are good sources such as this one for your argument, but they must link to WannaCry to be appropriate - and should just be another item under "Reaction". Snori (talk) 21:00, 20 May 2017 (UTC)

@Snori: Alright. I hope it's okay in this form. Trimmed most of it away and added some more refs. (Diff with the former, full subsection). --Fixuture (talk) 22:00, 21 May 2017 (UTC)
Much better. Snori (talk) 22:37, 21 May 2017 (UTC)