Important lessons from the first NSA-powered ransomware cyberattack


Last Friday (12 May 2017), a weaponized version of an NSA exploit was used to infect over three hundred thousand computers in more than 150 countries with the WannaCry ransomware.

In addition to government ministries and transportation infrastructure, the British National Health Service (NHS) was crippled, disrupting treatment and care for thousands of patients and putting countless lives at risk. The indiscriminate use of an NSA-authored weapon against the general public is terrifying, and it is made worse by the fact that the NSA could have largely prevented the attack. Instead, because the NSA stood by and did nothing, we have ended up in a world where American cyberweapons are being used to potentially kill British citizens in their hospital beds.

What went wrong?

The WannaCry infection that caused global chaos on Friday relied on a Windows exploit called EternalBlue, which targets a flaw in the Windows implementation of the SMBv1 file-sharing protocol and was originally written by the NSA. Instead of responsibly disclosing the vulnerability to Microsoft when it was discovered, the NSA weaponized it and sought to keep it secret, believing that the weapon could be safely kept hidden.

Predictably, this was not the case. In August 2016 it became public that the NSA had itself been compromised and that a cache of its cyberweapons had been stolen. It is rather ironic that the world's largest surveillance agency believed it would never be compromised.

It has become abundantly clear over the past decade that the notion of keeping attackers out forever is fundamentally flawed. Compromises are not a matter of if, but a matter of when (in fact, this is why we designed ProtonMail to be the first email service that can protect data even in the event of a compromise). If anybody should know this, it is the NSA.


[Image: Hospitals across the UK suffered major IT malfunctions as a result of the ransomware cyberattack.]

It gets even worse

It’s clear that in weaponizing a vulnerability instead of responsibly disclosing it (so hospitals and transportation infrastructure can be protected), the NSA made a critical error in judgment that put millions of people at risk. However, one would think that after learning 10 months ago that their entire cyberweapon arsenal had been stolen and was now out “in the wild”, the NSA would have immediately taken action and responsibly disclosed the vulnerabilities so systems around the world could be patched.

Unfortunately, there is no indication that they did so. Reading Microsoft's statement from today carefully, it appears the NSA deliberately withheld the information that would have allowed critical civilian infrastructure like hospitals to be protected. In our view, this is unforgivable and beyond irresponsible.

Instead, the Windows engineering team was left to find the vulnerabilities by themselves, which they finally did in March 2017, 8 months after the NSA learned the exploits had been stolen. More critically, Microsoft only managed to patch the vulnerabilities 2 months before last Friday's attacks, which is not nearly enough time for all enterprise machines to be updated. The March patch also covered only supported Windows versions; machines still running Windows XP or Server 2003 received an emergency patch only after the attack was already under way, and until then their only defences were disabling SMBv1 or blocking the port the worm spread over (TCP 445).
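The gap between "a patch exists" and "every machine has it" is exactly where WannaCry lived, so the practical question for an administrator on that Friday was: is this host patched, and if not, is SMBv1 off and port 445 closed? The following PowerShell script is an added example, not code from the original post or from ProtonMail, that answers those three questions for one host and optionally applies the two mitigations. It assumes an elevated PowerShell session; the Get-SmbServerConfiguration cmdlet (Windows 8 / Server 2012 and later) with a registry fallback for older systems; the KB numbers are transcribed from the MS17-010 bulletin as published and must be checked against the bulletin for your exact build, since later cumulative updates supersede them without appearing under those IDs; and the firewall rule name is an arbitrary choice.

```powershell
# Added example (not from the original post): audit one Windows host for
# WannaCry exposure and, with -Remediate, apply the pre-patch mitigations.
# Assumptions: elevated session; KB list transcribed from MS17-010 and to be
# verified for your build; firewall rule name chosen here for illustration.

param(
    [switch]$Remediate   # without this switch the script only reports
)

# Security updates that shipped the MS17-010 fix (March 2017). A host
# patched by a later monthly rollup / cumulative update will NOT list
# these IDs, so treat "none found" as "verify", not as "vulnerable".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Vista / Server 2008 (and the XP/2003 package)
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("MS17-010 update present: " + ($installed.HotFixID -join ', '))
} else {
    Write-Output "No MS17-010 KB found by ID; check for superseding cumulative updates."
}

# SMBv1 is the protocol EternalBlue attacks; turning it off closes the door
# regardless of patch state. Newer hosts expose it via a cmdlet, older ones
# via the LanmanServer 'SMB1' registry value (absent means enabled).
$smb1Enabled = $true
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -ne $value -and $value -eq 0) { $smb1Enabled = $false }
}

if ($smb1Enabled) {
    Write-Output "SMBv1 server is ENABLED: host is exposed if unpatched."
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0
        }
        Write-Output "SMBv1 server disabled (a reboot may be required on older systems)."
    }
} else {
    Write-Output "SMBv1 server is disabled."
}

# WannaCry spread host-to-host over TCP/445. Blocking it inbound on
# endpoints that do not serve files stops lateral movement; file servers
# and domain controllers need an exception and must rely on the patch.
$ruleName = 'Block inbound SMB 445'   # illustrative name, not a Windows default
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Inbound TCP/445 block rule already present."
} else {
    Write-Output "No inbound TCP/445 block rule present."
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Output "Inbound TCP/445 block rule created."
    }
}
```

Run it without arguments to get a report, and with `-Remediate` to disable SMBv1 and add the port 445 block. The patch check is deliberately the weakest of the three signals: KB identifiers are superseded on Windows 10 within a month or two, so a missing ID proves nothing, whereas "SMBv1 is off" and "445 is blocked" are conditions the host either meets or does not.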


[Image: infection map. Nearly 400,000 computer systems around the world have been infected.]

What is the bigger impact?

We think that US Congressman Ted Lieu is spot on when he wrote on Friday: “Today’s worldwide ransomware attack shows what can happen when the NSA or CIA write malware instead of disclosing the vulnerability to the software manufacturer.”

Friday’s attack is a clear demonstration of the damage that just a SINGLE exploit can do. If we have learned anything from the NSA hack and the more recent CIA Vault 7 leaks, it is that potentially hundreds of additional exploits exist, many targeting other platforms, not just Microsoft Windows. Furthermore, many of these are probably already out "in the wild" and available to cybercriminals.

At this point, the NSA and CIA have a moral obligation to responsibly disclose all additional vulnerabilities. We would say that this goes beyond just a moral obligation. When your own cyber weapons are used against your own country, there is a duty to protect and defend, and responsible disclosure is now the only way forward.

Lessons Learned

Anybody working in online security will tell you that protecting against the bad guys is hard enough. The last thing we need is for the supposed “good guys” to be wreaking havoc. An undisclosed vulnerability is effectively a “back door” into supposedly secure computing environments, and as Friday’s attack aptly demonstrates, there is no such thing as a back door that only lets the good guys in.

This is the same fundamental issue that makes calls for encryption backdoors counterproductive and irresponsible. Despite repeated warnings from security industry experts, government officials in both the US and the UK have repeatedly called for encryption backdoors, which could grant special access into end-to-end encrypted systems like ProtonMail.

However, Friday’s attacks clearly demonstrate that when it comes to security, there can be no middle ground. You either have security, or you don’t, and systems with backdoors in them are just fundamentally insecure. For this reason, we are unwilling to compromise on our position of no encryption backdoors, and we will continue to make our cryptography open source and auditable to ensure that there are no intentional or unintentional backdoors.

We firmly believe this is the only way forward in a world where cyberattacks are becoming increasingly common and more and more damaging, both economically and as a threat to democracy itself.

Best Regards,
The ProtonMail Team



About the Author

Andy Yen

Andy is the Founder and CEO of ProtonMail. Originally from Taiwan, he is a long-time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and received his PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.



16 comments on “Important lessons from the first NSA-powered ransomware cyberattack”

  • This is a widespread tragedy that didn’t have to happen.

    Please talk to your family, friends and neighbors about leaking. Abusive entities, wherever they may be, need to have their information open for public inspection. Leaking is safe and easy. Use Wikileaks or SecureDrop.

    Any text or voice information can be disseminated around the world in 24 hours. Talk to people you know. Encourage them to think of the better world we’ll have after these abusers have been exposed! Good luck to Anonymous, and other groups.

    We will win in the end. There are more of us than there are of them. And did I say “leaking is safe and easy”? I did? 1-2-3-go!


  • Good article. We have been saying this for years (I’ve been in IT since 1968), but you can’t tell a politician anything: they are born without hearing, and the space in their brain used for hearing things is used to increase their ego. What is really galling is that the spooks themselves, who do know better, still did it! It’s treason.

  • Good work on staying open source. If this ever changes, it will be taken by Protonmail supporters as a sign that the global intelligence services are now in control. In other words, I and many others will immediately stop using your service.

    But I currently have full confidence in Protonmail and hope this will continue far into the future. Keep up the great work. Looking really forward to Protonmail v.4.

    • To be fair not the entire technology is open sourced (at least to my knowledge).

      Does ProtonMail plan to open source server technology eventually?

    • Sounds nice, but in fact you don’t know what software is running at ProtonMail; what we know is what they show. I am a client and like the service.
      But to assume that all is safe because people say it is, and because they have open-source software, does not guarantee that they use it.

      If you want privacy, be silent. ))

  • To be fair, the vulnerability was patched by Microsoft 2 months before the May attack. In this case it is not entirely the NSA’s fault that the vulnerable computers were not protected and were hacked.

  • Please tell me why your home page attempts “A CANVAS INFO GRAB?” Makes me wonder.
    99.99% of Microcrap users have never heard the word “canvas”, much less know how to stop it.
    I guess you thought those of us who use alternate systems would not report this.
    I consider this to be a huge breach of confidence in your system, so I’ll be posting this on the open web for the useful idiots.

  • “In our view, this is unforgivable and beyond irresponsible.”

    Hi Andy…

    While it may have been irresponsible and morally wrong, calling it unforgiveable is too extreme. I know someone who’s forgiven me of a LOT of horrendous stuff I did in my past. His Name is Jesus. I know from personal experience that not forgiving someone leads to spiritual and emotional bondage and destruction. Forgiveness is for everyone, regardless of the offense, and it frees you. 🙂

    Apart from that, this is a great service and I want to thank you and your team for offering it! 🙂

    Best wishes…


  • @Nuno
    The same could be said for other email services like Gmail, Outlook, Tutanota, etc.
    Just report it, as no service can be aware of everything. ProtonMail does take action against spammers if they know about it.
    You don’t blame the car company just because a drunk driver misuses the car.

  • @Nuno
    You don’t simply blame car companies just because a drunk driver misuses the car.
    Just like Gmail, Outlook, etc., no company can be 100% sure that nobody can abuse it. Report it to ProtonMail if you see any abuse and they will suspend the account.