This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the
current talk page.
The following is a closed discussion of a
requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a
move review. No further edits should be made to this section.
WannaCry ransomware attack → WannaCry – As mentioned earlier, this article was afflicted by a strange consensus that the malware and the overall attack are distinct subjects, because the malware's actions are a
cyberattack that is independent of the malware itself, rather than just malware. I heavily disagree with this, as it contradicts our previous handling of malware-related articles; the malware is the attack, and I did not feel that they could be separated without contravening notability (working in the spirit of
BLP1E). I am relieved that the merger went through, but now we have to deal with the title. Per this reasoning and
WP:CONCISE, this article should be moved to WannaCry, and the lead should describe it as what it is, rather than paint this as just being an "event". This article requires no disambiguation. ViperSnake151 Talk 00:41, 19 May 2017 (UTC)
Support. While the article would undoubtedly need several small edits to bring the article in line with the new title, the Nom here makes a persuasive case. This does indeed seem how other malware articles are handled, so
WP:CONSISTENCY applies.
WP:COMMONNAME seems unclear in any case. If you do a news search for "WannaCry" you will see quite a few examples of "WannaCry ransomware attack" but also plenty that just refer to the malware by name instead. — InsertCleverPhraseHere00:45, 19 May 2017 (UTC)
Support. As I just said
above, I think this article already suffers from recentism. We can talk about the recent attacks without making a news article, and the current title actually doesn't help with that.
Titore (
talk)
00:52, 19 May 2017 (UTC)
Oppose ...and close snowingly. We just did this. This article is still primarily about the event. It contains a section on the virus itself. Consider a RM at a future date.
Anna Frodesiak (
talk)
02:03, 19 May 2017 (UTC)
No, that was a different issue. If there is consensus for covering the malware as a single article rather than the prior, unusual state of covering the malware as an event instead, this is the next step. We were doing too many things at once earlier. The article's current state should not be what the factor is; it can be changed. ViperSnake151 Talk 02:41, 19 May 2017 (UTC)
Strong oppose; the malware has been seen in the wild before May per Kaspersky, so there is a distinction between the thing itself and its recent spread.
ansh66607:37, 19 May 2017 (UTC)
Related note, as MalwareTech and others have pointed out, the proper name for the malware is
WannaCrypt, but given our rules on common name and all that, it's probably okay as is.
ansh66607:39, 19 May 2017 (UTC)
Oppose per
WP:RECOGNIZABLE. Call me ignorant, but I barely heard of the exact malware name as I only superficially followed the news; or then, ask our readers in three years from now whether they remember "WannaCry". I'd even go so far to rename this to
2017 worldwide ransomware attack, but I find the current title satisfying enough. The article is focused on the event rather than on the malware itself anyway.
No such user (
talk)
10:21, 19 May 2017 (UTC)
Strong Oppose There are
a lot of sources that uses "WannaCry attack" or "WannaCry ransomware attack". I don't see them using "WannaCry" in terms of the attack. Edit: Also, "WannaCry" is a ransomware and it attack computers recently. There are no previous attack so I see no point moving it here for now.
103.1.70.5 (
talk)
10:37, 19 May 2017 (UTC)
Comment. I see some people opposing saying WannaCry was only used for the attack. While that's true, I don't see why it should be a reason to oppose. The point to move to WannaCry is exactly beacause WannaCry and the attack almost overlap, and the move is requested for consistency and conciseness. In the article we're still gonna continue to talk about WannaCry and its attacks and effects, but maybe from a wider point of view. People saying the article is all about the event should consider checking what wikipedia is and what wikinews is (hint:
WP:NOTNP), and while we can and should continue talking about the event, the article as it is now has a lot of problems in that regard that we need to fix.
Titore (
talk)
11:16, 19 May 2017 (UTC)
Strong oppose. As other editors have said, we have only just finished this discussion. Now that both of the previous proposals are closed, I feel it is better that we just get on with the article and then revisit this if/when:
We decide that we have an article that is sufficiently uneven in scope or length (with respect to the attack / the software itself) and have taken enough from source material that we can justify moving / splitting / otherwise changing the location of the material;
Further attacks occur that require us to differentiate between them and this attack;
Something else occurs that renders the title very clearly not the best one.
To be honest, though, talk of article titles themselves I feel is fairly academic. Besides the difference it makes to SEO scores (which is relatively irrelevant for Wikipedia, given its size), most readers will care little whether it is called "WannaCry" / "WannaCry ransomware attack" / "WannaCry cyber attack" / "That scary piece of software that stole loads of people's data" or anything else, as long as it is clear that they are reading about the thing that they want to read about. More important to them is that the article has the information they want. At the end of the day, we have redirects. —
Sasuke Sarutobi (
talk)
11:29, 19 May 2017 (UTC)
Strong oppose - as per other arguments listed above, and that the previous discussion has barely had time for the electronic ink to dry.
Chaheel Riens (
talk)
12:32, 19 May 2017 (UTC)
Oppose. The article and its contents are about the attack, not the ransomware itself; when it is about the ransomware it's only to explain how it works and how broadly it affected computers. I believe this article should stay like so, name and all, until another attack using WannaCry or a possible variant occurs; at that point, then I believe WannaCry should get it's own article, using some of the info from this attack and a possible future attack. We can't name the article solely Wannacry based off just one attack using it, the article is about the attack and the name should reflect that.
Firework917 (
talk)
14:38, 19 May 2017 (UTC)
This is exactly the notion that I was trying to avoid. As was mentioned by me and others, WannaCry is the event, and we've reached a consensus earlier that they are inseparable.
CryptoLocker is a good place to start, since I foresaw the sections being Operations > Mitigation > Impact (with subheadings for affected organizations) > Money paid, etc. How WannaCry has apread is no different than other self-replicating malware, it started off slow, but then just started spreading like wildfire. It is a story either way. ViperSnake151 Talk 15:11, 19 May 2017 (UTC)
Suggestion Eight opposes? The chance of this ending in "support" is near zero. I suggest we stop wasting community keystrokes and reads on this for now. As
Firework917 says above: "...until another attack using WannaCry or a possible variant occurs; at that point, then I believe WannaCry should get it's own article...". Please, can we close this and move on? Would that be okay with you,
ViperSnake151?
Anna Frodesiak (
talk)
17:49, 19 May 2017 (UTC)
Oppose Clearly
WP:RECOGNIZABLE trumps
WP:CONCISE here. Concise is not even an issue nor a valid reason to move in this instance as the name is not so long as to be burdensome. With that in mind, we always follow the sources and use the Common Name, which is where we already are. Removing words solely to make a title shorter, while at the same time you make it less informative, is clearly against our naming convention. To compare, most articles about mass shootings have the word "shooting" or "incident" or similar in their title. A title should be short, but it must be descriptive or it is of no use. The current title is already concise enough.
Dennis Brown -
2¢20:24, 19 May 2017 (UTC)
WikiProject Malware does have
naming guidelines, but it seems to account more for situations requiring disambiguation, and not using what the antivirus exactly calls it, rather than titles of malware strain articles when disambiguation is unneeded. Of course, by the consensus that has been implied, this is not considered a malware article, but a cyberattack article, which means this likely is invalid. ViperSnake151 Talk 01:17, 20 May 2017 (UTC)
This is an article on an event, not a strain. This seems to be the problem you are having, differentiating the difference between the two. If someone wants to start an article on this specific piece of software, then the rules would be different.
Dennis Brown -
2¢16:34, 21 May 2017 (UTC)
Oppose, implication that the article is about the ransomware itself, when it's actually about the attack. Plus, per other users and
WP:RECOGNIZABLE, shortening the title to simply "WannaCry" would not only make it more difficult for users to identify it as the ransomware, but it would also be cherry-picking since it is known by other names such as "WanaCrypt0r", "WanaDecrypt0r", "WannaCrypt", among others.
κατάσταση23:27, 19 May 2017 (UTC)
Support. The article should be simply WannaCry. Now that the 'dust has settled' somewhat, it's helpful to look to articles like
Morris worm, and
Blaster (computer worm) for guidance. It's in the nature of worms to be sudden impressive 'events' - but both of these articles (and others like
SQL Slammer,
Conficker and
Code Red (computer worm)), manage to cover the event part as well as the malware description bit. How this is generally done is to have both (i) A 'history'/'timeline' section and (ii) A "tech details" section - with as much detail as necessary in both.
Snori (
talk)
05:58, 20 May 2017 (UTC)
Strong oppose per
User:Anna Frodesiak's rationale. This article is not just about the malware but about the entire attack/incident/cyberpandemic/... (which includes its impact and analysis etc). --
Fixuture (
talk)
10:48, 20 May 2017 (UTC)
@
ViperSnake151: Well you have a point there, however:
Malware is not inherently an event in that sense - there can also be malware that doesn't get into the wild etc
The malware's variants are also part of the attack (no matter how impactful they were/are)
The exploits are also part of the attack - it was a (at least) two-sided attack that didn't just consist of the malware
(Targeted surveillance-gathering, sabotage- and (more or less) non-damaging, non-sudden.. cybercrime-malware (such as cryptominers) may not be best described as "attacks")
Its abrupt, rapid nature is not characteristic for malware in general but characteristic for an attack/incident/...
The exploits are used by the malware. Variants of a malware are typically not notable enough for their own articles, so they are typically considered branches of the parent article. Regardless of how structured or abrupt the spread is, it's still malware. ViperSnake151 Talk 16:55, 20 May 2017 (UTC)
Comment Hi
ViperSnake151. You make good points. They have weight. But they are pitted against what the media calls this, and the fact that nothing substantial has changed since the last RM days ago. It may very well end up being called WannaCry, but not from this RM.
So, how about a compromise? Let's close this and you do a RM in a few months. Would that be okay?
I say this because we have to look at the cost/benefit. The cost is that the template is a blight and draws a lot of people here. This talk page has
143 watchers and
hundreds of visits. People come and read through all these arguments --- the same arguments as in the last RM. The benefit is nothing. The chance of the outcome you wish is zero. So, what do you say?
Anna Frodesiak (
talk)
23:53, 20 May 2017 (UTC)
I unfortunately, must accept. The problem with this article is that it focuses too much on WannaCry as an event rather than a piece of malware. It is clear, per the coverage in sources, as well as the consensus of Wikipedia editors, that WannaCry must be classified as a cyberattack conducted using multiple Ransomware malwares with similar connections, rather than just a single Ransomware malware. Wikipedia articles must align with the perspectives of reliable secondary sources, and if they cover this as an attack rather than malware, we must do so as well. ViperSnake151 Talk 22:53, 21 May 2017 (UTC)
Oppose. A lot of my childhood friends had a Baby WannaCry doll. (Yes, I'm that old.) And no, WannaCry is pretty much guaranteed to have been used in more than one context; the ransomware is only the most recent use of that "term". Simply put, it's nowhere near distinct enough.
Risker (
talk)
03:00, 22 May 2017 (UTC)
The above discussion is preserved as an archive of a
requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a
move review. No further edits should be made to this section.
What does 'initially' mean though? How are we defining what countries are coloured red on this map? I was under the impression this was all the countries it had spread to, but if that isn't the case then this image is misleading. — InsertCleverPhraseHere09:16, 22 May 2017 (UTC)
Well, the caption did say "initially", so that would imply within a short time after discovery. But yes, how to define initially? Maybe the BBC article date?
Anna Frodesiak (
talk)
12:01, 22 May 2017 (UTC)
It'd be difficult to define. I don't imagine many organisations would wish to publicly disclose being infected if they could avoid disclosure, and those that did probably wouldn't have said anything straight away (save for employees mentioning it, especially when it became prominent, or the organisation realising that they are not out of the ordinary in being infected). So you may have only had a lot of organisations going public when it was clear that it was a widespread issue, making it difficult to define a cut-off at a particular time. —
Sasuke Sarutobi (
talk)
12:14, 22 May 2017 (UTC)
To be honest, I think if we're having trouble defining "initially", then we should just drop the requirement. Even if there are residual attacks still on-going (especially with the fabled "killswitch-free" variants), and defensive work still being done, most major organisations are either now affected or patched. Really, I think we should look at incorporating the list of affected organisations and then placing the map there to illustrate the scale of the effect (especially since the
discussion regarding flag usage fizzled out with no real consensus). —
Sasuke Sarutobi (
talk)
13:11, 22 May 2017 (UTC)
It's relevant because the key reason for this worm being notable is the speed with which it spread. We probably don't make this clear enough, but it started at 7:30am and was largly stoppped by the 'sinkhole' at about 3:00pm (both UK time) - that map is derived from a BBC graphic from the next day.
Then we should explain this in the caption for the map
Toning "attack" down to "infection"
Even if the title retains the "attack" wording, I'd like to pretty much expunge it from the article itself. We currently say "The attack started on Friday..."; where I think we should say "The first infections were detected on Friday...". Compare this article to
Stuxnet and
Sony Pictures hack. Those may not have been as widespread, but they were much more in the nature of attacks than this poorly executed ransomware. (I will wait a while for feedback before making any edits along this line).
Snori (
talk)
23:30, 20 May 2017 (UTC)
Actually, we follow the sources and we do not add our own opinion. The media is using the phrase "attack" 3x more than "infection" by my count.
Dennis Brown -
2¢08:38, 21 May 2017 (UTC)
WP:NPOV is not even at play here. There is no "victim" or unfairness to any person or group by calling it an attack.
WP:TITLE makes it clear in the first paragraph. Even the subsection
WP:NPOVNAME says we follow the sources, although I still maintain the title in no way raises neutrality issues.
Dennis Brown -
2¢16:31, 21 May 2017 (UTC)
Unless there's someone out there arguing that this ransomware produces some benefit to (as opposed to damaging) infected systems, there's no valid NPOV justification for removing it. ᛗᛁᛟᛚᚾᛁᚱPantsTell me all about it.18:29, 21 May 2017 (UTC)
I agree that there's a good argument for retaining "attack" in the title - it's the initial common name given, and hence has precedence. Similarly, many of the sources will use the "WannaCry attack" name for that same reason, and it would be wrong to alter or obscure that. However, my argument is that when we, later in the article, mention a machine or organisation being hit with this, then "attack" is not a reasonable word. We should use 'hit', 'infected', 'adversly affected' or whatever seems reasonable for the context - but attack will very seldom be appropriate.
User:Esowteric and
User:MjolnirPants argue that WannaCry has an 'attack intention', but (unless we hear otherwise) this is simple criminal ransomware. As per my earlier comments, check out the language we use in other articles on ransomware and worms. If you broadly agree, please pop a note here to show consensus.
Snori (
talk)
21:37, 21 May 2017 (UTC)
This isn't an article on a virus or worm, it is on the event. Looking at other articles on worms or ransomewear won't help you. You would look at articles on similar events. This point seem to be continually lost by a good many editors.
Dennis Brown -
2¢21:49, 21 May 2017 (UTC)
Well, it's about both - as since a recent merge
WannaCry redirects here. Note that it's in the nature of worms to spread extremely rapidly, so they are typically "events" (The first, the
Morris worm was very big event for the Internet sites of the time). By hitting the NHS, and being based on leaked NSA tools, this just got more than usual attention from the media - so the "event" side of things, quite rightly, gets more than usual attention.
Snori (
talk)
22:33, 21 May 2017 (UTC)
In a related note, no media has ever referred to a "defensive response". The section was originally titled as "response". This change to "defensive response" was made by an amateurish, teenage editor with little technical background, most of whose edits have been reverted by other editors.
73.61.20.75 (
talk)
17:30, 22 May 2017 (UTC)
"Attack" and "criminal ransomware" aren't mutually exclusive. Muggers "attack" victims, as do con-men. It's a metaphor, strictly speaking, but it's so common that it's idiomatic. ᛗᛁᛟᛚᚾᛁᚱPantsTell me all about it.01:29, 23 May 2017 (UTC)
Perpetrators?
Shouldn't there be a section (or at least a mention) of who/where the attack is thought to have come from?
Coinmanj (
talk)
06:30, 24 May 2017 (UTC)
@
Coinmanj: Well there was an "Attribution" section but it
was removed by 2604:2d80:8421:e8f0:d442:c6aa:8238:ba81 saying "Cut an unnecessary and over simplified description of the virus that was located in an odd part of the page". You tell me why you and nobody else saw and reverted that edit. Imo a section "Attribution", "Investigation", or "Perpetrators" is very warranted given the available reports on the investigation and its findings so far. --
Fixuture (
talk)
17:42, 24 May 2017 (UTC)
Considering I was just a casual reader of the article and then noticed there wasn't such a section, I'm not sure it's up to me to have noticed the removal back on May 22. That said, I've gone and re-added that section since it is definitely needed.
Coinmanj (
talk)
20:13, 24 May 2017 (UTC)
Someone registered the domain they found in the ransomware's code on a whim and inadvertently found he killswitch to the original ransomware. Turned out that every time a machine was encrypted, the ransomware pinged the domain to see if it had been created. If not, it proceeded to encrypt the machine. If so, that copy of the ransomware would stop copying itself and wouldn't encrypt the user's files. It was hardcoded into the ransomware likely because the hacker wanted a way to stop the spread if, for whatever reason, they wanted to do that. —Gestrid (
talk)
06:53, 27 May 2017 (UTC)
You probably shouldn't go to the website, though, just in case. I'm not sure if the site itself is safe. —Gestrid (
talk)
06:56, 27 May 2017 (UTC)
The site is safe, but it's best to not go to it, because they still use it to determine who's been infected, and to do so they need to filter out manual visits.
ansh66618:04, 27 May 2017 (UTC)
The reason this was coded into the ransomware was to detect if it was running on an security research lab VM, which would almost always tell the software "Yes, this domain exists" just to see what happens. By doing that, they could prevent malware researchers from detecting the ransomware for a longer time. A botnet sinkhole is a computer that is designed to 'capture' botnet software so that security researchers can analyze it, and "sinkhole.tech" is a registered domain with a primary contact info of botnetsinkhole@gmail.com. ᛗᛁᛟᛚᚾᛁᚱPantsTell me all about it.20:40, 27 May 2017 (UTC)
EternalRocks uses a couple of the same exploits, but isn't even ransomware. How are the two related, and how would EternalRocks be considered part of this attack? — InsertCleverPhraseHere22:46, 25 May 2017 (UTC)
@
Insertcleverphrasehere: Because EternalRocks has, thus far, only been described in conjunction with WannaCry and would not be notable without that connection. In fact... there already is a brief section on EternalRocks in this very article. RA0808talkcontribs04:31, 26 May 2017 (UTC)
The only similarities here are the ones that the media invented in their desire to create more hype about WannaCry. They are actually wholly unrelated. — InsertCleverPhraseHere10:25, 28 May 2017 (UTC)
Do not merge. The only correlations are that EternalRocks uses the same exploits and disguises itself as WannaCry to evade detection. They should be separate.
Frevangelion (
talk)
01:06, 26 May 2017 (UTC)
86.153.132.218 is confusing the attack (WannaCry) with the vulnerability (CVE-2017-0144). Microsoft chose to patch Windows XP and the media concluded that Windows XP was responsible for WannaCry's impact. However subsequent research showed that Windows XP contribution was insignificant.
Another Rob (
talk)
22:01, 29 May 2017 (UTC)
Nobody has argued otherwise apart from your claim that the media concluded Windows XP [alone] was responsible (which they did not). Your repeated edits are claiming that Windows XP was never vulnerable to the ransomware (Your edit: "...researchers found Windows XP was not vulnerable to WannaCry's worm-like spreading mechanism ..."). In which case: what was the purpose of Microsoft's patch and how did Wannacry spread to the (globally) 'insignificant' number of XP machines that were affected? And why are you now claiming in your post above that Windows XP was affected? Which way are you arguing this because you can't have it both ways?
86.153.132.218 (
talk)
16:41, 30 May 2017 (UTC)
I removed that statement entirely, because the source given does not match the claim it cites at all. The ZDNet article given was actually talking about WannaKey. It made no mention to XP being "not vulnerable to WannaCry's worm-like spreading mechanism". ViperSnake151 Talk 17:32, 30 May 2017 (UTC)
I does mentions that, with this single sentence: "As security researcher Kevin Beaumont pointed out, the NSA's Eternal Blue exploit that WannaCry attackers used to spread the ransomware once inside a network cannot be used to infect Windows XP machines on that network.", citing as a source
this tweet. Also, Windows XP did have the SMB vulnerability and Microsoft fixed it, but that doesn't necessarily mean the ransomware was able to exploit it in XP[1]. Just doing the devil's advocate here; that tweet discussion, although very interesting, probably isn't enough to use it as a reliable source on wikipedia, anyway.
Titore (
talk)
20:07, 30 May 2017 (UTC)
Don't know if it counts as reliable, but
this does indicate that the versions of EternalBlue and DoublePulsar used in this worm do not function properly on XP. The ransomware package itself does however.
ansh66600:40, 31 May 2017 (UTC)
If WannaCry was unable to infect Windows XP, how was XP at particular risk? It seems to me that unpatched Windows 7 was a higher risk since WannaCry was able to execute, encrypt files, and spread.
Another Rob (
talk)
02:16, 31 May 2017 (UTC)
There is ample coverage that some Windows XP machines were affected and encrypted. What there seems to be some disagreement about in the sources is how this came about.
86.149.143.168 (
talk)
13:57, 31 May 2017 (UTC)
References
^Only the spreading bit, WannaCry still works on XP locally, according to that source.
New WannaCry patch for XP from Microsoft (~14 June 2017)
A bot has just changed the heading level of items 1-4 below, due to
WP:MOSHEAD. Were 1-4 meant to be sub-headings of the lead? In any case, shouldn't the main body of the article start with 5: Cyberattack? Things like "Kill switch" look oddly placed.
I have just added the name of the researcher who discovered the killswitch, Marcus Hutchins, AKA MalwareTech. Looking through the history, I noticed this had previously been removed as "doxxing." Unfortunately at this point, the cat is well out of the bag, particularly as MalwareTech has now been arrested in the US and is currently in detention, and his name is now being reported in numerous major publications:
https://news.google.com/news/story/dCGCPFgZIPS-8kMuYgoOE_o2cMHGM?ned=us&hl=en
But does it really add any value to the article? In my opinion, no it doesn't. Now I don't fully object to the notion of adding his name to the article, but given the circumstances, it might be wise to discuss it first.
SkyWarrior01:53, 4 August 2017 (UTC)
IMO it's mostly a matter of transparency; from reading the article, you would assume his identity is unknown, because it's unusual to not identify a person by name unless they're anonymous. That indeed *used* to be the case, but is no longer the case. So it's really a matter the implication caused by *not* having the name, rather than the importance of having it per se, which is why I only added it once (to dispel this assumption). I do think in the rest of the article we should continue to use the pseudonym. (There was also some parts that were rather oddly written because I think probably it's unusual for people to write about pseudonymous individual, although I think that isn't necessarily solved by using the name, but instead just by using the pseudonym correctly.)
Mvolz (
talk)
16:49, 4 August 2017 (UTC)
I beleive inclusion of the real name adds value. Since his widely-reported arrest, Marcus Hutchins, the real person, is now an important piece of of connective tissue in this topic area. ~
Kvng (
talk)
15:03, 7 August 2017 (UTC)
External links modified
Hello fellow Wikipedians,
I have just modified one external link on
WannaCry ransomware attack. Please take a moment to review
my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit
this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018.
After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than
regular verification using the archive tool instructions below. Editors
have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the
RfC before doing mass systematic removals. This message is updated dynamically through the template {{
source check}} (last update: 5 June 2024).
If you have discovered URLs which were erroneously considered dead by the bot, you can report them with
this tool.
If you found an error with any archives or the URLs themselves, you can fix them with
this tool.
Is it really appropriate to say FedEx was successfully attacked, when it was really just a Dutch company that FedEx had just happened to have recently acquired?
Also, would this source be good here, saying the extend of US damage is unknown, because of companies not reporting it?[1]
Relevant quote: "Private sector companies infected with ransomware largely tend to keep those incidents secret by privately working with contractors rather than the federal government."