WannaCry ransomware

WannaCry ransomware is a cryptomalware worm that attacks Windows PCs. 

It’s a form of malware that can spread from PC to PC across networks (hence the “worm” component) and then once on a computer it can encrypt critical files. 

The perpetrators then demand ransom payments to unlock those files. The name was derived from strings of code detected in some of the first samples of the virus.

WannaCry has been called a “study in preventable catastrophes” because two months before it first spread around the world in 2017, Microsoft issued a patch that would have prevented the worm from infecting computers.

Unfortunately, hundreds of thousands of systems were not updated in time, and an unknown number of such systems remain vulnerable today.

 

What is WannaCry ransomware?

WannaCry, also known as WannaCrypt, WannaCryptor and Wanna Decryptor, spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). 

EternalBlue enables attackers to use a zero-day vulnerability to gain access to a system. It targets Windows computers that use a legacy version of the Server Message Block (SMB) protocol.

WannaCry is one of the first examples of a worldwide ransomware attack. It began with a cyber attack on May 12, 2017, that affected hundreds of thousands of computers in as many as 150 countries, including systems in the National Health Services of England and Scotland, FedEx, University of Montreal, and Honda.

WannaCry ransomware is particularly dangerous because it propagates through a worm. This means it can spread automatically without victim participation, which is necessary with ransomware variants that spread through phishing or other social engineering methods. Because it encrypts systems, WannaCry is referred to as a cryptoworm or ransomworm.

 

How WannaCry operates

WannaCry exploits a vulnerability in Microsoft’s SMBv1 network resource sharing protocol. 

The exploit enables an attacker to transmit crafted packets to any system that accepts data from the public internet on port 445, the port reserved for SMB. SMBv1 is a deprecated network protocol.

WannaCry uses the EternalBlue exploit to spread. The first step attackers take is to search the target network for devices accepting traffic on TCP port 445, which indicates the system is configured to run SMB. This is generally done by conducting a port scan. 

The next step is to initiate an SMBv1 connection to the device. After the connection is made, a buffer overflow is used to take control of the targeted system and install the ransomware component of the attack.

Once a system is affected, the WannaCry worm propagates itself and infects other unpatched devices, all without any human interaction.

Even after victims paid the ransom, the ransomware didn’t automatically release their computers and decrypt their files, according to security researchers. 

Rather, victims had to wait and hope that WannaCry’s developers would deliver decryption keys for the hostage computers remotely over the internet, a completely manual process that contained a significant flaw: the hackers didn’t have any way to prove who paid the ransom. 

Since there was only a slight chance the victims would get their files decrypted, the wiser choice was to save their money and rebuild the affected systems, according to security experts.

 

The WannaCry impact

WannaCry caused significant financial consequences, as well as extreme inconvenience for businesses across the globe.

Estimates of the total financial impact of the initial WannaCry attack were generally in the hundreds of millions of dollars. 

However, what surprised experts about this attack was how little damage it did compared with the damage it could have done given its worm functionality.

WannaCry did prove to be a wake-up call for the enterprise cybersecurity world to implement better security programs and renew its focus on the importance of patching. 

Many security teams have better educated themselves and IT departments to better protect their organizations against ransomware. 

The WannaCry attacks also ignited the popularity of commercial ransomware attacks among the hacker community.

 

Is WannaCry still a threat?

Even though Microsoft issued updates that fixed the SMBv1 vulnerability on March 14, 2017 (two months before the WannaCry malware was first detected) the exploit that enabled the rapid spread WannaCry ransomware still threatens unpatched and unprotected systems.

Exploits of Microsoft’s SMB protocol have been extremely successful for malware writers, with EternalBlue also being a key component of the destructive June 2017 NotPetya ransomware attacks.

The exploit was also used by the Russian-linked Fancy Bear cyberespionage group, also known as Sednit, APT28 or Sofacy, to attack Wi-Fi networks in European hotels in 2017. 

The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers.

WannaCry is still a threat, in part, because of a radical change in attack vectors and an expanding attack surface. It is also a threat because many companies fail to patch their systems. 

With WannaCry also came the concept of the ransomworm and cryptoworm: code that spreads via remote office services, cloud networks, and network endpoints. 

A ransomworm only needs one entry point to infect an entire network. It then self-propagates to spread to other devices and systems.

 

What happens if the ransom is not paid?

Many leading experts suggest it is unwise to pay WannaCry ransomware, as many of those who did pay were reportedly unable to recover their files from the cyberattackers. 

There are also instances where ransomware attacks like WannaCry were defeated by security researchers due to the criminals’ faulty code. 

Of course, cyberattackers are constantly developing newer, more powerful versions of malware, making it unwise to rely on faulty code in the event of future attacks.

 

How to defend yourself

The first step to preventing WannaCry is to disable SMBv1 and update to the latest software. Version 3.1.1 was released in 2020. Keep all Windows systems patched and up to date. If possible, block traffic on port 445.

Beyond that, organizations can defend against WannaCry and other ransomware variants by doing the following:

• setting up secure backup procedures that can be used even if the network is disabled

• educating users on the dangers of phishing, watering hole attacks, and the use of unsafe/unvetted software

• using antimalware programs with anti-ransomware features

• keeping antimalware and firewall software up to date