
WannaCry Ransomware Explained


What is WannaCry ransomware?

Is your computer vulnerable to attack from WannaCry ransomware? Read on to find out as we explore all there is to know about the WannaCry ransomware attack.

In this article, you will learn:

  • What WannaCry ransomware is
  • How the WannaCry ransomware attack worked
  • The impact of the WannaCry ransomware attack
  • How to protect your computer from ransomware

WannaCry ransomware explained

WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money.

Ransomware does this by either encrypting valuable files, so you are unable to read them, or by locking you out of your computer, so you are not able to use it.

Ransomware that uses encryption is called crypto ransomware. The type that locks you out of your computer is called locker ransomware.

Like other types of crypto ransomware, WannaCry takes your data hostage, promising to return it if you pay a ransom.

WannaCry targets computers using Microsoft Windows as an operating system. It encrypts data and demands payment of a ransom in the cryptocurrency Bitcoin for its return.

What was the WannaCry ransomware attack?

The WannaCry ransomware attack was a global epidemic that took place in May 2017.

This ransomware attack spread through computers running Microsoft Windows. Users' files were held hostage, and a Bitcoin ransom was demanded for their return.

Were it not for the continued use of outdated computer systems and poor education around the need to update software, the damage caused by this attack could have been avoided.

How does a WannaCry attack work?

The cybercriminals responsible for the attack took advantage of a weakness in the Microsoft Windows operating system using a hack that was allegedly developed by the United States National Security Agency.

Known as EternalBlue, this hack was made public by a group of hackers called the Shadow Brokers before the WannaCry attack.

Microsoft released a security patch which protected users' systems against this exploit almost two months before the WannaCry ransomware attack began. Unfortunately, many individuals and organizations do not regularly update their operating systems and so were left exposed to the attack.

Those that had not run a Microsoft Windows update before the attack did not benefit from the patch, and the vulnerability exploited by EternalBlue left them open to attack.

When it first happened, people assumed that the WannaCry ransomware attack had initially spread through a phishing campaign (a phishing campaign is where spam emails with infected links or attachments lure users to download malware). However, EternalBlue was the exploit that allowed WannaCry to propagate and spread, with DoublePulsar being the ‘backdoor’ installed on the compromised computers (used to execute WannaCry).

What happened if the WannaCry ransom was not paid?

The attackers demanded $300 worth of bitcoins and later increased the ransom demand to $600 worth of bitcoins. Victims of the WannaCry ransomware attack were told that if they did not pay the ransom within three days, their files would be permanently deleted.

The advice when it comes to ransom payments is not to cave into the pressure. Always avoid paying a ransom, as there is no guarantee that your data will be returned and every payment validates the criminals’ business model, making future attacks more likely.

This advice proved wise during the WannaCry attack as, reportedly, the coding used in the attack was faulty. When victims paid their ransom, the attackers had no way of associating the payment with a specific victim’s computer.

There’s some doubt about whether anyone got their files back. Some researchers claimed that no one got their data back. However, a company called F-Secure claimed that some did. This is a stark reminder of why it is never a good idea to pay the ransom if you experience a ransomware attack.

What impact did the WannaCry attack have?

The WannaCry ransomware attack hit around 230,000 computers globally.

One of the first companies affected was the Spanish mobile company Telefónica. By May 12th, thousands of NHS hospitals and surgeries across the UK were affected.

A third of NHS hospital trusts were affected by the attack. Terrifyingly, ambulances were reportedly rerouted, leaving people in need of urgent care without it. The attack was estimated to have cost the NHS a whopping £92 million after 19,000 appointments were canceled as a result.

As the ransomware spread beyond Europe, computer systems in 150 countries were crippled. The WannaCry ransomware attack had a substantial financial impact worldwide. It is estimated this cybercrime caused $4 billion in losses across the globe.

Ransomware protection

Now you understand how the WannaCry ransomware attack took place and the impact that it had, let’s consider how you can protect yourself from ransomware.

Here are our top tips:

Update your software and operating system regularly

Computer users became victims of the WannaCry attack because they had not updated their Microsoft Windows operating system.

Had they updated their operating systems regularly, they would have benefited from the security patch that Microsoft released before the attack.

This patch removed the vulnerability that was exploited by EternalBlue to infect computers with WannaCry ransomware.

Be sure to keep your software and operating system updated. This is an essential ransomware protection step.

Do not click on suspicious links

If you open an unfamiliar email or visit a website you do not trust, do not click on any links. Clicking on unverified links could trigger a ransomware download.

Never open untrusted email attachments

Avoid opening any email attachments unless you are sure they are safe. Do you know and trust the sender? Is it clear what the attachment is? Were you expecting to receive the attached file?

If the attachment asks you to enable macros to view it, stay well clear. Do not enable macros or open the attachment, as this is a common way ransomware and other types of malware are spread.

Do not download from untrusted websites

Downloading files from unknown sites increases the risk of downloading ransomware. Only download files from websites you trust.

Avoid unknown USBs

Do not insert USBs or other removable storage devices into your computer if you do not know where they came from. They could be infected with ransomware.

Use a VPN when using public Wi-Fi

Exercise caution when using public Wi-Fi as this makes your computer system more vulnerable to attack.

Use a secure VPN to protect yourself from the risk of malware when using public Wi-Fi.

Install internet security software

Keep your computer protected and prevent ransomware by installing internet security software. Go for a comprehensive solution that protects against multiple complex threats, like Kaspersky’s System Watcher.

Update your internet security software

To ensure you receive the maximum protection your internet security has to offer (including all the latest patches) keep it updated.

Back up your data

Be sure to back up your data regularly using an external hard drive or cloud storage. Should you become victimized by ransomware hackers, your data will be safe if it is backed up. Just remember to disconnect your external storage device from your computer once you’ve backed up your data. Keeping your external storage routinely connected to your PC will potentially expose it to ransomware families that can encrypt data on these devices as well.


WannaCry Ransomware Explained

How one of the most dangerous ransomware outbursts happened. Key lessons organizations should learn.

LAST UPDATED ON OCTOBER 27, 2020

Ransomware has become one of the main cyber threats that can have devastating effects on organizations, resulting in financial damage, corporate instability, and reputational harm. This type of malware uses complex encryption algorithms to lock up all files on a machine unless a decryption key is used to retrieve the data. A ransom message appears on the device's screen, demanding that the victim pay a certain amount of money (usually in the Bitcoin cryptocurrency) in exchange for the key (with no certainty that the malicious hackers will keep their promise).

This sequence of events occurred one too many times during the past three decades since the first strain of ransomware was created.

Back in 2017, the WannaCry ransomware became one of the most devastating cyber-attacks ever seen. It swept the entire world, locking up critical systems all over the globe and infecting over 230,000 computers in more than 150 countries in just one day.

The UK's National Health Service (NHS), FedEx, Spain's Telefónica, and Renault-Nissan are merely a few of the names that became high-profile victims of crippling WannaCry ransomware attacks.

In this article, I will dissect the WannaCry outbreak and provide tips for organizations to defend themselves against ransomware attacks, so stay tuned until the end.

What is the WannaCry ransomware attack?

WannaCry is a type of crypto-ransomware, malicious software used by attackers in an attempt to extort money from their victims. Unlike locker ransomware (which locks targets out of their device so they are unable to use it), crypto-ransomware encrypts the data on a machine, making it impossible for the affected user to access it.

Just like any type of crypto-ransomware, this is exactly what WannaCry does: it takes the victims' files hostage, promising to restore them only if a ransom is paid.

Who was affected by WannaCry?

WannaCry targeted devices running the Microsoft Windows OS, encrypting the data and requesting payment in Bitcoin in exchange for its return.

WannaCry behaved like a worm, able to self-propagate across Windows devices. However, the fact that it was a worm was not the most significant thing about it. Instead, the methods it used to distribute itself were the concern, as they leveraged critical Windows bugs that had been fixed by Microsoft two months before the outbreak.

WannaCry used an exploit dubbed “EternalBlue”, which took advantage of a security vulnerability that allowed malicious code to propagate without the user’s consent across systems set up for file-sharing.

What is EternalBlue?

EternalBlue is the name of the exploit for a vulnerability (CVE-2017-0144) in the Windows implementation of the Server Message Block (SMB) protocol. The weakness originated from a bug that made it possible for a remote attacker to execute arbitrary code on a targeted machine by transmitting specially crafted data packets.

EternalBlue was created by the United States National Security Agency (NSA) as part of a questionable initiative of stockpiling and weaponizing software vulnerabilities rather than reporting them to the relevant vendor, according to critical comments made by Microsoft.

The malicious hacker group Shadow Brokers leaked the cyberweapon in April 2017 and posted it online.

EternalBlue was one of the most useful tools in the NSA's cyber arsenal until it was stolen. According to three former NSA insiders, security experts spent nearly a year discovering the flaw in Microsoft's software and writing the code to target it. They originally referred to it as EternalBluescreen because it frequently crashed machines. Yet it became a reliable instrument used in numerous intelligence-collection and counter-terrorism missions.

On March 13, 2017, a month before EternalBlue was leaked, Microsoft patched the flaw. A large number of unpatched servers, however, still existed and were vulnerable to the exploit.

How does WannaCry ransomware spread?

The WannaCry variant that incorporated the EternalBlue exploit first appeared at about 6 a.m. UTC on May 12, 2017, and quickly started circulating. Due to its ability to self-propagate, push itself through an organization's network and then on to other entities via the Web, it was a novel and incredibly dangerous type of threat.

Once it had placed itself on a computer, the ransomware used EternalBlue to spread to other machines on the local network. In an effort to locate further vulnerable devices, it also tried to self-propagate across the Internet by probing random public IP addresses.

This aggressive dissemination process shows how heavily certain organizations were affected by WannaCry and how easily it managed to leap from one entity to another.

Following an infection, the malware also downloaded the DoublePulsar backdoor (part of the Shadow Brokers leak). It was also reported that the malicious code tried to use a DoublePulsar backdoor that might have been installed in a previous attack, even where the EternalBlue exploit failed. The backdoor would enable the intruder to obtain remote access to the compromised device in order to flood the victim with additional malware or allow for data exfiltration.

When activated on a machine, WannaCry attempted to contact a certain domain. If the domain was inaccessible, it would continue to encrypt files and try to distribute itself to other devices. If the domain was reachable, however, the ransomware would not be downloaded.
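As an added example (not code from either article), the detection logic a defender might run over firewall connection logs to spot the propagation pattern described above: one host reaching many distinct SMB (TCP/445) targets within a short window, including addresses outside its own network. The log format, the internal address ranges and the sample entries are constructed assumptions.

```python
"""Flag SMB worm-style propagation in a connection log (added detection example).
Many distinct TCP/445 targets from one host in a short window, some outside the
organisation's own ranges, matches the spread pattern described above."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Address ranges treated as internal; any other destination counts as external/public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not real traffic): "<ISO timestamp> <src> <dst> <dport> <action>".
# 10.0.0.15 behaves like an infected host; 10.0.0.20 is ordinary file-server use.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T06:00:{i:02d} 10.0.0.15 10.0.0.{i + 2} 445 ALLOW" for i in range(8)]
    + [f"2017-05-12T06:00:{10 + i:02d} 10.0.0.15 {ip} 445 DENY"
       for i, ip in enumerate(["203.0.113.7", "198.51.100.23", "192.0.2.99", "203.0.113.200"])]
    + ["2017-05-12T06:05:00 10.0.0.20 10.0.0.5 445 ALLOW",
       "2017-05-12T06:40:00 10.0.0.20 10.0.0.5 445 ALLOW",
       "2017-05-12T07:10:00 10.0.0.20 10.0.0.6 445 ALLOW",
       "2017-05-12T07:11:00 10.0.0.20 203.0.113.10 443 ALLOW"]
)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def is_external(addr):
    """True when addr lies outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def find_smb_scanners(log_text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: (distinct_targets, external_targets)} for each source that
    reached at least min_targets distinct hosts on TCP/445 inside one window.
    DENY lines are kept on purpose: blocked attempts are still evidence of scanning."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == 445:
            ts, src, dst, _ = parsed
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best = (0, 0)
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, (len(targets), sum(is_external(d) for d in targets)))
        if best[0] >= min_targets:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))   # {'10.0.0.15': (12, 4)}
```

The external-target count is the useful secondary signal: an ordinary workstation talking to a handful of internal file servers never produces it, while the internet-wide spraying described above does.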

The WannaCry kill switch

The WannaCry kill switch functionality was soon accidentally discovered by security researcher Marcus Hutchins, who on May 12, registered a domain found in the ransomware’s binary code. Activating this kill-switch led to a rapid decline in attacks.

However, this did not permanently stop the attacks. Because the malware ignored proxy settings, the kill switch was not completely effective: many affected devices were not directly connected to the Internet and so could not reach the domain. Furthermore, additional variants with other kill switches had already been released, and thus the outbreak continued to expand.

Who was responsible for WannaCry?

Although most ransomware is released by ordinary criminal groups, WannaCry allegedly originated from somewhere else. The investigation of an earlier version of WannaCry, which was used in a limited number of targeted attacks, revealed some crucial facts. The earlier variant was quite similar to the one used in May 2017, the only difference being that it did not use EternalBlue to spread, but instead relied on compromised credentials to propagate through networks.

Specifically, the techniques used in those early attacks have been shown to have close ties to the Lazarus Group, an organization that was engaged in numerous high-profile attacks, including the devastating November 2014 cyber attack on Sony Pictures.

Is WannaCry still a threat?

Almost three and a half years later, WannaCry still remains a threat. As per the ESET Threat Report of Q1 2020, WannaCryptor accounts for 40.5% of ransomware detections.

A timeline of key events in the WannaCry cyberattacks

To put things into perspective, below you can see how the WannaCry events unfolded, in a nutshell.

January 16, 2017

March 2017

  • Microsoft publishes the patch for CVE-2017-0144 as part of their usual Patch Tuesday updates almost two months before the outbreak emerged.

April 14, 2017

  • The Shadow Brokers cyber attacker group, having stolen the EternalBlue toolkit from the NSA, leaked it on the Dark Web. The exploit targeted machines running the Windows OS; the ransomware that later used it encrypted all files on an infected device, requesting a payment in exchange for the data.

May 12, 2017

  • Spanish telecom operator Telefónica was among the first major companies to confirm infection with WannaCry on Friday morning.
  • Hospitals and clinics around the UK started reporting concerns to the national cyber incident response center by late morning.
  • French carmaker Renault was struck, while Deutsche Bahn became another victim in Germany.
  • The Ministry of the Interior, cell phone operator MegaFon, and Sberbank became compromised in Russia.
  • The US was not spared either, with the highest-profile victim being FedEx.
  • The WannaCry kill switch: by late afternoon, malware analyst Marcus Hutchins finds a kill switch and slows down its spread, becoming "an accidental hero for inadvertently stopping the cyberattack by registering a web domain found in the malware's code".

May 14, 2017

  • Organizations start releasing free decryptors for WannaCry.

Lessons learned: The importance of a good cybersecurity posture

Following the WannaCry outbreak, pressing cybersecurity matters were brought to light. Namely, the importance of setting up secure and regular backups, using proactive cybersecurity software, staying up to date with the latest security patches, and isolating sensitive systems.

What's more, the flawed patching practices of public and private sector organizations proved to be an issue. Patching was (and in some cases still is) an inconsistent, irregular process, not based on a proper patch management policy.

WannaCry’s arrival showed how disruptive cyber incidents can quickly ambush unprepared organizations. The impact of these malicious events on institutions is never overlooked by cybercriminals. In fact, they only set the stage for more attackers who try to pursue similar attack techniques.

Therefore, businesses need to prepare themselves and make sure they have protections in place against all vectors of attack.

To better ensure that attack entry points are covered, organizations need to follow a multi-layered defense approach. This should entail not only periodically patching software flaws and ensuring the backup of sensitive systems, but also the use of interconnected protection technologies. These solutions include essential threat prevention and remediation mechanisms, such as Next-Gen Antivirus & Firewall, DNS Filtering at the endpoint and perimeter level, Email Security, and Privileged Access Management (PAM).

Ransomware can be distributed through various methods, with email remaining one of the main channels. Self-propagation (when it comes to “ransomworms”) can also be used.

Nevertheless, a crucial element in building an organization’s protection against ransomware is knowing where it comes from.

One of the most powerful means of defense is to stop attacks at their root, before they get a chance to spread to multiple devices on a network. Thus, employee cybersecurity awareness, as well as having the most appropriate defenses against ransomware in place, is crucial.

How Heimdal Security blocked WannaCry ransomware

Heimdal Security is always on the lookout to combat the most sophisticated cyber threats.

Our DNS filtering technology proactively blocked all efforts to exploit the vulnerability that WannaCry used, ensuring that our users were safe even before the outbreak emerged.

Heimdal’s advanced DNS solution blocks network communication to mitigate Zero Hour exploits, Ransomware C&C’s, next-gen attacks, and data exfiltration. Using our ground-breaking Threat-to-Process-Correlation technology, we identify attack processes and provide HIPS capabilities.

Heimdal offers protection where traditional cybersecurity products like antiquated Antivirus solutions give up. We provide attack blocking, patching, exploit blocking, dropper protection, and use five layers of protection to stop ransomware attacks at different levels.
