WannaCry ransomware

The WannaCry ransomware is a worm that spreads by exploiting vulnerabilities in the Windows operating system. Specifically, WannaCry spread by using EternalBlue, an exploit leaked from the National Security Agency (NSA) that used a zero-day vulnerability to target Windows computers using a legacy version of the Server Message Block (SMB) protocol. WannaCry first began spreading across computer networks on May 12, 2017.

WannaCry ransomware is particularly dangerous because it is propagated through a worm, meaning it can spread automatically without victim participation, unlike ransomware that is spread through phishing or other social engineering methods.

WannaCry ransomware infected Windows computers, encrypting files on the hard drives of PCs so users couldn't access them, and then demanded a ransom payment of between $300 and $600 in bitcoin within three days to decrypt the files; however, even after paying, only a handful of victims were given decryption keys. Microsoft released a patch to mitigate the vulnerability, taking the highly unusual step of releasing patches for end-of-life versions of Windows, including Windows XP and Windows Vista.

The WannaCry ransomware affected hundreds of thousands of computers in as many as 150 countries, including many systems in the National Health Services of England and Scotland. In those countries, WannaCry locked doctors out of patient records and forced emergency rooms to turn away ambulances.

What is known about WannaCry

After WannaCry began to spread across computer networks in May 2017, some experts suggested that the worm carrying the ransomware may have been released prematurely due to the lack of a functional system for decrypting victim systems after paying the ransom.

WannaCry used an exploit developed by the National Security Agency (NSA) against a Windows vulnerability in legacy versions of SMB. The exploit, codenamed EternalBlue, was leaked on April 14, 2017. The exploit used a vulnerability in SMB version 1; any Windows system that accepted SMBv1 requests could be at risk for the exploit. Only systems that had SMBv1 support disabled, or that blocked SMBv1 packets from public networks, would resist infection by WannaCry.

Microsoft patched the vulnerability, tracked as CVE-2017-0144, in the Windows MS17-010 patch, first released in March 2017.

The Shadow Brokers is a hacker group that first surfaced in 2016 when it began releasing exploit code that appeared to have been taken from the NSA. The exploit code appeared to have been created in 2013 after disclosures of classified data from the NSA by Edward Snowden. The Shadow Brokers released EternalBlue to the public as part of its fifth leak of classified code in April 2017. The Shadow Brokers claimed they had stolen EternalBlue as well as other exploits and cyberweapons from the NSA-linked Equation Group.

Although Microsoft had issued a patch for the vulnerability a month before it was disclosed, many organizations failed to update their Windows systems and therefore were left exposed to the WannaCry ransomware worm. Some organizations delay patch installation because they use legacy systems that may be negatively affected by new patches.

Security researchers at Symantec Corporation and elsewhere tentatively linked the WannaCry worm to the Lazarus Group, a nation-state APT group with ties to the North Korean government. In December 2017, the White House officially attributed the WannaCry attacks to North Korea.

Due to early reports indicating the threat actors behind the WannaCry ransomware were not providing decryption keys to victims who paid the ransom, most victims chose not to pay. A day after the attack surfaced, security researcher Marcus Hutchins, then better known as "MalwareTech," discovered a kill switch that stopped WannaCry from spreading.

WannaCry caused significant financial consequences, as well as extreme inconvenience for critical businesses across the globe. Estimates of the total financial impact of the WannaCry ransomware were generally in the hundreds of millions of dollars, though the cyber risk modeling company Cyence estimated the total costs associated with the attack could be as high as $4 billion. However, what surprised experts about this attack was how little damage it did compared with the damage it could have done given its worm functionality.

How does WannaCry work?

WannaCry exploits a vulnerability in Microsoft's SMBv1 network resource sharing protocol that enables an attacker to transmit crafted packets to any system that accepts data from the public internet on port 445 -- the port reserved for SMB. SMBv1 has been deprecated as a network protocol, and it is recommended that transmissions from the internet to that port be disabled.

WannaCry uses the EternalBlue worm exploit to spread. The first step is to search the target network for devices accepting traffic on TCP port 445, which indicates the system is configured to run SMB. The next step is to initiate an SMBv1 connection to the device; after the connection is made, a buffer overflow is used to take control of the targeted system and install the ransomware component of the attack.

Once a Windows system on a Windows network is affected, the WannaCry worm propagates itself and infects other unpatched machines -- all without any human interaction.
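The search for hosts accepting TCP port 445 described above leaves a recognizable trace in network flow logs: one internal source contacting many distinct peers on port 445 within a short time. The following Python sketch is an added example, not part of the original article; the log format, the sample records, the 60-second window and the threshold of five hosts are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445

def build_sample():
    """Constructed flow records: 'timestamp src dst dst_port action'."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    rows = []
    for i in range(10):   # normal client: repeated sessions to one file server
        rows.append((base + timedelta(seconds=30 * i), "10.0.0.5", "10.0.0.20", 445))
    for i in range(12):   # worm-like host: 12 distinct peers in 12 seconds
        rows.append((base + timedelta(seconds=100 + i), "10.0.0.66", f"10.0.1.{i + 1}", 445))
    for i in range(6):    # admin workstation: 6 servers spread over an hour
        rows.append((base + timedelta(minutes=10 * i), "10.0.0.7", f"10.0.2.{i + 1}", 445))
    for i in range(20):   # wide fan-out, but on HTTPS rather than SMB
        rows.append((base + timedelta(seconds=i), "10.0.0.8", f"10.0.3.{i + 1}", 443))
    rows.sort()
    return [f"{ts.isoformat()} {s} {d} {p} ALLOW" for ts, s, d, p in rows]

def parse_flow(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def find_smb_fanout(lines, max_hosts=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct port-445 destinations seen in any window}
    for every source that exceeded max_hosts. Input must be time-ordered."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still in window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_flow(line)
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # evict records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, peak in find_smb_fanout(build_sample()).items():
        print(f"{src}: {peak} distinct SMB destinations within 60s")
```

The sliding window is what keeps the admin workstation, which reaches six servers over an hour, from being flagged alongside the host that reaches twelve in seconds; both thresholds need tuning against a network's normal SMB traffic.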

Even after victims paid the ransom, the ransomware didn't automatically release their computers and decrypt their files, according to security researchers. Rather, victims had to wait and hope that WannaCry's developers would deliver decryption keys for the hostage computers remotely over the internet -- a completely manual process that contained a significant flaw: the hackers didn't have any way to prove who had paid the ransom. Since there was only a slight chance the victims would get their files decrypted, the wiser choice was to save their money and rebuild the computers that had been affected, according to security experts.

Stopping the spread of WannaCry

WannaCry used a technique called a kill switch to determine whether or not the malware should carry out encryption on a targeted system. Hardcoded into the malware was a web domain that WannaCry checks for the presence of a live web page when it first runs. If attempting to access the kill switch domain does not result in a live web page, the malware encrypts the system.

UK-based security researcher Marcus Hutchins discovered that he could activate the kill switch if he registered the web domain and posted a page on it. Originally, Hutchins wanted to track the spread of the ransomware through the domain it was contacting but he soon found that registering the domain stopped the spread of the infection.

Other security researchers reported the same findings as Hutchins and said new ransomware infections appeared to have slowed since the kill switch was activated.

In August 2017, after a two-year investigation and just months after he stopped the spread of WannaCry and was publicly identified, Hutchins was arrested by the FBI in Las Vegas after the DEF CON 2017 conference. He was accused of helping to create and spread the Kronos banking Trojan, malware that recorded and exfiltrated user credentials and personally identifying information from protected computers.

Is WannaCry still a threat?

Even though Microsoft issued updates that fixed the SMB vulnerability on March 14, 2017 -- one month before the WannaCry malware was first detected -- the exploit that enabled the rapid spread of the ransomware is still threatening unpatched and unprotected systems.

Exploits of Microsoft's SMB protocol have been extremely successful for malware writers, with EternalBlue being a key component of destructive global NotPetya attacks in June 2017, according to security researchers.

The exploit was also used by the Russian-linked Fancy Bear cyberespionage group, also known as Sednit, APT28 or Sofacy, to attack Wi-Fi networks in European hotels. The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers.

WannaCry is still a threat, in part, because of a radical change in attack vectors. With WannaCry came the concept of the ransomworm -- code that spreads via remote office services, cloud networks and network endpoints alike. A ransomworm only needs one entry point to infect an entire network. In addition, since the initial WannaCry attack in May 2017, more sophisticated variations of the ransomworm have emerged.

These new variants are moving away from traditional ransomware attacks that must have constant communication back to their controllers and replacing them with automated, self-learning methods.

How to defend against WannaCry

Since WannaCry and its variants are ransomware, organizations can defend against them with the same defenses they use against ordinary ransomware, including:

  • patching all Windows systems and blocking all traffic from the public internet on port 445;
  • setting up secure backup procedures that can be used even if the network is disabled;
  • educating users on the dangers of phishing, watering hole attacks and the use of unsafe/unvetted software;
  • considering using anti-ransomware software solutions; and
  • keeping antivirus and firewall software up to date.

WannaCry can be removed manually, though the process may be challenging for less skillful users:

  • Restart the computer in Safe Mode.
  • Remove any suspicious programs from the startup. Hold Windows and R and then type msconfig in the field that appears.
  • Fake or infected items listed there will have "unknown" as the manufacturer. Find and remove these entries. Then hit OK when finished.
  • Hold Windows and R. Type in %temp% and hit OK. A folder will pop up showing all the temporary files in the system. Select them all and then press Shift + Delete to delete them all.
  • Remove files infected with the virus. Hold Windows and R, and type %appdata% into the field and hit OK. Then find and delete the recent files that are associated with the WannaCry ransomware.
  • Clear the registry entries. Hold Windows and R and type in regedit. Navigate to this directory:


If there are keys associated with the ransomware, right click and delete them. Repeat this in the directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Fd3KZfCq

Alternatively, there are a number of tools that will remove WannaCry automatically, including Microsoft's Windows Malicious Software Removal Tool as well as tools from antivirus software vendors.

This was last updated in August 2018
