WannaCry is a ransomware cryptoworm cyber attack that targets computers running the Microsoft Windows operating system. It was initially released on 12 May 2017. The ransomware encrypted data and demanded ransom of $300 to $600, paid in the cryptocurrency Bitcoin. WannaCry is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WanaCrypt0r 2.0 and Wanna Decryptor.
Once installed, WannaCry installed a backdoor in infected systems.
WannaCry exploited a known vulnerability in older Windows systems called EternalBlue, which was found by the United States National Security Agency (NSA).
EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack. While EternalBlue was quickly patched, much of WannaCry's success was due to organizations not patching or using older Windows systems.
Quick patching and the discovery of kill switch domains prevented infected computers from spreading WannaCry. That said, estimates from Europol peg the number of computers infected at more than 200,000 across 150 countries with damages ranging from hundreds of millions to billions of dollars.
Security experts, the United States, United Kingdom, Canada, Japan, New Zealand and Australia formally asserted that North Korea was behind the attack.
In August 2018, a new variant of WannaCry forced Taiwan Semiconductor, a chip-fabrication company, to shut down several of its plants when the virus spread to 10,000 machines across its most advanced facilities.
How did WannaCry spread?
The spread of WannaCry was enabled by EternalBlue, a zero-day exploit in legacy versions of Windows computers that used an outdated version of the Server Message Block (SMB) protocol.
WannaCry is a network worm with a transport mechanism designed to automatically spread itself. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar and executes a copy of itself.
WannaCry can also take advantage of existing DoublePulsar infections instead of install it itself. DoublePulsar is a backdoor tool released by The Shadow Brokers on 14 April 2017. By 21 April 2017, security researchers reported that tens of thousands of computers had DoublePulsar installed. By 25 April 2017, estimates pegged the number of infected computers in the hundreds of thousands.
How does WannaCry work?
When executed, WannaCry checks to see if the kill switch domain is available. If it is unavailable the ransomware encrypts computer data and then attempts to exploit EternalBlue to spread to more computers on the Internet and on the same network.
An infected computer will search the target network for devices accepting traffic on TCP ports 135-139 or 445 indicating the system is configured to run SMB.
It will then initiate an SMBv1 connection to the device and use buffer overflow to take control of the system and install the ransomware component of the attack.
As with other ransomware, the malware displays a message informing the user their files have been encrypted and demands a ransom payment of $300 in Bitcoin within three days or $600 within seven days.
Three hardcoded Bitcoin addresses are used to receive payments from victims. As with all Bitcoin wallets, transactions and balances are publicly accessible but the owners remain unknown.
Security experts advise affected users against paying the ransom because payment often does not result in data recovery.
When was WannaCry patched?
The day following the initial attack, Microsoft released security updates for Windows XP, Windows Server 2003 and Windows 8. These patches were created in February following a tip off about the vulnerability in January 2017.
On 14 March 2017, Microsoft released MS17-010 which detailed the flaw and patched the EternalBlue exploit for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2016.
In addition to the patch, Marcus Hutchins of MalwareTech discovered the kill switch domain hardcoded in WannaCry. He then registered the domain to stop the attack spreading as the worm would only encrypt computer files if it was unable to connect to the domain. This did nothing to help infected systems but severely slowed the spread of the worm and gave time for defensive measures to be deployed.
On 14 May 2017, a new variant of WannaCry appeared with a new and second kill switch which was registered by Matt Suiche the same day. The next day another variant with the third and final kill switch was registered by Check Point threat analysts.
In the following days, another version of WannaCry was detected that lacked a kill switch altogether.
On 19 May 2017, hackers were trying to use a botnet to perform a distributed denial of service (DDoS) attack on WannaCry's kill switch domain to take it offline. On 22 May 2017, the domain was protected by switching to a cached version of the site that is capable of dealing with much larger traffic loads than live sites.
Separately, researchers from the University College London and Boston University reported that their PayBreak system could defeat WannaCry and other ransomware attacks by recovering the keys used to encrypt user data, allowing for decryption without payment.
Who was behind the WannaCry cyber attack?
Linguistic analysis of the ransom notes indicated the authors were fluent in Chinese and proficient in English as versions of the notes in those languages seemed human-written while other languages seemed to be machine-translated.
The FBI's Cyber Behavioral Analysis Center said the computer that created the ransomware language files had Hangul language fonts installed due to the presence of the "\fcharset129" Rich Text Format tag. Metadata in the languages files also indicated the computers were set to UTC+09:00 used in Korea.
Researchers from Google, Microsoft, Kaspersky Lab and Symantec all said the code had similarities to malware used by the North Korean Lazarus Group which has been tied to the cyber attack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016.
A leaked NSA memo and the UK's National Cyber Security Centre also reached the same conclusion.
On 18 December 2017, the United States Government formally announced its belief that North Korea was behind the WannaCry attack. Canada, New Zealand, Australia, the United Kingdom and Japan all stood behind the United States' assertion.
North Korea, however, denied being responsible for the cyber attack.
Who was affected by WannaCry?
The scale was WannaCry was unprecedented with estimates of around 200,000 computers infected across 150 countries, with Russia, Ukraine, India and Taiwan the most affected according to Kaspersky Lab.
One of the largest agencies impacted was the National Health Service, the publicly funded national healthcare system for England and one of the four National Health Services for each constituent country of the United Kingdom. It is the largest single-payer healthcare system in the world.
Up to 70,000 devices including computers, MRI scanners, blood-storage refrigerators and theatre equipment may have been affected. This led to some NHS services turning away non-critical emergencies and ambulances being diverted.
Alongside NHS, Telefónica, one of the largest telephone operators and mobile network providers in the world, was one of the first major organisations to report problems caused by WannaCry. FedEx, Nissan, the Russian interior ministry, police in Andhra Pradesh India, universities in China, Hitachi, Chinese police and Renault were also affected.
What was the reaction to WannaCry?
Much of the media attention around WannaCry was due to the fact that the National Security Agency (NSA) had discovered the vulnerability and used it to create an exploit for its own offensive work, rather than report it to Microsoft. Edward Snowden said if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened."
On 17 May 2017, in response to criticism about the lack of disclosure, United States lawmakers introduced the PATCH Act which aims to "balance the need disclose vulnerabilities with other national security interests while increasing transparency and accountability to main public trust in the process".
The WannaCry ransomware attack is one of the worst cyber attacks in recent memory. Despite the scale, the attack relies on the same mechanism of many successful attacks: finding exposed ports on the Internet and exploiting known vulnerabilities.
When you think about it like that, WannaCry loses a lot of its mystique.
How to prevent cyber attacks like WannaCry
The best way to prevent attack like WannaCry is basic IT security and security configurations, such as patching all systems. EternalBlue connects to exposed SMB ports, which should never be open to the Internet anyway.
This is security 101 for anyone running a Microsoft data center. Ports 135-139 and 445 are not safe to publicly expose and have not been for a decade.
It shows how poor cyber resilience is worldwide, preventable misconfigurations and known vulnerabilities can wreck global havoc and caused hundreds of millions to billions of dollars of lost productivity. What it comes down to is not flaws in software, code or firewalls (although those help) but processes and priorities.
Two basic axioms of security are to keep your systems patched and use software that isn't at end-of-life. If these two ideas were followed across the globe, it's likely WannaCry would have had much less impact.
What's really worrying is how vulnerable we must be to truly advanced cyber threats and hacking tools.
The other things we must consider are information security and information risk management. There should never be a situation where important data, sensitive data or personally identifiable information (PII) isn't stored elsewhere. Nor should a critical business function have no adequate process in place to restore the system to a working state.
Here’s how to prevent attacks like WannaCry and minimize their impact if they do occur:
- No single point of failure: Whether it's ransomware, hardware failure, database error, or something else. If your data is important, then it should be backed up, at least one other secure location.
- Automate provisioning process: If an asset is taken down by ransomware or anything else, you should be able to return it to a working state as soon as possible.
- Patch everything: Keep your systems up-to-date to avoid known exploits.
These tactics reduce the cybersecurity risk of ransomware, turning it from a disaster to a minor nuisance. This is why cybersecurity is important, it's not enough to install an antivirus and hope for the best. You need real-time cybersecurity monitoring of you and your third-party vendors to reduce third-party risk and fourth-party risk. You need to formulate a cybersecurity risk assessment process, third-party risk management framework and vendor risk management program.
How UpGuard can help protect your organization from ransomware attacks like WannaCry
Our platform shows where you and your vendors are susceptible to vulnerabilities like EternalBlue. UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure. Helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.
Cybersecurity is becoming more important than ever before.