Ransomware as a service (RaaS) is a business model for cybercrime where the builders of a ransomware operation lease their software to other criminals, called affiliates, or perform ransomware attacks as a service for a fee. Some of the most dangerous variants such as REvil and BlackCat ransomware have been propagated on the RaaS model.
One of the first ransomware outbreaks to reach global scale, WannaCry surfaced on 12 May 2017. It spread so quickly that it infected more than 230,000 computers in a single day across some 150 countries, including the U.S., the United Kingdom, India, Taiwan, Russia, and Ukraine, with estimated damages running into billions of dollars.
WannaCry is unusual among high-profile ransomware attacks in that it propagated as a worm rather than through phishing emails or social engineering. The U.S. and U.K. governments later attributed the attack to North Korea's Lazarus Group. The outbreak was blunted the same day it began, when malware researcher Marcus Hutchins found a kill switch in the code: once he registered the domain the malware checked, newly infected computers stopped running the encryption payload, although the worm component kept scanning for new hosts.
How does WannaCry ransomware work?
As a form of ransomware, WannaCry encrypts files on a victim's computer or server, blocking access until a ransom is paid. The original ransom demand was $300 in bitcoin, doubling to $600 if it was not paid within three days. By locking users out of their files and data, WannaCry crippled IT systems in the businesses it reached within hours.
WannaCry is unusual among ransomware in that it spreads as a worm, a kind of malware that propagates on its own without a host file or any human interaction. It arrived on a machine as a dropper, a self-contained program that unpacks and installs the real payload. The dropper carried an application for encrypting and decrypting data, files holding encryption keys, and a copy of Tor, which the operators used for command and control (C2) communications. Once established on one device, the worm scanned for other hosts exposing SMB on TCP port 445, both on the local network and across randomly chosen internet addresses, and exploited any that were unpatched.
WannaCry broke in using an exploit called EternalBlue, developed by the United States National Security Agency (NSA) and published by a group calling itself the Shadow Brokers in April 2017. EternalBlue only works against Windows systems missing the MS17-010 security update, which Microsoft had released in March 2017, but in May 2017 a great many machines remained unpatched, which enabled the rapid spread of the malware.
The underlying flaw (CVE-2017-0144) was in how Windows handled version 1 of the Server Message Block (SMB) protocol, the file- and printer-sharing protocol that Windows hosts use to talk to each other. Specially crafted SMBv1 packets could make the kernel-mode SMB server execute arbitrary code with no authentication; EternalBlue is the exploit that does exactly that. Microsoft had patched the flaw two months earlier, but many thousands of computers around the world remained unpatched and exposed.
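The practical check that follows from the two paragraphs above is whether a host still speaks SMBv1 at all. The script below is an added example for this article, not code from WannaCry, Microsoft, or Akamai: it sends only the SMBv1 NEGOTIATE step (from MS-CIFS) offering the NT LM 0.12 dialect and classifies the reply. It does not test for the MS17-010 bug itself, so "smb1-accepted" means the attack surface is present, not that the host is unpatched, while a host that refuses SMBv1 cannot be hit by EternalBlue. The sample responses are constructed for offline testing, not captured from a real server; run the live probe only against hosts you are authorised to scan.

```python
"""Probe whether a host still negotiates SMBv1 (NT LM 0.12) on TCP 445.

Added example, not WannaCry or Microsoft code. Constructed responses are used
for offline testing; probe_smb1() is the only function that touches the network.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"   # the SMBv1 dialect that EternalBlue-era Windows speaks
NO_DIALECT = 0xFFFF       # DialectIndex meaning "none of the offered dialects accepted"


def _smb1_header(command: int, status: int = 0, flags: int = 0x18, flags2: int = 0xC801) -> bytes:
    """32-byte SMBv1 header. flags2 0xC801 = Unicode | NT status | extended security | long names."""
    return (SMB1_MAGIC
            + struct.pack("<BIBH", command, status, flags, flags2)
            + struct.pack("<H", 0)                          # PIDHigh
            + b"\x00" * 8                                   # SecurityFeatures (signing), unused here
            + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0))    # Reserved, TID, PID, UID, MID


def _netbios(payload: bytes) -> bytes:
    """NetBIOS session service header: type 0x00 followed by a 24-bit big-endian length."""
    return struct.pack(">I", len(payload)) + payload


def build_negotiate_request() -> bytes:
    """SMBv1 NEGOTIATE offering a single dialect, so the server's answer is unambiguous."""
    dialects = b"\x02" + DIALECT + b"\x00"                    # BufferFormat 0x02 + NUL-terminated name
    body = struct.pack("<BH", 0, len(dialects)) + dialects    # WordCount 0, ByteCount, dialect list
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + body)


def parse_negotiate_response(data: bytes) -> str:
    """Classify a raw reply to build_negotiate_request()."""
    smb = data[4:]                                  # strip the NetBIOS session header
    if len(smb) < 35:                               # header (32) + WordCount (1) + DialectIndex (2)
        return "malformed"
    if smb[:4] == SMB2_MAGIC:
        return "smb2-only"                          # server answered in SMB2/3 framing
    if smb[:4] != SMB1_MAGIC:
        return "not-smb"
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE or status != 0:
        return "smb1-error"
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if word_count == 0 or dialect_index == NO_DIALECT:
        return "smb1-no-dialect"                    # SMBv1 framing, but the dialect was refused
    return "smb1-accepted"                          # host will talk NT LM 0.12: SMBv1 is enabled


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the NEGOTIATE and classify the reply. Hosts with SMBv1 removed typically reset."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            return parse_negotiate_response(sock.recv(4096))
    except OSError:                                 # refused, reset, or timed out
        return "no-smb1-answer"


def constructed_response(dialect_index: int) -> bytes:
    """A minimal, constructed NEGOTIATE response (WordCount 17) for offline testing."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32        # DialectIndex + 16 further words
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)     # WordCount, words, ByteCount 0
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        print("constructed:", parse_negotiate_response(constructed_response(0)))
```

Feed the script a list of your own hosts and treat every "smb1-accepted" as a remediation item: on supported Windows versions SMBv1 can be removed outright, and on anything that cannot be patched or upgraded the host should at least not be reachable on 445 from other segments.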
What was the impact of WannaCry infections?
Many large organizations around the world were hit, including the Spanish telecommunications company Telefónica and the United Kingdom's National Health Service (NHS), where roughly one-third of hospital trusts in England were affected and some had to divert ambulances and cancel appointments.
How was WannaCry ransomware stopped?
When examining the WannaCry code, security researcher Marcus Hutchins noticed that, before running its payload, the malware tried to connect to an unregistered domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If that connection failed, WannaCry went on to encrypt files on the machine; if it succeeded, the malware simply exited. Hutchins registered the domain, so the check now succeeded everywhere: machines that were already infected kept scanning and spreading, but newly infected ones no longer encrypted anything, which neutralized most of the damage. Two caveats matter in practice. The kill switch did nothing for machines that had already been encrypted, and hosts that could not reach the domain directly (no internet access, or an outbound proxy the malware did not use) were still encrypted.
Windows 10 machines with automatic updates enabled had already received the March MS17-010 update before the outbreak and were not vulnerable. The day after the outbreak began, Microsoft also released the SMB patch for unsupported systems such as Windows XP and Windows Server 2003.
Is WannaCry ransomware still a threat?
The WannaCry worm is still a threat. Later variants remove the kill-switch domain from the code, so registering a domain cannot stop them. They still exploit the EternalBlue SMBv1 vulnerability and can infect any unpatched Windows system that exposes SMBv1, which is why WannaCry infections keep appearing on networks with legacy hosts.
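The two previous sections suggest two detection signals: a lookup of the kill-switch domain, which is low-noise but absent in the variants that drop the kill switch, and the worm's own behaviour, one host opening TCP 445 to many distinct neighbours in a short window, which no variant can avoid. The script below is an added example for this article, not code from Akamai or from any WannaCry analysis; the two log line formats, the host addresses and the sample lines are constructed for the example, and the window and threshold are assumed starting points to tune against your own baseline.

```python
"""Hunt for WannaCry-style activity in DNS and firewall logs.

Added example, not code from WannaCry's analysts or from Akamai. Log formats,
addresses and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# The kill-switch domain named in the article. Variants that drop the kill switch never
# look it up, so this check is a low-noise indicator but never a sufficient one.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Assumed line formats:  "<iso8601> <client> query <type> <qname>"
#                        "<iso8601> <src> -> <dst>:<port> SYN"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) SYN$")


def _epoch(ts: str) -> float:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def kill_switch_lookups(dns_lines):
    """(timestamp, client) for every lookup of a known kill-switch domain."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and m["qname"].rstrip(".").lower() in KILL_SWITCH_DOMAINS:
            hits.append((m["ts"], m["src"]))
    return hits


def smb_fanout(fw_lines, window: int = 60, threshold: int = 10):
    """Sources that opened TCP/445 to at least `threshold` distinct hosts inside one
    `window`-second bucket: the signature of a worm scanning for SMB, not of a user
    opening a file share. Returns {src: peak distinct destinations}."""
    per_bucket = defaultdict(set)                    # (src, bucket) -> {dst, ...}
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m or int(m["port"]) != 445:
            continue
        bucket = int(_epoch(m["ts"]) // window)      # fixed buckets keep the logic simple
        per_bucket[(m["src"], bucket)].add(m["dst"])
    peak = defaultdict(int)
    for (src, _), dsts in per_bucket.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}


def hunt(dns_lines, fw_lines):
    """Combine both signals; a host that appears in both is the strongest lead."""
    lookups = kill_switch_lookups(dns_lines)
    fanout = smb_fanout(fw_lines)
    both = sorted({src for _, src in lookups} & set(fanout))
    return {"kill_switch_lookups": lookups, "smb_fanout": fanout, "both": both}


# Constructed sample logs: 10.0.5.17 looks up the kill-switch domain, then hits twelve
# neighbours on 445 within one minute; 10.0.5.22 is an ordinary file-share user.
DNS_LOG = [
    "2017-05-12T10:01:03Z 10.0.5.17 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T10:01:09Z 10.0.5.22 query A update.example.net",
]
FW_LOG = [f"2017-05-12T10:02:{i:02d}Z 10.0.5.17 -> 10.0.5.{100 + i}:445 SYN" for i in range(12)]
FW_LOG += [
    "2017-05-12T10:02:05Z 10.0.5.22 -> 10.0.9.5:445 SYN",
    "2017-05-12T10:02:40Z 10.0.5.22 -> 10.0.9.5:445 SYN",
    "2017-05-12T10:03:15Z 10.0.5.22 -> 192.0.2.10:443 SYN",
]

if __name__ == "__main__":
    print(hunt(DNS_LOG, FW_LOG))
```

The fan-out check is deliberately protocol-agnostic: it would also flag other SMB worms, and legitimate scanners such as a vulnerability management appliance, so whitelist those sources rather than raising the threshold until the worm disappears with them.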
How can attacks like WannaCry ransomware be prevented?
Preventing attacks like WannaCry requires that organizations adopt a comprehensive and multilayered approach to cybersecurity.
Updates and patches. The MS17-010 update that closed the hole WannaCry used had been available for two months before the outbreak. Applying security updates promptly, and keeping an inventory of hosts that cannot be patched so that they can be isolated, prevents a broad range of attacks that exploit known vulnerabilities in hardware and software.
Zero Trust security. The Zero Trust approach prevents many attacks and limits lateral movement by granting no implicit trust to anything on the network. Every user, device, and application is authenticated and validated on each request for access to IT assets, and the principle of least privilege means that access is granted only as needed and only for a limited period of time.
Centralized policy management. When IT administrators can manage security from a single location, they can set company-wide policies that help to avoid security gaps and take advantage of the latest threat intelligence.
Antivirus and anti-malware technology. Endpoint protection together with mail and web filtering can detect and block known ransomware droppers, payloads, and malicious attachments before they run, and can catch worm-like scanning from an already infected host.
Employee education. Because human error plays such a significant role in enabling many attacks, IT teams must constantly educate employees on the latest cybercriminal tactics as well as best practices that employees must use to prevent attacks.
Encryption. Encrypting files helps to prevent sensitive data from being leaked in the event of a data breach or a ransomware attack where confidential information is exfiltrated.
Identity and access control. Security elements like strong passwords and multi-factor authentication can help to prevent attackers from gaining unauthorized access to accounts and IT environments.
Backups. Frequent backups, kept offline or on immutable storage that an infected host cannot write to, and tested by actually restoring from them, ensure that encrypted data can be recovered without paying.
Continuous monitoring. By constantly monitoring the tech environment to search for potential threats, IT teams can gain an earlier indication of potential attacks.
Network segmentation. Segmenting the network into smaller subnets keeps a successful attack in one part of the network from reaching files in other parts; blocking SMB (TCP port 445) between user segments and from the internet stops a worm like WannaCry from finding new hosts to exploit. Software-defined microsegmentation goes further, isolating individual workloads to prevent attackers from moving laterally through a system and reaching sensitive data.
Security certifications. IT teams must maintain security certifications and monitor adherence to regulatory frameworks to ensure that their organization, and any vendors they work with, are conforming to best practices for preventing ransomware and other cyberattacks. For example, healthcare organizations and emergency responders can ensure the security of data and patient records by complying with the standards set by the Defense Information Systems Agency (DISA) for configuring security controls.
Ransomware is a type of malware, or malicious software, that encrypts files on a server or a device, preventing legitimate users and organizations from accessing them until a ransom is paid for the keys that will decrypt the files. Because ransomware can prevent access to company-critical information, it can quickly cause devastating disruption to business continuity. Ransom payments may range from several hundred dollars to millions of dollars in cryptocurrency, depending on the victim and the value of the encrypted data.
While the WannaCry ransomware spreads as a worm, most ransomware attacks use social engineering techniques like phishing emails or fake websites to dupe users into revealing credentials that allow attackers to gain access to an IT environment. Alternatively, botnets like the Meris botnet may help to spread ransomware by infecting thousands or millions of machines with malware that gives attackers the ability to control the devices.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.