In May 2017, a new ransomware attack began threatening everyone on the internet. This attack, called WannaCry, was particularly destructive because it infected so many computers in such a short time.
In this article, we will explain what ransomware is and how the WannaCry ransomware attack worked. We will also discuss why this particular attack was so damaging, cover its solution, and explore some possible prevention options.
What Is WannaCry Ransomware?
Ransomware is a type of malware that encrypts its victims’ files until they pay the required amount of money in exchange for the decryption key. The WannaCry ransomware attack was perilous – it affected hundreds of thousands of computers in 150 countries within just a few days.
This attack used the EternalBlue exploit, which targets a vulnerability in the Windows operating system in order to spread quickly. Specifically, the most vulnerable devices were those still running the legacy SMBv1 version of the Server Message Block protocol. It is believed that the exploit leaked from the National Security Agency (NSA).
The WannaCry threat actors demanded a ransom payment of $300-$600 in Bitcoin within three days, in exchange for the decryption key. Unfortunately, even after paying the ransom, very few victims were given a key to decrypt their files.
The US government attributed the WannaCry attacks to North Korea. The attack was declared state-sponsored, and it is thought that the Lazarus Group launched it.
How Does WannaCry Ransomware Work?
There are two main types of ransomware: locker ransomware, which locks you out of your computer until you pay the ransom, and crypto-ransomware, which encrypts your files so you cannot read them.
WannaCry is the latter type, and it propagates as a worm, meaning it can spread without any participation from the victim. For that reason, WannaCry is considered a cryptoworm or ransomworm. The moment one system was infected, the worm propagated and infected the remaining unpatched devices on the network with no human interaction.
But how was this made possible?
Two months before the attack, Microsoft released a security patch against the existing vulnerability, but not everyone updated their operating systems on time. This was an opportunity for the threat actor to launch EternalBlue successfully.
At first, it was believed that the spread was made possible through a phishing campaign, but soon after the attack took place, it was established that EternalBlue was used to facilitate the spread, with DoublePulsar serving as a backdoor. WannaCry’s creators planted DoublePulsar on compromised computers so that WannaCry could be executed on them.
Affected users were told not to pay the ransom. The hackers had no way of knowing who had paid, so victims who delivered the funds could only hope that the attackers would send a decryption key.
The Consequences of the WannaCry Attack
Although the damage that WannaCry ransomware caused was devastating, security researchers were surprised it didn’t wreak even more havoc, given its worm functionality. It is estimated that during 2017 the financial loss amounted to $4 billion, with more than 200,000 devices affected. These numbers have risen even higher since, as this form of threat is still active today.
After the attacks, commercial ransomware attacks gained more popularity within the black hat hacker community, constituting 39% of all malware attacks in 2017.
Although the WannaCry hack was a wake-up call, and organizations started developing better security measures aimed at more effective vulnerability patching in its aftermath, the Protecting Our Ability to Counter Hacking Act that the US Congress proposed never passed.
If it had, all hardware and software owned by the government would have been regularly reviewed by an independent board of experts, and unpatched systems with potential WannaCry exploits would have been fixed quickly.
Overall, the ransomware’s impact was extremely far-reaching, as it affected phone companies and even healthcare institutions such as the British National Health Service, which lost £92 million due to 19,000 appointments getting canceled.
A Groundbreaking Kill Switch
While examining the WannaCry ransomware and reverse engineering its samples, Marcus Hutchins, also known as MalwareTech, came across a web URL whose domain was an unregistered, gibberish-looking name.
He found that if the program could reach the URL, the ransomware wouldn’t run, so the URL served as a kind of kill switch. When he registered the domain, it shut down the WannaCry ransomware. This accidental discovery helped stop the spread of the worm.
Is WannaCry Still a Threat?
The answer is yes. Due to changes in the broader attack surface and attack vectors, this threat is still alive and well. Moreover, although Microsoft offers patches that prevent vulnerabilities, many organizations still fail to update their operating systems regularly. Data from the first quarter of 2021 shows a 53% increase in successful WannaCry attacks.
Encouraged by this successful attack, more and more variants of cryptoworm and ransomworm spread across the world, and many networks keep getting immobilized due to their insufficient cyber protection measures. This ransomware spreads quickly and needs only one entry point to spread throughout the entire network.
How to Safeguard Against WannaCry Ransomware
The first thing to do when defending against WannaCry should be to disable SMBv1. Then, make sure the operating system is updated to the latest patched version.
After that, take a closer look at your network traffic and systems. Any suspicious file creation, especially files carrying the WannaCry document extension, could be a clue that this malicious software is trying to worm its way into your files.
Outbound traffic on the SMB ports TCP 445 and 139 and DNS queries for the kill-switch domain are further warning signs, as are connections to ports 9001 and 9003 on the Tor network.
Although WannaCry will not activate if it can contact the kill-switch URL, it can remain on your system even while it isn’t encrypting anything. Therefore, if your Windows devices are unpatched, fix that immediately so you can head off the threat before it has a chance to start encrypting your files.
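The warning signs listed above can be turned into simple detection rules. The script below is an added example written for this article; it is not code from the original page or from any vendor. It runs the four checks (outbound SMB on TCP 445/139, lookups of the kill-switch domain, connections to Tor ports 9001/9003, and creation of files with the ransomware extension) over a handful of constructed log lines in a simplified key=value format, and adds one heuristic the article only implies: a single host opening SMB connections to many distinct targets, which is what worm-style spreading looks like. The kill-switch domain is a placeholder because the article does not name it, the `.WNCRY` extension is the one widely reported for WannaCry-encrypted files (the article only says "the WannaCry document extension"), and the internal address ranges and the fan-out threshold are assumptions you would tune for your own network.

```python
"""Added example: WannaCry warning-sign detector over constructed log lines.

Assumptions (none of these values come from the article):
  - KILL_SWITCH_DOMAIN is a placeholder; substitute the real domain.
  - RANSOM_EXTENSION is the extension widely reported for WannaCry.
  - INTERNAL_NETS and SMB_FANOUT_THRESHOLD are tuning values for this demo.
  - Log lines use a simplified, constructed "key=value" layout.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real domain
RANSOM_EXTENSION = ".wncry"                        # assumption: widely reported extension
SMB_PORTS = {445, 139}                            # from the article
TOR_PORTS = {9001, 9003}                          # from the article
INTERNAL_NETS = ("10.", "192.168.")               # assumption: what counts as "inside"
SMB_FANOUT_THRESHOLD = 3                          # assumption: distinct SMB targets per host


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def parse(line: str) -> dict[str, str]:
    """Split a constructed 'key=value key=value' log line into a dict."""
    fields: dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NETS)


def check_line(line: str) -> list[Alert]:
    """Apply the per-line rules from the article to one log line."""
    f = parse(line)
    alerts: list[Alert] = []
    kind = f.get("type")
    if kind == "conn":
        dport = int(f.get("dport", 0))
        src, dst = f.get("src", ""), f.get("dst", "")
        # SMB leaving the network: SMB should never cross the perimeter.
        if dport in SMB_PORTS and is_internal(src) and not is_internal(dst):
            alerts.append(Alert("outbound-smb", line))
        # Tor ports named in the article.
        if dport in TOR_PORTS:
            alerts.append(Alert("tor-port", line))
    elif kind == "dns":
        if f.get("query", "").lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            alerts.append(Alert("kill-switch-lookup", line))
    elif kind == "file":
        path = f.get("path", "").lower()
        if f.get("action") == "create" and path.endswith(RANSOM_EXTENSION):
            alerts.append(Alert("ransom-extension", line))
    return alerts


def scan(lines: list[str]) -> list[Alert]:
    """Run per-line rules, then the cross-line SMB fan-out heuristic."""
    alerts: list[Alert] = []
    smb_targets: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        alerts.extend(check_line(line))
        f = parse(line)
        if f.get("type") == "conn" and int(f.get("dport", 0)) in SMB_PORTS:
            smb_targets[f.get("src", "")].add(f.get("dst", ""))
    # A worm probes many hosts on 445; ordinary file sharing talks to a few.
    for src, dsts in smb_targets.items():
        if len(dsts) >= SMB_FANOUT_THRESHOLD:
            alerts.append(Alert("smb-fanout", f"src={src} distinct_smb_targets={len(dsts)}"))
    return alerts


# Constructed sample log lines (not real traffic).
LOG_LINES = [
    "type=conn src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp",
    "type=conn src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp",
    "type=conn src=10.0.0.5 dst=10.0.0.10 dport=445 proto=tcp",
    "type=conn src=10.0.0.5 dst=10.0.0.11 dport=445 proto=tcp",
    "type=conn src=10.0.0.8 dst=198.51.100.2 dport=9001 proto=tcp",
    "type=dns src=10.0.0.5 query=killswitch-domain.example",
    "type=file host=ws05 action=create path=C:\\Users\\alice\\report.docx.WNCRY",
    "type=conn src=10.0.0.6 dst=10.0.0.2 dport=443 proto=tcp",
    "type=file host=ws06 action=create path=C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(f"[{alert.rule}] {alert.detail}")
```

On the sample lines this raises five alerts: one for SMB leaving the network, one for the Tor port, one for the kill-switch lookup, one for the `.WNCRY` file, and one fan-out alert for host 10.0.0.5, which touched four distinct SMB targets. Internal-to-internal SMB on its own is deliberately not flagged, since ordinary file sharing would drown the signal; the fan-out count is what separates a worm from a file server.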
How To Protect Yourself From Ransomware
Now that we’ve established what the WannaCry attack is and how it works, let’s see what steps you can take to protect your devices from ransomware in general.
Never Click On Suspicious Links
If you get an email with a link or an attachment, or you’re browsing the web, and the link seems off, don’t click on it. This could easily be ransomware that can be downloaded to your device with a single interaction.
Don’t Use Unknown USBs
Even though many users don’t think twice about using a USB drive that doesn’t belong to them, experts advise against inserting unknown USB drives into your computer, as they might carry ransomware that gets planted on your device.
Keep Your Operating System and Software Up To Date
WannaCry was one of the largest ransomware attacks ever, and it succeeded mainly because the affected computers were not up to date. However, it is definitely not the only such threat active today.
Your computer can fall victim to various ransomware attacks just because it is not updated with the latest security patches. Even when a patch is available, if you haven’t updated your software and operating system, you might be vulnerable to ransomware.
Invest in Cybersecurity Training for Your Employees
Many data breaches and security threats that affect corporations were made possible by the lack of employee knowledge of cybersecurity. Investing in cybersecurity training for your staff is essential because this can minimize the risk of a data breach and prevent financial and operational losses.
Never Download from Websites You Don’t Trust
The only way of knowing that the files you download are safe from ransomware and other forms of malware is to only download files from trusted sources. Otherwise, you might end up downloading ransomware or other dangerous files.
Back Up Your Data
Even if your files got encrypted by WannaCry malware, you would have far less to worry about if all your data were backed up. However, bear in mind that it’s essential to disconnect your external storage devices from your computer once you’ve finished backing up your files.
Install and Keep Your Anti-Malware Solution Up To Date
A reliable anti-malware service is essential for keeping your devices secure on the internet. While it’s imperative to choose the right one, you must also keep it up to date so you can be sure it will work against all threats.
WannaCry ransomware is a severe cryptoworm that can have devastating consequences, and it’s important to know how to protect your devices from it. Although this threat remains active today, we know what steps can be taken to avoid falling prey to it and suffering incredible financial losses.
Apart from using an anti-malware solution and avoiding risky internet behavior, keeping your software and systems up to date is paramount. This is also good advice for defending against all other forms of malware.