{"id":736,"date":"2023-04-14T07:07:18","date_gmt":"2023-04-14T07:07:18","guid":{"rendered":"https:\/\/dataprot.net\/?p=736"},"modified":"2023-07-14T07:37:03","modified_gmt":"2023-07-14T07:37:03","slug":"wannacry-ransomware-attack","status":"publish","type":"post","link":"https:\/\/dataprot.net\/guides\/wannacry-ransomware-attack\/","title":{"rendered":"Everything You Need To Know About the WannaCry Ransomware Attack"},"content":{"rendered":"\n
In May 2017, a new ransomware attack began spreading across the internet. This attack, called WannaCry<\/strong>, was particularly destructive because it infected so many computers in such a short time.<\/p>\n\n\n\n In this article, we will explain what ransomware is and how the WannaCry ransomware attack worked. We will also discuss why this particular attack was so damaging, cover how it was stopped, and explore some prevention options.<\/p>\n\n\n\nWhat Is WannaCry Ransomware?<\/h2>\n\n\n\n Ransomware is a type of malware that encrypts its victims\u2019 files and demands a payment in exchange for the decryption key<\/strong>. The WannaCry ransomware attack was exceptionally widespread: it affected hundreds of thousands of computers in around 150 countries within just a few days.<\/p>\n\n\n\n The attack spread using the EternalBlue exploit<\/strong>, which targets a flaw in the Windows implementation of version 1 of the Server Message Block protocol (SMBv1). Any Windows machine with SMBv1 exposed on the network and the corresponding security update missing could be compromised remotely, with no user involvement. EternalBlue is widely attributed to the National Security Agency (NSA) and was published online by the Shadow Brokers group in April 2017, about a month before the attack.<\/p>\n\n\n\n The WannaCry threat actors demanded a ransom of $300 in Bitcoin<\/strong>, rising to $600 if the victim did not pay within three days, in exchange for the decryption key. Unfortunately, even victims who paid rarely received a working decryption key.<\/p>\n\n\n\n The US government attributed the WannaCry attack to North Korea. It was declared state-sponsored, and the Lazarus Group is thought to have launched it.<\/p>\n\n\n\nHow Does WannaCry Ransomware Work?<\/h2>\n\n\n\n There are two main types of ransomware: locker ransomware, which locks you out of your computer until you pay the ransom, and crypto-ransomware, which encrypts your files so you cannot read them.<\/p>\n\n\n\n WannaCry is the latter type, and it propagates as a worm, meaning it can spread without any action by the victim. WannaCry is therefore considered a cryptoworm or ransomworm<\/strong>. 
Once one system on a network was infected, the worm scanned for other Windows hosts with SMB exposed and infected every unpatched one it could reach, with no human interaction.<\/p>\n\n\n\n But how was this made possible?<\/p>\n\n\n\n Two months before the attack, Microsoft released a security patch<\/strong> for the SMBv1 vulnerability, but not everyone updated their operating systems<\/strong> in time. Every unpatched, reachable machine was an opportunity for the threat actor to run EternalBlue successfully.<\/p>\n\n\n\n At first, it was believed that the spread was made possible through a phishing campaign<\/a>, but soon after the attack took place, it was established that EternalBlue facilitated the spread, with DoublePulsar<\/a> acting as a backdoor. The exploit gives the attacker code execution in the Windows kernel, which is used to implant DoublePulsar; the backdoor is then used to load and execute the WannaCry payload on the compromised machine.<\/p>\n\n\n\n Affected users were told not to pay the ransom: the attackers had no reliable way of knowing who had paid, so victims could only hope that a decryption key would be sent once they delivered the funds.<\/p>\n\n\n\nThe Consequences of the WannaCry Attack<\/h2>\n\n\n\n Although the damage WannaCry caused was devastating, security researchers were surprised that, given its worm functionality, it did not wreak even more havoc. It is estimated that during 2017, the financial loss amounted to $4 billion, with more than 200,000 devices affected<\/strong>. 
These numbers have risen since, as this form of threat is still active today.<\/p>\n\n\n\n After the attack, ransomware gained further popularity within the black hat hacker community, constituting 39% of all malware attacks in 2017.<\/p>\n\n\n\n Although the WannaCry attack was a wake-up call and organizations started developing better security measures aimed at faster vulnerability patching in the aftermath, the Protecting Our Ability to Counter Hacking (PATCH) Act proposed in the US Congress never passed.<\/p>\n\n\n\n If it had, a review board would have formally decided whether vulnerabilities discovered or acquired by US government agencies, such as the SMBv1 flaw behind EternalBlue, should be disclosed to the vendor so they could be patched, rather than retained for offensive use.<\/p>\n\n\n\n Overall, the ransomware\u2019s impact was extremely far-reaching, as it affected phone companies and even healthcare institutions such as the British National Health Service, which lost \u00a392 million<\/strong> due to 19,000 appointments getting canceled.<\/p>\n\n\n\nA Groundbreaking Kill Switch<\/h2>\n\n\n\n While examining and reverse engineering the WannaCry samples, Marcus Hutchins, also known as MalwareTech<\/strong>, came across a hard-coded domain name made up of seemingly random characters that nobody had registered.<\/p>\n\n\n\n Before doing anything else, the malware tried to open that URL. If the connection succeeded, the program exited without spreading or encrypting anything, so the domain served as a kill switch. When Hutchins registered the domain and pointed it at a sinkhole server, new infections that could reach it stopped. This accidental discovery is what halted the spread of the worm, although it did nothing for machines that had already been encrypted.<\/p>\n\n\n\nIs WannaCry Still a Threat?<\/h2>\n\n\n\n The answer is yes. The original samples are still circulating, and new variants have appeared, some of them without the kill switch. Moreover, although Microsoft has offered a patch for the vulnerability since before the attack, many organizations still fail to update their operating systems regularly. 
Data from the first quarter of 2021 reportedly showed a 53% increase in successful WannaCry attacks<\/strong>.<\/p>\n\n\n\n Encouraged by this successful attack, more and more cryptoworm and ransomworm variants have spread across the world, and many networks keep getting immobilized because their cyber protection measures are insufficient. This kind of ransomware spreads quickly and needs only one entry point to reach the entire network.<\/p>\n\n\n\nHow to Safeguard Against WannaCry Ransomware<\/h2>\n\n\n\n The first thing to do when defending against WannaCry is to disable SMBv1 on every Windows host that does not absolutely need it. Then install the Microsoft security update that fixes the SMBv1 vulnerability EternalBlue exploits, and keep Windows fully patched after that.<\/p>\n\n\n\n After that, take a closer look at your network traffic and systems. Any suspicious burst of file creation, especially of files with the .WNCRY extension that WannaCry appends to everything it encrypts, is a sign the malware is already at work.<\/p>\n\n\n\n Outbound connections to TCP ports 445 and 139 (SMB) from workstations that have no reason to speak SMB to the internet or to many peers are another warning sign, as are DNS queries for the kill-switch domain and outbound connections to Tor nodes on ports 9001 and 9003, which WannaCry used to reach its command-and-control servers.<\/p>\n\n\n\n Although WannaCry will not activate if it can contact the \u201ckill switch<\/strong>\u201d URL, the malware can remain on a system even while it is not encrypting anything, and any run that cannot reach the domain (for example, from behind a mandatory web proxy, or while the network is down) will proceed. Therefore, if your Windows devices are unpatched, fix that immediately so you can head off the threat before it has a chance to start encrypting your files.<\/p>\n\n\n\nHow To Protect Yourself From Ransomware<\/h2>\n\n\n\n Now that we\u2019ve established what the WannaCry attack is and how it works, let\u2019s see what steps you can take to protect your devices from ransomware in general.<\/p>\n\n\n\nNever Click On Suspicious Links<\/h3>\n\n\n\n If you get an email with a link or an attachment, or you\u2019re browsing the web, and the link seems off, don\u2019t click on it. 
This could easily be ransomware that gets downloaded to your device with a single click.<\/p>\n\n\n\nDon\u2019t Use Unknown USBs<\/h3>\n\n\n\n Even though many users don\u2019t think twice about using a USB drive that doesn\u2019t belong to them, experts advise against inserting unknown USB devices into your computer, as they may carry ransomware that is planted on your device the moment the drive is opened.<\/p>\n\n\n\nKeep Your Operating System and Software Up To Date<\/h3>\n\n\n\n WannaCry was one of the largest ransomware attacks ever, and it succeeded mainly because the affected systems were not up to date. However, it is definitely not the only such threat active today.<\/p>\n\n\n\n Your computer can fall victim to ransomware simply because it is missing the latest security patches. Even when a patch is available, if you have not installed it for your software and operating system, you remain vulnerable.<\/p>\n\n\n\nInvest in Cybersecurity Training for Your Employees<\/h3>\n\n\n\n Many data breaches and security incidents that affect corporations were made possible by a lack of employee cybersecurity awareness. Investing in cybersecurity training for your staff is essential because it reduces the risk of a data breach and the financial and operational losses that follow.<\/p>\n\n\n\n
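As an added worked example (it is not code from the original article, and it contains nothing taken from any WannaCry sample), the following PowerShell audit checks a Windows host for the exposure indicators described under \u201cHow to Safeguard Against WannaCry Ransomware\u201d and the patch status stressed under \u201cKeep Your Operating System and Software Up To Date\u201d above, and it includes a reachability test for the domain described under \u201cA Groundbreaking Kill Switch.\u201d The page does not name the kill-switch domain or the update identifiers, so both are parameters the operator supplies (the placeholder values in the usage line are assumptions, as are all function and variable names). Run it in an elevated PowerShell session on the host being checked.<\/p>\n\n\n\n

```powershell
# Added example: audit a Windows host for the WannaCry exposure indicators the
# article lists. Not code from the article or from any WannaCry sample.
# Assumptions: the kill-switch domain and the KB numbers of the required updates
# (the March 2017 MS17-010 update for this Windows build) are supplied by the
# operator; neither is stated on the page.

function Test-DirectHttpReachability {
    # Mirrors the malware's own check: a plain HTTP GET that bypasses any
    # configured proxy. WannaCry connects directly, so a host that can only
    # reach the internet through a proxy gets no protection from the kill switch.
    param([Parameter(Mandatory)] [string] $HostName)
    try {
        $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
        $req.Proxy   = New-Object System.Net.WebProxy   # empty proxy = direct connection
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch {
        return $false
    }
}

function Get-WannaCryExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KillSwitchDomain,  # assumed: supplied by operator
        [string[]] $RequiredHotFixIds = @()                   # assumed: e.g. the MS17-010 KB for this build
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. SMBv1 still enabled on the server side? (Disable-SmbV1 below fixes this.)
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled')
    }

    # 2. SMBv1 feature still installed? (Client SKUs; on Windows Server use
    #    Get-WindowsFeature FS-SMB1 instead.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings.Add('SMB1Protocol Windows feature is installed')
    }

    # 3. Required updates missing?
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $RequiredHotFixIds) {
        if ($installed -notcontains $kb) { $findings.Add("Update $kb is not installed") }
    }

    # 4. Live outbound SMB (445/139) or Tor-style (9001/9003) connections,
    #    with the owning process so an analyst can pivot on it.
    $ports = 445, 139, 9001, 9003
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.RemotePort } |
        ForEach-Object {
            $name = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $findings.Add("Outbound $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($name)")
        }

    # 5. The kill-switch domain in the DNS client cache means something on this
    #    host performed the lookup the article describes.
    $hit = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$KillSwitchDomain*" }
    if ($hit) { $findings.Add("DNS cache contains the kill-switch domain $KillSwitchDomain") }

    # 6. Can the kill switch work from here at all?
    if (-not (Test-DirectHttpReachability -HostName $KillSwitchDomain)) {
        $findings.Add('Kill-switch domain is not reachable without a proxy; the kill switch will not stop an infection on this host')
    }

    return $findings
}

function Disable-SmbV1 {
    # Remediation for findings 1 and 2: turn the server protocol off now and
    # remove the feature (the removal takes full effect after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Usage (placeholder values; the real kill-switch domain and KB are assumptions):
$issues = Get-WannaCryExposure -KillSwitchDomain 'killswitch.example' -RequiredHotFixIds 'KB0000000'
if ($issues.Count -eq 0) { 'No WannaCry exposure indicators found' } else { $issues }
```

Disable-SmbV1 is kept separate from the audit so the read-only check can be run across a fleet first and the remediation applied only where finding 1 or 2 appears. Finding 6 covers the caveat the page only hints at: WannaCry makes its kill-switch request without the system proxy, so networks that force all web traffic through a proxy still saw machines encrypted after the domain had been registered, which is why patching and disabling SMBv1 remain the only reliable defence.<\/p>\n\n\n\n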