Is WannaCry a virus?

WannaCry is a form of ransomware that spread rapidly around the world in May 2017, infecting hundreds of thousands of computers by exploiting a vulnerability in older versions of Microsoft Windows. So is WannaCry a virus? The short answer is yes, WannaCry is considered a virus due to how it infects and spreads between computers.

What is WannaCry?

WannaCry is a type of malware known as ransomware. Ransomware is a form of malicious software that encrypts files on a victim’s computer and demands payment in order to decrypt them. WannaCry specifically targets computers running Microsoft Windows by exploiting a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol. This vulnerability, known as EternalBlue, was originally discovered by the United States National Security Agency (NSA) and leaked online in 2017 by a group called the Shadow Brokers.

Once WannaCry has infected a computer through the EternalBlue exploit, it encrypts many file types on the machine and on any connected network shares that the user account has access to. It then displays a ransom note demanding $300 in Bitcoin to decrypt the files. If the ransom is not paid within three days, the ransom amount doubles. After seven days, it threatens to delete the encrypted files forever.

One key trait that allowed WannaCry to spread so rapidly was that it included worm-like functionality that allowed it to self-propagate across networks by exploiting the SMB vulnerability on other unpatched Windows computers. Thus, WannaCry acted like a computer worm, spreading itself automatically without requiring any human interaction after the initial infection.

How does WannaCry infect computers?

WannaCry leverages an exploit called EternalBlue to spread itself. EternalBlue specifically targets a vulnerability in Microsoft’s implementation of the SMB protocol in versions of Windows prior to Windows 10. SMB is a network file sharing protocol that allows Windows computers to share files and other resources on a network.

The EternalBlue exploit allowed WannaCry to remotely execute malicious code on vulnerable Windows computers by sending specially crafted packets over the SMB port (port 445). No interaction is required from a user on the target computer for the initial infection.

Once executed via EternalBlue, the WannaCry code implants a backdoor and infects the system. It uses a separate exploit called DoublePulsar to install and run itself on compromised computers. WannaCry then uses the backdoor to spread itself further across the network by scanning for other computers that have the SMB vulnerability and exploiting EternalBlue to infect them as well.

Does WannaCry self-replicate?

Yes, WannaCry has self-replicating capabilities that allow it to spread automatically like a computer worm. As discussed above, it leverages vulnerabilities in Windows SMB to spread itself across networks without requiring any action from users. This sets it apart from other forms of malware like viruses and trojans that usually require some type of human interaction (e.g. opening attachments, clicking links) to replicate.

WannaCry scans for vulnerable computers across the network by checking for systems with TCP port 445 open. It then uses the EternalBlue exploit to gain access and execute its code remotely. Once running on a system, it quickly attempts to infect other computers on the same network or other connected networks. This allows it to rapidly propagate, potentially infecting an entire network in just minutes if proper security patches are not in place.

So in summary, WannaCry absolutely acts like a self-replicating worm thanks to the worm-like functionality baked into its code. This is a key trait that allowed it to spread globally so rapidly during the 2017 outbreak.
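The propagation pattern described above (one host reaching many distinct peers on TCP/445 within seconds) is also what a defender can look for in connection logs. The following Python snippet is an added example, not code from the original article: it runs a sliding-window fan-out check over a constructed sample log; the log format, the 60-second window and the threshold of five hosts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample connection log: "timestamp src dst dport proto".
# 10.0.0.5 fans out to eight hosts on TCP/445 in seconds (worm-like);
# 10.0.0.20 and 10.0.0.40 show ordinary file-server use.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.20 10.0.0.2 445 tcp
2017-05-12T10:00:01 10.0.0.5 10.0.0.10 445 tcp
2017-05-12T10:00:01 10.0.0.5 10.0.0.11 445 tcp
2017-05-12T10:00:02 10.0.0.5 10.0.0.12 445 tcp
2017-05-12T10:00:02 10.0.0.30 10.0.0.50 443 tcp
2017-05-12T10:00:03 10.0.0.5 10.0.0.13 445 tcp
2017-05-12T10:00:03 10.0.0.20 10.0.0.2 445 tcp
2017-05-12T10:00:04 10.0.0.5 10.0.0.14 445 tcp
2017-05-12T10:00:05 10.0.0.5 10.0.0.15 445 tcp
2017-05-12T10:00:05 10.0.0.40 10.0.0.2 445 tcp
2017-05-12T10:00:06 10.0.0.5 10.0.0.16 445 tcp
2017-05-12T10:00:07 10.0.0.5 10.0.0.17 445 tcp
2017-05-12T10:00:08 10.0.0.40 10.0.0.3 445 tcp
"""

def parse_events(text):
    """Parse log lines into (datetime, src, dst, dport, proto), sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(events)

def find_smb_scanners(text, window_seconds=60, threshold=5):
    """Map each source that reached >= threshold distinct hosts on TCP/445 within
    any sliding window of window_seconds to its peak distinct-destination count.
    Repeated connections to one server never raise the count, so normal SMB use
    (many sessions to a single file server) is not flagged."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, dport, proto in parse_events(text):
        if proto != "tcp" or dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged
```

On the sample log only 10.0.0.5 is reported (eight distinct hosts on 445); the host that opens repeated sessions to a single file server is not, because the check counts distinct destinations rather than connection volume.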

Does WannaCry need a host program to replicate?

No, WannaCry does not require a host program or file to help replicate itself across vulnerable systems. Traditional computer viruses and trojan horses typically require a host file that the victim executes to activate the malicious code. WannaCry, however, can exploit and replicate itself without any interaction from the victim due to the SMB remote code execution vulnerability.

As soon as WannaCry detects a vulnerable computer through SMB port scanning, it can exploit the EternalBlue vulnerability to forcibly push its code onto the remote system and execute it. The code then sets up a backdoor and immediately starts scanning the network for other potential victims to infect autonomously. So WannaCry is entirely self-reliant when it comes to replication.

Of course, WannaCry did originally require some type of initial human action to get into the wild, such as an employee opening a malicious email attachment containing the malware. But after that initial infection, WannaCry can spread by technical exploitation alone and does not rely on any human interaction or host programs to facilitate replication between vulnerable computers.

Does WannaCry alter computer programs?

Yes, WannaCry directly alters programs and processes on infected Windows computers as part of its malicious functionality.

Some examples of how WannaCry alters programs and processes include:

  • Injecting malicious code into the lsass.exe process to gain elevated privileges on the system.
  • Opening a backdoor by patching the Windows DLL svchost.dll.
  • Disabling security services like the Windows Firewall and Windows Defender Antivirus using taskkill commands.
  • Closing any database processes associated with SQL Server, MySQL, and PostgreSQL to encrypt their files.
  • Stopping processes associated with email, database, backup and document editing software to encrypt related files.
  • Deleting volume shadow copies to prevent file recovery.

These types of malicious modifications to programs and system processes are how WannaCry achieves its nefarious goals like disabling security tools, spreading to other systems, and encrypting files for ransom. So it absolutely tampers with and alters existing software on the machines it infects as part of its worm-like functionality.

Does WannaCry make copies of itself?

Yes, WannaCry has the capability to make copies of itself as it spreads to new vulnerable systems. The ability to self-replicate and proliferate copies of itself is a key characteristic of WannaCry that enabled its widespread and rapid infection around the world.

When WannaCry exploits a system through the EternalBlue SMB vulnerability, it delivers a copy of its malicious code payload that includes the ransomware encryption functions as well as the self-propagation logic. It does this by sending the code over the network and executing it directly on the remote machine.

WannaCry will often first copy itself into the Windows Temp folder on a newly compromised computer. It then executes itself from there, installing any necessary components and immediately seeking to replicate further across the network. WannaCry has been observed saving copies of itself using file names like tasksche.exe, m.exe, f.exe, and t.exe.

So in summary, yes – WannaCry definitely makes copies of its executable file as part of spreading to each new vulnerable host it can find. It doesn’t merely try to spread an infection – it pushes actual copies of its code to each target.

Does WannaCry damage or modify computer systems?

Absolutely. WannaCry causes significant damage to and modification of infected computer systems in multiple ways:

  • File encryption – WannaCry encrypts hundreds of different file types on local, shared and networked drives, rendering them inaccessible without the decryption key.
  • Ransom demands – It displays ransom notes demanding payment to decrypt files, essentially holding the computer system hostage.
  • Security tool disabling – It forcefully disables security services like Windows Firewall and Defender to make infection easier.
  • Process termination – It terminates processes associated with email, databases, backups, etc. to aid encryption.
  • Network propagation – It exploits vulnerabilities to self-propagate across networks, increasing load and potentially crashing systems.
  • Permanent deletion – After a period, it threatens permanent deletion of encrypted files if ransom isn’t paid.

In essence, WannaCry causes mass destruction and modification of files, settings, and the typical functioning of infected systems until the ransom is paid. Its changes pave the way for encryption, disable protection, and potentially result in permanent data loss. The damage can be severe, especially for businesses without proper backups.

Does WannaCry steal or transmit private data?

No, WannaCry does not explicitly steal or transmit any private data from infected systems. Its sole purpose is to encrypt files and demand ransom payment in order to decrypt them again.

Some key points about WannaCry and data theft/transmission:

  • It does not secretly collect sensitive documents, emails, passwords or other personal/corporate data from systems.
  • It does not covertly send any data from infected computers back to its creators.
  • WannaCry only generates a pair of encryption keys locally on each affected computer; it does not transmit them.
  • There are no backdoors that allow the malware creators to access encrypted content.

That said, by encrypting files and holding systems ransom, WannaCry does prevent the rightful users of a system from accessing their own data. And if systems are not properly backed up, the data loss after encryption could be permanent if the ransom is not paid.

So in summary, while it does not steal or transmit data, WannaCry essentially holds user data hostage for profit. But it does not explicitly collect or redistribute any information to external parties.

Conclusion

Based on its observed capabilities and behaviors, WannaCry fits the definition of a computer virus:

  • It can self-replicate across vulnerable Windows systems without user interaction.
  • It modifies programs and processes like disabling security services and encrypting files.
  • It carries a harmful payload in the form of ransom demands and potential permanent data loss.
  • It makes copies of itself as it spreads to new systems.
  • It exploits software vulnerabilities to spread, cause damage, and evade detection.

WannaCry spreads and functions very much like a virulent computer virus, even incorporating worm-like self-propagation methods. While some may argue it technically fits better under a broad definition of malware, there is no doubt that WannaCry exhibits all the major attributes of a computer virus.

By leveraging cybersecurity vulnerabilities and using extremely effective self-replication tactics, the WannaCry virus caused widespread disruption globally and cemented itself as one of the most damaging cyber incidents in recent history.