WannaCry is indeed an example of ransomware. Ransomware is a type of malicious software that encrypts data on a victim’s computer and demands payment in order to decrypt the data. WannaCry was a massive ransomware attack that started on May 12, 2017 and went on to affect over 200,000 computers across 150 countries.
What is Ransomware?
Ransomware is a form of malware that encrypts files on a victim’s computer and renders them inaccessible. The attackers then demand ransom payment in cryptocurrency, such as Bitcoin, in exchange for the decryption key. If the ransom is not paid, the attackers threaten to delete the encrypted files. The motive behind ransomware attacks is nearly always monetary.
Some key characteristics of ransomware include:
- Encrypts files so they cannot be accessed
- Displays a ransom payment demand
- Threatens to delete files if ransom not paid
- Demands payment, usually in cryptocurrency like Bitcoin
- Is delivered through various vectors like phishing emails or drive-by downloads
Ransomware attacks have been rapidly growing since around 2005. Some major ransomware variants include CryptoLocker, Locky, SamSam and Ryuk. More recent ransomware strains are becoming increasingly sophisticated using advanced evasion techniques.
Overview of the WannaCry Ransomware Attack
The WannaCry ransomware attack was unprecedented in scale and impact. It proliferated through the EternalBlue exploit in Microsoft’s implementation of the Server Message Block (SMB) protocol. EternalBlue was developed by the U.S. National Security Agency (NSA) and leaked online by a group called The Shadow Brokers in April 2017, just a month prior to WannaCry’s release.
On May 12, WannaCry began affecting computers worldwide. It leveraged EternalBlue to spread itself across networks and encrypt files on infected machines. It demanded ransom payments of $300-$600 in Bitcoin to release the files. Major organizations around the world were paralyzed by the attack including the UK’s National Health Service (NHS), logistics company FedEx and car manufacturers Renault and Nissan.
Within the first day, over 230,000 computers were hit across at least 150 countries. Estimates of the total damage have run as high as $4 billion. Security researchers eventually found a kill switch domain that slowed the spread of WannaCry. However, new variants without the kill switch have since emerged.
How WannaCry Spread
WannaCry leveraged an exploit called EternalBlue that targeted a vulnerability in Microsoft’s SMB protocol implementation (patched in MS17-010). EternalBlue allowed it to infect computers and quickly spread across networks with worm-like behavior.
In addition, WannaCry had a second propagation method through the Windows DoublePulsar backdoor. DoublePulsar was also leaked by The Shadow Brokers from NSA tools. With both EternalBlue and DoublePulsar, WannaCry was extremely adept at lateral movement.
Once on a system, WannaCry first checks the victim’s language setting. If the language is Russian, Ukrainian or Belarusian, it exits without taking further action. It then uses EternalBlue to spread to other vulnerable machines on the connected network.
For standalone systems, WannaCry also spreads itself via email and drive-by downloads by extracting email addresses from files and sending infected zip files to the recipients. These techniques allowed it to transmit itself both locally and globally quite rapidly.
Encrypting Files and Ransom Demands
After propagating, WannaCry encrypts files on the infected computer. It targets hundreds of different file extensions for encryption, including Office documents, photos, videos, audio files, archives, programming source code and database files. WannaCry uses AES and RSA encryption algorithms to encrypt the files.
Once files are encrypted, WannaCry displays a ransom note. The note informs the victim that files have been encrypted and will be deleted unless a payment is made. It then demands a ransom of $300-$600 in Bitcoin that increases over time. A countdown timer is also displayed showing how long the victim has left to pay before files are deleted.
If the ransom is paid, WannaCry is supposed to provide the decryption key. However, in many cases files were not properly restored even after victims paid. There are also concerns about funding criminal organizations by paying ransoms.
Is WannaCry Ransomware?
Based on its characteristics and behavior, WannaCry is clearly ransomware:
- Encrypts files: WannaCry encrypts hundreds of different file types on infected computers using RSA and AES encryption so they cannot be accessed.
- Ransom payment demand: After encrypting files, WannaCry displays a ransom note demanding payment of $300-$600 in Bitcoin in order to decrypt the files.
- Threatens data destruction: The ransom note threatens to delete all the encrypted files if payment is not received in time.
- Seeks payment in cryptocurrency: WannaCry specifically demands ransom payment in the form of Bitcoin, a popular cryptocurrency.
- Spreads through multiple vectors: WannaCry leverages EternalBlue and DoublePulsar exploits to spread quickly across networks. It also uses phishing-like tactics to spread through email and downloads.
WannaCry matches the definitive characteristics of ransomware. It encrypts files, demands untraceable ransom payment, threatens permanent data loss, and uses advanced mechanisms to spread itself. There is very little doubt that it belongs to the ransomware class of malware.
Impact of the WannaCry Attack
The WannaCry attack was unprecedented in scale and damage caused. Within the first day, it had infected over 230,000 computers in 150 countries. Some major organizations affected included:
- UK’s National Health Service (NHS): WannaCry severely disrupted medical services and forced hospitals to turn away patients and cancel appointments.
- Telefonica: The Spanish telecom company was hit hard with over 85% of its computers affected.
- FedEx: The logistics company reported major outages at facilities in Europe.
- French carmaker Renault: Operations were halted at Renault factories in France and Slovenia.
- German railway company Deutsche Bahn: Signaling and display systems were infected at several railway stations.
- São Paulo court system: The court system in São Paulo, Brazil was forced to disconnect computers and cancel public hearings.
The total worldwide damage from WannaCry is estimated to be anywhere from hundreds of millions of dollars to $4 billion. This does not include unaccounted costs like business disruption, lost revenues, recovery efforts, and reputational damage.
Ransom Payments
Despite the large number of infections, only about $140,000 in ransom payments were reported to have been paid to the WannaCry attackers. This is a surprisingly low amount considering the scale of the attack. There are a few factors that may have contributed to the low payment rate:
- Many victims were unable to pay the ransom since Bitcoin was still not widely adopted.
- Organizations were wary of funding criminal organizations and possibly running afoul of anti-money laundering regulations.
- Systems infected using EternalBlue did not have data properly encrypted, allowing files to be restored from backups.
- Decryption tools were quickly developed and distributed by cybersecurity researchers.
While the amount of money extorted was relatively low, the damage done by disruption to services, recovery costs and lost productivity was extensive.
Who Created WannaCry?
The exact perpetrators behind the WannaCry attack have not been definitively identified. However, evidence points towards the Lazarus Group, a cybercrime outfit linked to the North Korean government. Possible links include:
- Code similarities between WannaCry and previous malware attributed to Lazarus.
- Shared code servers and signatures linked to previous North Korean cyberattacks.
- North Korea’s history of funding its regime through cybercrime.
However, some analysts are hesitant to make a direct attribution given that the evidence is circumstantial. Others like security firm Flashpoint suspect disgruntled insiders rather than state-sponsored actors. The exact perpetrators remain shrouded in mystery for now, though cybersecurity researchers continue to investigate.
Table 1: Timeline of the WannaCry Attack
| Date | Event |
|---|---|
| April 2017 | The Shadow Brokers leak exploits from NSA tools including EternalBlue. |
| May 12, 2017 | Initial reports emerge of a massive ransomware infection spreading around the world, later identified as WannaCry. |
| May 12-15, 2017 | WannaCry spreads quickly, impacting over 230,000 computers across 150 countries. |
| May 13, 2017 | Researchers register a domain that acts as a kill switch, slowing WannaCry’s spread. |
| May 14-17, 2017 | Major organizations like the NHS, Renault and Telefonica report widespread disruptions from WannaCry. |
| May 19, 2017 | Researchers observe new WannaCry variants emerging without the kill switch. |
| February 2021 | The US DOJ formally charges three North Korean military hackers for creating WannaCry. |
Defending Against Ransomware
The WannaCry attack demonstrates the extreme damage ransomware can cause to businesses, organizations and infrastructure. Here are some key measures that can be taken to reduce the risk and impact of ransomware attacks:
- Keep all systems patched and updated to eliminate security holes like EternalBlue.
- Install and properly configure endpoint detection and response (EDR) tools to block exploits.
- Enable strong spam filters to stop phishing emails from delivering ransomware.
- Train employees to identify social engineering techniques and suspicious emails.
- Regularly back up critical data and store backups offline to enable restoration.
- Segment networks to prevent lateral ransomware movement between systems.
- Deploy DMARC, SPF and DKIM to prevent email spoofing.
- Monitor logs from security solutions to quickly detect attacks.
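The worm-like SMB spread described under "How WannaCry Spread" and the log-monitoring and segmentation items above point to one concrete detection: a host opening TCP/445 connections to many distinct peers in a short window. The example below is added here and is not code from the original article; it assumes a simple flow-log line format and a threshold of 10 distinct targets per 60 seconds, both of which are assumptions to tune per network.

```python
# Added example (not from the original article): flag worm-like SMB fan-out,
# the TCP/445 lateral-movement pattern WannaCry used via EternalBlue.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: 10.0.1.15 sweeps twelve neighbours on 445 within
# seconds (worm-like); 10.0.1.7 talks to one file server (normal).
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:01:{i:02d} src=10.0.1.15 dst=10.0.1.{20 + i} dport=445 proto=tcp"
     for i in range(12)]
    + [
        "2017-05-12T10:01:05 src=10.0.1.7 dst=10.0.1.50 dport=445 proto=tcp",
        "2017-05-12T10:03:05 src=10.0.1.7 dst=10.0.1.50 dport=445 proto=tcp",
        "2017-05-12T10:01:09 src=10.0.1.15 dst=10.0.1.51 dport=80 proto=tcp",
    ]
)

def parse(log_text):
    """Return (timestamp, src, dst, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events

def smb_fanout_sources(events, window=timedelta(seconds=60), threshold=10):
    """Map each source to its peak number of distinct TCP/445 targets inside any
    `window`; keep only sources at or above `threshold` (tune both per network)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, conns in per_src.items():
        conns.sort()  # sliding window over time-ordered connections
        peak = 0
        for i, (start, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

On a segmented network, a single source reaching this many distinct 445 peers is rare, which is what makes the alert useful; the same logic can be pointed at any log source that records source, destination and port.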
With strong technical controls and user training, organizations can develop resilience against ransomware attacks. But it requires constant vigilance given how aggressively ransomware tactics evolve over time.
Conclusion
The WannaCry ransomware attack was an extremely damaging cyberattack enabled by leaked NSA exploits. Within 24 hours, it had impacted over 200,000 systems across 150 countries by encrypting data and demanding Bitcoin ransom payments. WannaCry crippled hospitals, businesses and infrastructure worldwide. While the perpetrators remain unconfirmed, evidence points toward the North Korean Lazarus Group.
WannaCry clearly fits the definition of ransomware. It leveraged worm-like behavior to spread rapidly, encrypted files on infected systems, demanded ransom and threatened data destruction. By locking organizations out of their own systems, it caused worldwide damage upwards of $4 billion.
Defending against ransomware requires keeping systems fully updated, training employees, deploying advanced security tools, performing regular backups and following cybersecurity best practices. The WannaCry attack demonstrates the potential of ransomware to wreak havoc on infrastructure and the importance of ransomware prevention for organizations.