The WannaCry virus, also known as WannaCryptor or Wanna Decryptor, is a form of ransomware that affects computers running Microsoft Windows. It is considered one of the most damaging cyberattacks in history due to its rapid spread across organizations globally in May 2017.
What is ransomware?
Ransomware is a type of malicious software or malware designed to deny access to a computer system or data until a ransom is paid. It works by encrypting files on a victim’s computer and demanding payment in cryptocurrency, such as Bitcoin, in order to decrypt them. Failure to pay could result in permanent data loss.
How did the WannaCry attack happen?
The WannaCry ransomware attack exploited a vulnerability in older Microsoft Windows systems that had not applied a critical security patch from March 2017. This vulnerability allowed it to spread rapidly across networks and infect over 200,000 systems globally within just a few days. Major impacts were felt in the UK healthcare system, corporations like Nissan, government agencies and critical infrastructure.
Technical Details
Exploited Vulnerabilities
WannaCry specifically targeted computers running outdated and unsupported versions of the Microsoft Windows operating system by exploiting vulnerabilities in Microsoft's implementation of the Server Message Block (SMB) protocol.
The primary vulnerability exploited, CVE-2017-0144, allowed remote code execution against SMBv1 servers. It became public when the exploit was leaked as part of the ShadowBrokers dump of NSA cyber weapons in April 2017; Microsoft had already released a security patch for the vulnerability one month before the leak.
Infection and Encryption Process
Once executed on the victim’s computer, WannaCry first checks the system language and kills various processes and services to impair antivirus defenses. It then maps the victim’s local and network drives and starts encrypting files of many types, including Microsoft Office documents, databases, archives, media files, source code and other important data.
The ransomware uses the AES and RSA ciphers to encrypt the computer’s files, and an embedded Tor client to mask communications with its command and control servers.
A ransom note is displayed demanding $300-$600 in Bitcoin to free the encrypted files. If the ransom is not paid within 3 days, the amount doubles; after 7 days, the note threatens that the encrypted files will be deleted.
Worldwide Outbreak
The WannaCry ransomware campaign was unprecedented in scale with over 200,000 systems affected across 150 countries. Organizations around the world were impacted including:
- National Health Service (NHS) hospitals in the United Kingdom
- Nissan Motor Manufacturing in the United Kingdom
- State railway systems in Germany
- PetroChina gas stations in China
- Universities and organizations in China
- Critical infrastructure organizations in Spain
The ransomware spread rapidly by scanning for exposed SMB ports and exploiting vulnerable machines. Its worm-like capabilities allowed it to move laterally once inside a network.
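The scanning behaviour described above has a simple network-level signature: one host opening SMB connections (TCP port 445) to many distinct destinations in a short time. The following is an added example, not code from the original article, that flags such sources from connection logs. The log format, the field order and the sample lines are constructed for this example; the threshold and window are illustrative defaults that a defender would tune to their own environment.

```python
"""Flag hosts that contact many distinct SMB (TCP/445) destinations in a short window.

Added example, not part of the original article. Worm-style propagation such as
WannaCry's produces a burst of connection attempts (allowed or denied) from one
source to many destinations on port 445; this sliding-window count surfaces it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src_ip dst_ip dst_port action".
# 10.0.1.40 is a normal client talking to one file server; 10.0.1.15 sweeps a subnet.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.40 10.0.1.5 445 allow
2017-05-12T10:00:05 10.0.1.15 10.0.1.20 445 allow
2017-05-12T10:00:05 10.0.1.15 10.0.1.21 445 deny
2017-05-12T10:00:06 10.0.1.15 10.0.1.22 445 allow
2017-05-12T10:00:06 10.0.1.15 10.0.1.23 445 deny
2017-05-12T10:00:07 10.0.1.15 10.0.1.24 445 deny
2017-05-12T10:00:07 10.0.1.15 10.0.1.25 445 allow
2017-05-12T10:00:08 10.0.1.15 10.0.1.26 445 deny
2017-05-12T10:00:08 10.0.1.15 10.0.1.27 445 deny
2017-05-12T10:00:09 10.0.1.40 10.0.1.5 445 allow
2017-05-12T10:00:09 10.0.1.15 10.0.1.28 445 allow
2017-05-12T10:00:10 10.0.1.15 10.0.1.29 445 deny
2017-05-12T10:00:10 10.0.1.15 10.0.1.30 445 deny
2017-05-12T10:00:11 10.0.1.15 10.0.1.31 445 allow
2017-05-12T10:00:12 10.0.1.60 10.0.1.5 80 allow
2017-05-12T10:00:30 10.0.1.40 10.0.1.5 445 allow
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_smb_scanners(log_text, threshold=10, window_seconds=60, port=445):
    """Return {src_ip: peak_distinct_destinations} for sources that reached
    at least `threshold` distinct destinations on `port` within any
    `window_seconds` span. Denied attempts count too: a sweep of a subnet
    produces mostly failures, and those are the signal."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst), oldest first
    alerts = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, dport, _action = parse_line(raw)
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {count} distinct hosts on 445")
```

Running it against the sample reports only 10.0.1.15, which touched 12 distinct hosts in a few seconds; the legitimate client that repeatedly connects to a single file server never exceeds one distinct destination, and the port-80 traffic is ignored. The same logic applies to any firewall or flow export once the parser is adapted to its format.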
Who Created WannaCry?
Lazarus Group
The WannaCry ransomware attack has been attributed to the Lazarus Group, a cybercrime group with links to North Korea. The Lazarus Group gained notoriety after hacking Sony Pictures in 2014 and has been active since at least 2009. They have primarily targeted corporations, organizations and agencies using tactics like phishing campaigns, zero-day exploits, and backdoors.
Evidence linking Lazarus Group to WannaCry consists of similarities in code, encryption, ransom demands, and the group’s previous history of leveraging leaked hacking tools. However, North Korea has denied any involvement.
Possible Nation-State Motivations
As a nation-state backed cyber threat group, the Lazarus Group’s motivations are speculated to be politically driven rather than purely financial. Some analysts believe WannaCry was meant to cause turmoil more than gather ransom.
Possible goals include:
- Undermining trust in Western organizations and businesses
- Demonstrating capability to cause global impact and damage
- Gaining hard currency like Bitcoin to bypass sanctions given North Korea’s heavily restricted international finances
How to Protect Against WannaCry
Here are key measures organizations and individuals can take to prevent WannaCry and similar ransomware attacks:
Keep Systems Up-to-Date
WannaCry spread largely by exploiting unpatched versions of Windows. System users and administrators should ensure they are running the latest software versions and applying security patches promptly. Enable automatic Windows updates when possible.
Perform Regular Backups
Maintain regular backups of your important data on a separate device or system. With backups in place, an organization does not have to consider paying a ransom if encrypted files cannot otherwise be recovered. Test backups regularly for availability and integrity.
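Testing a backup for integrity means more than checking that the files exist: a backup that the ransomware reached will still be present, just unreadable. The following added example, not code from the original article, records a SHA-256 manifest when the backup is taken and later compares the backup tree against it, reporting files that are unchanged, modified, missing or unexpected. The directory layout, file contents and the tampering in `demo()` are constructed for illustration.

```python
"""Record and verify a SHA-256 manifest for a backup tree.

Added example, not part of the original article. Keep the manifest somewhere
the backup system cannot overwrite (here it is simply held as a JSON string),
so that a later run can tell untouched files from ones whose content changed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the current tree against a previously recorded manifest.

    Returns sorted lists: ok (hash matches), modified (present, hash differs),
    missing (in manifest, not on disk) and unexpected (on disk, not in manifest).
    """
    current = build_manifest(root)
    return {
        "ok": sorted(p for p, h in manifest.items() if current.get(p) == h),
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest, tamper with the backup, verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {
            "finance/ledger.xlsx": b"quarterly numbers",
            "notes.txt": b"plain notes",
            "photo.jpg": b"\xff\xd8\xff",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        # Record the manifest at backup time and store it out of band.
        stored = json.dumps(build_manifest(root), indent=2)

        # Simulate what a ransomware-touched backup looks like:
        # one file overwritten, one deleted, one unexpected file added.
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"\x00opaque ciphertext\x00")
        os.remove(os.path.join(root, "photo.jpg"))
        with open(os.path.join(root, "RECOVER_FILES.txt"), "wb") as f:
            f.write(b"constructed placeholder note")

        return verify_backup(root, json.loads(stored))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

The verification step is what turns "we have backups" into "our backups are usable": run it on a schedule against the stored manifest, and treat any modified or missing entry as an incident to investigate before it is needed for recovery.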
Exercise Caution with Emails and Links
Ransomware often spreads through phishing emails and fake URLs. Users should avoid opening attachments or links from unverified or unknown sources. Carefully inspect the sender address for accuracy.
Install Antivirus and Security Software
Endpoint protection platforms with advanced malware prevention can potentially detect ransomware infections before encryption starts. Antivirus software can scan systems and flag malicious programs. Keep this software updated, since new threats emerge constantly.
Isolate Critical Systems
For businesses, important servers and systems should be segmented from general-purpose networked devices. This can limit lateral ransomware spread in the event of an infection. Air-gapped backups are also an option.
Educate Employees
Human error is one of the biggest cybersecurity risks. Regular employee training can teach staff to identify warning signs of ransomware and exercise caution. Phishing simulation exercises can also improve awareness.
Control Access and Privileges
Limit users to only those systems and permissions necessary for their roles. This helps prevent malware from rapidly infecting entire networks if user credentials are compromised.
Conclusion
The WannaCry ransomware attack was an unprecedented cyberattack affecting hundreds of thousands of systems globally. It leveraged leaked NSA exploits to spread rapidly through networks by targeting a vulnerability in Microsoft's SMB protocol implementation. Although the attack has been attributed to the North Korea-linked Lazarus Group, its motivations are suspected to be politically driven rather than purely financial. Organizations can take measures like keeping systems updated, performing backups, and using antivirus software to improve ransomware defenses. User education is also critical for identifying the warning signs of phishing attempts and exercising caution online. The WannaCry outbreak demonstrates the extensive damage cyberattacks can inflict on unprepared organizations.