WannaCry is a ransomware cryptoworm that first appeared on May 12, 2017. Also known as WannaCrypt, WannaCryptor, WannaDecryptOr 2.0 and WanaDecryptOr 2.0, it targets computers running unpatched versions of Microsoft Windows.
Unlike most ransomware, which relies on tricking a user into opening a malicious attachment, WannaCry spreads on its own: it scans for machines that expose a vulnerable file-sharing (SMB) service and infects them with no user action at all. On each infected machine it encrypts or “kidnaps” essential files, applications and documents, then displays a demand for payment (a ransom) to restore the encrypted files to the user.
Ransomware can cost your company up to $2 million per incident. Creating a dynamic backup system is one of the best ways to prevent your network from being held ransom. Veeam can help your company by offering secure backup that protects your most important data if you're the victim of a ransomware attack. In most cases, you can be back up and running quickly.
How It Works
WannaCry exploits a vulnerability in the Windows implementation of the Server Message Block protocol, version 1 (SMBv1), the bug Microsoft fixed in security bulletin MS17-010. When WannaCry infects a computer, a screen appears saying that the files have been encrypted and that the user must pay a ransom of $300 in bitcoin within three days; after that the price doubles to $600, and after seven days the note threatens that the files will be lost for good.
Perhaps most interesting, and a warning to all businesses to update software regularly, Microsoft had already released the MS17-010 patch for all supported versions of Windows on March 14, 2017, two months before WannaCry appeared. After the outbreak it also released the fix for older, out-of-support versions of Windows. Unfortunately, the existence of the patch did not stop WannaCry, because a very large number of machines had simply never installed it.
How WannaCry Spreads
WannaCry targets the legacy SMBv1 protocol. It arrives as a self-contained dropper that extracts the components needed to encrypt the user’s data and to spread further. It moves quickly across any network of unpatched Windows machines: most victims were running Windows 7, which was still supported at the time but had not been patched, alongside out-of-support systems such as Windows XP and Windows Server 2003.
WannaCry is also a network worm that transports itself. Once it is running on one machine, its transport code scans the local network and random internet addresses for other machines listening on TCP port 445, then uses EternalBlue, an exploit originally developed by the United States National Security Agency (NSA), to break in. On a compromised host it installs DoublePulsar, a kernel-mode “backdoor” also developed by the NSA, and uses it to load the ransomware payload. Both tools were stolen from the NSA by a group of hackers known as the Shadow Brokers (a name inspired by a character from the video game Mass Effect) and released to the public in April 2017. In the weeks before WannaCry, researchers scanning the internet found that DoublePulsar had already been planted on tens of thousands of exposed machines and that the number was growing rapidly.
WannaCry Kill Switch
Once launched, WannaCry first tries to connect to a hard-coded domain, the so-called kill switch. If the connection fails, it goes on to encrypt the computer’s data and spread. If the connection succeeds, the malware simply exits and no further damage is done on that machine.
Researchers who studied WannaCry are still not certain why its author included it. The kill switch is a long, nonsensical domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(dot)com). Marcus Hutchins, a British security researcher, started analyzing WannaCry within hours of the outbreak and noticed that every sample tried to contact this domain. The leading explanation is sandbox evasion: some automated malware-analysis environments answer every DNS query and web request with a fake response, so a sample that quits as soon as its unregistered domain “resolves” looks harmless inside such a sandbox, which makes analyzing the code more complicated.
However, Hutchins did more than study the malware. He registered the domain for a few dollars and pointed it at a sinkhole web server, which meant that every copy of that WannaCry build that could reach the domain stopped itself before encrypting anything, on computers worldwide. As newer variants appeared with different nonsensical domains, other researchers repeated Hutchins’ move and registered those too. Within a few days of the initial attack, the spread of WannaCry had slowed to a trickle. One caveat: the check is a plain HTTP request that ignores the system proxy settings, so on networks where web access is only possible through a proxy, or where the domain was blocked, infected hosts never reached the sinkhole and were encrypted anyway. Later variants dropped the kill switch entirely.
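The caveat above is testable. The following script is an added example, not code from the article or from WannaCry itself; it checks whether a Windows host can reach the original kill-switch domain the same way the malware did, with a direct HTTP request that bypasses any configured proxy. The domain is the one named above; the function name, timeout and output format are assumptions.

```powershell
# Added example (not from the original article). Reproduces the malware's
# kill-switch check: resolve the domain, then make a direct HTTP GET with
# the proxy removed. If the direct request fails on your network, the kill
# switch would not have protected an unpatched host there.

$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Test-KillSwitchReachability {
    param([string]$Domain = $KillSwitchDomain)

    $result = [ordered]@{ Domain = $Domain; DnsResolves = $false; DirectHttpOk = $false }

    # Step 1: does the name resolve at all? Internal DNS that refuses "junk"
    # domains, or that sinkholes them to 0.0.0.0, makes the check fail.
    try {
        $answers = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
        $result.DnsResolves = ($answers | Where-Object { $_.IPAddress } | Measure-Object).Count -gt 0
    } catch {
        $result.DnsResolves = $false
    }

    # Step 2: plain HTTP GET with the proxy explicitly removed, mirroring the
    # malware. A network that only permits web egress through an authenticating
    # proxy fails here even though browsers on the same host work fine.
    try {
        $req = [System.Net.WebRequest]::Create("http://$Domain/")
        $req.Proxy = $null
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $result.DirectHttpOk = $true
        $resp.Close()
    } catch [System.Net.WebException] {
        # An HTTP error status (403, 404) still means the server answered;
        # only a network-level failure with no response counts as unreachable.
        $result.DirectHttpOk = ($null -ne $_.Exception.Response)
    } catch {
        $result.DirectHttpOk = $false
    }

    [pscustomobject]$result
}

$check = Test-KillSwitchReachability
$check | Format-List
if (-not $check.DirectHttpOk) {
    Write-Warning "Direct HTTP to the kill-switch domain failed. On this network the kill switch would NOT stop an unpatched host; rely on MS17-010 patching and SMBv1 removal instead."
}
```

Run it from a representative workstation on each network segment rather than from an administrator’s machine, since proxy and egress rules usually differ between them.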
The History of WannaCry
The NSA discovered the SMBv1 vulnerability well before the WannaCry attacks and built an exploit for it known as EternalBlue, but did not tell Microsoft it had found the flaw. A group calling itself the Shadow Brokers, which had been leaking stolen NSA tooling since August 2016, published EternalBlue in April 2017. Early versions of WannaCry had been circulating on the internet for months before the May 2017 attacks; bolting on EternalBlue as the propagation mechanism is what made it so much more dangerous.
Who Created WannaCry?
No group ever publicly claimed ownership of WannaCry. However, researchers at several cybersecurity companies found that code used in WannaCry shared distinctive fragments with code previously used by the Lazarus Group (which has also called itself the Guardians of Peace). This group is believed to be connected to the North Korean government and was responsible for the 2014 cyberattack on Sony Pictures, carried out in response to a Sony comedy that depicted North Korean leader Kim Jong-un being killed.
In December 2017, after several months of investigation, the United States government formally accused North Korea of being responsible for WannaCry. North Korea denied the accusation. The United Kingdom, Australia, Canada, New Zealand and Japan publicly supported the attribution.
Many security researchers and foreign governments have also criticized the NSA for not notifying Microsoft that it had found the SMBv1 vulnerability. Many feel that the NSA could have quietly told Microsoft about the problem without making it public. Russian President Vladimir Putin directly blamed American intelligence services, which had created EternalBlue, for the WannaCry outbreak.
Why WannaCry Works
WannaCry works because it relies on several key factors:
Many businesses use older, non-supported Windows operating systems
Many businesses worldwide, particularly in developing nations, cannot afford to buy new software whenever a new version of Windows is released, nor the newer computers needed to run it. As a result, many networks around the world still run Windows versions that have the SMBv1 vulnerability, which is what let WannaCry infect computers on a global scale.
Even with newer operating systems, many users and companies fail to regularly update their systems whenever Microsoft releases new patches to fix vulnerabilities
This is true even in companies with large security operations. Many cite business concerns, such as network downtime or worries that new patches will break other software, as reasons for not installing them.
Many businesses do not want to take the time or spend money to create secure backups of their most important documents
Perhaps the best way to defeat ransomware like WannaCry is to have a secure backup system for your most important documents. Unfortunately, many of the businesses affected by WannaCry had not done this. They had to shut down essential components of their businesses, including entire plants in some cases, or pause production altogether for several days.
WannaCry’s impact was worldwide and very large. Estimates by different research groups place the number of infected computers between 200,000 and 250,000 across 150 countries. Taiwan, India, Ukraine and Russia were hit hardest, mostly because of their widespread use of older, unpatched Windows versions. North America was less affected, partly because the kill-switch domain had already been registered by the time the worm reached many networks there.
Perhaps the largest agency affected by the WannaCry virus was the National Health Service in England and Scotland. WannaCry didn’t only affect computers — it also impacted blood storage refrigerators, equipment in operating rooms and MRI scanners. The virus forced the NHS to cancel thousands of non-emergency hospital visits, which cost it millions of pounds.
Other organizations hit by WannaCry included police stations in India; universities in Greece, Canada and Indonesia; automobile makers in Russia, Romania and Japan; FedEx; hospitals in Slovakia and Indonesia; Portugal’s and Saudi Arabia’s telecom networks; the Russian railroad; and even courts in Brazil. These are just a few of the hundreds of companies and organizations affected. While the ransom itself was only $300 to $600 per machine, the overall cost to companies was estimated at up to $4 billion in production losses.
No doubt stung by the exploitation of earlier versions of its operating system, Microsoft added an anti-ransomware control to Windows 10 (from version 1709) and Windows 11 as part of Microsoft Defender. Known as Controlled Folder Access, it blocks untrusted applications from modifying files in protected folders such as Documents and Pictures, so an unknown process cannot encrypt them, while letting vetted applications through.
Also within days of the initial WannaCry attacks, Microsoft released patches to fix this vulnerability in its older, non-supported operating systems. While this was an unusual step for Microsoft, the company felt it was necessary to protect users against WannaCry.
Many victims did not pay the ransom. Researchers discovered that WannaCry had been released before it was finished: its payment tracking was so crude that the operators could not reliably tell who had paid, so many of those who did pay never received a working decryption key. Government and law enforcement agencies also pointed out that paying only encourages criminals to build more ransomware, without any guarantee that you will get your data back.
Is WannaCry Still a Threat?
Unfortunately, WannaCry was still infecting unpatched machines in 2023. Many security experts feel that, despite WannaCry’s devastating effects, it did not produce lasting improvements in cybersecurity. Many businesses still run older Windows versions and have not installed the patches that would stop WannaCry. Businesses have not trained employees to recognize phishing emails or social engineering attacks. Many companies have still not set up secure backup systems, falsely believing it will never happen to them.
One of the best ways to protect against ransomware attacks is to have a workforce trained to recognize the signs. Employees should be trained to spot phishing emails containing dangerous attachments. One computer expert remarked, “Given the choice between dancing penguins and computer security, people will always choose dancing penguins.” Not every ransomware is a network worm; most ransomware depends upon users downloading the harmful application.
Employees should also learn to spot social engineering, which uses official-sounding emails from supposed government or law enforcement organizations to encourage users to download these attachments.
There are several ways to prevent WannaCry from infecting your computer or network:
Update your system so that it includes the most recent patches
Install dedicated software that blocks ransomware
Block TCP port 445 wherever it is not needed. WannaCry scans for and exploits SMB on port 445 to spread from machine to machine; blocking it does not undo encryption on a host that is already infected, but it stops the worm from reaching the next one
Use secure backup systems to protect your most important data
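The following script is an added example, not from the article or from Veeam or Microsoft. It applies the host-side items from the list above, and the Controlled Folder Access setting described earlier, on a Windows 8.1/10/11 or Server 2012 R2 or later machine (the SMB cmdlets do not exist on Windows 7). The KB identifiers are the March 2017 MS17-010 packages for Windows 7 SP1 / Server 2008 R2; the firewall rule name, the extra protected folder and the allowed application path are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Review each step before
# running it on a server that still legitimately serves SMBv1 clients
# (old multifunction printers, NAS firmware).

# 1. Patch state. KB4012212 / KB4012215 are the March 2017 MS17-010 packages
#    for Windows 7 SP1 / Server 2008 R2 (security-only and monthly rollup).
#    Other OS versions use different KBs, and any later monthly rollup
#    supersedes these, so "not found" means "verify via Windows Update",
#    not "vulnerable".
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { Write-Host "MS17-010 package present: $($found.HotFixID -join ', ')" }
else        { Write-Warning "No MS17-010 package ID found; confirm the patch level through Windows Update history." }

# 2. Turn SMBv1 off on the server side and remove the optional feature.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled.'
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1Protocol optional feature removed (reboot required).'
}

# 3. Block inbound TCP 445 from addresses outside the local network.
#    WannaCry spread by scanning for 445; a workstation almost never needs to
#    accept SMB from the internet. Adjust -RemoteAddress for file servers that
#    must accept SMB from other internal subnets.
$ruleName = 'Block inbound SMB (TCP 445) from non-local networks'   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
}

# 4. Controlled Folder Access (Windows 10 1709+ / Windows 11 with Defender AV
#    active): untrusted processes are denied write access to protected folders.
Set-MpPreference -EnableControlledFolderAccess Enabled
# Placeholder paths: an extra folder to protect and one line-of-business app to allow.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOB\lobapp.exe'
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
```

Start Controlled Folder Access in `AuditMode` rather than `Enabled` on a pilot group first: Defender then logs which applications would have been blocked, which tells you what to add to the allowed list before enforcing it fleet-wide.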
How to Detect WannaCry
Perhaps the best way to find WannaCry on your network is to look at host logs and network traffic. First, disable SMBv1 wherever it is still enabled, since the worm cannot exploit a service that is not listening. SolarWinds offers a primer on using server logs to detect WannaCry. Watch for a burst of outbound connections on TCP port 445 from a single host to many different addresses (the worm’s scanning behaviour, and one of the reasons to block that port), for SMBv1 sessions on servers that still accept them, and for mass creation of files ending in .WNCRY, the extension WannaCry appends to everything it encrypts.
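The following script is an added example, not from the article or from SolarWinds. It runs three independent checks on a Windows 8.1/10/11 or Server 2012 R2 or later host: live outbound SMB connections per process, a one-hour summary of audited outbound port-445 connections from the Security log, and a list of clients still speaking SMBv1 to this server. The file-server address list is a placeholder; the second check needs “Audit Filtering Platform Connection” success auditing enabled, and the third needs `Set-SmbServerConfiguration -AuditSmb1Access $true`.

```powershell
# Added example (not from the original article). Run in an elevated session.

# --- 1. Live view: outbound SMB sessions to hosts that are not known servers.
#     A workstation holding many 445 connections to peer workstations is the
#     classic worm-scanner signature.
$KnownFileServers = @('10.0.0.5', '10.0.0.6')   # placeholder; replace with your own
function Get-SuspiciousSmbConnections {
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin $KnownFileServers -and $_.State -in 'Established','SynSent' } |
        Group-Object OwningProcess |
        ForEach-Object {
            $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = $_.Name
                Process     = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path        = if ($proc) { $proc.Path } else { $null }
                Connections = $_.Count
                Targets     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Connections -Descending
}
Get-SuspiciousSmbConnections | Format-Table -AutoSize

# --- 2. Windows Filtering Platform: allowed outbound 445 connections per
#     application over the last hour (Security log, Event ID 5156).
function Get-OutboundSmbAuditSummary {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData name/value pairs out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $d
        } |
        Where-Object { $_.Direction -eq '%%14593' -and $_.DestPort -eq '445' } |   # %%14593 = Outbound
        Group-Object Application |
        Select-Object @{n='Application';e={$_.Name}}, Count,
                      @{n='DistinctTargets';e={($_.Group.DestAddress | Sort-Object -Unique).Count}} |
        Sort-Object Count -Descending
}
Get-OutboundSmbAuditSummary | Format-Table -AutoSize

# --- 3. Who still talks SMBv1 to this server? With SMB1 access auditing on,
#     each SMBv1 session writes Event ID 3000 to Microsoft-Windows-SMBServer/Audit
#     with a "Client Address:" line in the message.
function Get-Smb1Clients {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Select-String -Pattern 'Client Address:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{n='Client';e={$_.Name}}, Count
}
Get-Smb1Clients | Format-Table -AutoSize
```

A single process with dozens of distinct 445 targets in the first table, or an unfamiliar application at the top of the second, is the thing to isolate first; the third list tells you which devices will break when SMBv1 is finally switched off, so it doubles as a migration inventory.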
How to Remove WannaCry Malware
Microsoft’s Malicious Software Removal Tool (MSRT), distributed through Windows Update, detects and removes WannaCry. The software review site Geek's Advice also has a guide on removing it manually; however, that is difficult and should not be attempted by anyone unfamiliar with Windows internals. Note that removing the malware does not decrypt the files it has already encrypted; those must be restored from backup.
How Veeam Can Help
While several ways exist to prevent the WannaCry virus and other ransomware from infecting your networks, your last and best defense is a secure backup system. Veeam Ransom Protection is secure by design. Having a reliable backup can be the difference between being quickly operational after an attack and not paying cybercriminals a penny, or being down for a long time and paying a hefty ransom.