Allegedly developed by the North Korean Lazarus Group, WannaCry combined exploit code stolen from the US National Security Agency with custom code to create a ransomware worm. The worm was deployed in May 2017 in a global attack that infected an estimated 200,000 computers in some 150 countries within three days. By exploiting a vulnerability in Windows systems, the malware could infect new victims on its own, with no user interaction, enabling it to spread exponentially across the Internet.
The widespread reach of the malware, and the damage it caused, meant that the three-day attack carried an estimated global cost in the billions of dollars.
However, the damage caused by WannaCry was not evenly spread across businesses and industries. Organizations like the UK’s National Health Service (NHS), which was running a large number of unpatched machines, were especially hard hit. The cost of WannaCry to the NHS alone is estimated at around US$100 million.
The 2017 outbreak was largely halted when a researcher found a hardcoded “kill switch” domain in the WannaCry code and registered it; once the domain resolved, newly infected machines exited before encrypting files or spreading further. Since the 2017 outbreak, modified versions of WannaCry have continued to circulate, but none have matched the footprint, cost, or notoriety of the original.
As a type of ransomware, WannaCry follows a largely standardized sequence of steps, moving from initial infection through data encryption to the final ransom demand.
Unlike many other ransomware variants, WannaCry spreads on its own rather than being delivered by malicious emails or installed by malware droppers.
WannaCry’s worm functionality comes from its use of the EternalBlue exploit, which targets a vulnerability (CVE-2017-0144) in the SMBv1 implementation of Windows’ Server Message Block (SMB) protocol. The exploit was developed by the US National Security Agency (NSA) and publicly leaked by the Shadow Brokers group in April 2017.
Microsoft had already fixed the underlying vulnerability in March 2017 with security bulletin MS17-010, a month before the EternalBlue leak and two months before the main WannaCry outbreak. Many organizations had not yet installed the patch, however, leaving them exposed to WannaCry.
Machines infected with WannaCry scan both the local network and random Internet addresses for hosts exposing a vulnerable version of SMBv1 on TCP port 445. When one is found, the infected computer uses EternalBlue to deliver and execute a copy of WannaCry on the target. The malware could begin encrypting files at this point, but it first checks whether a particular hardcoded domain can be reached. If the request succeeds, the malware does nothing. This “kill switch” has been interpreted either as a way for the authors to halt a worm that, once launched, spreads independently, or as an anti-analysis measure: many sandboxes answer every DNS query and HTTP request a sample makes, so a check that exits when the domain “exists” makes the sample look benign under analysis. Notably, the check did not honor proxy settings, so machines that could reach the Internet only through a proxy failed the check and were encrypted even after the domain had been registered. If the requested domain cannot be reached, WannaCry proceeds to the encryption stage.
As a ransomware variant, WannaCry is designed to deny users access to the files on their computer unless a ransom is paid. It does this with encryption, transforming the data in a way that is only reversible with knowledge of the secret key. WannaCry uses a hybrid scheme: each file is encrypted with a freshly generated symmetric (AES) key, those keys are protected with a per-victim RSA key pair, and the victim’s RSA private key is in turn encrypted with a public key embedded in the malware whose private half only the operator holds. Because the key needed to unwind this chain is known only to the ransomware operator, a victim without backups is forced to pay the ransom to retrieve their data.
WannaCry searches for and encrypts files matching a fixed list of extensions rather than everything on disk, and skips core Windows directories. This limits the malware’s impact on system stability: a computer whose operating system files were encrypted might not boot at all, leaving the victim unable to read the ransom note, pay, or recover anything.
WannaCry demanded a ransom of US$300 from its victims, rising to US$600 if it was not paid within three days. The ransom was payable in Bitcoin rather than fiat money. As a cryptocurrency, Bitcoin is pseudonymous: every transaction is public on the blockchain, but a payment address (similar to a bank account number) is not tied to a real-world identity, so operators can embed one in a ransom note without immediately revealing who they are to the authorities.
A victim of a WannaCry attack who pays the ransom is supposed to receive a decryption key for their computer, which a decryption program supplied by the criminals uses to reverse the transformation and restore access to the original files. In practice this was unreliable: WannaCry used a handful of shared Bitcoin addresses and had no automated way to tie a payment to a particular victim, so paying offered no guarantee of recovery.
WannaCry is heavily dependent on the EternalBlue exploit to function; the malware’s authors used this one vulnerability to turn WannaCry into a self-propagating worm. The simplest protection is therefore to remove what the worm needs: install the MS17-010 update, disable the SMBv1 protocol on hosts that do not require it, and block inbound TCP port 445 at the network perimeter and between network segments where file sharing is not needed.
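The host-level checks described above, as an added example that is not part of the original article: a PowerShell script that audits a Windows machine for SMBv1 being enabled and for an MS17-010 update being installed, and disables SMBv1 when asked. The `-Remediate` switch is this example’s own design, and the KB list covers the packages from the original MS17-010 bulletin only; it is an assumption that those IDs are what a given system will report, since later cumulative updates carry the fix under different KB numbers.

```powershell
# Added example, not from the original article. Audits a Windows host for the two
# conditions WannaCry's worm component depends on: the SMBv1 server protocol being
# enabled and the MS17-010 fix being absent. Run from an elevated PowerShell session.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the SMBv1 server protocol enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the SMB1 registry value documented in KB2696547.
    # A missing value means the default, which is enabled.
    $val = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $val) -or ($val.SMB1 -ne 0)
}
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 2. Is one of the MS17-010 update packages installed?
# KB IDs from the March 2017 MS17-010 bulletin (assumption: this list is illustrative,
# not exhaustive). On systems that receive cumulative updates the fix may be present
# under a later KB, so an empty result is a prompt to verify, not proof of exposure.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found; confirm patch level in Windows Update history"
}

# 3. Remediate: turn SMBv1 off at the server side and remove the optional feature.
if ($Remediate -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 8.1 / 10 also ship SMB1 as an optional feature; removing it needs a reboot.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Host "SMBv1 disabled; reboot to complete the change"
}

# Optional network-side control for hosts that never serve files (do not apply to
# file servers or domain controllers):
#   New-NetFirewallRule -DisplayName 'Block inbound SMB' -Direction Inbound `
#       -Protocol TCP -LocalPort 445 -Action Block
```

Run it once without arguments to get the report, then with `-Remediate` on machines where nothing depends on SMBv1. Disabling SMBv1 breaks access to very old devices (some printers, NAS units and Windows XP-era hosts), so check for those dependencies first; the patch alone closes the EternalBlue hole without that side effect.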
However, this is a solution to a very specific problem. It will not protect an organization against other ransomware variants or WannaCry spread by different means. To learn how to protect the organization against a wide variety of ransomware threats, check out Check Point’s anti-ransomware solution.