ransomware as a service (RaaS) The history and evolution of ransomware

WannaCry ransomware

What is WannaCry ransomware?

The WannaCry ransomware is a worm that spreads by exploiting vulnerabilities in the Windows operating system (OS).

WannaCry, also known as WannaCrypt, WannaCryptor and Wanna Decryptor, spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). EternalBlue enables attackers to use a zero-day vulnerability to gain access to a system. It targets Windows computers that use a legacy version of the Server Message Block (SMB) protocol.

WannaCry is one of the first examples of a worldwide ransomware attack. It began with a cyber attack on May 12, 2017, that affected hundreds of thousands of computers in as many as 150 countries, including systems in the National Health Services of England and Scotland, FedEx, University of Montreal and Honda.

WannaCry ransomware is particularly dangerous because it propagates through a worm. This means it can spread automatically without victim participation, which is necessary with ransomware variants that spread through phishing or other social engineering methods. Because it encrypts systems, WannaCry is referred to as a cryptoworm or ransomworm.

WannaCry encrypts files on the hard drives of Windows devices so users can't access them. In May 2017, the cryptoworm demanded a ransom payment of between $300 to $600 in bitcoin within three days to decrypt the files. However, even after paying, only a handful of victims received decryption keys.

Microsoft had released a patch (MS17-010) to mitigate the vulnerability in March 2017. Shortly after the initial WannaCry attack on May 12, 2017, Microsoft took the highly unusual step of releasing patches for end-of-life versions of Windows, including Windows XP and Windows Vista.

What is known about WannaCry?

After WannaCry began to spread across computer networks in May 2017, some experts suggested the worm carrying the ransomware may have been released prematurely due to the lack of a functional system for decrypting victim systems after paying the ransom.

The NSA EternalBlue exploit, tracked as Common Vulnerabilities and Exposures 2017-0144, was leaked on April 14, 2017, by the Shadow Brokers. It uses a vulnerability only in SMB version 1, which was deprecated in 2013. Any Windows system that accepts SMBv1 requests is at risk for the exploit. Only systems that have later versions of SMB enabled or that block SMBv1 packets from public networks resist infection by WannaCry.

The Shadow Brokers is a hacker group that surfaced in 2016 when it began releasing exploit code purportedly from the NSA. The leaked exploit code appeared to have been created in 2013 after disclosures of classified data from the NSA by Edward Snowden. The Shadow Brokers released EternalBlue to the public as part of its fifth leak of classified code in April 2017. The Shadow Brokers claimed it stole EternalBlue and other exploits and cyberweapons from the NSA-linked Equation Group.

Although Microsoft had issued a patch for the vulnerability in March 2017 -- a month before it was disclosed by the Shadow Brokers -- many organizations failed to update their Windows systems and, therefore, were exposed to the WannaCry cryptoworm.

Security researchers tentatively linked the WannaCry worm to the Lazarus Group, a nation-state advanced persistent threat (APT) group with ties to the North Korean government. In December 2017, the White House officially attributed the WannaCry attacks to North Korea.

Due to early reports indicating the threat actors behind the WannaCry ransomware were not providing decryption keys to victims who paid the ransom, many victims chose not to pay. A day after the attack surfaced, security researcher Marcus Hutchins, then better known as MalwareTech, discovered a kill switch that stopped WannaCry from spreading.

How does WannaCry work?

WannaCry exploits a vulnerability in Microsoft's SMBv1 network resource sharing protocol. The exploit enables an attacker to transmit crafted packets to any system that accepts data from the public internet on port 445 -- the port reserved for SMB. SMBv1 is a deprecated network protocol.

WannaCry uses the EternalBlue exploit to spread. The first step attackers take is to search the target network for devices accepting traffic on TCP port 445, which indicates the system is configured to run SMB. This is generally done by conducting a port scan. The next step is to initiate an SMBv1 connection to the device. After the connection is made, a buffer overflow is used to take control of the targeted system and install the ransomware component of the attack.

Once a system is affected, the WannaCry worm propagates itself and infects other unpatched devices -- all without any human interaction.

Even after victims paid the ransom, the ransomware didn't automatically release their computers and decrypt their files, according to security researchers. Rather, victims had to wait and hope that WannaCry's developers would deliver decryption keys for the hostage computers remotely over the internet -- a completely manual process that contained a significant flaw: The hackers didn't have any way to prove who paid the ransom. Since there was only a slight chance the victims would get their files decrypted, the wiser choice was to save their money and rebuild the affected systems, according to security experts.

Graphic displaying how the WannaCry ransomware spreads
The WannaCry ransomware infiltrates, exploits and spreads through a system to encrypt the victim's files.

What was the impact of WannaCry?

WannaCry caused significant financial consequences, as well as extreme inconvenience for businesses across the globe.

The initial May 2017 attack is estimated to have hit more than 200,000 devices. Innumerable devices have fallen victim since -- and still are.

Estimates of the total financial impact of the initial WannaCry attack were generally in the hundreds of millions of dollars, though Symantec/Broadcom estimated the total costs at $4 billion. However, what surprised experts about this attack was how little damage it did compared with the damage it could have done given its worm functionality.

In the wake of the WannaCry attack, the U.S. Congress introduced the Protecting Our Ability to Counter Hacking Act in May 2017. The act proposed having any software or hardware vulnerabilities in the government's possession reviewed by an independent board. The act never passed.

WannaCry did prove to be a wakeup call for the enterprise cybersecurity world to implement better security programs and renew its focus on the importance of patching. Many security teams have better educated themselves and IT departments to better protect their organizations against ransomware. The chief information security officer role has also seen an upsurge in prominence, according to Security Intelligence.

The WannaCry attacks also ignited the popularity of commercial ransomware attacks among the hacker community. Ransomware constituted 39% of all malware incidents with data loss in 2017, according to the 2018 Data Breach Investigations Report.

Stopping the spread of WannaCry

WannaCry uses a technique called a kill switch to determine whether the malware should encrypt a targeted system. Hardcoded into the malware is a web domain that WannaCry checks for presence of a live webpage when it first runs. If attempting to access the kill switch domain does not result in a live webpage, the malware encrypts the system.

U.K.-based security researcher Marcus Hutchins, aka MalwareTech, discovered he could activate the kill switch if he registered the web domain and posted a page on it. Originally, Hutchins wanted to track the spread of the ransomware through the domain it was contacting, but he soon found that registering the domain stopped the spread of the infection.

Other security researchers reported the same findings as Hutchins and said new ransomware infections appeared to have slowed since the kill switch was activated.

In August 2017, after a two-year investigation and just months after he stopped the spread of WannaCry and was publicly identified, Hutchins was arrested by the Federal Bureau of Investigation in Las Vegas after the DEF CON 2017 conference. He was accused of helping create and spread the Kronos banking Trojan, malware that recorded and exfiltrated user credentials and personally identifying information from protected computers. In 2019, Hutchins pled guilty to two of the 10 charges he faced.

Is WannaCry still a threat?

Even though Microsoft issued updates that fixed the SMBv1 vulnerability on March 14, 2017 -- two months before the WannaCry malware was first detected -- the exploit that enabled the rapid spread WannaCry ransomware still threatens unpatched and unprotected systems.

Exploits of Microsoft's SMB protocol have been extremely successful for malware writers, with EternalBlue also being a key component of the destructive June 2017 NotPetya ransomware attacks.

The exploit was also used by the Russian-linked Fancy Bear cyberespionage group, also known as Sednit, APT28 or Sofacy, to attack Wi-Fi networks in European hotels in 2017. The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers.

WannaCry is still a threat, in part, because of a radical change in attack vectors and an expanding attack surface. It is also a threat because many companies fail to patch their systems. Check Point Research documented a 53% increase in companies affected by WannaCry attacks in the first quarter of 2021, in congruence with a 57% increase in ransomware attacks in Q4 2020 and Q1 2021.

With WannaCry also came the concept of the ransomworm and cryptoworm -- code that spreads via remote office services, cloud networks and network endpoints. A ransomworm only needs one entry point to infect an entire network. It then self-propagates to spread to other devices and systems.

Since the initial WannaCry attack, more sophisticated variations of the ransomworm have emerged. These new variants are moving away from traditional ransomware attacks that must have constant communication back to their controllers and replacing them with automated, self-learning methods.

How to defend against WannaCry

The first step to preventing WannaCry is to disable SMBv1 and update to the latest software. Version 3.1.1 was released in 2020. Keep all Windows systems patched and up to date. If possible, block traffic on port 445.

Beyond that, organizations can defend against WannaCry and other ransomware variants by doing the following:

WannaCry can be removed manually, though the process is not recommended for less skillful users:

  1. Restart the computer in Safe Mode.
  2. Remove any suspicious programs from the startup. Press Windows+R, and then type msconfig in the field that appears.
  3. Fake or infected items listed there will have unknown as the manufacturer. Find and remove these entries. Then, hit OK when finished.
  4. Press Windows+R. Type in %temp%, and hit OK. A folder will pop up showing all the temporary files in the system. Select them all, and then press Shift+Delete to delete them all.
  5. Remove files infected with the virus. Press Windows+R, type %appdata% into the field and hit OK. Then, find and delete the recent files that are associated with the WannaCry ransomware.
  6. Clear the registry entries. Press Windows+R, and type in regedit. Navigate to this directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tasks\{41D55966-1192-454F-9C86-D0EB950D9984.
  7. If there are keys associated with the ransomware, right-click and delete them. Repeat this in the directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tree\Fd3KZfCq.

Users can also employ a number of tools to remove WannaCry. For example, Microsoft's Windows Malicious Software Removal Tool and most other antimalware software will remove the threat.

This was last updated in September 2021

Continue Reading About WannaCry ransomware

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing