What is WannaCry ransomware, how does it infect, and who was responsible?
WannaCry is a ransomware worm that spread rapidly across many computer networks in May 2017. After infecting a Windows computer, it encrypts files on the hard drive, making them inaccessible to the user, and demands a ransom payment in bitcoin in exchange for decryption.
Several factors made WannaCry's initial spread notable. It struck a number of important and high-profile systems, including Britain's National Health Service. It exploited a Windows vulnerability first identified by the U.S. National Security Agency. And Symantec and other security researchers tentatively linked it to the Lazarus Group, a cybercrime group that may be connected to the North Korean government.
The WannaCry ransomware executable consists of multiple components. It arrives on the target computer as a dropper, a self-contained program that extracts the other application components embedded within itself. Those components include:
- An application that encrypts and decrypts data
- Files containing encryption keys
- A copy of Tor
The program code is not obfuscated and was relatively easy for security professionals to analyze. Once launched, WannaCry tries to reach a hard-coded URL (the so-called kill switch); if it cannot, it proceeds to search for and encrypt files in a variety of important formats, ranging from Microsoft Office documents to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom note demanding $300 in bitcoin to decrypt the files.
How does WannaCry infect PCs?
The attack vector WannaCry uses is even more intriguing than the ransomware itself. The vulnerability it exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. SMB lets nodes on a network share files and other resources, and Microsoft's implementation could be tricked by specially crafted packets into executing arbitrary code.
The vulnerability is believed to have been discovered by the U.S. National Security Agency, which, instead of reporting it to Microsoft or the infosec community, developed an exploit for it, known as EternalBlue. That exploit was in turn stolen by a hacking group calling itself the Shadow Brokers, which published it in April 2017 alongside an obscure Medium post. Microsoft had already released a patch for the vulnerability a month before the leak, but many systems remained unpatched, and WannaCry, using EternalBlue to spread from machine to machine, began propagating rapidly on May 12. In the wake of the outbreak, Microsoft publicly criticized the U.S. government for stockpiling the vulnerability rather than disclosing it sooner.
An infected PC does not always have its files encrypted. That's because, as noted above, WannaCry first tries to reach a very long, gibberish URL before going to work: if the domain resolves and responds, the malware shuts down, and only if the domain is unreachable does encryption begin. The purpose of this behavior is not entirely clear. Some researchers believed it was a way for the malware's creators to halt the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult. Many researchers run malware in a "sandbox" environment that simulates internet connectivity, so that any URL or IP address appears reachable; by hard-coding an attempt to contact a nonsense domain that was not expected to exist, the creators may have hoped the malware would detect such a sandbox and refuse to run, so that researchers could not watch it go through its paces.
Hutchins not only discovered the hard-coded URL but also paid $10.96 to register the domain, which activated the kill switch and helped halt the spread of the malware. Shortly after being hailed as a hero for this, Hutchins was arrested in the U.S. for allegedly developing unrelated malware in 2014. He declared his innocence at the time; in 2019 he pleaded guilty to two charges connected to the Kronos banking malware.
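The two behaviours described above, the kill-switch lookup that every launch performs and the SMB sweep that spreads the worm, are also the two cheapest things a defender can hunt for in network logs. The following is an added example (not code from the article, from Hutchins, or from any vendor): it runs over constructed resolver and firewall log lines and flags hosts that queried the kill-switch domain or fanned out to many SMB peers. The log formats, the placeholder kill-switch hostname, and the thresholds are all assumptions; substitute the published indicator and your own log format.

```python
"""Network-side triage for a WannaCry-style outbreak (added example, not from the article).

Two signals follow directly from the behaviour the article describes:
  1. a host that looks up the hard-coded kill-switch domain has executed the worm,
     whether or not the lookup succeeded and encryption was skipped;
  2. a host opening SMB (445/tcp) connections to many distinct peers in a short
     window is sweeping the network for EternalBlue targets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the real kill-switch hostname is not reproduced here; substitute the
# published indicator. This placeholder is hypothetical.
KILL_SWITCH_DOMAINS = {"killswitch-example.invalid"}

# Constructed sample resolver log (not a real capture).
DNS_LOG = """\
2017-05-12T10:01:03Z resolver1 query src=10.0.4.17 qname=www.example.com. qtype=A
2017-05-12T10:01:05Z resolver1 query src=10.0.4.17 qname=KillSwitch-Example.invalid. qtype=A
2017-05-12T10:01:09Z resolver1 query src=10.0.4.23 qname=update.example.org. qtype=A
2017-05-12T10:02:44Z resolver1 query src=10.0.7.2 qname=killswitch-example.invalid. qtype=A
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) \S+ query src=(?P<src>\S+) qname=(?P<qname>\S+)")
CONN_RE = re.compile(r"^(?P<ts>\S+) \S+ conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_conn_log():
    """Constructed firewall connection log: one worm host sweeping a /24 on 445/tcp
    at one peer per second, plus an ordinary client reusing a single file server."""
    base = datetime(2017, 5, 12, 10, 1, 6, tzinfo=timezone.utc)
    lines = []
    for i in range(1, 25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} fw1 conn src=10.0.4.17 dst=10.0.5.{i} dport=445 proto=tcp")
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f"{ts} fw1 conn src=10.0.4.23 dst=10.0.9.5 dport=445 proto=tcp")
    return "\n".join(lines) + "\n"


CONN_LOG = _constructed_conn_log()


def _epoch(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc).timestamp()


def find_killswitch_lookups(log, domains=KILL_SWITCH_DOMAINS):
    """Return the set of source hosts that queried any kill-switch domain."""
    wanted = {d.lower().rstrip(".") for d in domains}
    hits = set()
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m and m["qname"].lower().rstrip(".") in wanted:
            hits.add(m["src"])
    return hits


def find_smb_fanout(log, threshold=20, window_s=60):
    """Return source hosts that reached >= threshold distinct 445/tcp peers
    within any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m and m["dport"] == "445":
            by_src[m["src"]].append((_epoch(m["ts"]), m["dst"]))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> connections currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window_s:  # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged.add(src)
                break
    return flagged


def triage(dns_log, conn_log, threshold=20, window_s=60):
    """Map each suspicious host to the set of reasons it was flagged."""
    reasons = defaultdict(set)
    for host in find_killswitch_lookups(dns_log):
        reasons[host].add("kill-switch lookup")
    for host in find_smb_fanout(conn_log, threshold, window_s):
        reasons[host].add("smb fan-out")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(triage(DNS_LOG, CONN_LOG).items()):
        print(host, sorted(why))
```

A host that appears only under "kill-switch lookup" ran the worm but, once the domain was registered, most likely exited before encrypting; it still needs to be isolated and patched, because the exploit that put the worm there will work again. Tune the fan-out threshold against your own baseline: file servers and vulnerability scanners legitimately talk to many SMB peers.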
Ironically, the patch needed to prevent WannaCry infections was available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to close the hole EternalBlue exploits. Although Microsoft rated the patch as critical, many systems remained unpatched when WannaCry began to spread two months later.
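Installing MS17-010 fixes the bug but leaves SMBv1 switched on, so the durable mitigation after patching is to find every host that still speaks SMBv1 and disable it. The following is an added example (not code from the article, and not a Microsoft tool): it builds the SMB_COM_NEGOTIATE request that opens every SMBv1 session, offering only the NT LM 0.12 dialect, and classifies the reply. A server with SMBv1 disabled simply closes the connection or rejects the negotiate, while one that still has it enabled answers with an accepted dialect index. The reply used for the offline check is constructed; `probe_smb1()` needs a live host and should only be pointed at networks you are authorized to scan. Note that this reports SMBv1 exposure, not whether MS17-010 is installed.

```python
"""SMBv1 exposure probe (added example, not from the article or from Microsoft).

MS17-010 fixes the SMBv1 bug but does not turn SMBv1 off, so this does not tell you
whether a host is patched; it tells you which hosts still speak the protocol that
EternalBlue targets, which is the attack surface to remove by disabling SMBv1.
Only the packet builder and reply parser run offline; probe_smb1() needs a live host.
"""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"    # the SMBv1 dialect Windows negotiates
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"  # 32-byte SMBv1 header, little-endian


def _smb1_header(command, status=0, flags=0x18):
    """Protocol id, Command, NTSTATUS, Flags, Flags2, PIDHigh, SecurityFeatures,
    Reserved, TID, PIDLow, UID, MID. Flags2 0xC853: Unicode, NT status, ext. security."""
    return struct.pack(SMB1_HEADER_FMT, b"\xffSMB", command, status, flags,
                       0xC853, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)


def _netbios_frame(smb):
    """NetBIOS session service header: message type 0x00 plus 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate(dialects=(DIALECT_NT_LM_012,)):
    """Build an SMB_COM_NEGOTIATE request offering only the given dialects."""
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(dialect_bytes))  # WordCount=0, ByteCount
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE) + params + dialect_bytes)


def parse_negotiate_response(data):
    """Return (smb1_accepted, reason) for a raw NetBIOS-framed reply."""
    if len(data) < 4 + 32 + 1:
        return False, "short or empty reply (SMBv1 most likely disabled)"
    smb = data[4:]
    if smb[:4] != b"\xffSMB":
        return False, "reply is not SMBv1 (an SMB2+-only server answers differently)"
    status = struct.unpack_from("<I", smb, 5)[0]  # NTSTATUS follows the command byte
    if status != 0:
        return False, f"negotiate rejected, NTSTATUS=0x{status:08x}"
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return False, "negotiate reply carries no dialect index"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return False, "server accepted none of the offered dialects"
    return True, f"SMBv1 dialect index {dialect_index} accepted"


def probe_smb1(host, port=445, timeout=3.0):
    """Send the negotiate to a live host and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        try:
            reply = s.recv(1024)
        except socket.timeout:
            reply = b""
    return parse_negotiate_response(reply)


def constructed_reply(status=0, word_count=17, dialect_index=0):
    """Constructed reply shaped like a Windows NEGOTIATE response, truncated after
    DialectIndex (enough for the parser). Not a real capture."""
    params = struct.pack("<BH", word_count, dialect_index)
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, status, flags=0x98) + params)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_smb1(sys.argv[1]))
    else:
        print(parse_negotiate_response(constructed_reply()))
```

Hosts that come back accepted are the ones to fix: install the patch if it is missing and then turn SMBv1 off, which on current Windows is an optional feature that can be removed entirely. An empty reply means the host refused to negotiate SMBv1, which is the state every machine on the network should be in.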
If a system is already infected and its files encrypted, patching will not undo the damage: there is no reliable way to decrypt the files, and the only sound recovery path is to restore from a clean backup. This is why you must back up your files regularly and keep the backups somewhere the ransomware cannot reach. (Researchers later showed that on some machines that had not been rebooted since infection, the private key could be recovered from the memory of the still-running process, but that is a narrow and unreliable path, not a general fix.) While those monitoring the bitcoin wallets listed in the ransom note report that some victims are paying, there is little evidence that paying results in their files being restored.
WannaCry and Windows 10
Microsoft released the patch fixing the SMB vulnerability WannaCry exploits two months before the attack. Unpatched Windows 10 systems were vulnerable, but the automatic update feature built into Windows 10 meant that almost all Windows 10 systems had been patched by May 2017.
Microsoft's SMB patches were initially available only for supported versions of Windows, which did not include Windows XP. There were still millions of internet-connected Windows XP systems in use, including at Britain's National Health Service, where many WannaCry infections were reported, and Microsoft eventually released the SMB patch for unsupported older versions of the OS as well. However, a later analysis found that the vast majority of WannaCry infections struck machines running Windows 7, an operating system Microsoft still supported at the time.