What is WannaCry?
The full story behind one of the worst ransomware outbreaks in history
‘WannaCry’ is a term that’s likely to instil fear into IT departments across the country, even several years after the devastating effects of this devilish cyber threat. Although it’s been almost four years since the ransomware first hit organisations in this country, we still look to WannaCry as an example of a real-life worst-case scenario.
The ransomware strain first rose to prominence in May 2017 when it began spreading between devices globally - seizing control of servers and files and demanding the payment of Bitcoin in exchange for their return.
This crypto-ransomware exploited a vulnerability in the Windows operating system using a tool called EternalBlue, supposedly developed by the US National Security Agency (NSA). While Microsoft had already launched a fix two months previously, many organisations that ran legacy versions of Windows, including Windows XP and Windows 7, were still vulnerable.
Arguably, WannaCry’s largest victim was the National Health Service (NHS), with the ransomware strain disrupting the operations of roughly a third of Trusts. The attack resulted in roughly 19,000 cancelled appointments, and a bill for approximately £92 million.
Although the WannaCry outbreak was devastating, it didn't last long and was halted only a few days after it was first found to be disrupting computer systems. Regardless, WannaCry served as a successful test case for the viability of ransomware as an effective method of cyber attack, with a string of cyber gangs pivoting towards it.
Who was affected by WannaCry?
WannaCry made headlines after hitting multiple NHS organisations across the country in May 2017. Systems across 16 NHS sites, including a third of hospital trusts and 5% of GP practices, were crippled by a sudden inability to access core functions, leading to severe delays and the cancellation of some 19,000 appointments.
Despite initial reports, the ransomware infections were not part of a larger coordinated attack against the NHS, as had been feared. In fact, it's believed that the NHS was simply caught in the crossfire of a particularly virulent strain of malware that targeted older systems.
Within hours of the first detection, there were reports of WannaCry infections in at least 11 countries. The malware would ultimately infect more than 200,000 systems across 150 countries, all within 24 hours. Some of the higher-profile victims included Telefonica, FedEx and Deutsche Bahn.
It was believed at the time that the worst-hit organisations were those that relied on older versions of the Windows operating system, namely Windows XP. However, post-event analysis by Kaspersky revealed that the vast majority of infections (98%) were found on machines running Windows 7, an operating system that was still receiving extended security support from Microsoft at the time, with Windows XP infections making up just 0.1%.
Victims were urged not to pay the ransom demanded, and by the time WannaCry had stopped spreading, just 327 payments had been made to the hardcoded bitcoin wallet addresses associated with the malware. The total amount paid was around $140,000 when it was withdrawn from the wallets in August 2017.
It's believed that WannaCry had the potential to cause catastrophic damage had it been deliberately targeted at critical infrastructure, such as utility companies or the National Grid.
What vulnerabilities did WannaCry exploit?
Like all ransomware, WannaCry worked by gaining access to the target's computer, encrypting the contents of its hard drives and then extorting money from the victim in exchange for the decryption key. What made WannaCry unique was the way it spread.
The WannaCry package consisted of two parts: the ransomware portion, which encrypted the target machine and displayed the ransom instructions, and a worm component that allowed it to propagate quickly throughout networks. It was this latter element that made it so devastating.
Based on a flaw in the Server Message Block (SMB) protocol of various versions of Windows, it scanned the local network that a machine was connected to, found other devices (including printers and other peripherals as well as PCs) with exposed SMB network ports, and then used specially-crafted packets to initiate a transfer and drop the payload on the new machine, whereupon the process would start all over again.
This process was based on an exploit known as 'EternalBlue', released by the Shadow Brokers hacking group. This mysterious collective of hackers dumped a number of dangerous exploits for vulnerabilities in major systems (widely thought to have been created by the NSA) onto the public web, allowing the authors of WannaCry to incorporate it into their ransomware in order to make it wormable. WannaCry also used DOUBLEPULSAR, a backdoor injection tool that was also included in the Shadow Brokers' leaks, to aid in its spread.
The EternalBlue exploit that facilitated WannaCry's spread had actually been patched by Microsoft some months earlier, but widespread failure to apply the patch in a timely manner meant that victims were left at risk. Shortly following the outbreak, Microsoft also took the unusual step of releasing an emergency patch for affected operating systems that had already reached their end-of-life date.
Who was behind WannaCry?
Attributing cyber attacks to specific individuals, groups or nation-states is always difficult; it's an inexact science at best, and made all the more difficult by malware authors planting false flags to throw investigators off the scent. However, the general consensus among the security and intelligence community is that North Korean hackers were most likely to be behind WannaCry, probably working on behalf of the government.
This assessment is lent credence by the fact that metadata within the ransomware files indicated the author's computer was set to a Korean timezone, while it has been noted by both Symantec and Kaspersky that the code bears strong similarities to code used by the Lazarus Group. This group orchestrated the hack on Sony Pictures in 2014, and has also been linked to the North Korean state.
The US government formally blamed North Korea for the attack in September 2018 - a charge that various G20 allies, including the UK, have since echoed. North Korean authorities have always denied the allegations.
How was WannaCry stopped?
The spread of WannaCry was successfully halted less than a week after its initial emergence, thanks to the combined efforts of security researchers around the world. However, the biggest blow against the malware happened virtually by accident.
A security researcher going by the handle MalwareTech (later revealed to be British citizen Marcus Hutchins) found a domain hardcoded into the malware, which it would query before releasing its payload and encrypting the target machine.
After registering the domain, he discovered that this URL was effectively acting as a kill-switch; if the malware queried the domain and didn't find anything, it would drop the payload, but if it received a response, then it didn't trigger. Some initially suggested that this was included as a deliberate kill-switch, allowing the malware's creators to pull the plug if they needed to, but Hutchins does not agree.
Some sandbox environments, which researchers use to analyse malware without risk of infecting their machine, will simulate a correct response for any URL lookup. Hutchins believes that the inclusion of a URL check is an attempt to stop it triggering in sandbox environments, making it harder for researchers to analyse and combat. The effect, however, was the same: once the domain had been registered, any new WannaCry infections would not initiate the encryption of the victim, effectively killing off its ability to spread further.
The hackers behind WannaCry attempted to launch new variants with different hard-coded domains, but these were quickly spotted and registered as well. They also tried to knock Hutchins' original domain offline via a Mirai-powered DDoS attack, but were ultimately unsuccessful. The domain is currently being maintained by Kryptos Logic, Hutchins' employer.
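The two behaviours described above, the SMB sweep of the local network and the lookup of the hard-coded domain, are both visible in ordinary perimeter logs. The following is an added example written for this article, not code from the original page or from any of the researchers named: it runs two detections over constructed firewall and DNS resolver records, flagging hosts that reach many distinct peers on TCP/445 within a short window (the worm's scanning pattern) and hosts that queried the sinkholed kill-switch domain (still infected, even though the sinkhole stopped the payload). The domain name, log formats, thresholds and addresses are all assumptions for illustration; the real kill-switch domain is not reproduced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real domain
# Constructed firewall records "<ISO time> <src> <dst> <dport>": 10.0.0.5 sweeps
# the subnet on TCP/445 within seconds, 10.0.0.9 talks to a single file server.
FIREWALL_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.13 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.14 445
2017-05-12T10:00:05 10.0.0.9 10.0.0.20 445
2017-05-12T10:30:00 10.0.0.5 10.0.0.16 445
"""
# Constructed resolver records "<ISO time> <client> <query name>".
DNS_LOG = """\
2017-05-12T10:00:00 10.0.0.5 killswitch-domain.example
2017-05-12T10:00:04 10.0.0.9 intranet.corp.example
2017-05-12T10:00:07 10.0.0.7 KillSwitch-Domain.example.
"""

def parse(text, fields):
    """Whitespace-delimited lines -> dicts with a datetime 'ts'; bad lines skipped."""
    rows = [dict(zip(fields, p)) for p in map(str.split, text.splitlines())
            if len(p) == len(fields)]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def smb_scanners(log=FIREWALL_LOG, min_targets=5, window=timedelta(seconds=60)):
    """{src: distinct hosts} for sources that reach min_targets or more distinct
    hosts on TCP/445 within any window-long interval: a worm-like SMB sweep."""
    by_src = defaultdict(list)
    for r in parse(log, ("ts", "src", "dst", "dport")):
        if r["dport"] == "445":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def kill_switch_queriers(log=DNS_LOG, domain=KILL_SWITCH_DOMAIN):
    """Clients that queried the sinkholed domain: still infected, the payload just never ran."""
    return sorted({r["src"] for r in parse(log, ("ts", "src", "qname"))
                   if r["qname"].rstrip(".").lower() == domain})
```

The single legitimate file-server client (10.0.0.9) is not flagged by the sweep rule, and the trailing-dot, mixed-case DNS record is normalised before matching so that resolver formatting quirks do not hide an infected host.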