What is WannaCry?

The full story behind one of the worst ransomware outbreaks in history

Though more than two years have passed since it first struck, WannaCry is a name that undoubtedly continues to strike fear into the hearts of many executives after becoming the de facto example of how devastating malware can be.

Back in 2017, the security community was blindsided by the emergence of this particularly nasty and virulent strain of ransomware. Named 'Wana Decrypt0r 2.0', the malware was a new variant of the WannaCry ransomware family and quickly became known simply as 'WannaCry'.

It caused a huge amount of devastation across the world, locking businesses and consumers out of their computers and costing billions in damage and lost productivity. The outbreak, while extremely damaging, was thankfully brief, and was stopped within a few days of its discovery. Nevertheless, WannaCry proved to the world that ransomware can be a highly effective method of attack, with its success no doubt fueling its popularity today.

Who was affected by WannaCry?

WannaCry made headlines after hitting multiple NHS organisations across the country. Systems across 16 NHS sites, including a third of hospital trusts and 5% of GP practices, were crippled by a sudden inability to access core functions, leading to severe delays and the cancellation of some 19,000 appointments. 

Contrary to initial rumours, the outbreak was not part of a coordinated attack on the NHS; rather, the NHS had simply been caught in the crossfire of a particularly infectious variety of malware. Within hours of being first detected, WannaCry had spread to at least 11 countries, eventually infecting 150 countries and 200,000 systems within its first day. It claimed high-profile corporate victims including Telefonica, Nissan and FedEx, as well as countless individual users.

WannaCry cost an estimated $4 billion in losses across the globe, while the NHS incurred £92 million in costs as a result of the attack. At the time, the rapid spread of the malware was largely blamed on organisations (including the NHS) running legacy versions of Windows that were no longer supported. However, according to an analysis by Kaspersky Lab, 98% of the infections were found on Windows 7 machines, which were still receiving extended Microsoft support at the time, with Windows XP making up just 0.1% of infections.

Victims were urged not to pay the ransom, and by the time WannaCry had stopped spreading, just 327 payments had been made to the hardcoded bitcoin wallet addresses associated with the malware. The total amount paid was around $140,000 when it was withdrawn from the wallets in August 2017.

What vulnerabilities did WannaCry exploit?

Like all ransomware, WannaCry worked by gaining access to the target's computer, encrypting the contents of its hard drives and then extorting money from the victim in exchange for the decryption key. What made WannaCry unique was the way it spread.

The WannaCry package comprised two parts: the ransomware portion, which encrypted the target machine and threw up the ransom instructions, and a component which allowed it to quickly propagate throughout networks. It was this latter element which made it so devastating.

Exploiting a flaw in the Server Message Block (SMB) protocol of various versions of Windows, the propagation component scanned the local network that a machine was connected to, found other devices (including printers and other peripherals as well as PCs) with exposed SMB network ports, and then used specially-crafted packets to initiate a transfer and drop the payload on the new machine, whereupon the process would start all over again.

This process was based on an exploit known as 'EternalBlue', released by the Shadow Brokers hacking group. This mysterious collective of hackers dumped a number of dangerous exploits for vulnerabilities in major systems (widely thought to have been created by the NSA) onto the public web, allowing the authors of WannaCry to incorporate EternalBlue into their ransomware in order to make it wormable. WannaCry also used DOUBLEPULSAR, a backdoor injection tool that was also included in the Shadow Brokers' leaks, to aid in its spread.

The EternalBlue exploit that facilitated WannaCry's spread had actually been patched by Microsoft some months earlier, but widespread failure to apply the patch in a timely manner meant that victims were left at risk. Shortly following the outbreak, Microsoft also took the unusual step of releasing an emergency patch for affected operating systems that had already reached their end-of-life date.
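
The network scanning described above leaves a recognisable trace: one internal host opening SMB connections to many different peers in a short time. The following is an added example, not part of the original article, of how a defender might flag that pattern in flow logs; the log format, the 60-second window and the threshold of four peers are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # TCP port used by SMB on modern Windows
WINDOW = timedelta(seconds=60)  # assumed sliding-window length
FANOUT_THRESHOLD = 4            # assumed tuning value: distinct peers per window

# Constructed sample flow log, one record per line: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.0.15 10.0.0.20 445
2024-01-01T09:00:02 10.0.0.15 10.0.0.21 445
2024-01-01T09:00:03 10.0.0.15 10.0.0.22 445
2024-01-01T09:00:04 10.0.0.15 10.0.0.23 445
2024-01-01T09:00:05 10.0.0.15 10.0.0.24 445
2024-01-01T09:00:07 10.0.0.30 10.0.0.5 445
2024-01-01T09:00:40 10.0.0.30 10.0.0.9 443
2024-01-01T09:01:00 10.0.0.40 10.0.0.20 445
2024-01-01T09:04:00 10.0.0.40 10.0.0.21 445
2024-01-01T09:07:00 10.0.0.40 10.0.0.22 445
2024-01-01T09:10:00 10.0.0.40 10.0.0.23 445
truncated line
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)
        except ValueError:  # wrong field count or unparsable value
            continue

def smb_fanout_suspects(text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Map each source to its peak count of distinct SMB peers in one window,
    keeping only sources whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            suspects[src] = best
    return suspects
```

In the sample, only 10.0.0.15 is flagged: a workstation talking to a single file server, and a host that reaches several peers slowly over minutes, both stay below the threshold.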

Who was behind WannaCry?

Attributing cyber attacks to specific individuals, groups or nation-states is always difficult; it's an inexact science at best, and made all the more difficult by malware authors planting false flags to throw investigators off the scent. However, the general consensus among the security and intelligence community is that North Korean hackers were most likely to be behind WannaCry, probably working on behalf of the government.

This assessment is lent credence by the fact that metadata within the ransomware files indicated the author's computer was set to a Korean timezone, while it has been noted by both Symantec and Kaspersky that the code bears strong similarities to code used by the Lazarus Group. This group orchestrated the hack on Sony Pictures in 2014, and has also been linked to the North Korean state.

The US government formally blamed North Korea for the attack in September 2018 - a charge that various G20 allies, including the UK, have since echoed. North Korean authorities have always denied the allegations.

How was WannaCry stopped?

The spread of WannaCry was successfully halted less than a week after its initial emergence, thanks to the combined efforts of security researchers around the world. However, the biggest blow against the malware happened virtually by accident.

A security researcher going by the handle MalwareTech (later revealed to be British citizen Marcus Hutchins) found a URL hardcoded into the malware, which the malware would query prior to releasing its payload and encrypting the target machine.

After registering the domain, he discovered that this URL was effectively acting as a kill-switch; if the malware queried the domain and didn't find anything, it would drop the payload, but if it received a response, then it didn't trigger. Some initially suggested that this was included as a deliberate kill-switch, allowing the malware's creators to pull the plug if they needed to, but Hutchins does not agree.

Some sandbox environments, which researchers use to analyse malware without risk of infecting their machine, will simulate a correct response for any URL lookup. Hutchins believes that the inclusion of a URL check is an attempt to stop it triggering in sandbox environments, making it harder for researchers to analyse and combat. The effect, however, was the same: once the domain had been registered, any new WannaCry infections would not initiate the encryption of the victim, effectively killing off its ability to spread further.

The hackers behind WannaCry attempted to launch new variants with different hard-coded domains, but they were quickly caught and registered. They also tried to knock Hutchins' original domain offline via a Mirai-powered DDoS attack, but were ultimately unsuccessful. The domain is currently being maintained by Kryptos Logic, Hutchins' employer.
