Skip to content Skip to navigation Skip to footer

What is WannaCry Ransomware Attack?

WannaCry is a high-profile ransomware attack that rapidly spread through computer networks around the world in May 2017. The attack targeted a vulnerability in old Windows versions, for which a patch had been released by Windows more than two months before WannaCry spread across the world.

The WannaCry attack was formed of several components, which included:

An Application That Encrypts and Decrypts Data

The initial WannaCry dropper contains an application that enables an attacker to encrypt and decrypt data. The encryption component is known as Wana Decrypt0r 2.0, and within it was a password-protected ZIP file.

Files Containing Encryption Keys

Within that ZIP file were several individual files containing configuration information that helped the hacker launch their attack. It also included encryption keys that enabled them to unlock data.

A Copy of Tor

The ZIP file also contained a copy of the Tor network, which is an open-source web browser that aims to protect and hide users’ data, locations, and online activity through anonymous browsing.

Origin of WannaCry Ransomware Attack

WannaCry, also known as WCry, was a ransomware attack that first emerged in May 2017. The attack was highly effective because it spread across devices by exploiting the Windows Server Message Block (SMB) protocol, which enables Windows machines to communicate with each other on a network.

The attack was spread using EternalBlue, a zero-day vulnerability in devices that use an old version of SMB. It was first discovered by the U.S. National Security Agency (NSA) before being obtained by hacking group Shadow Brokers, which published the exploit within a post on blogging site Medium in April 2017.

How Does the WannaCry Attack Work?

The WannaCry attack works by infecting PCs and spreading between machines by itself without requiring user intervention or social engineering. It uses the EternalBlue exploit to attack any device that was not patched against the vulnerability. 

The WannaCry ransomware attack works by using a dropper known as DoublePulsar, a software program that extracts embedded application components, to attack an infected computer. WannaCry attempts to access a Uniform Resource Locator (URL) that is hard-coded into the attack, and when accessed, shuts WannaCry down, which became known as its "kill switch." WannaCry then searches for important files on the device, which are typically Microsoft Office documents, MPEG Audio Layer 3 (MP3) files, or Matroska Multimedia Container (MKV) files. It encrypts the files, making them unavailable to the user, and displays a ransom demand for the user to pay to decrypt the files.

This method ensures the WannaCry malware is not written to the device’s disk in an unencrypted form, which hides it from traditional antivirus programs. In addition to encrypting the victim’s files, the attack also scans for visible file shares and infects any systems connected to them, which enables it to rapidly spread across networks. 

What Happens if the WannaCry Ransom is Not Paid?

WannaCry attackers typically issued a demand for victims to pay either $300 or $600 in bitcoin within a week of their device being attacked. However, victims were advised not to pay the ransom. In most cases, attackers did not decrypt data, and it was suspected they were not technically capable of doing so. 

What Impact Did the WannaCry Attack Have?

WannaCry had a major impact on organizations across the world, infecting over 230,000 computers and causing billions of dollars worth of damages. It had a particularly devastating effect on healthcare organizations, including the U.K.’s National Health Service (NHS), due to their extensive use of outdated and unpatched Windows devices. The attack resulted in critical equipment and systems becoming inoperable or unavailable, which led to the closure of emergency rooms and lifesaving devices like magnetic resonance imaging (MRI) becoming ineffective.

WannaCry also had a major impact on large manufacturers that used vulnerable versions of Windows. Many suffered production outages that were hugely costly.

How Can WannaCry Be Stopped?

WannaCry could have been stopped by downloading a Microsoft patch released more than two months before the attack began. Microsoft flagged the Microsoft Security Bulletin MS17-010 patch, released in March 2017, as critical, but many systems remained unpatched, leaving them open to WannaCry.

An automatic feature built into Windows 10 systems ensured users were protected against WannaCry. However, the patch was initially only available for supported Windows versions, which did not include the millions of Windows XP systems that were connected to the internet. Microsoft later released a patch for older, nonsupported Windows systems. Unpatched systems that were infected could only be restored by reverting to a safe backup.

Ransomware Protection

Businesses can protect themselves from ransomware attacks like WannaCry by ensuring they only operate the latest software versions and following security best practices.

Update Your Software and Operating System Regularly

Updating software is crucial to avoiding the threat of ransomware attacks like WannaCry. Organizations and individual users must ensure automatic updates are turned on and any new updates or patches to the software are downloaded immediately.

Do Not Click on Suspicious Links

Ransomware attacks are typically spread through phishing methods that encourage victims to click on links within an email. These links either lead to spoofed websites that attackers use to harvest sensitive personal information or trigger the download of malicious software that infects their computer. It is therefore best practice not to click on any link within any email.

Never Open Untrusted Email Attachments

Similar to the spread of ransomware through malicious links, phishing emails also spread malware through email attachments. These attachments can result in malicious code or software being installed, which gives the attacker control of the user’s device or enables them to encrypt files on it.

Do Not Download from Untrusted Websites

It is also important to only download applications or software from trusted providers. Suspicious websites that claim to offer free versions of trusted software are likely to include malicious code or programs that can infect a user’s device.

Avoid Unknown USBs

Universal Serial Bus (USB) devices are commonly used by attackers to spread malware or malicious code. Avoid using any unknown USBs, even if it is a device found around the office, because it could be infected with malware.

Use a VPN When Using Public Wi-Fi

A virtual private network (VPN) helps users access the internet securely on any network. Public Wi-Fi networks should be avoided, but doing so through a VPN can ensure that the user’s device, location, and browsing activity remain private and cannot be intercepted by a hacker.

Install Internet Security Software

Internet security software is crucial to keeping organizations and individuals safe from existing and new security threats. Security software ensures that users’ devices and data are protected at all times from serious cyberattacks and prevents hackers from infiltrating their systems.

Update Your Internet Security Software

In addition to installing internet security software, it is also vital to keep the software updated at all times. Enabling automatic updates and ensuring all new patches are installed immediately will keep the software up to date and keep users protected from the latest security threats.

Back-up Your Data

Backing up data is crucial should an organization fall victim to a ransomware attack. Threats like WannaCry encrypt data, which makes it unavailable to users. Often, the only way to retrieve the data is to revert to a previous backup.

Is WannaCry Still a Threat?

The WannaCry attack and new variants of it remain a threat to computers that have not patched for the SMB vulnerability. For example, in March 2018, aircraft maker Boeing suffered a suspected WannaCry attack but was able to quickly stop it and minimize the damage caused to its systems.

How Fortinet Can Successfully Block WannaCry Attacks

Fortinet security solutions provide a five-pronged approach to help customers avoid and block a WannaCry attack. The FortiGate intrusion prevention system (IPS) plugs the exploit, and FortiSandbox provides sandbox environments that detect malicious behavior. 

The Fortinet antivirus engine detects the WannaCry malware and its variants. Its web filter identifies targeted sites, then blocks or allows them, while the FortiGate internal segmentation firewall (ISFW) stops the malware’s spread. For organizations that have been infected by the attack, the Fortinet Security Fabric can help them track down the malware and understand where and how it infected them.

FAQs

What is the WannaCry ransomware attack?

WannaCry is a ransomware attack that targets unpatched vulnerabilities in the Windows Server Message Block (SMB) protocol.

What is the impact of the WannaCry attack?

WannaCry had a major impact on organizations all over the world that had not patched for the vulnerability. It resulted in systems being locked and files being encrypted, which meant they were lost forever if they had not been backed up. It infected more than 230,000 computers worldwide and caused billions of dollars worth of damages.

What happened if the WannaCry ransom was not paid?

WannaCry attackers encrypted files and demanded a ransom for the files to be decrypted. However, there was no evidence that the attackers had the capability to decrypt the data, so security experts advised people never to pay the ransom demand.

How was WannaCry stopped?

WannaCry can be stopped by downloading a Microsoft patch for the SMB vulnerability, which was made available two months before the attack began.

Is WannaCry still a threat?

Yes, WannaCry is still a threat for old Windows devices that have not patched to prevent the vulnerability from being exploited.