WannaCry is a ransomware cryptoworm used to initiate the notorious WannaCry cyberattacks. Hackers targeted Windows computers and demanded payments in Bitcoins for encrypted data. They used the EternalBlue exploit developed by the NSA.
The attack began on May 17, 2017, and affected over 300,000 devices in over 150 countries. While the ransom demand was relatively low (300-600 dollars), the overall damage of WannaCry ranges from millions to billions of dollars.
WannaCry significantly affected the UK's National Health Service by corrupting thousands of pieces of equipment. It also targeted other notable companies like Renault, FedEx, and Deutsche Bahn. Amongst the most affected countries were Russia, Ukraine, India, and Taiwan.
Back in 2017, Marcus Hitchins, a UK hacker, famously managed to stop the attack for a few hours after discovering the kill switch that prevented the infected devices from spreading the attack further.
While there is no officially identified culprit, the US, Canada, New Zealand, Japan, and a few other governments agree that North Korea is the originator of the attack. The government experts based their conclusions on code similarities with Lazarus Group, a notorious North Korean cybercriminal organization, and Korean timestamps in ransomware metadata.
WannaCry encrypts your data and demands a ransom in exchange for a decryption key. Victims then get a ransom note on their screens with instructions. If they don't pay the ransom, criminals delete the data.
As noted above, WannaCry exploited the previously known EternalBlue vulnerability developed by the NSA and later leaked by The ShadowBrokers group. EternalBlue exploited the implementation of the Windows server message block (SMB) protocol that helps various network nodes to communicate. Hackers discovered that they could use this protocol to inject crafted packets with arbitrary codes. Even though Microsoft released the patch to deal with the exploit, the spread of this malware occurred because many organizations didn't apply it on time.
Criminals also inject WannaCry using the DoublePulsar backdoor installed on the targeted devices. When WannaCry arrives on a victim's computer, it extracts malicious application components such as the app encrypting and decrypting your data, files with encryption keys, and a copy of Tor.
When inside, WannaCry first checks the kill switch domain name used to stop malware. If it doesn't find it, it starts to encrypt the most important file formats such as doc, mp3, and mkvs. Finally, by using the EternalBlue vulnerability, it tries to spread itself further to random computers on the internet and your network.
Despite the available patches and information, WannaCry is still an active threat. Again, it usually benefits from unpatched systems. As we continue to witness WannaCry cases even today, it’s clear that patching is not yet a universal practice.
Here are a few pieces of advice on how to protect yourself from the WannaCry ransomware attack:
Want to read more like this?
Get the latest news and tips from NordVPN