WannaCry — how does it work, and is it still alive?

What is the WannaCry ransomware attack?

WannaCry is a ransomware cryptoworm used to initiate the notorious WannaCry cyberattacks. Hackers targeted Windows computers and demanded payments in Bitcoins for encrypted data. They used the EternalBlue exploit developed by the NSA.

The attack began on May 17, 2017, and affected over 300,000 devices in over 150 countries. While the ransom demand was relatively low (300-600 dollars), the overall damage of WannaCry ranges from millions to billions of dollars.

WannaCry significantly affected the UK’s National Health Service by corrupting thousands of pieces of equipment. It also targeted other notable companies like Renault, FedEx, and Deutsche Bahn. Amongst the most affected countries were Russia, Ukraine, India, and Taiwan.

Back in 2017, Marcus Hitchins, a UK hacker, famously managed to stop the attack for a few hours after discovering the kill switch that prevented the infected devices from spreading the attack further.

Who created WannaCry?

While there is no officially identified culprit, the US, Canada, New Zealand, Japan, and a few other governments agree that North Korea is the originator of the attack. The government experts based their conclusions on code similarities with Lazarus Group, a notorious North Korean cybercriminal organization, and Korean timestamps in ransomware metadata.

How does WannaCry ransomware work?

WannaCry encrypts your data and demands a ransom in exchange for a decryption key. Victims then get a ransom note on their screens with instructions. If they don’t pay the ransom, criminals delete the data.

As noted above, WannaCry exploited the previously known EternalBlue vulnerability developed by the NSA and later leaked by The ShadowBrokers group. EternalBlue exploited the implementation of the Windows server message block (SMB) protocol that helps various network nodes to communicate. Hackers discovered that they could use this protocol to inject crafted packets with arbitrary codes. Even though Microsoft released the patch to deal with the exploit, the spread of this malware occurred because many organizations didn’t apply it on time.

Criminals also inject WannaCry using the DoublePulsar backdoor installed on the targeted devices. When WannaCry arrives on a victim’s computer, it extracts malicious application components such as the app encrypting and decrypting your data, files with encryption keys, and a copy of Tor.

When inside, WannaCry first checks the kill switch domain name used to stop malware. If it doesn’t find it, it starts to encrypt the most important file formats such as doc, mp3, and mkvs. Finally, by using the EternalBlue vulnerability, it tries to spread itself further to random computers on the internet and your network.

Is WannaCry ransomware still a threat?

Despite the available patches and information, WannaCry is still an active threat. Again, it usually benefits from unpatched systems. As we continue to witness WannaCry cases even today, it’s clear that patching is not yet a universal practice.

How should we protect ourselves from attacks like WannaCry?

Here are a few pieces of advice on how to protect yourself from the WannaCry ransomware attack:

• Constantly update your software and implement the latest patches. WannaCry could have been less damaging if users had implemented the relevant patches and updates on time.
• Always use the most up-to-date cybersecurity software to hunt down malware. The NordVPN’s Threat Protection feature is also extremely useful as it neutralizes cyber threats before they can do any real damage to your device. It can also identify malicious websites and files, block ads and trackers.
• Don’t, by any means, open suspicious links, banners, or attachments. Also, don’t download software from dodgy websites because it can contain unwanted surprises.
• Avoid sticking USBs in your devices that you don’t 100% trust.
• Use a VPN when you connect to public Wi-Fi so that no cybercriminal could intercept your traffic.
• Back up your data because it can make a ransomware attack less damaging.