It’s hard to ignore ransomware attacks nowadays. According to the FBI’s Internet Crime Report, local complaints about such threats rose by 20 percent in 2020. Globally, attacks escalated by over 60% between 2019 and 2020. Not only are ransomware attacks increasing, but they’re also becoming more prominent.
From oil pipelines and hospitals to schools, banks, and charities, it seems like no organization is immune to ransomware attacks. It’s not just large companies that suffer from these cybersecurity breaches. Small businesses are also targets of ransomware and can find it harder to survive as they usually have fewer resources than larger companies to recover.
While the global WannaCry attack occurred in 2017, many other types of ransomware have emerged in the years since. Let's take a look at WannaCry and why it was such a significant cyber incident.
What was the WannaCry ransomware attack?
"Ooops, your files have been encrypted!"
In May 2017, WannaCry ransomware spread globally through computers running Windows. Nearly two months prior, Microsoft had released a security patch for the vulnerability targeted by EternalBlue, the exploit the attackers used to propagate WannaCry ransomware. However, many Windows users around the world had not applied the update or were running out-of-date versions of Windows, and so were vulnerable to the large-scale attack.
The WannaCry attackers encrypted Windows computers around the world and demanded a ransom of $300 worth of Bitcoin, later raised to $600 worth. It infected an estimated 230,000 computers across 150 countries in just hours. After the malware had spread rapidly across the globe, security researcher Marcus Hutchins discovered a kill switch that significantly slowed the attack.
WannaCry Ransomware Infection Heat Map
Why was WannaCry so successful?
Ransomware like WannaCry typically works by encrypting your files or locking your system. It then demands payment in a cryptocurrency like Bitcoin, because such currencies are harder to trace than electronic money transfers, checks, or cold hard cash. However, WannaCry has some characteristics that set it apart from the typical ransomware attack you read about today.
Cybergangs usually use pure ransomware strains for targeted attacks. Think of it like a bow and arrow instead of a catapult. The former is best for hitting one target at a time, while the latter is better for striking multiple targets. For example, the malware and the criminal gang behind the Colonial Pipeline ransomware attack seemingly focused on only one target. To plant the DarkSide ransomware, the gang apparently took advantage of a known password for a legacy Virtual Private Network (VPN) account.
On the other hand, WannaCry was more of a catapult. It lived up to its name by infecting hundreds of thousands of computers in over 150 countries in just a few hours. It took no prisoners, rapidly hitting all types of systems through business networks. So, why was the spread of the WannaCry ransomworm so widespread and successful?
1. Worm Component
A worm is a type of malware that can delete files, consume bandwidth, and spread rapidly without needing a host file. It self-propagates, meaning that, unlike a virus, it doesn't need human activation to start its malicious activity. In addition, worms can drop malware like ransomware. WannaCry hit Windows PCs like wildfire thanks to its worm component.
2. Exploit
An exploit is code or a technique that takes advantage of an unpatched system vulnerability for malicious activity. The flaw WannaCry exploits is in how Windows handles the SMB (Server Message Block) protocol. In a nutshell, the SMB protocol allows network nodes to communicate, for example to share files and printers. Although Microsoft patched the vulnerabilities in 2017, threat actors still use SMB vulnerabilities today for Trojan and ransomware attacks, because many Windows users don’t install updates.
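The worm behaviour described above, one infected host trying to reach many neighbours over SMB (TCP port 445) in a short time, leaves a distinctive trace in flow or firewall logs. The following is an added example, not code from the article or from Malwarebytes: a small Python detector that replays constructed flow-log lines and flags any source reaching more than a threshold of distinct hosts on port 445 inside a sliding window. The log layout, the threshold and the window length are assumptions.

```python
"""Detect SMB worm-style fan-out (many TCP/445 targets from one host).

Added example, not code from the article: replays constructed flow-log
lines and flags sources reaching more than FANOUT_THRESHOLD distinct
hosts on port 445 within WINDOW. Log layout and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 5            # distinct 445 targets per window (assumed)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed)

# Constructed sample log, one flow per line: "<timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.23 10.0.1.40 445
2017-05-12T10:00:01 10.0.1.23 10.0.1.41 445
2017-05-12T10:00:02 10.0.1.23 10.0.1.42 445
2017-05-12T10:00:02 10.0.1.23 10.0.1.43 445
2017-05-12T10:00:03 10.0.1.23 10.0.1.44 445
2017-05-12T10:00:03 10.0.1.23 10.0.1.45 445
2017-05-12T10:00:05 10.0.1.77 10.0.1.10 445
2017-05-12T10:00:06 10.0.1.77 10.0.1.10 445
2017-05-12T10:00:07 10.0.1.77 10.0.1.11 445
2017-05-12T10:00:09 10.0.1.88 10.0.1.5 443
"""

def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct 445 targets} for sources over threshold."""
    events = defaultdict(list)             # src -> [(ts, dst), ...] on 445
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            if dport == 445:
                events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()                         # chronological order
        for i, (now, _) in enumerate(evs):
            # distinct targets seen in the window ending at this event
            recent = {dst for ts, dst in evs[: i + 1] if now - ts <= window}
            if len(recent) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(recent))
    return alerts

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB targets in {WINDOW.seconds}s")
```

Normal file-server traffic usually shows many clients talking to a few servers, so tune the threshold against your own baseline before alerting on it.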
What sectors were hardest hit by WannaCry?
The WannaCry attack spread so rapidly and infected so many computers worldwide that many industries were affected. These include:
How many computers did WannaCry infect?
WannaCry hit an estimated 230,000 computers. The malware affected the operations of hospitals, emergency services, petrol stations, and even factories. Some estimates put the financial cost of the attack in the billions.
Who created WannaCry?
The United States officially blames North Korea for the WannaCry attack, and it even indicted three North Koreans for the malware and the 2014 Sony Pictures Entertainment hack. Interestingly, the NSA (National Security Agency) may have also played a role in the WannaCry attack, albeit inadvertently.
Allegedly, the NSA uncovered the SMB vulnerability that WannaCry exploits. Later, this so-called EternalBlue exploitation tool was allegedly stolen from the intelligence organization and leaked by The Shadow Brokers (TSB), a hacker group.
Is WannaCry still a threat?
WannaCry is less of a threat today, in large part thanks to the heroics of Marcus Hutchins. The British computer security researcher developed a kill switch, using reverse engineering and honeypots, that prevented WannaCry from executing further. In addition, a team of French researchers found a way to decrypt some affected computers without paying a ransom.
However, WannaCry is still active. Be sure to update your Windows operating system regularly to ensure you have the latest security patches. You can also rely on Malwarebytes’s intelligent anti-malware technology to detect and remove Ransom.WannaCrypt proactively.
What does WannaCry do if not paid?
WannaCry demands $300 in Bitcoin after locking a system. Later, it doubles the extortion fee. It also threatens to delete your data permanently within three days. Here at Malwarebytes, we recommend you don’t pay ransomware gangs, partly because paying encourages more gangs looking for a quick way to get rich. Additionally, there’s no guarantee that you’ll unlock your files or your computer. For example, not every victim of WannaCry got their files back after paying the fee, possibly due to a flaw in the ransomware itself.
What are some good ransomware mitigation strategies?
For the devices you use at home, use antivirus/anti-malware software that defends against all kinds of malicious software, including ransomware protection. For businesses, strategies to mitigate ransomware include:
- Use cybersecurity software that can detect and block ransomware threats.
- Back up your data frequently, and air gap your critical backups.
- Segment your network.
- Plug exploits by regularly checking for security updates.
- Be wary of ransomware threat vectors such as phishing emails.
- Set complex passwords and change them periodically.
- Protect your system and essential accounts with two-factor authentication.
WannaCry articles from Malwarebytes Labs
- Microsoft pushes patch to prevent ‘WannaCry level’ vulnerability
- The Advanced Persistent Threat files: Lazarus Group
- How threat actors are using SMB vulnerabilities
- All this EternalPetya stuff makes me WannaCry
- Mobile Menace Monday: Fake WannaCry Scanner
- WannaDecrypt your files? The WannaCry solution, for some
- How did the WannaCry ransomworm spread?
- Wanna Cry some more? Ransomware roundup special edition
- The worm that spreads WanaCrypt0r