Four years on, WannaCry, one of the most notorious malware infections, responsible for compromising hundreds of thousands of computers and servers, is still actively used by cyber attackers. In 2017, it decimated worldwide networks — from UK healthcare systems and Russian banks to Spanish telecommunications companies. It remains lethal, and according to one estimate it re-appeared during the pandemic.
WannaCry is a crypto-ransomware worm that attacks Windows PCs. It is a form of malware that can spread from PC to PC across networks, and then once on a computer, it can encrypt critical files. The name, WannaCry, was derived from strings of code detected in some of the first samples of the virus. WannaCry has been called a “study in preventable catastrophes” because two months before it first spread worldwide, Microsoft issued a patch that would have prevented the worm from infecting computers. But, many systems were not updated in time, and an unknown number of such systems remain vulnerable even today.
How does WannaCry spread?
Had it not been for its method of infecting computers, WannaCry would have been just another ransomware attack. The US National Security Agency discovered and exploited a critical vulnerability in Windows systems. Known as EternalBlue, the exploit was eventually shared online in April 2017 by a cybercriminal hacking group, allowing WannaCry’s creators to trick Windows systems into running its code via the Server Message Block (SMB) protocol.
WannaCry spreads by using corporate networks to jump to other Windows systems. Unlike phishing attacks, it does not need computer users to click on links or open infected files. WannaCry looks for vulnerable systems to enter (some versions also use stolen credentials), then copies and executes itself repeatedly. A single vulnerable computer on an enterprise network can therefore put the whole organisation at risk.
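The worm behaviour described above leaves a recognisable trace in network logs: one internal host opening SMB (TCP/445) connections to many distinct internal peers within a short window. The following detection script is an added example, not code from the article; it assumes a constructed connection-log format of `timestamp src dst dport` and a constructed internal address range, and flags any source whose distinct SMB targets in a 60-second window exceed a threshold.

```python
"""Detect WannaCry-style SMB fan-out (one host sweeping many peers on TCP/445).

Added example; the log format, sample records and internal ranges are assumed
for illustration and are not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
WINDOW = timedelta(seconds=60)        # how long a sweep window we look at
FANOUT_THRESHOLD = 10                 # distinct SMB targets that trigger an alert
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

# Constructed sample connection log (not real traffic): "timestamp src dst dport".
# 10.0.1.23 sweeps twelve neighbours on TCP/445 in twelve seconds (worm-like);
# 10.0.2.5 talks repeatedly to one file server (normal); 10.0.3.7 touches three.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.23 10.0.1.24 445
2017-05-12T10:00:02 10.0.1.23 10.0.1.25 445
2017-05-12T10:00:03 10.0.1.23 10.0.1.26 445
2017-05-12T10:00:04 10.0.1.23 10.0.1.27 445
2017-05-12T10:00:05 10.0.1.23 10.0.1.28 445
2017-05-12T10:00:06 10.0.1.23 10.0.1.29 445
2017-05-12T10:00:07 10.0.1.23 10.0.1.30 445
2017-05-12T10:00:08 10.0.1.23 10.0.1.31 445
2017-05-12T10:00:09 10.0.1.23 10.0.1.32 445
2017-05-12T10:00:10 10.0.1.23 10.0.1.33 445
2017-05-12T10:00:11 10.0.1.23 10.0.1.34 445
2017-05-12T10:00:12 10.0.1.23 10.0.1.35 445
2017-05-12T10:00:05 10.0.2.5 10.0.2.10 445
2017-05-12T10:00:09 10.0.2.5 10.0.2.10 445
2017-05-12T10:00:14 10.0.2.5 10.0.2.10 445
2017-05-12T10:00:20 10.0.3.7 10.0.3.1 445
2017-05-12T10:00:21 10.0.3.7 10.0.3.2 445
2017-05-12T10:00:22 10.0.3.7 10.0.3.3 445
2017-05-12T10:00:30 10.0.1.23 203.0.113.10 80
2017-05-12T10:00:31 10.0.4.4 10.0.4.9 3389
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'timestamp src dst dport' record into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def max_distinct_in_window(events, window):
    """Largest number of distinct targets seen in any `window`-long span.

    `events` is a time-sorted list of (timestamp, target) tuples.
    """
    best = 0
    for i, (t0, _) in enumerate(events):
        targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
        best = max(best, len(targets))
    return best


def detect_smb_fanout(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {source: peak_distinct_targets} for sources that sweep
    at least `threshold` distinct internal hosts on TCP/445 within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        # Only internal-to-internal SMB matters for lateral-movement detection.
        if port != SMB_PORT or not is_internal(dst):
            continue
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} reached {peak} distinct internal hosts on TCP/445 "
              f"within {int(WINDOW.total_seconds())}s")
```

The threshold is deliberately a parameter: a backup server or vulnerability scanner legitimately touches many hosts on 445, so tune it per environment and allow-list known scanners rather than lowering the bar globally. A repeated connection to one file server (10.0.2.5 above) never trips the rule because only distinct targets are counted.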
WannaCry consists of several components: a primary delivery program that contains other programs, such as the encryption and decryption software. WannaCry searches for dozens of specific file types on a computer, including Microsoft Office files, pictures, videos and sounds. It then runs a routine to encrypt those files, which can only be decrypted with an externally delivered digital key.
An infected user can only recover WannaCry-encrypted files if they have an external backup copy of those files. During the initial WannaCry attack, some victims’ only option was to pay the Bitcoin ransom. According to reports, even after the companies paid up, the hackers did not give victims access to their files.
In May 2017, WannaCry spread panic across corporate networks as it infected more than 200,000 computers in 150 countries. Among the affected systems, the UK’s National Health Service was disrupted, Spain’s Telefonica telecom services were threatened, and banks in Russia were compromised. The cost of cleaning up the damage from WannaCry and the resulting business disruption topped $8 billion, according to one estimate. While the virus seemed to appear all at once, researchers were later able to trace earlier versions to the North Korean organisation known as the Lazarus Group.
There were multiple clues buried in WannaCry’s code, but no one claimed responsibility for creating or spreading the program. Early in the cyberattack, one researcher worked out that the program first tried to access a specific web address, which turned out to be an unregistered domain name. If the program could open the URL, WannaCry would not execute, so the check acted as a sort of kill switch. British researcher Marcus Hutchins therefore registered the domain and effectively blunted the spread of the WannaCry ransomware. Today’s bigger danger is from WannaCry variants: new malware based on the same EternalBlue exploit as WannaCry.
In March 2018, Boeing was hit with a suspected WannaCry attack. The company claimed the damage was minor, affecting only a few production machines, and it was able to stop the attack and bring the affected systems back quickly.
In May 2018, ESET released research showing detections of EternalBlue-based malware spiking past their highest 2017 level. Immediately after WannaCry, detections of EternalBlue-based attacks had dropped to a few hundred a day, but they steadily rose again until spiking in April.
There have been waves and after-effects of WannaCry resurgence in the years since, and security researchers have recently seen upgraded WannaCry infections. According to one report, WannaCry ransomware detections rose 53 per cent in March 2021 compared to January 2021. In January, another report stated that WannaCry was the top ransomware family used in the Americas, with 1,240 detections. The latest variants used by hackers also no longer include a kill-switch URL.
How to Protect Your PC Against Ransomware?
Although it had a massive impact four years ago, WannaCry ransomware remains a persistent threat even today. So are organisations any better prepared? Until organisations can discover their critical systems and patch them quickly, they will remain vulnerable to another attack. There are vital cybersecurity steps every company can take to prevent a WannaCry ransomware attack:
- Keep Windows Firewall and other Windows software up to date: The initial global WannaCry infection could have been prevented if companies and individuals had updated their Windows Firewall and other Windows software. Microsoft had patched the exploit that allowed WannaCry to propagate two months earlier.
- Perform regular backups: It’s a mundane task but necessary to protect critical data, so companies need to establish a routine of backing up information. Backups should also be stored externally and disconnected from the enterprise network, for example in a cloud service, to protect them from infection.
- Cybersecurity awareness training: Employees need to be periodically reminded of good email habits, especially now that almost everyone is working remotely. They should never open unknown email attachments nor click on any links that look suspicious.
Other attacks remain possible. Other ransomware variants that use the same Windows vulnerability, Petya and NotPetya, have also been developed. Microsoft has issued a patch that closes the vulnerability, so make sure your system is up to date.