WannaCry is a ransomware infection that has affected over 100,000 organizations in at least 150 countries around the globe for the purpose of obtaining money. The WannaCry ransomware, also dubbed WannaCrypt0r or WCry, is considered to be the biggest online extortion attacked because of the damage caused. Ransomware encrypts files and typically pops up a ransom warning demanding a considerable amount of money for freedom. The WannaCry ransomware encrypts all the data and leaves the computer with two files, which are the file containing instructions and the malicious program itself.
The WannaCry ransomware was launched after a group of hackers leaked information about a flaw in Microsoft's software detected by the National Security Agency. The exploit employed by the attackers is called Eternal Blue. The vulnerability was patched in March, but statistics show that people do not hurry to update their operating systems. Consequently, the vulnerability remains open for long enabling hackers to take over non-patched systems. Researchers have revealed that the WannaCry ransomware is capable of locking-down all Windows operating systems except for Windows 10, but that does not mean that no new strains of the infection cannot be developed to cause greater havoc.
The obnoxious malware was temporarily stopped by self-taught 22-year-old British researcher Marcus Hutchins who experimentally found a "kill switch". The young man discovered that the infection encrypts files only after trying to connect to a remote web address. If the threat find that address unreachable, it starts encoding files; otherwise, it terminates itself for good. The researcher purchased an unregistered website for less than £10 and was able to redirect 5,000 connections per second to a harmless server.
The WannaCry ransomware was spread via corporate networks, or rather through file-sharing systems. The cyber attack was targeted at international services, including companies, banks, schools, telephone companies, schools, and hospitals. That is so because the ransomware is spread through Microsoft Windows Server Message Block, or simply SMB, used by institutions.
Hospitals in England have been found to be the most affected. For example, the wave of the WannaCry attack has affected 47 NHS trusts in the UK, resulting in cancellation of operations and appointments. The affected NHS trusts were criticized for not updating their systems even though they had been warned that they were running a risk of getting compromised by malware. Nevertheless, patient data has not been compromised, but patients are warned about possible inconvenience and kindly asked to seek medical advice in case of emergencies.
Other services suffering from the damage include FedEx, Spain's Telefonica, Nissan, and Renault. Geographically, the ransomware has had the biggest effect in Russia, Taiwan, India, and Ukraine. Russian's president Vladimir Putin has blamed the US for the attack and disputed any statements that Russia is related to the global attack.
After successful download and file encryption, the WanaCry ransomware demands payment in the cryptocurrency named Bitcoin for data recovery. The ransom fee varies from $300 to $600. The FBI and many other security firms strongly advise against paying the ransom since by doing so victims may encourage the attackers to continue their illegal acts or ask for bigger sums. Usually cyber criminal do not bother to respond to victims' payment submission by sending them a decryption key. Paying up the fee demanded does not solve the issue. Instead, it is advisable to remove the WannaCry ransomware and restore the lost data from a back-up storage device.
Malware researchers have found that the WannaCry attack is linked to Lazarus, which is the group responsible for the attacks on Sony Pictures and the Bangladesh central bank. The massive WannaCry outbreak was recorded on May 12, 2017, but some earlier versions of the ransomware are known to have been used in February, March, and April. Data analysis has revealed that there are some shared characteristics among the Lazarus attacks and the variants of WannaCry, leading to the conclusion that the Lazarus group may be behind the aggressive global attack of May 2017. However, these findings have not been conclusively proved.
Even though WannaCry is seemingly disabled, cyber criminals are known to have created another variant called Uiwix which is exploiting the same vulnerability SMBv1 and SMBv2 as the WannaCry ransomware did. The new variant operates in the same way, adding the .uiwix extension to all the files encrypted. Moreover, it drops a file called "_DECODE_FILES.txt" containing more information about decryption and payment submission. The only way to prevent it is to install a Windows patch to the affected system.
Experts strongly advise to take preventative measures to avoid being attacked WannaCry on any other type of ransomware. First, it is crucial to make a copy of valuable information and store it separately so that it does not get reached by cyber criminals. In case of encryption, the infection could be removed and the lost data restored from a storage device. Second, it is highly advisable to avoid questionable websites and emails. Usually, hackers send deceptive scam emails containing a malicious link, which, when clicked on, downloads malware. When an email from a known person arouses suspicion, it is worth reaching out to the sender to make sure that the link in the email is legitimate. Third, it is crucial to keep the system protected by running reliable security programs. Lastly, it is vital to install the update released by Microsoft to close vulnerabilities in SMBv1 and SMBv2.
The affected operating systems are listed as follows:
- Microsoft Windows Vista SP2
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows 7
- Microsoft Windows 10
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2012 și R2
- Microsoft Windows Server 2016
- Microsoft Windows XP
- Microsoft Windows Server 2003
To ease the detection of the missing update, the Microsoft Baseline Security Analizer 2.3 was released. The tool lists the updates that should be installed and provides details on their severity and potential impact. On March 14, 2017, Microsoft released its Security Bulleting MS17-010 containing a table with affected operating systems and links to their updates. Install the missing updates and be aware of the potential danger of the WannyCry ransomware and its new versions.