How does the WannaCry malware work?


Ransomware has grown into one of the most serious cyber threats to enterprises, posing a risk of financial loss, business disruption, and reputational harm. This sort of malware uses strong encryption to encrypt the files on a computer and prevent them from being accessed until a decryption key is provided. A ransom message is displayed on the device's screen, demanding that the victim pay a particular amount of money (typically in Bitcoin) in exchange for the key, with no certainty that the attackers will keep their promise. WannaCry, which struck in 2017, was one of the most catastrophic cyber-attacks ever seen.

In just one day, it swept the globe, shutting down critical systems all across the world and infecting over 230,000 machines in over 150 nations. We will discuss the attack and how it works below.

What is WannaCry?

WannaCry is a ransomware attack that first surfaced in the spring of 2017 and brought the concept of ransomware to public attention. Many systems were disabled by the global attack, including public-service networks that support hospitals and law enforcement offices. Experts classify WannaCry as a cryptoworm. The security community responded with a "kill switch" and patches that effectively halted WannaCry from infecting machines.

The WannaCry attackers used EternalBlue, an exploit previously developed and employed by the US National Security Agency. EternalBlue allowed WannaCry to spread by exploiting a flaw in Microsoft's Server Message Block (SMB) protocol.

Although a software fix was made available, computers that did not install it were still exposed to the WannaCry ransomware assault. Months after the WannaCry attack was effectively ended, countries like the United States and the United Kingdom suggested that North Korea sponsored the WannaCry hackers.

WannaCry quickly became a textbook example of a ransomware assault, which encrypts file data and demands ransom payments in bitcoin or untraceable money. WannaCry's rapid and widespread spread demonstrated how dangerous ransomware could be, with the attack affecting more than 200,000 machines worldwide and incurring billions of dollars in damage.

Working of WannaCry

WannaCry spreads by using a flaw in Microsoft's SMBv1 network resource sharing protocol. An attacker can use the exploit to transmit specially crafted packets to any system that accepts data from the public Internet on port 445, the port reserved for SMB. SMBv1 is a network protocol that has since been phased out.

WannaCry spreads by exploiting the EternalBlue vulnerability. The attackers begin by scanning the target network for devices that accept traffic on TCP port 445, indicating that the system is set up to run SMB. A port scan is commonly used to accomplish this. The next step is to use SMBv1 to connect to the device.

Once the connection is established, a buffer overflow is used to gain control of the targeted system and install the ransomware component of the attack. Once a machine is infected, the WannaCry worm spreads to other unpatched devices without the need for human intervention. According to security analysts, even after victims paid the ransom, the ransomware did not automatically unlock their computers or decrypt their files. Instead, victims had to hope that WannaCry's makers would send decryption keys for the hostage PCs over the Internet, a wholly manual process with a significant flaw: the hackers had no means of knowing who had paid the ransom. Security experts therefore advised that keeping the money and rebuilding the compromised systems was the wiser choice, because there was only a tiny possibility that the victims' files would be decrypted.
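The propagation pattern described above (scan the network for hosts listening on TCP port 445, then connect over SMBv1 and spread without human intervention) is something a defender can look for in connection logs. The following is an added example, not code from the article: it runs over a constructed sample log and flags hosts that reach many distinct peers on TCP/445 in a short window, and SMB connections arriving from outside the RFC1918 private ranges (the log format, the 60-second window and the threshold of five peers are assumptions).

```python
# Added example (not from the article): flag WannaCry-style SMB propagation in
# connection logs: a host opening TCP/445 to many distinct peers in a short
# window (scan-then-connect), and TCP/445 arriving from non-RFC1918 addresses.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log, one connection per line: "timestamp src dst dport"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.13 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.14 445
2017-05-12T10:00:10 10.0.0.7 10.0.0.20 445
2017-05-12T10:06:00 198.51.100.23 10.0.0.30 445
2017-05-12T10:06:05 10.0.0.9 10.0.0.30 80
"""
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    # Parse "timestamp src dst dport" lines into (datetime, src, dst, dport) tuples.
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_smb_scanners(events, window=timedelta(seconds=60), threshold=5):
    """Sources that reached >= threshold distinct hosts on TCP/445 within window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, conns in by_src.items():
        conns.sort()  # sliding window over connections ordered by time
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(peers) >= threshold:
                scanners.add(src)
                break
    return scanners

def find_external_smb_sources(events):
    """Sources outside RFC1918 space that connected to TCP/445 (exposed SMB)."""
    return {src for _, src, _, port in events
            if port == 445 and not any(ip_address(src) in n for n in INTERNAL)}
```

On the constructed log, `find_smb_scanners(parse_log(SAMPLE_LOG))` returns `{"10.0.0.5"}` and `find_external_smb_sources(...)` returns `{"198.51.100.23"}`; tune the window and threshold to the size of the network being monitored.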

How does it spread?

WannaCry spread thanks to a Windows vulnerability known as MS17-010, which was exploited by hackers using the EternalBlue exploit. The NSA found this software flaw and, instead of notifying Microsoft, built tools to exploit it. This code was then stolen and made public by a mysterious hacker group known as The Shadow Brokers. Microsoft was made aware of EternalBlue and issued a patch (a software update that fixes the vulnerability). Those who did not apply the patch (which included most users) remained exposed to EternalBlue.

WannaCry attacks networks via SMBv1, a file-sharing protocol that allows PCs to communicate with printers and other networked devices. WannaCry is worm-like malware that can spread across networks on its own. Once installed on one machine, WannaCry scans the network for more vulnerable devices. It breaks in via the EternalBlue exploit and then installs and executes itself using the DoublePulsar backdoor. As a result, it can self-replicate without requiring human interaction or a host file or program, which qualifies it as a worm rather than a virus.

How was WannaCry stopped?

According to cybersecurity researcher Marcus Hutchins, WannaCry would attempt to access a particular URL after landing on a machine. If the URL could not be reached, the ransomware would infect the computer and encrypt its contents. Hutchins registered the domain name and used it to construct a DNS sinkhole that effectively killed WannaCry. He endured an anxious few days when hackers used a Mirai botnet variant to target his URL, attempting a DDoS attack to bring down the domain and with it the kill switch.

Hutchins secured the domain by serving a cached version of the site that could withstand the increased traffic, and the kill switch remained in place. It's unclear whether the kill switch was included in WannaCry's code by accident or because the hackers intended a way to stop the attack.

Should I pay the ransom or try to recover the encrypted files?

Presently, decryption of encrypted files is not possible, although Symantec researchers are looking into it. For further information, see this article. You may be able to recover impacted files if you have backup copies. Symantec advises against paying the ransom.

Without backups, files can sometimes still be retrieved. The original copies of files saved on the Desktop, in My Documents, or on a removable drive are deleted with no way to get them back. Files stored elsewhere on the computer's hard drive are encrypted and their originals simply deleted, which suggests that an undelete tool could be used to recover them.

What is the procedure for paying a ransom?

WannaCry's perpetrators demand that the ransom be paid in Bitcoin. WannaCry is meant to generate a unique Bitcoin wallet address for each infected computer, but this code does not execute successfully owing to a race condition bug. WannaCry then falls back on three hardcoded Bitcoin addresses as its payment destination. Because the attackers cannot determine which victims paid using the hardcoded addresses, victims' files are unlikely to be decrypted.

WannaCry's attackers responded by releasing a fresh version of the program that addressed the flaw, but it was not as successful as the original.

Later, a new message appeared on compromised PCs, telling victims that their files would be decrypted if the ransom were paid.

Is the WannaCry ransomware still a threat?

Even though Microsoft patched the SMBv1 vulnerability on March 14, 2017, two months before WannaCry was discovered, the exploit that allowed the ransomware to spread quickly still poses a threat to unpatched and unprotected computers.

Malware writers have had a lot of success exploiting Microsoft's SMB protocol, with EternalBlue being a crucial component of the devastating NotPetya ransomware outbreak in June 2017. In 2017, the Russian-linked Fancy Bear cyber espionage group, also known as Sednit, APT28, or Sofacy, used the exploit to attack Wi-Fi networks in European hotels. The exploit has also been identified as one of the methods used by malicious crypto miners to spread their code.

WannaCry remains a threat because of a fundamental shift in attack routes and a growing attack surface. It's also a danger because many businesses don't patch their systems. In the first quarter of 2021, Check Point Research recorded a 53 percent increase in organizations hit by WannaCry attacks, compared to a 57 percent increase in ransomware attacks in Q4 2020 and Q1 2021.

WannaCry introduced the ransomware cryptoworm concept: code that spreads through remote office services, cloud networks, and network endpoints. To infect an entire network, such ransomware only needs one access point; it then spreads to other devices and systems by self-propagation. More sophisticated variants of ransomware have evolved since the initial WannaCry attack. Traditional ransomware attacks, which require regular communication with their controllers, are being replaced by automated, self-learning tactics in these new varieties.

WannaCry and other ransomware strains: How to Protect Yourself?

  • Make sure your software is up to date: Despite Microsoft releasing a patch for the EternalBlue vulnerability, millions of individuals failed to install it. WannaCry might not have been able to infect them if they had updated. As a result, it's critical to keep all of your software up to date. It's also crucial to keep your security software up to date.

  • Open emails from unknown senders with caution: There are a lot of scams out there, and the most popular way for cybercriminals to distribute malware is by email. Emails from unknown senders should be treated with suspicion, and you should especially avoid clicking on any links or downloading any files unless you're confident they're genuine.

  • Any Microsoft Office email attachment that instructs you to activate macros to read its content should be avoided at all costs. Do not activate macros unless you are confident that this is an actual email from a reputable source. Instead, delete the email immediately.

  • The most effective strategy to combat ransomware attacks is to back up crucial data. By encrypting valuable files and making them inaccessible, attackers control their victims. If the victim has backup copies of their files, they can restore them after removing the virus. Organizations should, however, ensure that backups are appropriately safeguarded or stored off-line to prevent intruders from deleting them.

  • Because many cloud services keep prior versions of information, you may be able to restore your files to their unencrypted state if you use them.

Updated on 15-Mar-2022 10:38:17