When you hear someone mention the words “WannaCry,” you might think it’s some kind of prank. For anyone who works in cybersecurity, though, it is anything but.
WannaCry ransomware is the name given to malicious code that exploits vulnerabilities in the Windows operating system and locks users out of the files on any computer it infects. It first appeared in 2017, infecting computers all around the globe.
One of the first victims of the attack was Britain’s National Health Service, which still utilizes the Windows XP operating system.
Let’s take a closer look at WannaCry, how it works, and why you should be wary of it…
WannaCry Ransomware Explained
The worldwide outbreak of the WannaCry ransomware prompted a very swift response from the U.S. National Security Agency.
Security forensics specialists suspect that the malware originated from the Lazarus Group, a cybercrime group that is possibly linked with North Korea.
This same group was linked to DDoS attacks on networks controlled by the South Korean government in 2009. Over time they grew bolder, while their attacks have also grown more sophisticated.
The ransomware itself has multiple components. WannaCry infects computers as a dropper: a self-contained program that extracts the application components embedded within it.
The components include:
- A copy of the Tor program
- Files with encryption keys
- A data decryption program
When active, WannaCry first looks for a specific URL known as the kill-switch. If it does not find it, it proceeds to look for and encrypt files of any format, including MP3s, WMVs, and Microsoft Office files, locking the user out of them.
It takes advantage of a vulnerability in the Windows iteration of the SMB (Server Message Block) protocol. This protocol enables nodes within a computer network to communicate with each other.
Hackers can also use this protocol to send false communications that prompt computers to execute malicious code and infect a network. Once the files are encrypted, WannaCry demands a ransom payment of $300 in Bitcoin to unlock the affected files.
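The kill-switch behaviour described above gives defenders a detection signal in web-proxy logs. The following triage script is an added example, not code from the original article: the kill-switch hostname, client IPs and log lines are constructed placeholders, and it assumes squid-style proxy lines of the form "epoch client result/status URL".

```python
"""Triage proxy logs for WannaCry kill-switch lookups. Added example, not from
the original article; the hostname, IPs and log lines are constructed."""
import re
from collections import defaultdict

# Assumption: replace with the real kill-switch hostname from your intel feed.
KILL_SWITCH_HOSTS = {"killswitch.example.invalid"}

# Constructed squid-style lines: epoch, client IP, result/status code, URL.
SAMPLE_LOG = """\
1494841200 10.0.1.17 TCP_MISS/200 http://intranet.example.invalid/index.html
1494841203 10.0.1.42 TCP_DENIED/403 http://killswitch.example.invalid/
1494841204 10.0.1.42 TCP_DENIED/403 http://killswitch.example.invalid/
1494841210 10.0.1.88 TCP_MISS/200 http://killswitch.example.invalid/
1494841215 10.0.1.17 TCP_MISS/200 http://updates.example.invalid/patch.msu
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+)/(\d{3}) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)

def parse_line(line):
    """Return (client_ip, status_code, hostname), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, client, _, status, url = m.groups()
    h = HOST_RE.match(url)
    return (client, int(status), h.group(1).lower()) if h else None

def triage_kill_switch(log_text):
    """Map client IP -> verdict for each host that requested the kill switch.

    2xx: the dropper found the URL and halted before encrypting, but the host
    is still infected; isolate and patch it. Anything else (proxy denial,
    blocked DNS): the dropper saw no kill switch and, per its logic, proceeds
    to encrypt; treat as active encryption and isolate immediately.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in KILL_SWITCH_HOSTS:
            seen[rec[0]].append(rec[1])
    return {ip: ("infected-halted" if any(200 <= c < 300 for c in codes)
                 else "likely-encrypting") for ip, codes in seen.items()}

if __name__ == "__main__":
    for ip, verdict in sorted(triage_kill_switch(SAMPLE_LOG).items()):
        print(f"{ip:<12} {verdict}")
```

The practical caveat this surfaces: a proxy or DNS filter that blocks the kill-switch domain makes the lookup fail, which is exactly the condition under which the sample proceeds to encrypt, so the domain should be allowed through or sinkholed rather than denied.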
The origin story of this malware is rather peculiar. Microsoft first discovered the vulnerability in March of 2017. When the NSA got wind of it, they reportedly constructed code to exploit it, code-named EternalBlue.
The exploit somehow got out: it was stolen by a hacker group called the Shadow Brokers, and information on it was passed along a month later in a political post on Medium that same year. Microsoft criticized the U.S. government for having known about the exploit beforehand but not acting on that information until it was too late.
Should You Be Worried About WannaCry?
If the computer networks in your office do not have the latest antivirus definitions, security updates, and appropriate firewall solutions in place, WannaCry can still infect the systems that have not been updated.
WannaCry also exploits vulnerabilities in older Windows operating systems that Microsoft no longer supports. Support for Windows XP ended back in 2014, while extended support for Windows 10 ends in 2020. Unfortunately, millions of computers around the world still run these older operating systems.
Enterprises need to be concerned because it only takes one attack vector for a hacker to infiltrate and affect an entire network, regardless of where the individual computers that make up that network are located.
WannaCry demonstrated that a single weaponized program can lock out and isolate computer networks with ease. The end result is lost revenue, loss of network access, and compromised networks that enable further attacks.
What Can You Do About WannaCry?
As mentioned before, Microsoft already had an update to patch the WannaCry/EternalBlue SMB vulnerability back in March of 2017, identified as MS17-010.
Networks have to be actively monitored to ensure that no files have been infected by WannaCry. The unfortunate truth about this form of malware is that there is no easy remedy other than wiping the affected computer and restoring it from backups.
The lesson that WannaCry ransomware presented is simple – don’t leave computers unpatched. You’ll need to examine your organizational policies and operational practices for when systems are updated, and revise them as necessary.
Prioritize the systems that are most vulnerable to the malware and patch them first, then move on from there. Any system found to be infected should be taken off the network and restored from a secure backup.
The Bottom Line on WannaCry Ransomware
After the attack, all organizations would do well to heed the lessons learned from it. There are still bad guys out there looking to harm your devices and your finances.
Leadership will need to work with their IT managers and plan ways to phase out older systems in favor of new ones (budgets permitting).
In addition, they should deploy security updates and patch the most vulnerable systems first to prevent hackers from breaching organizational networks.