How Does WannaCry Ransomware Work?

The WannaCry ransomware attack can be considered the largest cyberattack ever carried out against a large number of organizations around the world. The attack reached 99 different countries (including the US, UK, China and others).

WannaCry ransomware: what is it and why is it so bad?

So how does WannaCry work? In this case the hackers use a vulnerability in Microsoft Windows known as Eternal Blue, or CVE-2017-0144.

What is Eternal Blue?

This vulnerability is exploited where the Server Message Block v1 (SMBv1) protocol is implemented. The hacker generates and sends a specially crafted packet to the remote host to gain remote access to the system, and can then run arbitrary code on it. Microsoft has confirmed that this vulnerability is dangerous for all versions of Windows, from Windows XP to Windows Server 2016. This means that Eternal Blue has been affecting computers for as long as 16 years. However, IT specialists have fixed Eternal Blue (MS17-010) in a series of updates.

Why is WannaCry dangerous?

So, back to WannaCry. When this ransomware is installed on a computer, it blocks all files. As a result, user access to the system is also blocked. If you try to log in, you will see a message on the screen stating that it is not possible. The hackers will also ask you to pay $300 in bitcoins to unlock access to your files. What happens if you don’t agree? Every three days, the amount for unlocking the system will double. And if you do not agree to pay within a week, the ransomware will completely delete all your files. The fact that the scammers managed to swindle almost $70,000 suggests that users would rather pay than risk their files.

How did WannaCry become a global threat?

Indeed, we are now seeing the WannaCry ransomware become a global threat. But how did it happen? The key to the hackers' success is phishing emails. These emails contained the WannaCry ransomware, and that is how the threat spread all over the world. It all happened simply because naive users, not experienced in cybersecurity, opened phishing emails. After that, the user's computer downloaded the malware. WannaCry did not stop at infecting one device: it could spread to other vulnerable systems on the network and infect them too.
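The network spread described above tends to show up as one machine suddenly opening SMB connections to many others. The following detection sketch is an added example, not code from the original article; the flow-record format, the sample records, the 60-second window and the threshold of 5 are all assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = "445"                 # TCP port used by SMB
WINDOW = timedelta(seconds=60)   # assumed window length
THRESHOLD = 5                    # assumed: distinct SMB peers per window

# Constructed flow records: "<timestamp> <src-ip> <dst-ip> <dst-port>"
SAMPLE_FLOWS = "\n".join(
    # burst: one host reaches six peers on 445 within twelve seconds
    [f"2017-05-13T10:00:{2 * i:02d} 10.0.4.17 10.0.4.{i} 445" for i in range(1, 7)]
    # slow: five peers on 445, but ten minutes apart (ordinary file-share use)
    + [f"2017-05-13T10:{10 * i:02d}:00 10.0.4.40 10.0.9.{i} 445" for i in range(1, 6)]
    + ["2017-05-13T10:00:05 10.0.4.22 10.0.9.5 445",   # single file-server client
       "2017-05-13T10:00:09 10.0.4.30 10.0.8.1 443"]   # not SMB, ignored
)

def smb_fanout(flow_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak distinct SMB destinations inside any window}
    for every source whose peak reaches the threshold."""
    per_src = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != SMB_PORT:
            continue  # skip malformed records and non-SMB traffic
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        per_src[parts[1]].append((ts, parts[2]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # slide the left edge so the window never spans more than `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout(SAMPLE_FLOWS))
```

A flagged source is a candidate for immediate isolation from the network, since every further SMB connection it makes may be another infection attempt.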

This ransomware affected a lot of countries and many sectors of the economy: banks, ministries of health, ministries of the interior, railway companies and mobile operators. That is, it was a global attack on a lot of commercial enterprises as well. The WannaCry attack was especially dangerous to the medical and healthcare industry. As a result of the attack, surgery departments and treatment rooms were damaged. This presented a direct danger to patients who needed emergency care, so people’s lives were put at risk. At the same time, it was still possible to keep the confidential information of patients intact.

Are there ways to fight WannaCry?

It is worth noting that large companies like Microsoft did not stand aside. They responded to the threat immediately: Microsoft released an update to fix the Windows Update vulnerability, because WannaCry used this system. However, computers running older Windows systems were still in danger (for example, devices with Windows XP, 8 and Server 2003 were still at risk). Microsoft said that updates for users of older Windows systems would also appear soon.

There was also good news. British cybersecurity researchers accidentally discovered a “switch” that helped contain WannaCry. How did this “switch” work? The researchers noticed that WannaCry looks for a specific web address, which was unregistered. They then tried registering that address, and as a result the virus stopped spreading. However, such a “switch” is not a panacea for WannaCry: it offers only temporary protection. Windows users should still install the patch to protect their devices from WannaCry.
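For defenders, the “switch” doubles as a triage signal: any internal machine that looks up that web address deserves attention, and one whose lookup fails never reached the switch. The sketch below is an added example, not part of the original article; the article does not name the address, so `killswitch.example` is a placeholder, and the resolver log format and sample lines are constructed.

```python
from collections import defaultdict

# Placeholder: the article does not give the actual web address.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed resolver log lines: "<timestamp> <client-ip> <query-name> <rcode>"
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 killswitch.example. NOERROR
2017-05-13T09:14:05Z 10.0.4.22 updates.example.org. NOERROR
2017-05-13T09:15:40Z 10.0.7.3 KillSwitch.Example NXDOMAIN
2017-05-13T09:16:11Z 10.0.7.3 killswitch.example SERVFAIL
2017-05-13T09:17:30Z 10.0.4.17 killswitch.example NOERROR
malformed line
"""

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Split clients that looked up the kill-switch name into two sets.

    'contained'   - every lookup resolved (NOERROR), so the switch was reachable.
    'uncontained' - at least one lookup failed; assumed here to mean the
                    switch did not engage, so these hosts come first.
    Both sets are suspect: an ordinary machine has no reason to ask for the name.
    """
    target = domain.lower().rstrip(".")
    outcomes = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, client, qname, rcode = parts
        # DNS names are case-insensitive and may carry a trailing root dot
        if qname.lower().rstrip(".") != target:
            continue
        outcomes[client].add(rcode.upper())

    result = {"contained": set(), "uncontained": set()}
    for client, rcodes in outcomes.items():
        key = "contained" if rcodes == {"NOERROR"} else "uncontained"
        result[key].add(client)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

This is also why filtering the address at a proxy or DNS firewall works against you: a blocked lookup looks the same to the ransomware as an unregistered one.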

But how did WannaCry become such a global threat and reach such a huge scale? All this happened because of a tool created by the American intelligence services. It was this tool that the hackers used to break into systems. But why? The fact is that this tool could collect data, which then appeared in the public domain via WikiLeaks. Thus, anyone could eventually access this data, and that is what the hackers who created WannaCry did. Microsoft has criticized the government intelligence services because they were reluctant to disclose information about these vulnerabilities for a long time.

What are the consequences of WannaCry ransomware?

WannaCry is very costly for the businesses and economies of the affected countries. Damage can range from several hundred million to four billion dollars. At the same time, WannaCry is not the only ransomware that poses such a global threat. There are certain similarities to code that North Korean hackers created. The name of that code is Lazarus. All this suggests that North Korea may be involved in WannaCry. However, it is not possible at present to directly accuse North Korea of this, since there is not enough evidence.

Since many users around the world are still using older versions of Windows, it is too early to say that there is no threat from WannaCry. Periodically, new risks associated with this ransomware emerge. The key to fixing the device vulnerabilities that make WannaCry work is to update Windows and fix problems and system flaws. To conclude, here are the key steps that protect you from WannaCry and improve the security of your data:

🔎 Windows updates;
🔎 protection against phishing emails that are also distributed by WannaCry and other ransomware;
🔎 creating backup copies of files on external media or in cloud systems.

 

Summary: WannaCry is a type of ransomware that infects a computer and encrypts the user’s data, making it inaccessible until a ransom is paid to the attackers. The ransomware typically spreads through phishing emails or by exploiting vulnerabilities in unpatched systems. Once it has infected a system, WannaCry displays a ransom message on the user’s screen demanding payment in exchange for the decryption key. If the ransom is not paid within a certain time frame, the amount increases or the data may be permanently deleted. To protect against WannaCry and other types of ransomware, it is important to regularly update software and security patches, use antivirus software, and educate users about the risks of clicking on links or downloading attachments from unknown sources.
