
Everything You ‘Wanna’ Know About WannaCry (Part 1)

Jun 9, 2017 by Kitty Lai

What is WannaCry?

On Friday 12th May, the world was hit by ‘the worst ransomware outbreak in history’: the WannaCry ransomware cryptoworm. The worm targeted vulnerable Windows computers at astonishing speed, and by May 14th it had infected over 200,000 computers in 150 countries. It quickly became apparent that the infection wasn’t limited to personal computers; many systems in government, finance, and healthcare institutions were hit.

This is the intimidating view that took over infected devices:

WannaCry acted like all ransomware: it encrypted the files on infected computers, and then demanded a ransom (in this case $300 worth of bitcoins, an untraceable cryptocurrency) in exchange for a “decryption service”. If the ransom wasn’t paid within a week, the files would be lost forever.

WannaCry was also classified as a worm, meaning that it didn’t need a user to install it in order to take control of a computer. In most situations, a virus arrives via a fraudulent email and is accidentally installed, then run by the user themselves. In contrast, a worm simply scans the network from an infected computer, searches for another computer with the same vulnerability, and then remotely executes itself on that computer. Once that computer is infected, it begins to encrypt files, and the same scanning process begins again…
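The scanning behaviour described above is exactly what a defender can look for in network logs: one host opening SMB (TCP 445) connections to many distinct neighbours in a short window, which ordinary file-share use does not do. The following is an added example (not code from the original post) that runs such a check over a constructed sample of firewall connection logs; the log format, the hosts and the 60-second/10-destination thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
#   "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_destinations} for hosts that contacted at least
    `threshold` distinct destinations on TCP 445 within any `window`-long period.
    Repeated connections to the same file server count as one destination, so
    normal share traffic stays below the threshold."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of connections inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within `window` of `ts`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_sample_log():
    """Build a constructed sample log (not real traffic) with one worm-like host."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.0.5 sweeps 16 neighbours on TCP 445 within 16 seconds: worm-like.
    for i in range(16):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 proto=tcp")
    # 10.0.0.7 talks to a single file server many times: normal SMB use.
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=10.0.0.7 dst=10.0.0.50 dport=445 proto=tcp")
    # 10.0.0.9 touches three shares: a few destinations, below the default threshold.
    for i, last_octet in enumerate((50, 51, 52)):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=10.0.0.9 dst=10.0.0.{last_octet} dport=445 proto=tcp")
    # Web traffic on port 80 is ignored by the detector.
    lines.append(f"{base.isoformat()} src=10.0.0.5 dst=10.0.0.60 dport=80 proto=tcp")
    return "\n".join(lines)


SAMPLE_LOG = constructed_sample_log()

if __name__ == "__main__":
    for host, peak in find_smb_scanners(SAMPLE_LOG).items():
        print(f"worm-like SMB scanning from {host}: {peak} distinct hosts on TCP 445 within 60s")
```

The threshold is deliberately a count of distinct destinations, not of connections, because a backup agent or a busy workstation can legitimately open hundreds of sessions to one server; what is abnormal is breadth across the subnet. Tune the window and threshold to your own environment before alerting on it.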

Interestingly, despite the severity and scale of the attack, the hackers didn’t amass the kind of huge profits you might imagine; they earned about $100,000, a small amount compared to the scale of the infection.

Who was affected and how severely?

The NHS saw a wave of cancelled appointments, hospitals were shut down, some GPs were unable to access patient data, doctors resorted to pen and paper to work, and at least one hospital cancelled non-urgent surgeries. While operations were impacted by the attack, it has been stated that no patient data was compromised. Other than the NHS, some of Spain’s largest companies including Telefónica were hit, as well as computers in Russia’s Interior Ministry. The French car manufacturer Renault was forced to shut down several factories for a short period (its partner company, Nissan, was also affected).

Where did it come from?

The origin of WannaCry is especially worrying; it is believed by security experts that the spread of ransomware was due to a Windows software exploit created by the American intelligence agency, the NSA (National Security Agency). Prior to the attack, no one outside of the NSA knew of its existence.

While it’s clear the NSA had no intention of holding anyone ransom, and intended to use it for surveillance purposes, the tool was nevertheless created to take advantage of a security weakness in Microsoft’s software. The tool, ‘EternalBlue’, exploits a vulnerability in the Server Message Block (SMB) protocol, a system for sharing file access across a network. Normally the SMB protocol is perfectly safe, but the NSA discovered that with some versions of Windows, the protocol can be tricked into accepting packets of data from remote attackers.

Despite all this, the WannaCry attack may never have happened if not for a leak in April, when the self-styled hacker group ‘the Shadow Brokers’ leaked a collection of NSA hacking tools and exploits online, and as you may have guessed, ‘EternalBlue’ was one of them.

Why were systems vulnerable and how was it solved?

Microsoft immediately released Windows updates to correct the exploit, with patches for Windows systems that are currently supported, like Windows 7, 8, 8.1 and 10. Ideally, this should have stopped any potential problems, and rendered ‘EternalBlue’ useless, but it’s not that straightforward. Microsoft must release patches in waves, and there’s no guarantee that every infected user can or will update their computer regularly. With some computers running on scheduled installs, others without network connection, or running on metered connections with updates at intervals, this leaves many computers around the world without up-to-date protection.

In the case of the NHS, as recently as last year, 90% of NHS trusts still ran at least one Windows XP device! In fact, more than 5% of Windows computers are still running XP, even though the OS is no longer supported by Microsoft, which stopped releasing security updates for it in April 2014. While it’s easy to criticize the NHS for using an old legacy system (16 years old, in fact), it’s not as simple as updating your personal home computer. Hospitals depend on computer-controlled equipment every day, from microscopes to MRI scanners, and it’s often difficult to get it working properly with newer operating systems. Not to mention the fact that upgrading everything would be a huge investment in IT, which, arguably, may not seem like the biggest priority for the NHS.

The vulnerabilities and risks of legacy systems can be very significant, especially when compared to cloud computing, which has automatic software updates. This means that users don’t have to worry about purchasing, installing, downloading or updating software; the services and suppliers take care of this.

While the cloud can provide additional security benefits, unfortunately it’s not a quick fix or a fail-safe approach (ransomware happens in the cloud too). Many organizations require a lot of work to become ‘cloud-ready’; for example, Office 365 doesn’t work particularly well with Windows XP, so the NHS would have a long way to go before it could benefit from a cloud-based IT environment. Thankfully, the NHS had data backups that ensured things were up and running again within a day of the attack. Microsoft also made an exception for Windows XP and released a patch for older Windows systems, albeit too late for already infected devices.

The Kill Switch

Amidst the panic of the attack, one British malware analyst, ‘MalwareTech’, began examining the WannaCry strain and accidentally found a kill switch. As it turns out, the ransomware contained an unregistered domain name, and MalwareTech bought it for $10.69 without realizing that he had triggered the kill switch. As only a single domain name was contained within the malware, registering that domain managed to shut down WannaCry worldwide. In short, the brains behind WannaCry were a bit short-sighted, and a little lazy, but MalwareTech wasn’t.
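Because the malware looks up that one domain before doing anything else, the DNS query itself is evidence that a host executed WannaCry, whether or not the kill switch then stopped it. The following is an added example (not code from the original post) that sweeps a constructed sample of DNS resolver logs for that lookup. The post does not name the real domain, so `KILL_SWITCH_DOMAIN` is a placeholder, and the log format and client addresses are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Placeholder: the post does not name the real kill-switch domain, so a stand-in is used.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Assumed resolver log format (constructed for this example):
#   "<ISO timestamp> client=<ip> query=<name> rcode=<NOERROR|NXDOMAIN|...>"
DNS_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\w+)$"
)

# Constructed sample log (not real traffic). 10.0.1.15 queried after the domain was
# registered (NOERROR); 10.0.1.22 queried while it was still unregistered (NXDOMAIN).
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:10 client=10.0.1.15 query=www.example.com rcode=NOERROR
2017-05-12T11:02:11 client=10.0.1.15 query=killswitch-domain.example rcode=NOERROR
2017-05-12T11:02:30 client=10.0.1.22 query=KILLSWITCH-DOMAIN.EXAMPLE. rcode=NXDOMAIN
2017-05-12T11:03:05 client=10.0.1.15 query=killswitch-domain.example rcode=NOERROR
2017-05-12T11:03:40 client=10.0.1.40 query=updates.example.net rcode=NOERROR
this line is garbage and is skipped
"""


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing dot; compare canonically."""
    return name.rstrip(".").lower()


def hosts_that_ran_wannacry(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return, per client that queried the kill-switch domain, how many times it did,
    when it was first seen, and whether any lookup failed. A failed lookup means the
    domain was unregistered (or unreachable) at that moment, so the kill switch did
    not fire and the sample would have carried on to encrypt and spread."""
    target = normalize_name(domain)
    hits = OrderedDict()
    for line in log_text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m or normalize_name(m["query"]) != target:
            continue
        entry = hits.setdefault(
            m["client"], {"queries": 0, "first_seen": m["ts"], "lookup_failed": False}
        )
        entry["queries"] += 1
        if m["rcode"] != "NOERROR":
            entry["lookup_failed"] = True
    return hits


def isolation_order(hits):
    """Hosts whose lookup failed should be isolated first: on those the kill switch
    did not stop the malware. Hosts where it fired still need cleaning, but later."""
    urgent = [c for c, e in hits.items() if e["lookup_failed"]]
    later = [c for c, e in hits.items() if not e["lookup_failed"]]
    return urgent + later


if __name__ == "__main__":
    found = hosts_that_ran_wannacry(SAMPLE_DNS_LOG)
    for client in isolation_order(found):
        e = found[client]
        status = "kill switch did NOT fire" if e["lookup_failed"] else "kill switch fired"
        print(f"{client}: {e['queries']} lookup(s), first {e['first_seen']}, {status}")
```

Two practical points follow from the kill-switch mechanism: the query is the indicator, so match on the name regardless of the answer; and since the malware stands down only when the domain resolves, a network that blocks or sinkholes that name to NXDOMAIN would defeat the protection that registering it provided, so the domain should be allowed to resolve, not blocklisted.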

In the next blog in this ‘mini’ series we’ll be exploring how best to protect your system from getting hit by ransomware, including some handy prevention tips, so make sure you don’t miss it.