CyberSecurity SEE

What is WannaCry Ransomware? Definition from TechTarget


WannaCry ransomware, a cyber attack that targeted Windows operating systems, quickly became a global threat in May 2017. Cybercriminals took advantage of vulnerabilities in the Windows system to hold organizations’ data hostage and demand ransom in the form of cryptocurrency. This attack spread rapidly using the EternalBlue exploit, which was leaked from the National Security Agency (NSA). EternalBlue allowed attackers to gain access to systems through a zero-day vulnerability in the legacy version of the Server Message Block (SMB) protocol.

The WannaCry attack was groundbreaking as one of the first instances of a worldwide ransomware assault. It began on May 12, 2017, affecting hundreds of thousands of computers in approximately 150 countries. What made WannaCry particularly dangerous was its ability to propagate as a worm: it could spread automatically without any victim participation, unlike other ransomware variants that rely on phishing or social engineering methods.

The origins of WannaCry can be traced back to a hacker group known as The Shadow Brokers, which emerged in 2016. This group started releasing exploit code from the NSA, including the EternalBlue exploit, which it claimed to have stolen from the NSA-linked Equation Group. While Microsoft had already issued a patch for the vulnerability in March 2017, many organizations failed to update their systems, leaving them vulnerable to the WannaCry ransomware.

Experts tentatively linked WannaCry to the Lazarus Group, a nation-state advanced persistent threat group associated with the North Korean government. In December 2017, the White House officially attributed the WannaCry attacks to North Korea. There were also reports that the ransomware developers didn't provide decryption keys to victims who paid the ransom, leading many to choose not to pay. Fortunately, security researcher Marcus Hutchins, also known as MalwareTech, discovered a kill switch that halted the spread of WannaCry.

WannaCry works by encrypting files on Windows devices, rendering them inaccessible to users. The ransomware demanded a payment of $300 to $600 in bitcoin within three days to decrypt the files. However, even those who paid the ransom often didn’t receive decryption keys. The exploit takes advantage of a vulnerability in Microsoft’s SMBv1 protocol, transmitting crafted packets to systems that accept data from the public internet on port 445. Once infected, WannaCry propagates itself and infects other unpatched devices without any human interaction.

The impact of WannaCry was significant, both financially and operationally, affecting over 230,000 devices during the initial attack. It spread to more than 150 countries, impacting various industries, including healthcare, security, and telecom sectors. Estimates of the total financial impact ranged from hundreds of millions of dollars to $4 billion. Although the damage caused by WannaCry was notable, it served as a wake-up call for the cybersecurity community, leading to increased efforts to implement better security measures and prioritize patching.

In response to the attack, Microsoft released a security update and advised organizations to patch their systems. Additionally, a kill switch was discovered by Marcus Hutchins, which halted the spread of WannaCry when he registered a specific web domain. However, Hutchins faced legal troubles as he was arrested by the FBI, accused of creating and spreading another malware called the Kronos banking Trojan.

While Microsoft issued security updates to address the vulnerabilities exploited by WannaCry, the threat of ransomware is ongoing. In 2022, ransomware attacks accounted for 24% of all breaches, and system intrusion was involved in 94% of those cases. It is essential for organizations to remain vigilant and prioritize cybersecurity measures to protect against future threats like WannaCry.
