WannaCry: The Most Preventable Ransomware is Still at Large

The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. This was, probably, the most avoidable ransomware incident. And, at the same time, one of the most damaging and rapidly spreading malware outbreaks.

This is the story of the WannaCry ransomware: a story involving North Korean hackers, unpatched Windows PCs and, oddly enough, American spies. Well, sort of.

What is WannaCry ransomware?

WannaCry and this is a mouthful, is a network cryptoworm ransomware.

Unlike most ransomware that spread through malicious email attachments, WannaCry has a worm component that exploits a Server Message Block (SMB) protocol implementation in older versions of Windows. 

SMB is a protocol that essentially allows multiple nodes to talk to each other over a network. Because of its flawed design, hackers were able to execute arbitrary code and the malware could self-propagate, spreading at incredible speeds. Once it infected one machine, its transmission rate grew almost exponentially. 

Unlike most worms that don’t have ransomware functionality, WannaCry, has a module that encrypts files. After corrupting the data it directs victims to a website which explains how to make a bitcoin payment to restore the lost information.

Some people paid and still didn’t get data back, though, which is a reminder that it’s never a good idea to give in to the demands of cybercriminals.

In the case of WannaCry, the ransom amount was $300, but delaying the payment increased it to $600. This is a surprisingly small demand for cyber gangs that focus on extortion.

Most ransomware hacks are highly targeted, take a lot of preparation and attempt to score big. The Sobikonibi gang is a perfect example: they chose targets carefully, hit hard, and then demanded tens of millions of dollars. 

But WannaCry striked wide instead, banking on the sheer number of infections. And indeed, the infection rate of the initial attack in 2017 was astronomical.

In fact, it would have been even greater if not for a shortsighted implementation of an anti-evasion technique: before executing, WannCry would query a hardcoded domain, which did not exist: 

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Day after the attack Marcus Hutchins, a security researcher, discovered this function and registered that domain. This killswitch didn’t stop the attack completely, but greatly blunted the rate at which it was spreading.

The timeline of 2017 WannaCry ransomware attack

The WannaCry outbreak played out incredibly quickly. And although it was swiftly stopped, it still delivered insane damage. Here’s how it all unfolded:

May 12, 2017
The first signs of WannaCry appeared in Asia at about 07:00 UTC. The initial infection, which used an exposed SMB port, began spreading like wildfire. Within a day over 200,000 computers in 150 countries were wrecked by the ransomware.

May 13, 2017
Microsoft re-released an out-of-band security update for Windows XP, Windows 8 and Windows Server 2003. At the same time, Researcher Marcus Hutchins reverse-engineered the ransomware and registered a killswitch domain. 

May 14, 2017
The second variant of WannaCry was released into the wild, querying a different domain. A researcher named Matt Suiche registered the new kill-switch, promptly stopping its transmission.

May 19, 2017
Hackers attempted to DDoS the killswitch domains using a Mirai botnet variant. When that failed, they began working on a new version of WannaCry without a killswitch. 

May 22  2017
Hutchins improved the DDoS resistance of his killswitch website. Independently, researchers from  University College London and Boston University shared that they had a way to recover the encryption keys. 

Shortly after that, the decryption on Windows PCs was automated with a tool called WannaKey. This was pretty much the last nail in the WannaCry’s coffin. All combined together, these measures had cut off the flow of infections. But when the dust settled, the damages were still measured in billions. 

What made the WannaCry ransomware attack possible?

This is where the story really takes a surreal turn. Although this is not proved definitively, the EternalBlue exploit behind the WannaCry outbreak was allegedly discovered by the NSA, the US National Security Agency. 

But instead of reporting the vulnerability to Microsoft, the NSA went on to develop it for their own offensive use. (The NSA’s involvement in global surveillance is, obviously, a myth.) 

The NSA itself was then hacked by a group called The Shadow Brokers, who leaked the exploit into the wild. After that, it was picked up by North Korean hackers who developed WannaCry. Some say the attack was ordered by the North Korean government, but other researchers blame a private gang called the Lazarus Group.

However, the whole story could have been avoided altogether. Microsoft discovered the flaw in their SMB implementation independently, and on March 14, 2017 released updates for all operating systems that were supported at the time. These warnings were issued a month before the attack, and the security update was flagged as critical.

But despite Microsoft’s alarm, many organizations were slow to install the patch. Among them were such big names as Honda, Renault, Boeing and FedEx, who all fell victim to WannaCry.

Is WannaCry ransomware still a threat?

Unfortunately, yes. Researchers from CheckPoint warned in 2021 that WannaCry-related incidents were inexplicably on the rise. The information came some four years after Hutchins released the first killwith. Because the ransomware exploits a vulnerability in older versions of Windows, this may indicate that many organizations have not yet installed a patch. The risk of infection is highest in hospitals, where some models of medical equipment rely on older Windows operating systems with no way to update them.

But while some businesses are stuck with legacy software out of necessity, others put off updating because it is costly and inconvenient.

Installing a patch can be a laborious process that causes a long outage. In some cases, systems even need to be rebuilt from scratch when moving to a new generation of OS. This is why, while there is a remedy for WannaCry, it will take a long time before it is completely eradicated.

Checking for ransomware with ANY.RUN

With ANY.RUN online malware sandbox organizations and independent researchers can find ransomware in suspicious files or links. 

Interact with Wannacry ransom note and so called “decryptor” inside VMs. This ransomware is detected by different behavior activities, such as command line and dropped binary file. All processes and commands you may check in process tree or process graph. For example, this ransomware drops file @[email protected] and typically deletes shadow copies by vssadmin using the command vssadmin  delete shadows /all /quiet.

MITRE map gives you a good illustration of the tactics and techniques this malware uses:

WannaCry sample for your analysis:
https://app.any.run/tasks/b28a4f68-c06b-40dc-8d8a-8b0df1ab75a3

Conclusion

While the original version of WannCry is inactive, thanks to the killswitch discovered by Marcus Hutchins, the variants that are at large today still use the EternalBlue exploit. The worm is, in fact, present in over 100 countries. 

What’s more, if your organization uses or used to use computers running older windows versions, chances are they are infected right now. Perhaps, with an older version of WannaCry that persists dormantly after establishing contact with one of the killswitch domains.

Don’t let yourself fall prey to ransomware. Update your systems frequently.

If you want to read more about malicious history? Check out ILOVEYOU malware created back in May 2000. Or read about the Sobig history, which activity was first recorded in January 2003. 

And, as always, stay vigilant online and check your files with ANY.RUN.