What is WannaCry Ransomware and How Does It Work?
The 2017 WannaCry ransomware attack was one of the most widespread computer infections: here's what to know about WannaCry ransomware and how to protect your data.
- The WannaCry ransomware epidemic of 2017 disrupted hospitals, banks and communications companies worldwide.
- Four years later, cybercriminals renewed efforts to deploy WannaCry ransomware during the COVID-19 pandemic.
- Companies can take steps to prevent infection, with software updates being most important.
Responsible for one of the most notorious worldwide malware infections ever, WannaCry ransomware is still actively used by cyberattackers today. Four years ago this month, it decimated networks around the globe, from entire healthcare systems to banks and national telecommunications companies.
It still works well enough to be used now, and reports of it rose during the pandemic. Here's what you need to know about WannaCry ransomware today, including how to protect your organization from it.
What Is WannaCry Ransomware?
WannaCry ransomware is a crypto ransomware worm that attacks unpatched Windows PCs. It is malware that spreads from PC to PC across networks on its own (the "worm" part) and, once on a machine, encrypts critical files (the "crypto" part). The perpetrators then demand a ransom payment to unlock those files. The name comes from strings found in the first samples, including the "Wana Decrypt0r" title of its ransom screen and the .WNCRY extension it appends to encrypted files.
WannaCry has been called a "study in preventable catastrophes" because two months before it first spread around the world in May 2017, Microsoft had issued the MS17-010 security update (March 2017), which closed the hole the worm uses to get in. Unfortunately, hundreds of thousands of systems were not updated in time, and an unknown number of such systems remain unpatched today.
How Does WannaCry Infect Systems?
WannaCry would be just another also-ran among ransomware attacks if it weren't for its method of infecting computers. The worm relies on a critical flaw in the Windows implementation of SMBv1 (Server Message Block version 1, the file-sharing protocol), tracked as CVE-2017-0144 and fixed by MS17-010, that was reportedly discovered and first exploited by the U.S. National Security Agency. The exploit, dubbed EternalBlue, was published online by a group calling itself the Shadow Brokers in April 2017, and it let WannaCry's creators make a vulnerable Windows system run their code over the network without any authentication.
WannaCry spreads by scanning for other Windows systems listening on TCP port 445, the SMB port, both across the local network and at random internet addresses. Unlike phishing attacks, users don't have to click a link or open an infected file. The worm simply probes for unpatched systems, exploits each one it finds, copies itself over, executes, and starts scanning again, again and again. So a single vulnerable, reachable computer on an enterprise network can put the entire organization at risk.
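The scanning behaviour described above is also what makes a WannaCry-style outbreak detectable from network logs: one host suddenly opens SMB connections to dozens of distinct machines, and to addresses on the public internet that no workstation should ever talk to on port 445. The following is an added example (not part of the original article and not WannaCry's own code) that runs two such checks over constructed firewall log lines. The log format, the IP addresses, the 60-second window and the 20-host threshold are all assumptions chosen for illustration.

```python
"""Added example, not part of the original article or of WannaCry itself:
a small detector for worm-style SMB sweeps, run over constructed firewall
log lines. Log format, addresses, window and threshold are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed log format: "<ISO8601Z> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp"
)

# RFC 1918 ranges; anything outside them is treated as "the internet".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

Event = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dport)


def parse(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def smb_events(lines: List[str]) -> List[Event]:
    """Only TCP/445 events, in time order."""
    return sorted(e for e in map(parse, lines) if e is not None and e[3] == 445)


def detect_smb_sweeps(lines: List[str], window_s: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Flag sources that touch >= threshold distinct hosts on TCP/445 within window_s seconds.
    Returns {src: peak number of distinct destinations seen in any one window}."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, _ in smb_events(lines):
        per_src[src].append((ts, dst))
    alerts: Dict[str, int] = {}
    for src, evs in per_src.items():
        window: deque = deque()            # events inside the sliding window
        live: Dict[str, int] = defaultdict(int)  # distinct dst -> count inside the window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            live[dst] += 1
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def smb_to_internet(lines: List[str]) -> List[str]:
    """Sources that opened TCP/445 to a non-RFC1918 address. WannaCry also scanned
    random internet addresses; legitimate workstations essentially never do this."""
    hits = set()
    for _, src, dst, _ in smb_events(lines):
        if not any(ip_address(dst) in net for net in INTERNAL):
            hits.add(src)
    return sorted(hits)


def sample_log() -> List[str]:
    """Constructed sample: one infected host sweeping the subnet, one normal client."""
    lines = [
        f"2021-03-01T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 proto=tcp action=allow"
        for i in range(1, 31)
    ]
    # the same host also tries a public address on 445 (203.0.113.0/24 is a documentation range)
    lines.append("2021-03-01T10:00:31Z src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp action=deny")
    # a normal client talking repeatedly to its two file servers
    for i in range(10):
        lines.append(
            f"2021-03-01T10:00:{i:02d}Z src=10.0.0.9 dst=10.0.0.{2 + i % 2} dport=445 proto=tcp action=allow"
        )
    lines.append("2021-03-01T10:00:12Z src=10.0.0.9 dst=10.0.0.2 dport=443 proto=tcp action=allow")
    lines.append("# malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("sweeps:", detect_smb_sweeps(log))          # {'10.0.0.5': 31}
    print("smb to internet:", smb_to_internet(log))   # ['10.0.0.5']
```

The normal client (10.0.0.9) is not flagged even though it makes many SMB connections, because it only ever talks to two hosts; what distinguishes the worm is the number of distinct destinations per minute, not the volume. The second check is worth alerting on at a much lower bar: port 445 should be blocked at the perimeter anyway, so even a single denied attempt from an internal host is a strong signal.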
How Does a WannaCry Attack Work?
The WannaCry program has several components. A dropper carries the other pieces, including the encryptor and the decryptor screen shown to the victim. Once WannaCry is on a system, it searches for dozens of specific file types, including Microsoft Office documents and picture, video and sound files. It then encrypts each file with its own AES key and appends .WNCRY to the filename; those per-file keys are in turn encrypted with an RSA public key, so they can only be recovered with a private key that never leaves the attackers' hands.
So, without that private key, the only way for a victim to get their files back is to restore them from an external backup. (One narrow exception: researchers later released tools that could sometimes recover the key from memory on an infected machine that had not been rebooted since infection, thanks to a weakness in how the malware used the Windows cryptographic API. That helped only victims who acted quickly and left the machine running.) During the initial outbreak, the only recourse some victims saw was to pay the Bitcoin ransom. Unfortunately, reports indicated that even after companies paid, the attackers did not give them access to their files.
Where Did WannaCry Originate, and Is It Still Active?
In May 2017, WannaCry spread panic across corporate networks worldwide as it quickly infected more than 200,000 computers in 150 countries. Among the affected systems, the U.K.'s National Health Service was disrupted, Spain's telecom provider Telefónica was hit and banks in Russia were compromised. While the malware seemed to appear all at once, researchers later traced earlier versions to a North Korean group known as Lazarus.
There were many clues buried in WannaCry's code, but no one ever claimed responsibility for creating or spreading it. Early in the outbreak, one researcher noticed that before doing anything else the program tried to reach a specific web address, a long, random-looking domain that nobody had registered. If the request succeeded, WannaCry exited without encrypting or spreading, so the domain acted as a kind of kill switch. British researcher Marcus Hutchins registered the domain, and from then on every infected host that could reach it stood down, which blunted the spread. One caveat matters for defenders: the check was a direct HTTP request that ignored the system's proxy settings, so hosts that could only reach the internet through a proxy, or whose firewall blocked the domain, behaved as if the kill switch did not exist. Blocking the domain at the perimeter therefore makes things worse, not better.
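The kill-switch logic is small enough to write down, and doing so makes the proxy and blocking pitfall concrete. The following is an added example (my code, not WannaCry's) that models the decision as a function and runs it against a few constructed scenarios: the domain still unregistered, the sinkhole up with direct internet access, the sinkhole up behind a proxy, and the domain deliberately blocked. The domain string is a placeholder, not the real one, and the scenarios are assumptions about reachability rather than measurements.

```python
"""Added example, not WannaCry's own code: the kill-switch decision as a
small function, plus the reachability pitfall that made it unreliable.
The domain below is a placeholder (assumption), not the real one."""
import urllib.error
import urllib.request
from typing import Callable, Dict

KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"  # stand-in, not the real domain


def direct_http_probe(domain: str, timeout: float = 3.0) -> bool:
    """Mirror the worm's check: a direct HTTP GET that ignores proxy settings.
    Any failure at all (NXDOMAIN, timeout, refused, egress blocked) counts as unreachable."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # explicitly no proxy
    try:
        opener.open(f"http://{domain}/", timeout=timeout)
        return True
    except (urllib.error.URLError, OSError, ValueError):
        return False


def worm_should_run(probe: Callable[[str], bool],
                    domain: str = KILL_SWITCH_DOMAIN,
                    has_kill_switch: bool = True) -> bool:
    """The worm proceeds unless the kill-switch domain answers.
    Variants without the check ignore the probe and always run."""
    if not has_kill_switch:
        return True
    return not probe(domain)


# Constructed scenarios: whether the DIRECT probe succeeds from a given host.
SCENARIOS: Dict[str, bool] = {
    "domain_unregistered": False,       # May 2017, before the sinkhole: DNS lookup fails
    "sinkholed_direct_egress": True,    # sinkhole up, host can reach the internet directly
    "sinkholed_behind_proxy": False,    # sinkhole up, but only proxied HTTP is allowed out
    "sinkholed_domain_blocked": False,  # sinkhole up, but the perimeter blocks the domain
}


def outcomes(scenarios: Dict[str, bool], has_kill_switch: bool = True) -> Dict[str, bool]:
    """Map each scenario to whether the worm would go on to encrypt and spread."""
    return {
        name: worm_should_run(lambda _d, ok=ok: ok, has_kill_switch=has_kill_switch)
        for name, ok in scenarios.items()
    }


if __name__ == "__main__":
    for name, runs in outcomes(SCENARIOS).items():
        print(f"{name:26s} -> {'RUNS' if runs else 'stands down'}")
    # direct_http_probe(KILL_SWITCH_DOMAIN) would return False here: .invalid never resolves
```

Only the "sinkholed with direct egress" case stops the worm; every failure mode of the probe, including a well-meaning block of the domain, lets it run. And for variants that drop the check altogether, the probe result is irrelevant, which is why the sinkhole cannot be relied on as a control today.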
Nevertheless, there have been waves of WannaCry resurgence in the years since. One high-profile case occurred in 2018 at Boeing. Ultimately, it caused more panic than actual damage, but productivity at the aircraft maker took a hit.
Recently, security researchers have seen renewed WannaCry infections. One report noted a 53% increase in WannaCry detections in March 2021 compared with January 2021, while another ranked WannaCry the top ransomware family in the Americas in January with 1,240 detections. More noteworthy: the latest variants in circulation no longer include a kill-switch URL, so the sinkhole that stopped the 2017 outbreak offers no protection against them.
Protecting Against WannaCry Ransomware
Fortunately, there are cybersecurity steps every company can take to prevent a WannaCry ransomware attack:
- Install the latest software: If the three most important words in real estate are location, location, location, the three most important words in cybersecurity are update, update, update. The original global WannaCry infection could have been prevented if companies and individuals had updated their Windows software. The exploit that allowed WannaCry to propagate had been patched by Microsoft (MS17-010) two months earlier. Beyond patching, disable the SMBv1 protocol, which Microsoft has deprecated and which WannaCry depends on, and block TCP port 445 at the network perimeter so the worm cannot reach your hosts from the internet.
- Perform backups: It's a mundane task but a necessary one to protect critical data, so companies need a routine for backing up information and for testing that restores actually work. Backups should be stored off the enterprise network and kept offline or immutable; a network share or synced folder that an infected machine can write to will simply be encrypted along with everything else. A cloud backup service qualifies only if it keeps versioned or immutable copies the malware cannot overwrite.
- Cybersecurity awareness training: Employees need to be periodically reminded of good email habits, especially now that more of them work remotely. They should never open unknown email attachments, and they should never click on links that look at all suspicious. WannaCry itself needs no click to spread, but most other ransomware still arrives by email, so the training remains worthwhile.
Should I Pay the WannaCry Ransom? What Happens If the WannaCry Ransom is Not Paid?
Many leading experts advise against paying the WannaCry ransom, because many of those who did pay were reportedly unable to recover their files from the attackers. There have also been instances where ransomware attacks like WannaCry were defeated by security researchers thanks to flaws in the criminals' code. Of course, attackers are constantly developing newer, more robust malware, so it is unwise to count on faulty code in future attacks.
What are best practices for protecting against ransomware?
Some of the best practices for protecting against ransomware include:
- Security awareness training for employees.
- Ensuring strong passwords are used throughout the organization.
- Storing data (and backup data) in secure locations that are difficult for cyberattackers to access.
The Bottom Line About WannaCry Ransomware
Although it had a massive impact four years ago, WannaCry ransomware remains a persistent threat today — more evidence that those who don't learn from history are destined to repeat it. Fortunately, your organization won't have to if you're diligent about updating your software and systems.
Reference: “WannaCry Ransomware Attacks Up 53% Since January 2021,” NetSec.news