WannaCry ransomware attack

WannaCry
Screenshot of the ransom note left on an infected system
Date: 12 May 2017 – 15 May 2017 (initial outbreak) [1]
Duration: 4 days
Location: Worldwide
Also known as: transformations of the name (Wanna → Wana; Cryptor → Crypt0r; Cryptor → Decryptor; Cryptor → Crypt → Cry; addition of "2.0") and short names (Wanna → WN → W; Cry → CRY)
Type: Cyberattack
Theme: Ransomware encrypting files with a $300 – $600 demand (via bitcoin)
Cause: WannaCry worm
Outcome: Over 200,000 victims and more than 300,000 computers infected [2] [3] [4]

The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit for older Windows systems that The Shadow Brokers had released a few months before the attack. Although Microsoft had already released patches closing the vulnerability, much of WannaCry's spread came from organizations that had not applied them or were running older Windows versions that were past their end-of-life. WannaCry also installed backdoors on infected systems.

The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of a kill switch that prevented infected computers from spreading WannaCry further. The attack was estimated to have affected more than 300,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.

In December 2017, the United States, United Kingdom and Australia formally asserted that North Korea was behind the attack. [5]

Description

WannaCry is a ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. [a] It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself. [11]

EternalBlue is an exploit of Windows' Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability but used it to create an exploit for its own offensive work rather than report it to Microsoft. [12] [13] Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, it issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions supported at that time: Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016, in addition to Windows Vista (whose support had recently ended). [14]

DoublePulsar is a backdoor tool, also released by The Shadow Brokers, on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed numbered in the tens of thousands. [15] By 25 April, reports estimated the number of infected computers at up to several hundred thousand, with numbers increasing exponentially every day. [16] [17] The WannaCry code can take advantage of an existing DoublePulsar infection or install the backdoor itself. [11] [18] [19]

When executed, the WannaCry malware first checks the "kill switch" domain name; [b] if it is not found, the ransomware encrypts the computer's data [20] [21] [22] and then attempts to exploit the SMB vulnerability to spread to random computers on the Internet [23] and "laterally" to computers on the same network. [24] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted and demands a payment of around $300 in bitcoin within three days, or $600 within seven days. [21] [25] Three hardcoded bitcoin addresses, or "wallets", are used to receive the victims' payments. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. [26]
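The kill-switch check and the SMB spreading phase described above give a defender two observable signals: a DNS lookup of the kill-switch domain, and a burst of tcp/445 connection attempts from one host to many others. The following Python is an added example, not code from the article or from any of the vendor writeups it cites: it correlates a constructed DNS and connection log and flags hosts showing either indicator. The domain name (a labelled placeholder, since the article does not name it), the log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the article does not name the kill-switch domain, so a labelled
# stand-in is used; a real rule takes the sinkholed domain(s) from threat intel.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}
SMB_PORT = 445
SCAN_WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 20   # distinct tcp/445 destinations from one host inside the window


def parse_events(text):
    """Parse constructed lines 'ts dns src qname' or 'ts conn src dst dport'."""
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[1] == "dns":
            events.append({"ts": datetime.fromisoformat(p[0]), "kind": "dns", "src": p[2], "qname": p[3]})
        elif len(p) >= 5 and p[1] == "conn":
            events.append({"ts": datetime.fromisoformat(p[0]), "kind": "conn", "src": p[2],
                           "dst": p[3], "port": int(p[4])})
    return events


def detect_wannacry_like(events):
    """Map each source host to the indicators seen. A kill-switch lookup means the
    malware ran; many distinct tcp/445 targets in a short window is the SMB spread."""
    findings = defaultdict(list)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        if any(e["kind"] == "dns" and e["qname"].lower().rstrip(".") in KILL_SWITCH_DOMAINS for e in evs):
            findings[src].append("kill-switch domain lookup")
        smb = [e for e in evs if e["kind"] == "conn" and e["port"] == SMB_PORT]
        for i, first in enumerate(smb):  # sliding window over the SMB attempts
            targets = {e["dst"] for e in smb[i:] if e["ts"] - first["ts"] <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings[src].append(f"{len(targets)} distinct tcp/445 targets within {SCAN_WINDOW}")
                break
    return dict(findings)


def constructed_sample():
    """Constructed log: one infected host, plus one benign client of a file server."""
    lines = ["2017-05-12T10:00:01 dns 10.0.0.5 killswitch-placeholder.example"]
    for i in range(1, 30):   # the infected host then sweeps the subnet on tcp/445
        lines.append(f"2017-05-12T10:00:{i + 1:02d} conn 10.0.0.5 10.0.0.{i + 10} 445")
    lines.append("2017-05-12T10:01:00 conn 10.0.0.7 10.0.0.8 445")
    lines.append("2017-05-12T10:02:00 conn 10.0.0.7 10.0.0.9 445")
    return "\n".join(lines)
```

A lookup of the kill-switch domain is worth an alert on its own, even where the domain resolved and the malware halted, because it shows the worm executed on that host.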

Several organizations released detailed technical writeups of the malware, including Microsoft, [27] Cisco, [11] Malwarebytes, [23] Symantec and McAfee. [24]
