WannaCry ransomware attack

WannaCry
Image: Wana Decrypt0r screenshot (screenshot of the ransom note left on an infected system)
Date: 12 May 2017 – 15 May 2017 (initial outbreak) [1]
Location: Worldwide
Also known as: name transformations Wanna → Wana; Cryptor → Crypt0r; Cryptor → Decryptor; Cryptor → Crypt → Cry; addition of "2.0". Short names: Wanna → WN → W; Cry → CRY
Type: Cyberattack
Theme: Ransomware encrypting files with $300 – $600 demand (via bitcoin)
Cause: WannaCry worm
Outcome: Over 200,000 victims and more than 230,000 computers infected [2] [3]

The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry [a] ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. [8]

The attack started on Friday, 12 May 2017, [9] and within a day was reported to have infected more than 230,000 computers in over 150 countries. [10] [11] Parts of Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide. [12] [13] [14]

WannaCry spreads across local networks and the Internet [15] to systems that have not received recent security updates, directly infecting any exposed system. [6] [16] A "critical" patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, [17] but many organizations had not yet applied it. [18] Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well. [19] Ultimately, researchers found Windows XP was not vulnerable to WannaCry's worm-like spreading mechanism, [20] and almost all victims of the cyberattack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were "insignificant". [4] [21]

Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but instead of informing Microsoft, had built the EternalBlue exploit for their own offensive work. [22] [23] It was only when the existence of this was revealed by The Shadow Brokers that Microsoft became aware of the issue, and could produce a security update. [24]

Shortly after the attack began, a web security researcher who blogs as "MalwareTech" discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch. [25] [26] [27] [28] Researchers have also found ways to recover data from infected machines under some circumstances. [21]

Within four days of the initial outbreak, security experts were saying that most organizations had applied updates, and that new infections had slowed to a trickle. [29]

WannaCry malware

WannaCry [a] is the ransomware computer worm that targets computers running Microsoft Windows. [30] Initially, the worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. It installs DoublePulsar, a backdoor implant tool, which then transfers and runs the WannaCry ransomware package.

Several organizations have released detailed technical writeups of the malware, including Microsoft, [31] Cisco, [15] Malwarebytes, [32] and McAfee. [33]

The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin. [34] It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself. [15]

"Kill switch"

The software contained a URL that, when discovered and registered by a security researcher to track activity from infected machines, was found to act as a "kill switch" that shut down the software before it executed its payload, stopping the spread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines used by anti-virus researchers: he observed that some sandbox environments respond to all queries with traffic in order to trick the software into thinking that it is still connected to the internet, so the software attempts to contact an address that did not exist in order to detect whether it is running in a sandbox, and does nothing if so. [35] He also noted that it was not an unprecedented technique, having been observed in the Necurs trojan. [35]

On 19 May it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed attack on WannaCry's kill-switch domain with the intention of knocking it offline. [36] On 22 May @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site. [37]
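As an added illustration (not code from the article or from any of the cited writeups), the following Python sketch applies the two behaviours described above to constructed log lines from a defender's side: the worm's fan-out of SMB (TCP/445) connections from one host to many peers, and DNS lookups of the kill-switch domain, which reveal machines that executed the sample. The domain name, thresholds and log format are assumptions.

```python
"""Spot WannaCry-style worm behaviour in constructed connection and DNS logs.

Added illustration, not code from the article or any vendor writeup. Two signals
from the text are checked: (1) one internal host fanning out to many distinct
peers on TCP/445 within a short window (the worm's transport scanning), and
(2) DNS lookups of the kill-switch domain, which identify hosts that ran the
sample. KILL_SWITCH_DOMAIN is a placeholder, not the real domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder (assumption)
FANOUT_THRESHOLD = 20                        # distinct 445 peers within WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample logs: "time src dst port" and "time src query".
CONN_LOG = [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445" for i in range(25)] + [
    "2017-05-12T10:01:00 10.0.0.9 10.0.1.7 445",   # one SMB connection: normal
    "2017-05-12T10:01:05 10.0.0.9 10.0.1.8 443",
]
DNS_LOG = [
    "2017-05-12T10:00:30 10.0.0.5 killswitch.example",
    "2017-05-12T10:00:31 10.0.0.9 www.example.org",
]


def smb_fanout_hosts(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return sources that reached >= threshold distinct peers on TCP/445 within window."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ts, src, dst, port = line.split()
        if port == "445":
            per_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = set()
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window from each event
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                flagged.add(src)
                break
    return flagged


def kill_switch_lookups(lines, domain=KILL_SWITCH_DOMAIN):
    """Return sources that resolved the kill-switch domain, i.e. executed the sample."""
    return {line.split()[1] for line in lines if line.split()[2].lower() == domain}


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout_hosts(CONN_LOG))        # {'10.0.0.5'}
    print("Kill-switch lookups:", kill_switch_lookups(DNS_LOG))  # {'10.0.0.5'}
```

A host that appears in both sets executed the sample and is actively scanning; a host only in the second set ran it but was stopped by the kill switch.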

EternalBlue

The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, [24] along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency. [38] [39]

EternalBlue exploits vulnerability MS17-010 [17] in Microsoft's implementation of the Server Message Block (SMB) protocol. [30] This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017. [17] The patch was to the Server Message Block (SMB) protocol used by Windows, [40] [41] and fixed several versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP and Windows Server 2003. [17] The day after the WannaCry outbreak Microsoft released updates for these too. [4] [19]

Windows 10 did not have the vulnerability. [42]

DoublePulsar

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. [24] Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed numbered in the tens of thousands. [43] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day. [44] [45] The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself. [15] [46] [47]

Attribution

Cybersecurity companies Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group [48] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea). [48] However, this could also be either simple re-use of code by another group, [49] or an attempt to shift blame—as in a cyber false flag operation. [48] North Korea itself denies being responsible for the cyberattack. [50] [51]

Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated. [52] [53]
