The WannaCry ransomware attack was a global cyberattack in May 2017 that affected more than 150 countries in less than 24 hours and cost billions of dollars. The United Kingdom's National Health Service was one of the biggest organizations to be hit.

The WannaCry ransomware spread through computers with Microsoft Windows as their operating system, encrypting data and demanding ransom payments worth either $300 or $600 in bitcoin.

The WannaCry ransomware has multiple components. It contains a dropper, which is a self-contained software program that extracts the other embedded components from itself. These other components are:

  • An application to encrypt and decrypt files and information.
  • A copy of Tor, which is open source software that facilitates anonymous communication.
  • Files that have encryption keys to decrypt the data once the payment has been made.

WannaCry spread using EternalBlue, an exploit that was discovered by the National Security Agency (NSA) and later stolen and publicly leaked by a group of hackers called the Shadow Brokers. EternalBlue took advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. SMBv1 is a network communications protocol developed in 1983. It allows one Windows computer to communicate with another and share files and printers on a local network. However, SMBv1 had a critical vulnerability that allowed remote code execution (RCE), meaning an attacker could run arbitrary code on a victim's computer.

The WannaCry attackers installed the NSA’s backdoor tool, DoublePulsar, to create a backdoor, which is an entry point into a system or network of systems that allows attackers to gain easy access at a later time. This backdoor was used to deliver the WannaCry ransomware payload. Using the EternalBlue exploit, the ransomware then spread to every other unpatched computer system in the network. This worm-like behaviour is what let the attackers achieve RCE on one machine and propagate the ransomware to others.

When a system is infected with WannaCry, the malware first attempts to connect to an unregistered domain. If it cannot establish the connection, the damage begins: it scans the network for other hosts listening on the port SMBv1 uses, port 445, and if that port is open, WannaCry spreads to that computer.

The damage happens in two parts:

  1. The ransomware payload encrypts the files in the victim's system.

  2. The worm-like component spreads ransomware to any connected vulnerable device in the network.
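A defender-side illustration of the spreading behaviour described above, added here and not part of the original article: a small Python detector that flags a host contacting many distinct internal machines on port 445 within a short window, the pattern left by worm-style SMB propagation. The log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample connection-log lines (not from the article): 10.0.1.20 behaves like an
# infected host sweeping port 445; 10.0.1.30 repeatedly talks to one file server (normal use).
SAMPLE_LOG = """\
2017-05-12T07:44:01Z src=10.0.1.20 dst=10.0.1.21 dport=445 proto=tcp action=allow
2017-05-12T07:44:01Z src=10.0.1.20 dst=10.0.1.22 dport=445 proto=tcp action=allow
2017-05-12T07:44:02Z src=10.0.1.20 dst=10.0.1.23 dport=445 proto=tcp action=deny
2017-05-12T07:44:02Z src=10.0.1.20 dst=10.0.1.24 dport=445 proto=tcp action=allow
2017-05-12T07:44:03Z src=10.0.1.20 dst=10.0.1.25 dport=445 proto=tcp action=deny
2017-05-12T07:44:05Z src=10.0.1.30 dst=10.0.1.5 dport=445 proto=tcp action=allow
2017-05-12T07:44:06Z src=10.0.1.30 dst=10.0.1.5 dport=445 proto=tcp action=allow
2017-05-12T07:44:07Z src=10.0.1.31 dst=10.0.1.9 dport=443 proto=tcp action=allow
2017-05-12T07:50:30Z src=10.0.1.40 dst=10.0.1.41 dport=445 proto=tcp action=allow
2017-05-12T07:50:31Z src=10.0.1.40 dst=10.0.1.42 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {src: distinct_targets} for sources reaching >= min_targets distinct hosts on port
    445 within window_seconds. Denied attempts count too: a sweeping worm is noisy either way."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window starting at each attempt
            targets = {dst for ts, dst in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged
```

Legitimate vulnerability scanners and management servers also fan out on port 445, so in production an allow-list of known scanners should be applied before alerting.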

The WannaCry attackers also built a kill switch into the ransomware. Inside the malware was a hard-coded, nonexistent, gibberish web domain that acted as the kill switch. When the malware ran, it checked whether this domain was reachable. If WannaCry was not able to reach the domain, it would proceed with the attack and infect the system.

Marcus Hutchins, aka MalwareTech, a British security researcher, discovered that by registering the web domain and posting a page on it, the kill switch would be activated. He paid $10.96 to register the domain and set up a site there, thus halting the spread of the malware.

However, due to the ever-evolving threat landscape and the huge number of unpatched, unprotected systems in the world, WannaCry still poses a threat. This attack is an alarm bell warning society to take effective, efficient cybersecurity measures.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.