Unlike most ransomware that spread through malicious email attachments, WannaCry has a worm component that exploits a Server Message Block (SMB) protocol implementation in older versions of Windows. <\/p>\n\n\n\n
SMB is a protocol that essentially allows multiple nodes to talk to each other over a network. Because of its flawed design, hackers were able to execute arbitrary code and the malware could self-propagate, spreading at incredible speeds. Once it infected one machine, its transmission rate grew almost exponentially. <\/p>\n\n\n\n
Unlike most worms that don\u2019t have ransomware functionality, WannaCry, has a module that encrypts files. After corrupting the data it directs victims to a website which explains how to make a bitcoin payment to restore the lost information. Some people paid and still didn\u2019t get data back, though, which is a reminder that it\u2019s never a good idea to give in to the demands of cybercriminals.<\/p>\n\n\n\n In the case of WannaCry, the ransom amount was $300, but delaying the payment increased it to $600. This is a surprisingly small demand for cyber gangs that focus on extortion.<\/p>\n\n\n\n Most ransomware hacks are highly targeted, take a lot of preparation and attempt to score big. The Sobikonibi gang is a perfect example: they chose targets carefully, hit hard, and then demanded tens of millions of dollars. <\/p>\n\n\n\n But WannaCry striked wide instead, banking on the sheer number of infections. And indeed, the infection rate of the initial attack in 2017 was astronomical.<\/p>\n\n\n\n In fact, it would have been even greater if not for a shortsighted implementation of an anti-evasion technique: before executing, WannCry would query a hardcoded domain, which did not exist: <\/p>\n\n\n\n iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Day after the attack Marcus Hutchins, a security researcher, discovered this function and registered that domain. This killswitch didn\u2019t stop the attack completely, but greatly blunted the rate at which it was spreading.<\/p>\n\n\n\n The WannaCry outbreak played out incredibly quickly. And although it was swiftly stopped, it still delivered insane damage. Here\u2019s how it all unfolded: May 12, 2017<\/strong> May 13, 2017<\/strong> May 14, 2017<\/strong> May 19, 2017<\/strong> May 22 2017<\/strong> <\/p>\n\n\n\n Shortly after that, the decryption on Windows PCs was automated with a tool called WannaKey. This was pretty much the last nail in the WannaCry\u2019s coffin. All combined together, these measures had cut off the flow of infections. But when the dust settled, the damages were still measured in billions. <\/p>\n\n\n\n This is where the story really takes a surreal turn. Although this is not proved definitively, the EternalBlue exploit behind the WannaCry outbreak was allegedly discovered by the NSA, the US National Security Agency. But instead of reporting the vulnerability to Microsoft, the NSA went on to develop it for their own offensive use. (The NSA\u2019s involvement in global surveillance is, obviously, a myth.) The NSA itself was then hacked by a group called The Shadow Brokers, who leaked the exploit into the wild. After that, it was picked up by North Korean hackers who developed WannaCry. Some say the attack was ordered by the North Korean government, but other researchers blame a private gang called the Lazarus Group. However, the whole story could have been avoided altogether. Microsoft discovered the flaw in their SMB implementation independently, and on March 14, 2017 released updates for all operating systems that were supported at the time. These warnings were issued a month before the attack, and the security update was flagged as critical. But despite Microsoft’s alarm, many organizations were slow to install the patch. Among them were such big names as Honda, Renault, Boeing and FedEx, who all fell victim to WannaCry.<\/p>\n\n\n\n Unfortunately, yes. Researchers from CheckPoint warned<\/a> in 2021 that WannaCry-related incidents were inexplicably on the rise. The information came some four years after Hutchins released the first killwith. Because the ransomware exploits a vulnerability in older versions of Windows, this may indicate that many organizations have not yet installed a patch. The risk of infection is highest in hospitals, where some models of medical equipment rely on older Windows operating systems with no way to update them. But while some businesses are stuck with legacy software out of necessity, others put off updating because it is costly and inconvenient. Installing a patch can be a laborious process that causes a long outage. In some cases, systems even need to be rebuilt from scratch when moving to a new generation of OS. This is why, while there is a remedy for WannaCry, it will take a long time before it is completely eradicated.<\/p>\n\n\n\n With ANY.RUN online malware sandbox <\/a>organizations and independent researchers can find ransomware in suspicious files or links. Interact with Wannacry ransom note and so called “decryptor” inside VMs. This ransomware is detected by different behavior activities, such as command line and dropped binary file. All processes and commands you may check in process tree or process graph. For example, this ransomware drops file @WanaDecryptor@.exe and typically deletes shadow copies by vssadmin using the command vssadmin delete shadows \/all \/quiet.<\/em> MITRE map gives you a good illustration of the tactics and techniques this malware uses: <\/p>\n\n\n\n WannaCry sample for your analysis: While the original version of WannCry is inactive, thanks to the killswitch discovered by Marcus Hutchins, the variants that are at large today still use the EternalBlue exploit. The worm is, in fact, present in over 100 countries. <\/p>\n\n\n\n What\u2019s more, if your organization uses or used to use computers running older windows versions, chances are they are infected right now. Perhaps, with an older version of WannaCry that persists dormantly after establishing contact with one of the killswitch domains.<\/p>\n\n\n\n Don’t let yourself fall prey to ransomware. Update your systems frequently.<\/p>\n\n\n\n If you want to read more about malicious history? Check out ILOVEYOU malware<\/a> created back in May 2000. Or read about the Sobig history<\/a>,<\/a> which activity was first recorded in January 2003. <\/p>\n\n\n\n
<\/p>\n\n\n\n![\"\"\/](\"https:\/\/lh3.googleusercontent.com\/Y-nJBp4wJm29tlPB596yR2WKB2AvJTcQZnH4MO6GIxgImO9gHJcUisFcxXaLyyQfsQoDVa1ocZb4_UENyHY-HLi5pYbIjZYtg9MXT36Qzk80sbOUA_5Sw9LsMV5Aou2abOGPRmyjPSZycyZ_n8nScOHcP7vXmJqpPLz5fgDzD5U88t1vLYDuMQziHdss6A\")
<\/p>\n\n\n\nThe timeline of 2017 WannaCry ransomware attack<\/h2>\n\n\n\n
<\/p>\n\n\n\n
The first signs of WannaCry appeared in Asia at about 07:00 UTC. The initial infection, which used an exposed SMB port, began spreading like wildfire. Within a day over 200,000 computers in 150 countries were wrecked by the ransomware.
<\/p>\n\n\n\n
Microsoft re-released an out-of-band security update for Windows XP, Windows 8 and Windows Server 2003. At the same time, Researcher Marcus Hutchins reverse-engineered the ransomware and registered a killswitch domain.
<\/p>\n\n\n\n
The second variant of WannaCry was released into the wild, querying a different domain. A researcher named Matt Suiche registered the new kill-switch, promptly stopping its transmission.
<\/p>\n\n\n\n
Hackers attempted to DDoS the killswitch domains using a Mirai botnet variant. When that failed, they began working on a new version of WannaCry without a killswitch.
<\/p>\n\n\n\n
Hutchins improved the DDoS resistance of his killswitch website. Independently, researchers from University College London and Boston University shared that they had a way to recover the encryption keys. <\/p>\n\n\n\nWhat made the WannaCry ransomware attack possible?<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nIs WannaCry ransomware still a threat?<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nChecking for ransomware with ANY.RUN<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n![\"WannaCry's](\"https:\/\/lh3.googleusercontent.com\/dqZzLdURtFSJXvwyompRtDBsjMcvlYLydt5uPtaiJshODqzkFhRoOxhjzVDiVKGumpWcZaLGPQCvgZkKJ8nBa5hSPAtrA6FilrpQR-sX-y7_aJKRnF1hgm8POtdWJIWFFl6FLHz9DiD8xyTtaFyi4mQkmIYKbMcP_aUkZY8SZZ9J-hPEqeiCp9lLuy766g\")
![\"WannaCry's](\"https:\/\/lh3.googleusercontent.com\/jUapN6NoOdNt5Mw21ChHzzL97s1TarUtYQ2rO7soyEa-RJBb9ithXxduSzqEPwoExLSXdaIXoJAximQVDsNXAP9a7KNPxTIjXCdZujImXaaQAywPVf_NIZVe3ebekmREitYAE1pU5siJQ8FM_jpbapfmOjIoU_K_x_z7mt67IfTEaDwuuzqdh-gpEijPQA\")
https:\/\/app.any.run\/tasks\/b28a4f68-c06b-40dc-8d8a-8b0df1ab75a3<\/a><\/p>\n\n\n\nConclusion<\/h2>\n\n\n\n