What Is Known About WannaCry ransomware
WannaCry ransomware is one of the largest ransomware attacks in history. On May 12, 2017 it hit more than 200,000 computers in over 150 countries around the world; among its victims were Honda, the University of Montreal, FedEx and the National Health Services of England and Scotland.
The ransomware, which also goes by the names Wanna Decryptor, WannaCryptor and WannaCrypt, spreads using an exploit called EternalBlue, reportedly developed by the National Security Agency (NSA) and later leaked. EternalBlue exploits a vulnerability in the SMBv1 protocol (CVE-2017-0144) to get code execution on a system without any user interaction. The flaw was not a zero day at the time of the outbreak: Microsoft had patched it two months earlier, but many systems were still unpatched.
The ransomware specifically targets Windows systems that still have the legacy version 1 of the Server Message Block (SMB) protocol enabled.
WannaCry is in fact a worm that spreads by exploiting vulnerabilities in the Windows OS. Such a variant of ransomware is particularly dangerous because it doesn't need any involvement of a victim to spread; it does so automatically.
Other common ransomware variants use phishing or other social engineering attacks to spread, meaning they need the direct involvement of a targeted person to infect a system. Because of its worm nature WannaCry is often referred to as a ransomworm or cryptoworm.
But basically WannaCry does what any other typical ransomware does: it encrypts files so that users can't access them and demands a ransom to give access back.
In May 2017 WannaCry demanded ransoms of $300 to $600 in bitcoin. The ransom note threatened to double the price after three days and to delete the files after seven. In practice the operators had no reliable way to tell which victim had paid, so paying rarely resulted in a working decryption key.
Who May Be Behind WannaCry ransomware
From the very beginning cyber security specialists attributed WannaCry activity to the Lazarus Group, a nation-state advanced persistent threat (APT) group linked to the North Korean government.
In December 2017 the White House officially announced that the WannaCry attacks were conducted on behalf of the North Korean government. North Korea denied the accusation.
According to early reports the WannaCry operators initially didn't provide victims with decryption keys, which could indicate that the May 2017 release was premature: the operators obviously didn't have at that time a working system for identifying paying victims and decrypting their systems.
Another important element of the WannaCry attacks was the NSA EternalBlue exploit, which targets the vulnerability identified as CVE-2017-0144 (fixed by Microsoft in security bulletin MS17-010).
Shadow Brokers is a hacker group that appeared in 2016 and started releasing various exploits which, they claimed, came from the NSA. The group leaked EternalBlue on April 14, 2017, a month after Microsoft had released a patch for the vulnerability.
Because many companies and organizations simply didn't apply the update in time, they fell victim to WannaCry. On the day of the outbreak security researcher Marcus Hutchins (MalwareTech) found a kill switch that stopped WannaCry from spreading further: before infecting a host the malware tried to reach a hard-coded domain and exited if the request succeeded, so registering that domain halted the worm.
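Both behaviours described above leave traces a defender can hunt for: an infected host queries the kill-switch domain right before it starts sweeping TCP/445 for hosts it can exploit with EternalBlue. The following Python script, added here as an example and not code from the original article or from any WannaCry analysis, runs that detection logic over constructed flow and DNS log lines; the log format and every IP address in it are invented for the example.

```python
"""Spot WannaCry-style worm behaviour in network logs.

Added example (not code from the original article). It combines the two
observable behaviours the article describes: an infected host queries the
hard-coded kill-switch domain before spreading, and then sweeps TCP/445
looking for hosts it can exploit with EternalBlue. The log format and every
IP address below are constructed for this example.
"""
from collections import defaultdict

# Kill-switch domain registered by Marcus Hutchins on 12 May 2017.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORT = 445
# A workstation rarely talks SMB to more than a handful of peers; tune per site.
SCAN_THRESHOLD = 20


def build_sample_logs():
    """Constructed logs: flow lines are 'ts src dst dport', DNS lines 'ts src qname'."""
    flows = [
        "12:00:01 10.0.0.20 10.0.0.9 445",         # normal: workstation -> file server
        "12:00:02 10.0.0.21 10.0.0.9 445",
        "12:00:03 10.0.0.20 203.0.113.80 443",     # normal HTTPS, not SMB
    ]
    # Infected host 10.0.0.5 sweeping the local /24 and a few Internet hosts on 445.
    for i in range(10, 60):
        flows.append(f"12:01:{i % 60:02d} 10.0.0.5 10.0.0.{i} 445")
    for i in range(1, 6):
        flows.append(f"12:02:0{i} 10.0.0.5 203.0.113.{i} 445")
    dns = [
        "12:00:10 10.0.0.20 example.com",
        "12:00:59 10.0.0.5 " + KILL_SWITCH_DOMAIN,   # beacon right before the sweep
    ]
    return flows, dns


def kill_switch_queriers(dns_lines):
    """Hosts that looked up the kill-switch domain; benign software never does."""
    hosts = set()
    for line in dns_lines:
        _ts, src, qname = line.split()
        if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hosts.add(src)
    return hosts


def smb_scanners(flow_lines, threshold=SCAN_THRESHOLD):
    """Map each source that contacted >= threshold distinct TCP/445 peers to that count."""
    peers = defaultdict(set)
    for line in flow_lines:
        _ts, src, dst, dport = line.split()
        if int(dport) == SMB_PORT:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def analyze(flow_lines, dns_lines, threshold=SCAN_THRESHOLD):
    """Combine both indicators; either one alone is reason enough to isolate the host."""
    beacons = kill_switch_queriers(dns_lines)
    scanners = smb_scanners(flow_lines, threshold)
    return {
        "kill_switch_queries": beacons,
        "smb_scanners": scanners,
        "suspected_infected": sorted(beacons | set(scanners)),
    }


if __name__ == "__main__":
    sample_flows, sample_dns = build_sample_logs()
    for key, value in analyze(sample_flows, sample_dns).items():
        print(f"{key}: {value}")
```

The two indicators are deliberately independent. The original sample made a plain HTTP request to the kill-switch domain without proxy support, so hosts behind an authenticating proxy never reached the sinkhole and kept spreading, and later variants dropped the check altogether; the TCP/445 sweep is therefore the more durable signal, while a kill-switch lookup, when it does appear, is an almost certain sign of infection.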
How Much WannaCry Attacks Cost
The initial outbreak of WannaCry caused significant financial and operational damage to companies and organizations around the globe. However, experts note that, given WannaCry's worm nature, the damage could have been far worse had the kill switch not been found so quickly.
Some general estimates put the cost of the damage at hundreds of millions of dollars for companies and organizations around the world, but specialists from Symantec/Broadcom calculated that the actual damages possibly amounted to 4 billion dollars.
During the first outbreak in May 2017 more than 200,000 devices were hit, and the ransomware still infects devices today.
Shortly after the first major outbreak, in May 2017, the U.S. Congress introduced the Protecting Our Ability to Counter Hacking (PATCH) Act. It proposed an independent review board that would decide whether vulnerabilities discovered or acquired by government agencies should be disclosed to the affected vendors. The act was never passed.
WannaCry was followed by a surge in the number of commercial ransomware attacks. It has been reported that in 2017 ransomware made up 39% of all malware incidents.
Not only that, but the sudden and massive outbreak of WannaCry raised important questions concerning the cyber security of companies and organizations. Some roles in the IT security field became more prominent due to their new and reimagined responsibilities.
Does WannaCry Still Present A Threat
Exploits of Microsoft's SMB protocol are popular with malware operators of all sorts, and EternalBlue is no exception. In the June 2017 NotPetya attack this exploit was one of the main propagation mechanisms.
Another user of the exploit is the Russian-linked APT group that goes by the names Sofacy, APT28, Sednit or, most commonly, Fancy Bear. In 2017 this cyberespionage group attacked Wi-Fi networks in various European hotels using EternalBlue. In addition, specialists note that the exploit has also been used by malicious cryptominers as one of their spreading mechanisms.
Although Microsoft has issued a patch for the exploited vulnerability, systems that are still unpatched remain unprotected. In fact, specialists from Check Point Research observed a 53% increase in the number of organizations attacked by WannaCry in the first quarter of 2021, and a 57% increase in WannaCry attacks between Q4 2020 and Q1 2021. The practical mitigation has not changed since 2017: apply MS17-010, disable SMBv1 wherever it is not strictly needed, and block TCP port 445 at the network perimeter.
WannaCry also set the trend for the cryptoworm and ransomworm concepts, which were eagerly embraced by cybercriminals. Such code can easily spread via network endpoints, cloud networks and remote office services.
Basically, ransomworm operators need only to find one entry point for their malware to infect a whole network, because it can quickly move across different devices and systems.
Another trend set by WannaCry is cybercriminals turning their attention to automated ransomware variants, which may also have the ability to self-learn. This is a more attractive way of conducting ransomware attacks than operating traditional ransomware, which must be controlled via constant communication with the operators.