WannaCry Ransomware Attack Explained

In this article we explain the ransomware cyber-attack that caused a significant stir a few years ago...

WannaCry

You may remember the WannaCry ransomware attack from a few years ago. In this article we want to explain it in more detail, while keeping in mind that something similar could take place again in the future, because attackers are getting better by the day…

WannaCry ransomware attack 101

WannaCry is a cryptoworm that was used to carry out the infamous WannaCry cyberattacks. It targeted Windows computers, spread using the NSA-developed EternalBlue exploit, and demanded payment in Bitcoin for the data it had encrypted.

Hell broke loose on May 17, 2017, with more than 300,000 devices affected in over 150 countries. Although the ransom demand was 300-600 dollars, the overall damage caused by WannaCry ranged from millions to billions of dollars.

Computers of the UK’s National Health Service (NHS) were among the worst affected, with thousands of pieces of equipment compromised. Companies such as Renault, FedEx and Deutsche Bahn were hit as well, along with computers operated by foreign governments, including those of Russia, Ukraine, India and Taiwan.

UK hacker Marcus Hutchins managed to halt the attack after a few hours by discovering its kill switch, which prevented infected devices from spreading the attack any further.

North Korea created WannaCry?

Although the culprit has not been officially identified, governments around the world pointed fingers at North Korea. Their reasoning was solid: the WannaCry code was found to be similar to that of the Lazarus Group, a North Korean cybercriminal organization, and Korean timestamps were found in the ransomware’s metadata.

How does WannaCry work?

WannaCry encrypts the victim’s data and demands a ransom in exchange for the decryption key. If the victim doesn’t pay the ransom, the data is deleted.

At a technical level, WannaCry relies on the aforementioned EternalBlue exploit, which targets a flaw in the Windows implementation of the Server Message Block (SMB) protocol, the protocol Windows machines use to share files and communicate with each other on a network. Attackers discovered they could send crafted SMB packets that made the target execute arbitrary code. Microsoft did release a patch that fixed the flaw, but not everyone updated their computer(s) in time.

WannaCry could also be delivered through the DoublePulsar backdoor on devices where that backdoor had already been installed.

When WannaCry arrives on a victim’s computer, it extracts the program used to encrypt and decrypt the data, along with files containing encryption keys and a copy of Tor.

Once installed, WannaCry checks for the kill-switch domain name that can be used to stop the malware. If the domain is not found, WannaCry starts encrypting files and tries to spread itself to random computers on the network.
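The two behaviours just described, the kill-switch lookup on start-up and the attempt to spread over SMB, are exactly what a defender can look for in network logs. The script below is an added example written for this article, not code from the original post or from any WannaCry analysis: it parses a small set of constructed DNS and connection log lines and flags (1) any host that resolved the kill-switch domain (the real domain is not given in the article, so `KILL_SWITCH_DOMAIN` is a placeholder to be replaced with the sinkholed name seen in your own DNS logs) and (2) any host that opened SMB (TCP 445) connections to many distinct peers within a short window, which is what worm-style spreading looks like on the wire. The log format, the sample lines, and the threshold and window values are all assumptions made for this example.

```python
"""
Added example (not from the original article): detect the two WannaCry
behaviours the text describes, a kill-switch DNS lookup and SMB fan-out,
over constructed network log lines.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder: replace with the sinkholed kill-switch domain from your DNS logs.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Fan-out rule tunables (assumed values; tune them for your own network).
SMB_PORT = 445
FANOUT_THRESHOLD = 20            # distinct SMB peers contacted ...
FANOUT_WINDOW = timedelta(seconds=60)   # ... within this sliding window


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    kind: str        # "dns" or "conn"
    target: str      # queried name for dns, destination IP for conn
    dport: int = 0   # destination port for conn events


def parse_line(line: str) -> Event:
    """Parse one log line in the constructed format used by this example:
         2017-05-12T10:00:01 DNS 10.0.0.5 query=intranet.example
         2017-05-12T10:00:02 CONN 10.0.0.5 -> 10.0.0.9:445
    """
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    if parts[1] == "DNS":
        return Event(ts, parts[2], "dns", parts[3].split("=", 1)[1])
    if parts[1] == "CONN":
        dst, port = parts[4].rsplit(":", 1)
        return Event(ts, parts[2], "conn", dst, int(port))
    raise ValueError(f"unrecognised log line: {line!r}")


def kill_switch_lookups(events):
    """Hosts that queried the kill-switch domain. With the domain sinkholed,
    a lookup is a strong signal that the malware ran on that host."""
    return sorted({e.src for e in events
                   if e.kind == "dns" and e.target.lower() == KILL_SWITCH_DOMAIN})


def smb_fanout_hosts(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Sources that contacted >= threshold distinct hosts on TCP 445 inside any
    window-sized time span. Returns {src: max distinct peers seen in a window}."""
    by_src = defaultdict(list)
    for e in events:
        if e.kind == "conn" and e.dport == SMB_PORT:
            by_src[e.src].append(e)
    flagged = {}
    for src, conns in by_src.items():
        conns.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(conns)):
            # Slide the window start forward until it spans at most `window`.
            while conns[hi].ts - conns[lo].ts > window:
                lo += 1
            distinct = {c.target for c in conns[lo:hi + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def analyse(lines):
    """Run both rules over raw log lines and return the findings."""
    events = [parse_line(l) for l in lines]
    return {"kill_switch": kill_switch_lookups(events),
            "smb_fanout": smb_fanout_hosts(events)}


# Constructed sample log: one quiet host, one host doing ordinary HTTPS, and one
# host that resolves the kill-switch domain then scans 25 peers on port 445.
SAMPLE_LOG = [
    "2017-05-12T10:00:01 DNS 10.0.0.5 query=intranet.example",
    "2017-05-12T10:00:02 CONN 10.0.0.5 -> 10.0.0.9:445",
    "2017-05-12T10:00:03 CONN 10.0.0.5 -> 10.0.0.10:445",
    "2017-05-12T10:00:04 CONN 10.0.0.7 -> 93.184.216.34:443",
    "2017-05-12T10:00:05 DNS 10.0.0.42 query=killswitch-domain.example",
] + [
    f"2017-05-12T10:00:{6 + i:02d} CONN 10.0.0.42 -> 10.0.1.{i + 1}:445"
    for i in range(25)
]

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the constructed sample this reports `10.0.0.42` under both rules (25 distinct SMB peers within the window) and nothing for the other two hosts. The fan-out rule is the more general of the two: it does not depend on any WannaCry-specific indicator, so it also catches other SMB-spreading worms, at the cost of needing a threshold that sits above the legitimate SMB activity of file servers and administration hosts on your network.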

Is WannaCry still a threat?

We’re sad to say that WannaCry isn’t history yet, even though patches have been available for years. Despite all the media attention it got, not every IT admin has updated their systems to prevent it.

Which leads us to our final section…

How to protect yourself from WannaCry and other attacks?

As usual, we start with…

  • Update, update, update – not just your operating system, but all your apps and even the firmware of your router.
  • Be careful which websites you visit and where you click – viruses and trojans are spread all over the Internet, and a single click can be enough to infect your device.
  • Take the same careful approach with your email. Do NOT open attachments in emails from people you don’t know.
  • Use an antivirus – it will protect you from some threats.
  • Use a VPN – it protects you from other kinds of threats by securing your connection, not just the files you download.

Finally, we would add that you should always have a working backup of your system, just in case you miss something, or in case your hard drive fails. It’s good practice, so make sure to stick to it.