What is WannaCry?

The full story behind one of the worst ransomware outbreaks in history

The term "WannaCry" is likely one that continues to strike fear into the hearts of many IT executives. Though more than three years have passed since the ransomware first struck, it remains the de facto example of how devastating a cyber attack can be.

WannaCry first hit headlines back in May 2017 when it quickly spread throughout computers across the globe, taking users' files hostage and demanding a Bitcoin ransom for their return. 

The so-called "crypto ransomware" took advantage of a weakness in Microsoft's Windows operating system using a hack that was allegedly developed by the US National Security Agency called EternalBlue. Although Microsoft had released a patch for this flaw some two months earlier, many of those running older versions of Windows, such as Windows XP and Windows 7, were left vulnerable to the attack. 

Perhaps the most notable victim of WannaCry was the UK's National Health Service (NHS), with a third of hospital trusts affected by the attack. It was estimated to cost the NHS a whopping £92 million after 19,000 appointments were canceled as a result.

The outbreak, while extremely damaging, was thankfully brief, and was stopped within a few days of its discovery. Nevertheless, WannaCry proved to the world that ransomware can be a highly effective method of attack, with its success no doubt fueling its popularity today.

Who was affected by WannaCry?

WannaCry made headlines after hitting multiple NHS organisations across the country in May 2017. Systems across 16 NHS sites, including a third of hospital trusts and 5% of GP practices, were crippled by a sudden inability to access core functions, leading to severe delays and the cancellation of some 19,000 appointments.

Despite initial reports, the ransomware infections were not part of a larger coordinated attack against the NHS, as had been feared. In fact, it's believed that the NHS was simply caught in the crossfire of a particularly virulent strain of malware that targeted older systems.

Within hours of the first detection, there were reports of WannaCry infections in at least 11 countries. The malware would ultimately infect more than 200,000 systems across 150 countries, all within 24 hours. Some of the more high-profile victims included Telefonica, FedEx and Deutsche Bahn.

WannaCry is said to have caused an estimated $4 billion in losses, including £92 million for the NHS.

It was believed at the time that the worst hit organisations were those that relied on older versions of the Windows operating system, namely Windows XP. However, post-event analysis by Kaspersky revealed that the vast majority of infections (98%) were found on machines running Windows 7, an operating system that was still receiving extended security support from Microsoft at the time, with Windows XP infections making up just 0.1%.

Victims were urged not to pay the ransom demanded, and by the time WannaCry had stopped spreading, just 327 payments had been made to the hardcoded bitcoin wallet addresses associated with the malware. The total amount paid was around $140,000 when it was withdrawn from the wallets in August 2017.

It's believed that WannaCry had the potential to cause catastrophic damage had it been deliberately targeted against critical infrastructure, such as utility companies or the National Grid.

What vulnerabilities did WannaCry exploit?

Like all ransomware, WannaCry worked by gaining access to the target's computer, encrypting the contents of its hard drives and then extorting money from the victim in exchange for the decryption key. What made WannaCry unique was the way it spread.

The WannaCry package comprised two parts: the ransomware portion, which encrypted the target machine and threw up the ransom instructions, and a component which allowed it to quickly propagate throughout networks. It was this latter element which made it so devastating.

Based on a flaw in the Server Message Block (SMB) protocol of various versions of Windows, it scanned the local network that a machine was connected to, found other devices (including printers and other peripherals as well as PCs) with exposed SMB network ports, and then used specially-crafted packets to initiate a transfer and drop the payload on the new machine, whereupon the process would start all over again.
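One way a defender can spot this propagation pattern in network telemetry, as an added example that is not from the original article: a Python function that flags any host opening SMB (TCP/445) connections to an unusually large number of distinct peers within a short window. The log format and IP addresses are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real telemetry), one line per flow:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>". Host 10.0.0.15 fans out to
# 25 neighbours on TCP/445 within half a minute; 10.0.0.20 is a normal client
# talking repeatedly to one file server.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.0.15 10.0.0.{100 + i} 445" for i in range(25)]
    + ["2017-05-12T10:00:05 10.0.0.20 10.0.0.50 445",
       "2017-05-12T10:00:09 10.0.0.20 10.0.0.50 445",
       "2017-05-12T10:00:12 10.0.0.15 10.0.0.1 53"])

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_smb_scanners(text, threshold=20, window=timedelta(seconds=60)):
    """Return {src_ip: peak number of distinct TCP/445 peers seen within any
    `window`} for sources whose peak reaches `threshold`. One host opening SMB
    connections to many distinct peers in quick succession is the network
    signature of the worm behaviour described above."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> flows to it inside the sliding window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # expire flows older than window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Tune the threshold to the normal SMB fan-out of your environment; file servers and backup hosts legitimately talk to many peers and will need an allow-list.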


This process was based on an exploit known as 'EternalBlue', released by the Shadow Brokers hacking group. This mysterious collective of hackers dumped a number of dangerous exploits for vulnerabilities in major systems (widely thought to have been created by the NSA) onto the public web, allowing the authors of WannaCry to incorporate it into their ransomware in order to make it wormable. WannaCry also used DOUBLEPULSAR, a backdoor injection tool that was also included in the Shadow Brokers' leaks, to aid in its spread.

The EternalBlue exploit that facilitated WannaCry's spread had actually been patched by Microsoft some months earlier, but widespread failure to apply the patch in a timely manner meant that victims were left at risk. Shortly following the outbreak, Microsoft also took the unusual step of releasing an emergency patch for affected operating systems that had already reached their end-of-life date.

Who was behind WannaCry?

Attributing cyber attacks to specific individuals, groups or nation-states is always difficult; it's an inexact science at best, and made all the more difficult by malware authors planting false flags to throw investigators off the scent. However, the general consensus among the security and intelligence community is that North Korean hackers were most likely to be behind WannaCry, probably working on behalf of the government.

This assessment is lent credence by the fact that metadata within the ransomware files indicated the author's computer was set to a Korean timezone, while it has been noted by both Symantec and Kaspersky that the code bears strong similarities to code used by the Lazarus Group. This group orchestrated the hack on Sony Pictures in 2014, and has also been linked to the North Korean state.

The US government formally blamed North Korea for the attack in September 2018 - a charge that various G20 allies, including the UK, have since echoed. North Korean authorities have always denied the allegations.

How was WannaCry stopped?

The spread of WannaCry was successfully halted less than a week after its initial emergence, thanks to the combined efforts of security researchers around the world. However, the biggest blow against the malware happened virtually by accident.

A security researcher going by the handle MalwareTech (later revealed to be British citizen Marcus Hutchins) found a URL hardcoded into the malware, which the malware would query prior to releasing its payload and encrypting the target machine.

After registering the domain, he discovered that this URL was effectively acting as a kill-switch; if the malware queried the domain and didn't find anything, it would drop the payload, but if it received a response, then it didn't trigger. Some initially suggested that this was included as a deliberate kill-switch, allowing the malware's creators to pull the plug if they needed to, but Hutchins does not agree.

Some sandbox environments, which researchers use to analyse malware without risk of infecting their machine, will simulate a correct response for any URL lookup. Hutchins believes that the inclusion of a URL check is an attempt to stop it triggering in sandbox environments, making it harder for researchers to analyse and combat. The effect, however, was the same: once the domain had been registered, any new WannaCry infections would not initiate the encryption of the victim, effectively killing off its ability to spread further.
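The kill-switch behaviour described above also gives incident responders a triage signal in DNS logs, shown here as an added example that is not from the original article: a host whose lookup of the hardcoded domain failed hit the condition under which WannaCry proceeds, while a host whose lookup resolved ran the malware but did not trigger. The domain name, log format and addresses are placeholders constructed for illustration; the real domain is not given in the article.

```python
# Placeholder for the hardcoded kill-switch domain (not the real one, which
# the article does not name); substitute the value from your own analysis.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed resolver log: "<timestamp> <client_ip> <query_name> <rcode>".
# 10.0.0.15 queried before the domain was registered (NXDOMAIN), the other
# two hosts queried afterwards and got an answer (NOERROR).
SAMPLE_DNS_LOG = """\
2017-05-12T08:55:10 10.0.0.15 killswitch.example NXDOMAIN
2017-05-12T08:55:11 10.0.0.15 update.example NOERROR
2017-05-12T16:20:03 10.0.0.21 killswitch.example NOERROR
2017-05-12T16:20:40 10.0.0.22 KillSwitch.Example. NOERROR
2017-05-12T16:21:00 10.0.0.30 mail.example NOERROR
"""

def triage_kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Bucket hosts that queried the kill-switch domain by lookup outcome.

    likely_encrypted: the lookup failed (NXDOMAIN), which is the condition
      under which the malware drops its payload, so treat the host as
      probably encrypted and prioritise it for recovery.
    did_not_trigger: the domain resolved, so the malware ran but stopped
      short of encrypting; the host still executed the sample and is still
      unpatched, so it must be cleaned and patched before it is trusted.
    Values are the first-seen timestamp per host.
    """
    result = {"likely_encrypted": {}, "did_not_trigger": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        # Normalise trailing dot and case so "KillSwitch.Example." matches.
        if qname.rstrip(".").lower() != domain.lower():
            continue
        bucket = "likely_encrypted" if rcode == "NXDOMAIN" else "did_not_trigger"
        result[bucket].setdefault(client, ts)
    return result
```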

The hackers behind WannaCry attempted to launch new variants with different hard-coded domains, but they were quickly caught and registered. They also tried to knock Hutchins' original domain offline via a Mirai-powered DDoS attack, but were ultimately unsuccessful. The domain is currently being maintained by Kryptos Logic, Hutchins' employer.
