WannaCry ransomware

If you were using a Windows operating system in 2017, you might have heard of a strain of ransomware that hit more than 150 countries and took hold of hundreds of thousands of computers, including hospital and other critical infrastructure systems.

what is WannaCry, and where did it come from?

what is ransomware?

Ransomware is essentially like someone breaking into your house and locking you out. They keep you from all your valuables and necessities, and they'll let you back in if you pay a ransom. Say they demand $1,000. You could refuse and focus on breaking back into your house, but suppose that takes ten days. Where are you going to stay and eat while they control your house? If a nearby hotel costs $200 a night, not paying the ransom ends up costing you double.

Ransomware gets in through various methods, most commonly phishing emails and the exploitation of software vulnerabilities. WannaCry infected Windows systems through a vulnerability in version 1 of the Server Message Block (SMBv1) file-sharing protocol, which Microsoft had patched as MS17-010, using an exploit known as EternalBlue.

Once the ransomware is running on your system, it encrypts your files. Ransomware typically generates a fresh key per file or per victim and then encrypts that key with a public key whose private half only the attacker holds, so the scrambled data cannot be recovered without the attacker's cooperation or a flaw in their scheme.

After encryption, you are presented with a message informing you that your files are locked and demanding a ransom payment, typically in a cryptocurrency such as Bitcoin, to regain access. The ransom amount varies with the attacker and the perceived value of your data.

Ransomware attacks often employ scare tactics. The note may display a countdown timer, pressuring you to pay before the price rises or your files are permanently deleted.

how was wannacry ransomware spread?

WannaCry spread through an exploit rather than phishing emails. The exploit, called EternalBlue, was developed by the US National Security Agency (NSA) and kept for offensive use rather than being disclosed so the flaw could be fixed. In April 2017 it was leaked by a group calling itself the Shadow Brokers. It targeted a flaw in the Windows implementation of version 1 of the Server Message Block (SMB) protocol.

SMB is the file- and printer-sharing protocol used on Windows networks. EternalBlue abused a memory-corruption bug in how the SMBv1 server parsed certain requests, giving an unauthenticated attacker remote code execution with kernel privileges on any vulnerable machine that exposed port 445.

Microsoft had released the patch (MS17-010) in March 2017, about two months before the WannaCry outbreak in May. Many users and organizations hadn't installed it, and some were running end-of-life versions such as Windows XP that had no patch available at the time, leaving their systems open to exploitation. The practical fix is the same today: apply the update, and disable SMBv1 wherever nothing depends on it.

EternalBlue provided the entry point. Once WannaCry infected a machine, it scanned the local network and random internet addresses for other hosts with port 445 open and used the same exploit against them, so it propagated on its own, functioning as a worm.

The combination of large numbers of unpatched, reachable systems and WannaCry's worm-like behaviour created a domino effect: one infected machine could quickly infect every vulnerable host it could reach, which is what drove the rapid global spread.
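The worm-like spread described above has a recognisable signature in network logs: one host opening connections to many different neighbours on TCP/445 within seconds, which no normal workstation does. The detector below is an added example written for this page (not WannaCry's code or any vendor's rule). Its log format, one ISO timestamp followed by key=value fields, and all of the addresses are constructed for the demo; adapt parse_flow() to whatever your firewall or flow exporter emits.

```python
"""Spot worm-like SMB sweeps in connection logs.

Added example for this page, not WannaCry's code or any vendor's detection.
The log format (ISO timestamp, then key=value fields) and all addresses are
constructed for the demo; adapt parse_flow() to your firewall or NetFlow export.
"""
from collections import defaultdict
from datetime import datetime


def parse_flow(line):
    """Parse one constructed flow record into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_sweepers(lines, window_s=60, threshold=20):
    """Return {src: peak_distinct_targets} for every source that contacted more
    than `threshold` distinct hosts on TCP/445 inside any `window_s` window.

    A worm probes many different neighbours in a short burst; a workstation
    talking to its file server hits one host many times, and an admin touching
    a few servers over an hour never builds up a burst. Counting *distinct*
    destinations per window separates the first from the other two.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec["dport"] == 445:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, left = 0, 0
        for right in range(len(events)):
            # Shrink the window from the left until it spans <= window_s seconds.
            while (events[right][0] - events[left][0]).total_seconds() > window_s:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def constructed_sample():
    """Synthetic log lines: one infected host, one busy workstation, one admin."""
    lines = []
    # 10.0.0.5 probes 30 different neighbours on 445 within 30 seconds (worm).
    for i in range(30):
        lines.append(f"2017-05-12T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.0.{100 + i} "
                     f"dport=445 proto=tcp action=deny")
    # 10.0.0.20 opens 50 sessions to a single file server over 50 minutes.
    for i in range(50):
        lines.append(f"2017-05-12T10:{i:02d}:00Z src=10.0.0.20 dst=10.0.0.2 "
                     f"dport=445 proto=tcp action=allow")
    # 10.0.0.30 (an admin) reaches five servers, twelve minutes apart.
    for i in range(5):
        lines.append(f"2017-05-12T10:{12 * i:02d}:00Z src=10.0.0.30 dst=10.0.0.{40 + i} "
                     f"dport=445 proto=tcp action=allow")
    # Unrelated web traffic from the infected host, ignored by the 445 filter.
    lines.append("2017-05-12T10:00:05Z src=10.0.0.5 dst=203.0.113.10 dport=80 proto=tcp action=allow")
    return lines


if __name__ == "__main__":
    for src, peak in find_smb_sweepers(constructed_sample()).items():
        print(f"{src}: {peak} distinct SMB targets within 60s -> possible worm")
```

On the constructed sample only 10.0.0.5 is flagged, with 30 distinct targets in one minute; the workstation's 50 connections to a single server and the admin's five scattered logins never exceed one distinct destination per window. Tune `threshold` to your environment's normal fan-out before alerting on it.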

who created wannacry?

WannaCry is believed to have been developed by the Lazarus Group, a hacking group linked to North Korea; the US and UK governments publicly attributed the attack to North Korea in December 2017. The assessment rests on code and infrastructure overlaps between WannaCry and earlier malware linked to North Korean groups. There is evidence, but not absolute proof.

Attributing cyberattacks is complex. Attackers routinely mask their location and identity and can borrow or plant another group's code, so a match in tooling is evidence rather than proof.

The motive behind WannaCry is also not entirely clear. Was it a financial attack aimed at collecting ransoms, or an attempt to cause disruption? The payment side was crude: three hard-coded Bitcoin addresses and no reliable way to match a payment to a particular victim, which argues against a purely financial motive.

does wannacry still exist?

Variants of WannaCry have appeared since the initial attack, some of them copycats or modifications by other criminals, and detections still turn up on unpatched legacy systems. With the patch widely deployed and the kill-switch domain sinkholed, it is no longer a significant threat.

a ‘kill switch’ was discovered by a researcher named Marcus Hutchins. Hutchins noticed that the WannaCry code tried to connect to a specific, hard-coded domain before proceeding, and only carried on with encryption if that connection failed. The domain was a long, random-looking string and, crucially, was unregistered; it didn't appear to be linked to any known malicious infrastructure.

for $10.69 Hutchins registered the domain. From that point the connection succeeded, so every new copy of WannaCry that could reach the domain exited without encrypting or spreading. This functioned as a kill switch and halted the spread, although it did nothing for files that had already been encrypted. The registered domain also became a sinkhole: because infected hosts kept connecting to it, it gave defenders a way to spot compromised machines.
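Two details of the kill switch matter to a defender and are easy to get wrong from the description above: the check was a direct HTTP request that ignored the system's proxy settings, and the malware only stopped if that request succeeded, so on a network where direct outbound HTTP is blocked the sinkhole never protected anyone. The model below is an added example written for this page, not WannaCry's code. `KILL_SWITCH_DOMAIN` is a placeholder rather than the real domain, the three `fetch` functions stand in for network environments, and the DNS log lines are constructed to show how the same domain doubles as an indicator of compromise.

```python
"""Model of WannaCry's kill-switch check and of the sinkhole it created.

Added example for this page, not WannaCry's code. KILL_SWITCH_DOMAIN is a
placeholder, not the real domain, and the DNS log lines are constructed.
"""

KILL_SWITCH_DOMAIN = "kill-switch.invalid"  # stand-in for the hard-coded domain


def payload_would_run(fetch, domain=KILL_SWITCH_DOMAIN):
    """Reproduce the decision the malware made on start-up.

    `fetch(url)` stands for a direct HTTP GET that returns normally on success
    and raises on any failure. The malware only stopped when the request
    SUCCEEDED; an unregistered domain, a DNS failure and a blocked connection
    all look the same to it, so the check fails open.
    """
    try:
        fetch(f"http://{domain}/")
    except Exception:
        return True    # no answer: encrypt and spread
    return False       # domain answers: exit without doing anything


# Three environments, modelled as fetch functions (constructed):
def before_registration(url):
    raise ConnectionError("NXDOMAIN")      # nobody owned the domain yet


def sinkhole_reachable(url):
    return "200 OK"                        # the registered domain answers


def proxy_only_egress(url):
    # The domain is live, but this network only lets the corporate proxy out,
    # and the check ignores proxy settings, so the direct request never gets
    # through. Result: the kill switch does not protect this network.
    raise ConnectionError("direct egress blocked")


def evaluate_environments():
    return {
        "before_registration": payload_would_run(before_registration),
        "sinkhole_reachable": payload_would_run(sinkhole_reachable),
        "proxy_only_egress": payload_would_run(proxy_only_egress),
    }


def hosts_querying(dns_log_lines, domain=KILL_SWITCH_DOMAIN):
    """Internal hosts that looked up the kill-switch domain.

    Every copy of the malware has to resolve the domain as part of its HTTP
    check, so a query for it from inside the network marks a machine that is
    infected and merely suppressed by the sinkhole. Log format is constructed:
    '<ts> client=<ip> query=<name> type=<rrtype>'.
    """
    hits = set()
    for line in dns_log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("query", "").rstrip(".").lower() == domain:
            hits.add(fields["client"])
    return sorted(hits)


CONSTRUCTED_DNS_LOG = [
    "2017-05-12T14:03:11Z client=10.0.0.5 query=kill-switch.invalid type=A",
    "2017-05-12T14:03:12Z client=10.0.0.20 query=update.example.net type=A",
    "2017-05-12T14:04:40Z client=10.0.0.77 query=KILL-SWITCH.INVALID. type=A",
    "2017-05-12T14:05:02Z client=10.0.0.5 query=kill-switch.invalid type=A",
]

if __name__ == "__main__":
    for env, runs in evaluate_environments().items():
        print(f"{env:22s} payload runs: {runs}")
    print("infected hosts seen in DNS:", hosts_querying(CONSTRUCTED_DNS_LOG))
```

The third environment is the one to remember: a kill switch that fails open protects only the networks from which the malware can complete its check, so an organisation that relied on the sinkhole while forcing all web traffic through a proxy was still fully exposed. The DNS view is the defender's upside of the same mechanism: any internal host resolving the domain is a host to isolate and reimage.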

While Hutchins was hailed as a hero for his role in stopping WannaCry, he was later arrested on unrelated charges of creating and distributing malware (the Kronos banking trojan).

why is wannacry significant?

WannaCry brought ransomware into mainstream awareness. It showed attackers the potential financial gain of the tactic, and a surge in ransomware attacks followed in subsequent years.

WannaCry wasn't a targeted attack; it indiscriminately infected hundreds of thousands of computers in more than 150 countries. That scale highlighted how interconnected the digital world is and how widespread the impact of a single cyberattack can be.

The attack exploited a vulnerability in Microsoft Windows that was already known and already patched. It underscored the crucial role of applying security updates promptly: an unpatched, known flaw is the easiest target there is.

While the original WannaCry isn't a major threat to patched systems, it remains a reminder of the ever-present danger of ransomware and of the need to keep improving defences against evolving threats.
