Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is WannaCry Ransomware?

WannaCry is a strain of ransomware that can self-propagate by exploiting a weakness in the Windows Server Message Block (SMB) protocol. SMB lets Windows devices communicate with one another over a network, but Microsoft's implementation could be manipulated with specially crafted packets, allowing adversaries to execute malicious code on the target machine.

WannaCry was allegedly developed by the North Korean Lazarus Group, and combined stolen US government exploit code with custom code to create a ransomware worm that was able to spread rapidly and infect an estimated 200,000 computers within three days in a global attack in May 2017. The attack caused billions of dollars in damage, with the UK’s National Health Service (NHS) alone incurring an estimated cost of US$100 million. The attack was only stopped by the discovery of a “kill switch” within the WannaCry code, which prevented further spread of the worm.

WannaCry is able to encrypt 176 different file types and demands a US$300 ransom in Bitcoin. Since the 2017 outbreak, modified versions have been identified but none have been as successful as the original.

How WannaCry Ransomware Works/Spreads

As with other strains of ransomware, WannaCry attacks work in three key steps, which are explained below:

Step 1: Infection

Unlike most other ransomware strains, WannaCry spreads automatically instead of being carried by emails or malware droppers. It uses the EternalBlue exploit to take advantage of a flaw in Windows' SMB protocol; the exploit was developed by the NSA and leaked by the Shadow Brokers. Although Microsoft released a patch in April 2017, many organizations had not installed it when the WannaCry outbreak occurred. Infected machines scan the Internet for other vulnerable machines, then send a copy of WannaCry to each one and execute it.
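The propagation behaviour described above leaves a distinctive trace in network logs: one host opening connections to many distinct peers on TCP/445 within a short window, and, for exposed networks, inbound 445 connections from outside. The following script is an added example written for this post, not code from Lepide or from any product; it runs over a constructed, simplified firewall export. The log layout, the sample lines, the internal address ranges and the thresholds are assumptions chosen for illustration and should be mapped onto your own firewall's export format.

```python
"""Flag WannaCry-style SMB propagation in firewall connection logs.

Added example, not code from the Lepide post. The log layout, sample lines,
internal address ranges and thresholds below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
DISTINCT_TARGET_THRESHOLD = 8  # assumption: few workstations need this many SMB peers per minute

# Assumption: the organisation's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export, one connection per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
# 10.0.0.15 behaves like an infected host sweeping TCP/445 (internal and external targets),
# 10.0.0.40 and 10.0.0.41 are ordinary file-server users, and 192.0.2.77 is an
# external address that was allowed to reach an internal host on 445.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.15 10.0.0.20 445 ALLOW
2017-05-12T10:00:02 10.0.0.15 10.0.0.21 445 ALLOW
2017-05-12T10:00:02 10.0.0.15 10.0.0.22 445 DENY
2017-05-12T10:00:03 10.0.0.15 10.0.0.23 445 DENY
2017-05-12T10:00:03 10.0.0.15 10.0.0.24 445 DENY
2017-05-12T10:00:04 10.0.0.15 10.0.0.25 445 DENY
2017-05-12T10:00:04 10.0.0.15 203.0.113.7 445 ALLOW
2017-05-12T10:00:05 10.0.0.15 198.51.100.9 445 DENY
2017-05-12T10:00:05 10.0.0.15 10.0.0.26 445 ALLOW
2017-05-12T10:00:06 10.0.0.15 10.0.0.27 445 ALLOW
2017-05-12T10:00:10 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-12T10:00:11 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-12T10:00:30 10.0.0.41 10.0.0.5 445 ALLOW
2017-05-12T10:01:00 192.0.2.77 10.0.0.15 445 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_scanners(events, window=WINDOW, threshold=DISTINCT_TARGET_THRESHOLD):
    """Return {src_ip: max_distinct_targets} for sources that contacted more than
    `threshold` distinct hosts on TCP/445 inside any sliding `window`.
    Denied attempts count too: a worm does not care whether the port answers."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def find_internet_exposed_smb(events):
    """Return the internal hosts that accepted TCP/445 from a non-internal address:
    these are reachable by the same kind of scan from outside the network."""
    return {dst for _, src, dst, port, action in events
            if port == SMB_PORT and action == "ALLOW"
            and not is_internal(src) and is_internal(dst)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanning hosts:", find_smb_scanners(evs))
    print("internet-exposed SMB:", find_internet_exposed_smb(evs))
```

Counting distinct destinations rather than raw connection attempts is what separates a sweeping worm from a busy user on one file server: 10.0.0.40 makes two connections to the same host and is not flagged, while 10.0.0.15 reaches ten different hosts in five seconds. The exposure check is the complementary view: a host that accepts 445 from outside is reachable by exactly the scan the infection step describes, which is why blocking SMB at the perimeter was one of the first containment actions during the 2017 outbreak.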

Step 2: Encryption

The purpose of ransomware is to prevent victims from accessing their data unless they pay the ransom. This is achieved by encrypting the victims' data, which can only be decrypted with a secret key held exclusively by the ransomware operator. Consequently, victims are compelled to pay the demanded ransom to recover their information. To avoid destabilizing the system, WannaCry selectively encrypts a limited set of file types on a computer: if the wrong files were locked, the machine might no longer be usable, hampering the victim's ability to pay the ransom or retrieve their data.

Step 3: Payment

WannaCry asks its victims to pay a ransom of $300, and the payment must be made in Bitcoin. Bitcoin is less traceable than conventional currencies, which makes it easier for ransomware operators to embed a payment address (akin to a bank account number) in their ransom message without immediately exposing their identity to the authorities. Paying the ransom is supposed to entitle the victim to a decryption key that restores access to their data. NOTE: There is no code to suggest that encrypted files will be deleted if a ransom is not paid.

Examples of WannaCry Ransomware attacks

Many organizations, in many different countries, were hit by the WannaCry attack. Below are a few of the largest organizations that were affected by the incident.

The UK’s National Health Service (NHS)

The NHS was hit hard by the WannaCry attack, which affected hundreds of hospitals and surgeries across the UK. Thousands of appointments and operations were canceled, and ambulances were reportedly rerouted. The WannaCry attack cost the NHS an estimated £92 million.

German rail operators

Deutsche Bahn, a German rail operator, was hit by the WannaCry attack, with some of the electronic boards used to announce arrivals and departures showing a red screen demanding a payment (either $300 or $600) in Bitcoin in order to restore access.

Spanish telephone operators

Telefonica, one of Spain’s largest telephone operators and mobile network providers, was hit by the attack, which left hundreds of the company’s computers inaccessible. As the attack unfolded, an audio warning was played over speakers inside the company’s headquarters, asking employees to shut down their machines immediately.

How To Protect Against WannaCry Ransomware

While the most damaging WannaCry attacks took place within a few weeks after May 12, 2017, the strain is still alive and kicking. In fact, we’ve even seen a significant increase in WannaCry attacks over the last few years. The difference is that most organizations have since installed the relevant security patches, thus limiting the damage that it can cause. That said, there are still lessons we can learn from the attack. Below are some of the most commonly cited ways to protect your systems and data from the WannaCry attack.

Install Windows updates as soon as they become available

Make sure to update your Windows operating system as soon as possible. If you have one of the latest versions of Windows (10/8.1/7, etc.) and have enabled automatic updates, you should have already received the necessary fix that was released in March 2017. In response to the WannaCry attack, Microsoft took the unusual step of issuing patches for older versions of Windows that it no longer supports. To safeguard against this malware, you can download the security updates from the following source.

Install a dedicated anti-ransomware utility

Don’t assume that old versions of antivirus have ransomware protection. Check your settings or research your product to see if it has the features you need. If not, install a dedicated anti-ransomware utility such as TotalAV Antivirus, Malwarebytes Anti-Ransomware, or BitDefender Antivirus Plus.

Use a cloud-based backup facility

If you are using a cloud-based backup solution, there is a possibility that you can retrieve all of your files that have been encrypted by WannaCry. Dropbox, for example, stores snapshots of all file changes made in the past 30 days. It is a good idea to explore your online backup or storage provider’s ability to maintain rollback versions of your files, as this can help you avoid paying the ransom.

Educate your employees about ransomware

Employee training is a crucial element in preventing ransomware attacks and should cover the basics of what ransomware is and how it spreads. Key topics for a practical ransomware training program include recognizing phishing emails and websites, using removable media safely, and reporting and responding to threats. Effective training should be an ongoing process that adapts to new strains, such as those targeting hybrid and work-from-home environments.

How Lepide Helps

Lepide Data Security Platform can be a valuable tool in protecting against ransomware attacks. Here are some ways in which it can help:

Real-time threat detection: Lepide’s platform can detect and alert you to any suspicious activity on your network in real time, including attempts to install ransomware. This allows you to respond quickly and prevent the ransomware from spreading further.

File activity monitoring: The platform can monitor all file activity on your network, allowing you to quickly identify any unusual file activity that could be an indicator of ransomware. This helps you to catch ransomware attacks early on and prevent them from causing significant damage.

Access monitoring: The platform can also monitor user access to files and folders, ensuring that only authorized users are accessing sensitive data. This helps to prevent ransomware attacks that rely on stolen credentials to gain access to sensitive data.

User behavior analysis: Lepide’s platform uses machine learning algorithms to analyze user behavior and detect anomalies that could be an indication of a ransomware attack. This can help you to catch ransomware attacks that would be difficult to detect using traditional methods.

Automated response: In the event of a ransomware attack, the platform can automatically quarantine affected files, isolate infected devices, and shut down network access to prevent the spread of the attack. This helps to limit the damage caused by the attack and prevent it from spreading further.
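The file activity and automated response items above describe a generic detection pattern rather than a product feature: a ransomware run shows up in file audit logs as one account writing, renaming or deleting far more files per minute than it normally does, usually converting them to a single new extension. The script below is an added example written for this post; it is not Lepide code and does not reproduce the platform's logic. The audit record layout, user names, file paths, the ".locked" extension and the thresholds are all constructed for illustration.

```python
"""Flag ransomware-like bursts of file writes in file audit events.

Added example, not Lepide product code. Record layout, users, paths,
the ".locked" extension and the thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WRITE_ACTIONS = {"MODIFY", "RENAME", "DELETE", "CREATE"}  # reads are ignored
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20      # assumption: writes per user per window that is "too many"
EXT_PIVOT_RATIO = 0.8     # assumption: share of renames that must land on one new extension

# Constructed audit events: (timestamp, user, action, path, new_path or None)
SAMPLE_EVENTS = [
    ("2017-05-12T09:58:00", "alice", "MODIFY", r"\\fs01\finance\q1.xlsx", None),
    ("2017-05-12T09:59:30", "alice", "MODIFY", r"\\fs01\finance\q1.xlsx", None),
    ("2017-05-12T10:00:05", "carol", "READ", r"\\fs01\hr\handbook.pdf", None),
    ("2017-05-12T10:00:07", "carol", "READ", r"\\fs01\hr\policy.docx", None),
]
# bob's session: 25 documents renamed to a new extension within 25 seconds
for i in range(25):
    SAMPLE_EVENTS.append((f"2017-05-12T10:00:{i:02d}", "bob", "RENAME",
                          rf"\\fs01\hr\doc{i:02d}.docx",
                          rf"\\fs01\hr\doc{i:02d}.docx.locked"))


def extension(path):
    """Lower-case final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return one alert per user whose busiest sliding `window` holds more than
    `threshold` write-type events. If most of those events are renames onto a
    single new extension, the alert names it as the suspected ransomware suffix."""
    by_user = defaultdict(list)
    for ts, user, action, path, new_path in events:
        if action in WRITE_ACTIONS:
            by_user[user].append((datetime.fromisoformat(ts), action, path, new_path))

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) > len(best):
                best = span
        if len(best) <= threshold:
            continue
        new_exts = Counter(extension(e[3]) for e in best if e[1] == "RENAME" and e[3])
        renames = sum(new_exts.values())
        pivot = None
        if renames:
            ext, count = new_exts.most_common(1)[0]
            if count / renames >= EXT_PIVOT_RATIO:
                pivot = ext
        alerts.append({
            "user": user,
            "window_start": best[0][0].isoformat(),
            "writes": len(best),
            "renames": renames,
            "new_extension": pivot,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The extension pivot is the signal worth acting on automatically: a user who legitimately edits many files in a minute does not rename all of them to the same unfamiliar suffix, so an alert carrying `new_extension` is a reasonable trigger for the containment steps the page lists (disabling the account's share access and isolating the host), while a plain write burst without a pivot is better routed to a human first.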

Using the Lepide Data Security Platform, you can take proactive steps to protect your network against ransomware attacks, detect threats in real-time, and respond quickly to mitigate the damage. With the threat of ransomware attacks increasing every day, it is more important than ever to have a comprehensive security solution in place to protect your organization’s valuable data.