WannaCry is a strain of ransomware that emerged in the wild on May 12, 2017, and quickly spread to infect over 200,000 systems in more than 150 countries.
Also known as WannaCrypt, WanaCrypt0r, WCrypt, and WCRY, the WannaCry worm takes advantage of a flaw in Microsoft’s Server Message Block (SMB) protocol through an exploit codenamed “EternalBlue” and uses phishing e-mail scam tactics to infect older, unpatched Microsoft Windows systems.
Potential Damage of WannaCry Mitigated by Security Patch and Kill Switch
Microsoft patched the “EternalBlue” SMB security flaw in an update advisory released on March 14th (MS17-010), although at the time it only applied to Windows 10. WannaCry, however, was developed to target unpatched Windows 7, Windows Server 2008, and earlier operating systems.
While these security patches have helped mitigate the potential spread of WannaCry, many Windows systems remain out of date when it comes to recent security patches and as a result continue to be vulnerable to ransomware like WannaCry and other malware.
The potential damage of WannaCry has also been mitigated by the triggering of a “kill switch” found in the WannaCry code. The code was designed to attempt a connection to a specific domain and to infect the system and spread further only if that connection fails. Shortly after its emergence in the wild, the domain named in the WannaCry code was registered and set up, which limited the further spread and damage of the initial strain of WannaCry.
How WannaCry Works and Spreads
WannaCry has two main components: a dropper Trojan that seeks to exploit the SMB security vulnerability on older, unpatched Windows systems and the ransomware itself.
Systems infected by WannaCry are used to attempt to infect other unpatched Windows systems on the local network as well as across the Internet.
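The worm-like spreading just described leaves a recognizable trace on a network: one host opening SMB connections to many distinct peers in a short time. The following added example (not code from the original article) shows the detection logic a defender would run over firewall or flow logs; the log line format and the sample records are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the page). Assumed line format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>". 10.0.0.5 fans out to
# 16 distinct peers on TCP/445 within seconds, the worm-like pattern; 10.0.0.7
# keeps reconnecting to a single file server, which is ordinary SMB use.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445 tcp" for i in range(16)]
    + [f"2017-05-12T10:0{i}:00 10.0.0.7 10.0.0.10 445 tcp" for i in range(5)]
    + ["2017-05-12T10:00:30 10.0.0.9 93.184.216.34 443 tcp"]
)

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_smb_scanners(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak_distinct_dst} for every source that reached at
    least `threshold` distinct hosts on TCP/445 inside any `window`-long span.
    Distinct destinations, not connection count, is the signal: a workstation
    hammering one file server is normal, one touching dozens of hosts is not."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if port == 445 and proto == "tcp":
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window's left edge forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits

if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm scanning from {src}: {count} distinct hosts on 445")
```

Tune `threshold` and `window` to the site's normal SMB fan-out (backup servers and vulnerability scanners legitimately touch many hosts) and allow-list them rather than lowering the threshold.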
On infected machines, WannaCry encrypts all the files it finds and renames them with a .WNCRY file name extension. WannaCry then drops a ransom note in each directory and replaces the desktop wallpaper with a ransom message demanding that users pay $300 in Bitcoin in order to have their files decrypted and restored.
Protecting Against WannaCry and Other Ransomware / Malware Attacks
To protect systems from WannaCry and other forms of ransomware and malware, Microsoft recommends upgrading to Windows 10, which isn’t vulnerable to the WannaCry / WannaCrypt variants.
Users are also encouraged to install the SMB security update on older Windows systems and to stay current on all security patches and updates through the Windows Update service.
Additionally, users can disable SMB entirely by following the instructions in this Microsoft Knowledge Base article, or restrict SMB traffic by adding a rule on the network router or software firewall that blocks incoming SMB traffic on TCP port 445.