
WannaCry

Forrest Stroud
Last Updated May 26, 2022 12:32 am

WannaCry was one of the most damaging malware attacks in history. On Friday, May 12, 2017, WannaCry ransomware infected computers all around the world, demanding that victims pay a ransom to get their data back.

Also known as WannaCrypt, WanaCrypt0r, WCrypt, and WCRY, the WannaCry worm uses an exploit codenamed “EternalBlue” against a vulnerability in Microsoft’s Server Message Block (SMB) protocol, and also uses phishing email scam tactics, to infect older, unpatched Microsoft Windows systems.

What Is WannaCry? 

WannaCry was ransomware that infected computers and restricted access to files until a ransom was paid. It was designed to take advantage of a Windows XP vulnerability, which Microsoft had patched with the MS17-010 update in March 2017. Many XP users had not installed this security patch before the attack, and users of newer Windows versions were vulnerable as well, because the flaw affected those versions too.

[Figure: WannaCry ransomware screen. Source: Image by Securelist, accessed 5/5/22.]

How Did WannaCry Work?

WannaCry has two main components: a dropper Trojan that seeks to exploit the SMB security vulnerability on older, unpatched Windows systems, and the ransomware itself.

Systems infected by WannaCry are used to attempt to infect other unpatched Windows systems on the local network as well as across the internet.

On infected machines, WannaCry encrypts every file it finds and appends a .WNCRY extension to each file name. It then drops a ransom message in each directory and replaces the desktop wallpaper with a ransom message, demanding that users pay $300 worth of Bitcoin to have all their files decrypted and restored.

In summary, WannaCry infected computers, cut off users’ access to their data, and held it hostage until a ransom was paid to release it. The ransomware encrypted the files on an infected computer and then spread copies of itself to other computers on the same network. These copies are saved to any available network volumes or sent via spam email containing the link.
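The artifacts just described (the .WNCRY extension and a ransom note in each affected directory) are what a responder looks for first when triaging a suspected infection. The following Python script is an added example, not code from the original article: it walks a directory tree, counts those artifacts per directory, and runs against a constructed sample tree. The ransom-note file name is a placeholder, since the article does not name the file.

```python
import os
import tempfile

# Artifacts described in the article: encrypted files get a .WNCRY
# extension and a ransom note is dropped in every affected directory.
ENCRYPTED_EXT = ".wncry"
# The article does not name the note file; this placeholder name is an
# assumption and should be replaced with the real indicator when known.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"


def scan_for_wncry(root, note_name=RANSOM_NOTE_NAME):
    """Walk `root` and record WannaCry-style artifacts per directory.

    Returns {directory: {"encrypted": count, "note": bool}}; directories
    with no indicator are omitted.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note = note_name in files
        if encrypted or note:
            findings[dirpath] = {"encrypted": encrypted, "note": note}
    return findings

def summarise(findings):
    """Aggregate the numbers a responder reports first."""
    return {
        "directories_hit": len(findings),
        "files_encrypted": sum(v["encrypted"] for v in findings.values()),
        "notes_dropped": sum(1 for v in findings.values() if v["note"]),
    }

def build_sample_tree():
    """Constructed sample tree (not real victim data) for an offline run."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    docs = os.path.join(root, "Documents")
    clean = os.path.join(root, "Clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("budget.xlsx.WNCRY", "report.docx.WNCRY", RANSOM_NOTE_NAME):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()
    return root

if __name__ == "__main__":
    print(summarise(scan_for_wncry(build_sample_tree())))
    # -> {'directories_hit': 1, 'files_encrypted': 2, 'notes_dropped': 1}
```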

How Did WannaCry Spread? 

WannaCry spread through an email link or infected file that tricked users into opening it. Once launched, the malware’s payload encrypted user files and displayed a message demanding payment for a decryption key. Three days after the attack, the malware informed users that the ransom had doubled.

How Far Did WannaCry Spread? 

Within days of its discovery, WannaCry spread to 150 countries around the world. It affected large companies, like Nissan and Honda, as well as many hospitals in Britain.

Three days after it was launched, on Monday, May 15, 2017, the hackers stopped spreading the malware after their Bitcoin wallets were cut off by authorities. Soon after, Microsoft released a patch for Windows XP and Windows 8 computers that were still vulnerable to attack.

The next day, on Tuesday, May 16, Europol’s European Cybercrime Centre (EC3) reported that it had identified “a possible link to Lazarus Group.” EC3 is part of Europol, the European Union’s law enforcement agency, located in The Hague.

Lazarus Group is an international cybercrime ring that has been linked to other high-profile attacks on Sony Pictures Entertainment and Target stores, in 2014 and 2015 respectively. 

How Was WannaCry Ransomware Stopped?

Microsoft patched the “EternalBlue” SMB security flaw in security bulletin MS17-010, released on March 14, 2017. However, the patch only applied to Windows 10 at the time, while WannaCry was targeting unpatched Windows 7, Windows Server 2008, and earlier operating systems.

Following the discovery of WannaCry in May 2017, Microsoft extended the SMB patch to cover Windows XP, Windows 7, Windows 8, and Windows Server 2003 as well.

While these security patches helped mitigate the potential spread of WannaCry, many Windows systems remained outdated and, as a result, continued to be vulnerable to ransomware like WannaCry.

WannaCry’s potential damage was also limited by a kill switch found in its code. Before infecting a system and spreading further, the code attempts a connection to a specific domain and proceeds only if that connection fails. Shortly after WannaCry emerged, that domain was registered and set up to respond, which blunted the spread of, and the damage caused by, the initial strain.
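Because the worm checks the domain before it does anything else, a DNS lookup for that domain is itself a useful infection indicator: the host asking is already running the malware. The following Python script is an added example, not code from the original article: it scans a constructed DNS log for hosts that queried the kill-switch domain and separates those whose lookup failed (when, per the article, the worm proceeds) from those answered after the domain was registered. The domain name and log format are placeholders, since the article gives neither.

```python
import re
from collections import defaultdict

# The article says WannaCry contacts a fixed domain first and halts when
# the connection succeeds, so a DNS query for that domain is itself an
# infection indicator: the host asking is already running the worm.
# The article does not give the domain; this placeholder stands in for it.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed log format (not any real resolver's):
#   <timestamp> <client-ip> query <name> -> <answer|NXDOMAIN>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+) -> (?P<answer>\S+)$"
)

# Constructed sample log: 10.0.0.23 queried before the domain was
# registered, 10.0.0.42 after it started answering.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.0.15 query www.example.com -> 93.184.216.34
2017-05-12T10:01:09Z 10.0.0.23 query killswitch-domain.example -> NXDOMAIN
2017-05-12T10:02:41Z 10.0.0.23 query killswitch-domain.example -> NXDOMAIN
2017-05-12T12:30:00Z 10.0.0.42 query killswitch-domain.example -> 198.51.100.7
2017-05-12T12:31:11Z 10.0.0.15 query mail.example.com -> 203.0.113.9
"""


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"queries": n, "resolved": bool}} for every host
    that looked up the kill-switch domain.

    resolved=False means the name did not exist when the host asked; per
    the article that is exactly when the worm goes on to encrypt and
    spread, so those hosts need attention first.
    """
    hits = defaultdict(lambda: {"queries": 0, "resolved": False})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("name").lower() != domain:
            continue
        entry = hits[m.group("client")]
        entry["queries"] += 1
        if m.group("answer") != "NXDOMAIN":
            entry["resolved"] = True
    return dict(hits)

def hosts_likely_proceeded(log_text, domain=KILL_SWITCH_DOMAIN):
    """Hosts whose kill-switch lookups never resolved."""
    lookups = find_kill_switch_lookups(log_text, domain)
    return sorted(c for c, v in lookups.items() if not v["resolved"])
```

DNS is only a proxy for the HTTP connection the article describes, so a host in the "resolved" set may still be infected and should be checked, just with less urgency.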

Protecting Yourself Against WannaCry Ransomware

Businesses and individuals can take proactive steps to protect their networked computers. The simplest step is staying current with OS patches and security updates, or even updating to less vulnerable operating systems, such as Windows 10.

Software updates protect against threats like the WannaCry ransomware attack by fixing vulnerabilities found in earlier versions of the software and closing security holes that would otherwise leave a system exposed.

Users should also follow data security best practices by avoiding links and file attachments from unknown senders.


This article was updated by Prakash Kumar.