WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin to decrypt them. A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including major service organizations.
What is WannaCry ransomware?
The WannaCry ransomware consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those components include:

- An application that encrypts and decrypts data
- Files containing encryption keys
- A copy of Tor

The program code is not obfuscated and was relatively easy for security pros to analyze. Once launched, WannaCry tries to access a hard-coded URL (the so-called kill switch); if it can't, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice, demanding $XXX in Bitcoin to decrypt the files.

WannaCry uses the EternalBlue exploit to spread as a worm. The first step is to search the target network for devices accepting traffic on TCP port 445, which indicates the system is configured to run SMB. The next step is to initiate an SMBv1 connection to the device; once the connection is established, a buffer overflow is used to take control of the targeted system and install the ransomware component of the attack.
How to defend against WannaCry
Since WannaCry and its variants are ransomware, organizations can defend against them with the same defenses they use against ordinary ransomware, including:

- Patching all Windows systems and blocking all traffic from the public internet on port 445
- Setting up secure backup procedures that can be used even if the network is disabled
- Educating users on the dangers of phishing, watering hole attacks and the use of unsafe/unvetted software
- Considering anti-ransomware software solutions
- Keeping antivirus and firewall software up to date
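The two network behaviours described above, a host fanning out SMB (TCP 445) connections to many peers during worm propagation and SMB traffic arriving from the public internet that the port-445 block should have stopped, can both be checked from ordinary connection logs. The following Python script is an added example written for this article, not code from the original page or from any WannaCry analysis; it runs over a constructed, inline sample log whose format (timestamp, source, destination, port, protocol) and addresses are assumptions, and it treats the RFC 1918 ranges as "internal", which is also an assumption about the monitored network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the monitored network uses RFC 1918 space; anything else is "public internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample connection log (not real telemetry). Fields: timestamp src dst dport proto
# 10.0.1.20 opens SMB to ten distinct peers in five seconds (worm-style fan-out),
# 10.0.1.50 talks to one file server (normal), and 198.51.100.7 is an outside host
# reaching port 445 on an internal server (should have been blocked at the perimeter).
SAMPLE_LOG = """\
2017-05-01T10:00:01 10.0.1.20 10.0.1.21 445 tcp
2017-05-01T10:00:01 10.0.1.20 10.0.1.22 445 tcp
2017-05-01T10:00:02 10.0.1.20 10.0.1.23 445 tcp
2017-05-01T10:00:02 10.0.1.20 10.0.1.24 445 tcp
2017-05-01T10:00:03 10.0.1.20 10.0.1.25 445 tcp
2017-05-01T10:00:03 10.0.1.20 10.0.1.26 445 tcp
2017-05-01T10:00:04 10.0.1.20 10.0.1.27 445 tcp
2017-05-01T10:00:04 10.0.1.20 10.0.1.28 445 tcp
2017-05-01T10:00:05 10.0.1.20 10.0.1.29 445 tcp
2017-05-01T10:00:05 10.0.1.20 10.0.1.30 445 tcp
2017-05-01T10:00:10 10.0.1.50 10.0.1.5 445 tcp
2017-05-01T10:00:11 10.0.1.50 10.0.1.5 445 tcp
2017-05-01T10:00:12 198.51.100.7 10.0.1.5 445 tcp
2017-05-01T10:00:13 10.0.1.60 10.0.1.5 443 tcp
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto.lower()})
    return events


def inbound_smb_from_internet(events):
    """(src, dst) pairs where a non-internal host reached TCP 445 on an internal host.
    Any hit means the perimeter block on port 445 is missing or bypassed."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["proto"] == "tcp" and e["dport"] == 445
                   and not is_internal(e["src"]) and is_internal(e["dst"])})


def smb_fanout_alerts(events, threshold=8, window_seconds=60):
    """Map src -> peak number of distinct TCP-445 peers contacted within any
    window_seconds span, for sources whose peak reaches threshold.
    Ordinary clients talk SMB to a handful of servers; a worm sweeps a subnet."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 445:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, cur in enumerate(evs):  # quadratic scan is fine for a demo-sized log
            start = cur["ts"] - timedelta(seconds=window_seconds)
            peers = {e["dst"] for e in evs[:i + 1] if e["ts"] >= start}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, peak in smb_fanout_alerts(evs).items():
        print(f"ALERT fan-out: {src} contacted {peak} distinct hosts on TCP 445")
    for src, dst in inbound_smb_from_internet(evs):
        print(f"ALERT perimeter: public host {src} reached TCP 445 on {dst}")
```

The fan-out threshold and window are tuning knobs: set them from a baseline of how many distinct SMB servers a normal client in your environment touches per minute, and expect legitimate scanners (vulnerability scanners, inventory tools) to trip the rule unless they are allow-listed.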