WannaCry ransomware attack



The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

The attack started on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.

WannaCry spreads across local networks and the Internet to systems that have not been updated with recent security updates, directly infecting any exposed system. A "critical" patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack, but many organizations had not yet applied it. Those still running exposed older, unsupported operating systems such as Windows XP and Windows Server 2003 were initially at particular risk, but the day after the outbreak Microsoft took the unusual step of releasing updates for these operating systems too. Almost all victims were running the newer Windows 7.

Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had discovered the vulnerability in the past but, instead of informing Microsoft, had built the EternalBlue exploit for its own offensive work. It was only when the existence of this exploit was revealed by The Shadow Brokers that Microsoft became aware of the issue and could produce a security update.

Shortly after the attack began, a web security researcher who blogs as "MalwareTech" discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, but new versions have since been detected that lack the kill switch.
Within four days of the initial outbreak, security experts were saying that most organizations had applied updates, and that new infections had slowed to a trickle.

WannaCry malware

WannaCry is the ransomware computer worm that targets computers running Microsoft Windows. Initially, the worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. It installs DoublePulsar, a backdoor implant tool, which then transfers and runs the WannaCry ransomware package.
Several organizations have released detailed technical writeups of the malware, including Microsoft, Cisco, Malwarebytes, and McAfee.

The "payload" works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a "ransom note" informing the user and demanding a payment in bitcoin. It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.
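The transport behaviour described above has a simple network signature a defender can look for: a single host opening connections to many distinct destinations on TCP 445 (SMB) in a short time, both to neighbours on its own subnet and to addresses out on the Internet. The following is an added example, not code from the article or from any of the writeups it cites. It assumes a simplified flow-log format ("timestamp src dst dst_port", one record per line) and an assumed internal address range LOCAL_NET; the records in SAMPLE_FLOWS are constructed.

```python
"""Detect WannaCry-style SMB worm scanning in network flow logs.

Added example, not code from the article or from the cited writeups. It
assumes a simplified flow-log format ("timestamp src dst dst_port", one
record per line) and an assumed internal range LOCAL_NET; SAMPLE_FLOWS is
constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed flow records: one internal host fans out on TCP 445 to both
# local neighbours and Internet addresses; another host does ordinary traffic.
SAMPLE_FLOWS = """\
2017-05-12T07:44:01Z 10.0.0.5 10.0.0.1 445
2017-05-12T07:44:02Z 10.0.0.5 10.0.0.2 445
2017-05-12T07:44:02Z 10.0.0.5 10.0.0.3 445
2017-05-12T07:44:03Z 10.0.0.5 203.0.113.7 445
2017-05-12T07:44:03Z 10.0.0.5 198.51.100.9 445
2017-05-12T07:44:04Z 10.0.0.5 10.0.0.4 445
2017-05-12T07:44:10Z 10.0.0.9 10.0.0.20 445
2017-05-12T07:44:11Z 10.0.0.9 10.0.0.20 445
2017-05-12T07:44:12Z 10.0.0.9 10.0.0.21 443
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return flows


def find_smb_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: {"lateral": set, "internet": set}} for every source that
    contacted at least `min_targets` distinct hosts on TCP 445 within `window`.

    Distinct destinations matter, not connection count: a file-server client
    reconnects to the same host many times, a worm fans out to new ones.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        events.sort()  # time order, so each window is a contiguous slice
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                scanners[src] = {
                    "lateral": {d for d in targets if ip_address(d) in LOCAL_NET},
                    "internet": {d for d in targets if ip_address(d) not in LOCAL_NET},
                }
                break
    return scanners


if __name__ == "__main__":
    for src, info in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(info['lateral'])} local and "
              f"{len(info['internet'])} Internet targets on 445 within 60s")
```

The threshold and window are starting points, not tuned values: on a network where one server legitimately reaches many SMB hosts (backup, inventory, patch management), add those sources to an allow list before alerting, and treat any non-server host with Internet-bound 445 attempts as a high-priority case, since that traffic has almost no legitimate reason to exist.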

Kill switch

The software contained a URL that, when discovered and registered by a security researcher to track activity from infected machines, was found to act as a "kill switch" that shuts down the software, stopping the spread of the ransomware. The researcher speculated that this had been included in the software as a mechanism to prevent it being run on quarantined machines so that it is harder for anti-virus researchers to investigate the software; he observed that some sandbox environments will respond to all queries with traffic in order to trick the software into thinking that it is still able to access the internet, so the software queried an "intentionally unregistered domain" to verify it was receiving traffic that it should not. He also noted that it was not an unprecedented technique, having been observed in the Necurs trojan.

On 19 May it was reported that hackers were trying to use a Mirai botnet variant to attack WannaCry's kill-switch by DDoSing the registered domain in the hope of knocking it offline. On 22 May @MalwareTech protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.

EternalBlue

The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.

EternalBlue exploits vulnerability MS17-010 in Microsoft's implementation of the Server Message Block (SMB) protocol. This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a "critical" advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017. The patch was to the Server Message Block (SMB) protocol used by Windows, and fixed several versions of the Microsoft Windows operating system, including Windows Vista onwards (with the exception of Windows 8), as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009 respectively, but not the older unsupported Windows XP and Windows Server 2003. The day after the WannaCry outbreak Microsoft released updates for these too.

DoublePulsar

DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands. By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day. The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.

Impact


The ransomware campaign was unprecedented in scale according to Europol, which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.

The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP. NHS hospitals in Wales and Northern Ireland were unaffected by the attack.

Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.
The attack's impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had a security expert, who was independently researching the malware, not discovered that a kill-switch had been built in by its creators or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.

Cyberattack

On 12 May 2017 WannaCry began affecting computers worldwide, with evidence pointing to an initial infection in Asia at 7:44am UTC. The initial infection was likely through an exposed vulnerable SMB port, rather than email phishing as initially assumed.

When executed, the malware first checks the "kill switch" domain name; if it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and "laterally" to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days, or $600 within seven days.
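The kill-switch check described in the "Kill switch" section and in the execution sequence above leaves a usable trace in DNS resolver logs: every host that ran the sample looked up the domain, and the response code tells a responder whether the kill switch fired (the domain resolved and the worm exited) or failed (the lookup returned nothing and the host most likely went on to encrypt and spread). The following is an added example, not code from the article. The real kill-switch domain is not reproduced here; KILL_SWITCH_DOMAINS holds a placeholder to be replaced with the indicator from a trusted advisory. The log format ("timestamp client qname rcode", one query per line) and the records in SAMPLE_DNS_LOG are constructed.

```python
"""Triage hosts from DNS resolver logs by their kill-switch domain lookups.

Added example, not code from the article. The real kill-switch domain is
not reproduced; KILL_SWITCH_DOMAINS holds a placeholder. The log format
("timestamp client qname rcode", one query per line) and SAMPLE_DNS_LOG
are constructed for this example.
"""

# Placeholder for the sinkholed kill-switch domain(s); substitute the real
# indicator from a trusted advisory.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed resolver log: 10.0.0.5 resolved the domain (kill switch fired),
# 10.0.0.8 could not resolve it (kill switch did not fire), 10.0.0.9 is clean.
SAMPLE_DNS_LOG = """\
2017-05-12T07:44:00Z 10.0.0.5 killswitch-domain.example NOERROR
2017-05-12T07:44:01Z 10.0.0.5 intranet.corp.example NOERROR
2017-05-12T07:45:10Z 10.0.0.8 killswitch-domain.example NXDOMAIN
2017-05-12T07:46:00Z 10.0.0.9 www.example.org NOERROR
2017-05-12T07:47:30Z 10.0.0.8 killswitch-domain.example NXDOMAIN
"""


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, qname, rcode) tuples,
    normalising the query name so case and a trailing dot do not matter."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def kill_switch_lookups(records, domains=KILL_SWITCH_DOMAINS):
    """Return {client: {"queries": n, "resolved": bool, "first_seen": ts}}.

    Any lookup of the kill-switch domain means the sample ran on that host.
    "resolved" stays True only if every lookup returned NOERROR; a single
    failed lookup means the check failed at least once on that host.
    """
    seen = {}
    for ts, client, qname, rcode in records:
        if qname not in domains:
            continue
        entry = seen.setdefault(
            client, {"queries": 0, "resolved": True, "first_seen": ts})
        entry["queries"] += 1
        entry["resolved"] = entry["resolved"] and rcode == "NOERROR"
    return seen


def triage(lookups):
    """Order hosts for response: failed lookups (likely encrypting) first."""
    labelled = [
        (client, "contained-by-kill-switch" if info["resolved"] else "likely-encrypting")
        for client, info in lookups.items()
    ]
    # False sorts before True, so "likely-encrypting" hosts come first.
    return sorted(labelled, key=lambda item: item[1] != "likely-encrypting")


if __name__ == "__main__":
    for client, verdict in triage(kill_switch_lookups(parse_dns_log(SAMPLE_DNS_LOG))):
        print(f"{client}: {verdict}")
```

The response-code distinction is the point of the exercise, and it carries a configuration caveat: because the worm proceeds when the lookup fails, the kill-switch domain must stay resolvable from inside the network. Adding it to a DNS block list, or returning NXDOMAIN from an internal sinkhole, turns the kill switch off for every host behind that resolver; if the domain is sinkholed internally, it should answer with an address that accepts the connection.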

Organizations that had not installed Microsoft's security update were affected by the attack. Those still running the older Windows XP were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014). However, the day after the outbreak Microsoft released an emergency security patch for Windows XP. As of May 2017, less than 0.1% of the affected computers were running Windows XP.

A Kaspersky Labs study reports that 98 percent of the affected computers were running Windows 7.

According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will also need to be removed when systems are decrypted.

Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. As of 23 May 2017, at 5:00 UTC, a total of 297 payments totaling $106,180.44 had been transferred.
