WannaCry Definition

WannaCry is a ransomware worm, first seen in May 2017, that struck corporate networks running Microsoft Windows as part of a massive global cyber attack. WannaCry exploited a security flaw in a version of Windows' Server Message Block (SMB) networking protocol, using an exploit known as EternalBlue, to spread like a worm across targeted networks.[1]

Although Microsoft quickly issued a patch for the SMB flaw that WannaCry exploited, not every organisation could roll it out quickly enough. In fact, some customers were using a version of Windows so outdated that the patch couldn't even be applied.[2]

WannaCry Attack

On May 11, 2017, organisations in Western Europe and the U.S. awoke to reports of a fast-spreading ransomware strain that propagated by using the EternalBlue exploit to attack a known Server Message Block (SMB) vulnerability.[3] WannaCry made a name for itself by being the first cyberattack in which a destructive virus leveraged network vulnerabilities to infect computers at scale.

How Does WannaCry Attack / Infect?

A WannaCry ransomware attack infects networks via the EternalBlue exploit and targets the Server Message Block vulnerability in Microsoft Windows OS. The ransomware has been most successful at penetrating older versions of Windows on which network operators failed to install updates as recommended.

Once WannaCry spreads and infiltrates a network, the ransomware encrypts data on infected systems, locking the rightful owner out of it. The perpetrators then demand a ransom in exchange for decrypting the data so that victims can regain access.

Ransom payments are made via cryptocurrency, generally Bitcoin.[4]

How Does WannaCry Spread?

Previously, cybercriminals distributed ransomware via either email or a web download. But WannaCry marked the beginning of a new wave of malware distribution that leveraged network vulnerabilities to infect computers at scale.[3]

WannaCry spread using an exploit called EternalBlue, which was created by the U.S. National Security Agency (NSA) and subsequently stolen from it. EternalBlue enabled the worm to find and compromise vulnerable computers on the target network. WannaCry also leveraged an NSA backdoor called DoublePulsar to install the ransomware payload on the compromised hosts.
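The worm behaviour described above shows up on the network as a single host opening SMB (TCP/445) connections to many different peers within seconds, so a defender can look for that fan-out in flow or firewall logs. The script below is an added example, not Proofpoint's code: its log format, the window and peer thresholds, and the sample flow records are all constructed assumptions.

```python
"""Flag hosts that fan out to many peers on TCP/445 in a short window.

Added example, not Proofpoint's code. The log format and thresholds are
assumptions; the sample lines below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.0.1.15 behaves like a worm (11 distinct peers on 445 in six seconds);
# 10.0.1.40 is an ordinary file-server client.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.25 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.26 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.27 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.28 445
2017-05-12T10:00:06 10.0.1.15 10.0.1.29 445
2017-05-12T10:00:07 10.0.1.15 10.0.1.30 445
2017-05-12T10:00:01 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:30 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:31 10.0.1.41 10.0.1.6 443
2017-05-12T10:01:00 10.0.1.40 10.0.1.7 445
"""


def parse_flow(line):
    """Split one constructed flow record into its typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(log_text, window_seconds=60, max_peers=10):
    """Return {src_ip: peer_count} for every source that contacted more than
    `max_peers` distinct hosts on port 445 inside any `window_seconds` window.
    The count reported is the largest distinct-peer count seen in a window."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port == 445:
            events[src].append((ts, dst))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for src, hits in events.items():
        hits.sort()  # chronological order so the window can slide
        start = 0
        for end in range(len(hits)):
            # drop events that fell out of the window ending at hits[end]
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) > max_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"possible SMB worm activity from {src}: {peers} peers on 445")
```

Repeated connections to the same peer count once, so a client hammering one file server is not flagged; only the breadth of the fan-out matters. Tune `max_peers` against a baseline of your own network, since scanners and backup agents legitimately touch many hosts.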

Removing WannaCry

Preventing WannaCry is far less painful than removing it. WannaCry's operators unleashed a ransomware worm that infected over 250,000 systems globally. Organisations infected with WannaCry have little recourse but to either pay the ransom or wipe infected systems and restore encrypted data from backups (if they have any).

Fortunately, security researchers, including two from Proofpoint, found a domain name hard-coded in the malware that was used to manage communications between the attacker and infected machines. WannaCry's author had failed to register the domain, an oversight that allowed the researchers to register it and halt the malware's spread.

Chief among the network threats and vulnerabilities at issue are legacy systems that are unpatched or poorly configured. The best bet for protecting such networks is to install the latest patches, validate your security setup, and test your backup infrastructure to ensure that you can restore both individual machines and company-wide data.


WannaCry Ransomware Protection Best Practices

One of the key lessons learned from the WannaCry ransomware and related cyber-attacks is to be diligent in applying patches to your operating systems. Organisations worldwide must have the latest patches installed and have backups tested and ready in the event of a ransomware attack.

More broadly, organisations need to take a multi-pronged approach to the ransomware issue—and not assume the threat is slowing down.

The best security strategy against ransomware is a mix of prevention, detection, and recovery capabilities. Because the bulk of ransomware is spread via malicious emails, organisations should invest in solutions that block the delivery of harmful emails.

The second prevention measure is configuring your IT environment to deter one of the most common ways ransomware spreads: malicious macros in documents. Most organisations can block users from enabling macros in documents received from outside the network without interrupting any business processes.
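A mail gateway or attachment scanner can enforce the macro policy above by inspecting each inbound Office document for an embedded VBA project and treating external senders more strictly than internal ones. The script below is an added example, not Proofpoint's code: the verdict policy, the helper that builds sample documents, and the documents themselves are constructed for the illustration.

```python
"""Inspect an inbound Office attachment for an embedded VBA project.

Added example, not Proofpoint's code. Modern Office files (.docx, .docm,
.xlsm, ...) are zip containers; a macro project is stored as a part named
vbaProject.bin. The verdict policy below is an assumption.
"""
import io
import zipfile

# Extensions in which Office legitimately stores macros.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def build_office_doc(with_macro, app="word"):
    """Build a minimal OOXML container in memory (constructed, not a real
    document) so the checker can be exercised without files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{app}/document.xml", "<document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; a stub suffices here.
            z.writestr(f"{app}/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def contains_vba(data):
    """True if the OOXML package carries a vbaProject.bin part anywhere."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        # Not an OOXML zip: legacy binary formats (.doc/.xls) need an OLE parser.
        return False
    return any(name.endswith("vbaProject.bin") for name in names)


def assess_attachment(filename, data, external_sender):
    """Return 'allow', 'quarantine' or 'block' for one attachment.

    Policy (assumption for this example):
      - no macro project         -> allow
      - macro behind a non-macro extension (e.g. .docx) -> block, the
        extension is lying about the content
      - macro from outside the organisation -> quarantine for review
      - macro from an internal sender       -> allow
    """
    if not contains_vba(data):
        return "allow"
    if not filename.lower().endswith(MACRO_EXTENSIONS):
        return "block"
    return "quarantine" if external_sender else "allow"


if __name__ == "__main__":
    samples = [
        ("report.docx", build_office_doc(False), True),
        ("invoice.docm", build_office_doc(True), True),
        ("budget.xlsm", build_office_doc(True, app="xl"), False),
        ("invoice.docx", build_office_doc(True), True),
    ]
    for name, blob, external in samples:
        print(f"{name:14} external={external!s:5} -> {assess_attachment(name, blob, external)}")
```

The extension check matters because Office decides whether to honour macros from the package content type, not the file name, so a scanner that trusts `.docx` alone can be bypassed. Pairing this content check with the Office policy that blocks macros in files downloaded from the Internet gives two independent controls.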

Detection controls also help. Endpoint and network security tools can often stop ransomware from encrypting user files or downloading the encryption key from the ransomware’s command-and-control infrastructure.

Finally, a proactive recovery strategy can do wonders to protect against ransomware. Larger organisations with solid backup processes can often avoid paying ransoms; they can simply restore the encrypted data (though the user may lose a few hours’ worth of work). In response, some ransomware now tries to encrypt backups first. That makes proper security configurations essential for the backup infrastructure itself.
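Because ransomware may reach the backups themselves, a restore should be checked against an integrity manifest recorded at backup time and stored offline, so that an encrypted or replaced copy is caught before it is trusted. The script below is an added example, not Proofpoint's code: the manifest format and the in-memory backup sets are constructed for the illustration.

```python
"""Verify a backup set against a manifest recorded when the backup was taken.

Added example, not Proofpoint's code. Assumes the manifest (path -> SHA-256)
is kept offline or on write-once storage, out of reach of anything that can
encrypt the backup data; the files below are constructed in memory.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {path: bytes} at backup time -> {path: sha256 hex digest}."""
    return {path: sha256(data) for path, data in files.items()}


def verify_backup(files, manifest):
    """Compare a backup set with its manifest.

    Returns (ok, problems) where problems maps a path to one of:
      'missing'    - listed in the manifest but absent from the backup
      'modified'   - present but its content no longer matches the digest
      'unexpected' - present but never recorded (e.g. a dropped ransom note
                     or an encrypted copy under a new name)
    """
    problems = {}
    for path, digest in manifest.items():
        if path not in files:
            problems[path] = "missing"
        elif sha256(files[path]) != digest:
            problems[path] = "modified"
    for path in files:
        if path not in manifest:
            problems[path] = "unexpected"
    return (not problems), problems


# Constructed backup set and the manifest recorded with it.
ORIGINAL = {
    "finance/q1.xlsx": b"quarterly figures",
    "hr/policy.docx": b"leave policy",
}
MANIFEST = build_manifest(ORIGINAL)

# Constructed post-incident state of the same backup share: one file
# encrypted in place, one encrypted and renamed (".locked" is an invented
# extension), one untouched, plus a dropped note.
TAMPERED = {
    "finance/q1.xlsx": b"\x8f\x1b\x44\x02\x9c\x77",
    "hr/policy.docx.locked": b"\x10\xaa\x3e\x51",
    "finance/README.txt": b"pay to decrypt",
}


if __name__ == "__main__":
    for label, backup in (("clean", ORIGINAL), ("tampered", TAMPERED)):
        ok, problems = verify_backup(backup, MANIFEST)
        print(f"{label}: {'OK' if ok else 'DO NOT RESTORE'} {problems}")
```

Run the verification as part of a scheduled restore drill rather than only during an incident; a manifest that has itself been modified is useless, which is why it must live somewhere the backup agent cannot write.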