What Is WannaCry?

WannaCry was a ransomware attack discovered in May 2017 that struck corporate networks worldwide running Microsoft Windows as part of a massive global cyber attack. WannaCry leveraged a security flaw known as EternalBlue in a version of Windows' Server Message Block (SMB) networking protocol to spread like a worm across targeted networks demanding ransom payments in the Bitcoin cryptocurrency.^[1]

Although Microsoft quickly issued a patch for WannaCry, not every organisation could roll it out quickly enough. In fact, some customers were using a version of Windows so outdated that the patch couldn’t even be applied.^[2]

On May 11, 2017, organisations in Western Europe and the U.S. awoke to reports of a fast-spreading ransomware strain that propagated by using the EternalBlue exploit to attack a known Server Message Block (SMB) vulnerability.^[3] WannaCry made a name for itself by being the first cyberattack in which a destructive virus leveraged network vulnerabilities to infect computers at scale.

How Does It Infect/Attack?

WannaCry ransomware infects networks via the EternalBlue exploit and targets the Server Message Block vulnerability in Microsoft Windows OS. The ransomware has been most successful at penetrating older versions of Windows on which network operators failed to install updates as recommended.

Once WannaCry spreads and infiltrates a network, the cybercriminal encrypts data on infected systems, locking it away from the rightful owner. The perpetrators force the victims to pay a ransom to decrypt the data and regain access.

Ransom payments are made via cryptocurrency, generally Bitcoin.^[4]

How Does It Spread?

Previously, cybercriminals distributed ransomware via either email or a web download. But WannaCry marked the beginning of a new wave of malware distribution that leveraged network vulnerabilities to infect computers at scale.^[3]

WannaCry spread using an exploit called EternalBlue, created by—and subsequently stolen from—the U.S. National Security Agency (NSA). EternalBlue enabled attackers to discover vulnerable computers on the target network. WannaCry also leveraged an NSA backdoor called DoublePulsar to install WannaCry on the network.

Preventing WannaCry is far less painful than removing it. WannaCry created and distributed a ransomware worm that infected over 250,000 systems globally. Organisations infected with WannaCry have little recourse but to either pay the ransom or wipe infected systems and restore encrypted data from backups (if they have any).

Fortunately, security researchers—including two from Proofpoint—found a domain name encoded in the malware used to manage communications between the attacker and infected machines. WannaCry’s author had failed to register the domain, an oversight that allowed the researchers to halt its spread.

Chief among the network vulnerabilities at issue is legacy systems that are unpatched or poorly configured. The best bet for protecting such networks is to install the latest patches, validate your security setup and test your backup infrastructure to ensure that you can restore individual machines and company-wide data.

One of the key lessons learned from the WannaCry ransomware and related cyber-attacks is to be diligent in your patch management strategy to update your operating systems. Organisations worldwide must have the latest patches installed and have backups tested and ready in the event of a ransomware attack.

More broadly, organisations need to take a multi-pronged approach to the ransomware issue—and not assume the threat is slowing down.

The best security strategy against ransomware is a mix of prevention, detection, and recovery capabilities. Because the bulk of ransomware is spread via malicious emails, organisations should invest in solutions that block the delivery of harmful emails.

The second prevention measure requires configuring your IT environment to deter one of the most common ways ransomware is spread— through malicious macros in documents. Most organisations can block users from enabling macros in documents received from outside the network without interrupting any business processes.

Detection controls also help. Endpoint and network security tools can often stop ransomware from encrypting user files or downloading the encryption key from the ransomware’s command-and-control infrastructure.

Finally, a proactive recovery strategy can do wonders to protect against ransomware. Larger organisations with solid backup processes can often avoid paying ransoms; they can simply restore the encrypted data (though the user may lose a few hours’ worth of work). In response, some ransomware now tries to encrypt backups first. That makes proper security configurations essential for the backup infrastructure itself.

[1] ZDNet. “This malware just got more powerful by adding the WannaCry trick to its arsenal”
[2] Ryan Kalember (Proofpoint). “Worldwide WannaCry Ransomware Attack Hits 99+ Countries, Proofpoint Researchers Significantly Reduce Impact”
[3] Proofpoint. “Cybersecurity Predictions for 2018”
[4] Proofpoint. “Ransomware is Big Business”