WannaCry began infecting computers around May 2017, arriving on Windows machines and encrypting the files it found on them. While this form of attack is not new, the sheer scale of WannaCry made it breaking news in most countries across the globe, especially the United Kingdom, where it forced the NHS (National Health Service) to suspend various services, including operations. The infection was not especially sophisticated and was evidently not some new super malware that would undermine the world's computing infrastructure. Nonetheless, it did mark a bolder approach by hackers: demanding money upfront for their crimes. In the NHS scenario, a sum of over $300 worth of Bitcoin was demanded to decrypt the infected computers. Most of you are probably pondering the question 'what is WannaCry?' Well, you will learn more in this article.
What is WannaCry?
WannaCry is a Trojan of the type known as ransomware. Just as the name suggests, the malware in effect holds the infected machine hostage and demands that the victims pay a large sum of money to regain access to the files on their PCs. Ransomware such as WannaCry operates by encrypting most or all of the files on a user's PC and then demanding payment to have them decrypted. In most cases, the program requests at the point of infection that the victim pay a ransom of $300 in Bitcoin. If the victim fails to pay within three days, the ransom doubles to $600. If no payment is made after seven days, WannaCry deletes the encrypted files altogether and the data is lost.
It is essential to note that the WannaCry ransomware consists of several components. It arrives on the infected machine in the form of a dropper, a self-contained program that extracts the other application components embedded within it. These components include:
- An app that encrypts and decrypts data
- Files that contain encryption keys
- A copy of Tor
The origin of WannaCry is still unknown, but the program code was simple, and IT experts analyzed it quickly. Once launched, the ransomware first attempts to reach a hard-coded URL. If it fails to reach that URL, it goes on to search for and encrypt files in a range of common formats, from MKVs to MP3s to Microsoft Office files. Afterward, it displays the ransom notice demanding $300 worth of Bitcoin to decrypt the affected files.
How Ransom Payment Works
The WannaCry hackers demand that the ransom be paid in Bitcoin. WannaCry is meant to generate a unique Bitcoin wallet address for every infected machine, but because of a race condition bug this code does not execute correctly, and WannaCry falls back to three hard-coded Bitcoin addresses for payment. With the hard-coded addresses the attackers cannot tell which victims have paid, so it is often impossible to have your files decrypted even after paying. The WannaCry hackers consequently released a new version of the ransomware that resolved this bug, but it was not as successful as the original. After this release, a new notice was sent to the infected PCs informing the victims that the files would be decrypted if the ransom was paid.
How WannaCry Infects Computers
The attack method of WannaCry is more interesting than the ransomware itself. The vulnerability the ransomware exploits lies in the Windows implementation of SMB (Server Message Block). SMB allows nodes on a network to communicate, and specially crafted packets could trick Microsoft's implementation into executing arbitrary code. The United States National Security Agency is noted to have found this vulnerability and developed an exploit known as EternalBlue rather than reporting it. The exploit was then stolen and leaked by a hacking group named the Shadow Brokers. Microsoft had for its part discovered the vulnerability earlier and released a patch for it, but most systems remained unpatched, and WannaCry spread rapidly by using EternalBlue against them. Microsoft blamed the United States government for not sharing its knowledge of the vulnerability.
WannaCry does not start encrypting files immediately after infecting a computer. It first attempts to reach the hard-coded URL described above; if the domain is reachable, WannaCry shuts itself down, and it proceeds to encryption only when the domain cannot be reached.
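The two behaviours described in this section, the attempt to reach a hard-coded domain and the spread over SMB, both leave traces in ordinary DNS and firewall logs. The following is an added example, not code from the article or from any WannaCry analysis, showing how a defender might flag them. The log lines, hostnames and the kill-switch domain are all constructed; the real domain is not given on this page, so a placeholder stands in for it.

```python
"""Added example (not from the article): spotting two WannaCry-style network
behaviours in constructed DNS and firewall logs.

The article describes a host that first tries to reach a hard-coded domain and
then spreads over SMB. Both leave ordinary log traces. Log lines, hostnames and
the kill-switch domain here are constructed; the real domain is not given on
the page, so a placeholder stands in for it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder indicator; replace with the domain published for the real incident.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

VERDICT_UNREACHABLE = "kill-switch domain did not resolve: encryption expected to proceed"
VERDICT_RESOLVED = "kill-switch domain resolved: sample may have exited, but the host ran it"

# Constructed resolver log: "<timestamp> <client> <qname> <rcode>"
DNS_LOG = """\
2017-05-12T10:01:03 10.0.0.15 update.vendor.example NOERROR
2017-05-12T10:01:07 10.0.0.23 killswitch-domain.example NXDOMAIN
2017-05-12T10:01:09 10.0.0.23 mail.corp.example NOERROR
2017-05-12T10:02:41 10.0.0.40 killswitch-domain.example NOERROR
"""

# Constructed firewall log: "<timestamp> <src> <dst> <dport> <action>"
FW_LOG = """\
2017-05-12T10:01:10 10.0.0.23 10.0.0.24 445 ALLOW
2017-05-12T10:01:10 10.0.0.23 10.0.0.25 445 ALLOW
2017-05-12T10:01:11 10.0.0.23 10.0.0.26 445 DENY
2017-05-12T10:01:11 10.0.0.23 10.0.0.27 445 ALLOW
2017-05-12T10:01:12 10.0.0.23 10.0.0.28 445 DENY
2017-05-12T10:01:12 10.0.0.23 10.0.0.29 445 ALLOW
2017-05-12T10:01:30 10.0.0.15 10.0.0.5 445 ALLOW
2017-05-12T10:05:30 10.0.0.15 10.0.0.5 445 ALLOW
2017-05-12T10:05:31 10.0.0.15 10.0.0.5 443 ALLOW
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def kill_switch_lookups(dns_log):
    """Map each client that queried a kill-switch domain to a verdict.

    Per the article, the sample encrypts only when the domain cannot be reached,
    so a failed lookup is the more urgent finding; a successful one still means
    the dropper executed on that host and it needs attention too."""
    verdicts = {}
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            verdicts[client] = VERDICT_RESOLVED if rcode == "NOERROR" else VERDICT_UNREACHABLE
    return verdicts


def smb_fanout(fw_log, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_targets} for sources that contacted at least
    min_targets distinct hosts on TCP 445 inside any sliding time window.

    Allowed and denied attempts both count: a worm probing for SMB does not
    care whether the firewall let a given attempt through."""
    events = []
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = line.split()
        if dport == "445":
            events.append((parse_ts(ts), src, dst))
    events.sort()
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst in events:
        window_events = recent[src]
        window_events.append((ts, dst))
        while ts - window_events[0][0] > window:
            window_events.popleft()
        distinct = len({d for _, d in window_events})
        if distinct >= min_targets:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for host, verdict in kill_switch_lookups(DNS_LOG).items():
        print(f"{host}: {verdict}")
    for host, peak in smb_fanout(FW_LOG).items():
        print(f"{host}: reached {peak} distinct hosts on 445 within 60s")
```

On the constructed logs, 10.0.0.23 is flagged twice: its kill-switch lookup failed, so encryption is expected to proceed, and it fanned out to six neighbours on port 445 within two seconds, the spreading pattern the article attributes to the SMB exploit. The fan-out threshold is deliberately conservative; a file server that legitimately talks to many clients on 445 would be the inbound side of such connections, not the outbound side counted here.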
Can users recover the encrypted files or should they just pay the ransom?
Decrypting the encrypted files is not possible at the moment, though several researchers continue to examine the possibility. You may be able to retrieve your files if you have backup copies of them. Most IT experts do not recommend paying the ransom. In some situations, it is possible to recover files without backups. Files saved in My Documents, on the Desktop or on a removable disk are encrypted and their originals deleted in a way that cannot be undone; these files are unrecoverable. Files stored in other locations on your PC are encrypted but their originals are merely deleted, which means these files can be retrieved with a file-recovery tool.
Who is impacted by WannaCry?
All unpatched Windows machines are potentially vulnerable to WannaCry. Companies are specifically at risk because of its capability to spread across networks, and several companies worldwide have been affected. Europe is the continent that has been most affected. Nonetheless, the ransomware can also infect individual PCs.
Best practices for protecting against ransomware such as WannaCry
- Always keep your security software up to date, since new ransomware appears frequently and only current software defends against the latest variants.
- Make sure that your operating system is up to date. Software updates often include patches for newly discovered security vulnerabilities that attackers could exploit.
- Be wary of suspicious emails, especially those containing attachments or URLs.
- Backing up essential data is an important safeguard against ransomware. Attackers encrypt valuable files and documents and leave them inaccessible; if you have a backup, you can restore the encrypted files from it.
- Using cloud services can help mitigate a ransomware infection because most retain earlier versions of files, allowing the user to roll back to the unencrypted version.
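The last two points are worth seeing side by side: a backup only protects you if the clean copy survives the next backup run after infection. The following is an added example, not code from the article, contrasting a plain mirror backup with a versioned store of the kind the cloud-services point describes. Everything runs in a temporary directory; the overwrite that stands in for encryption is a fixed junk byte string, no real cipher is involved, and the file name and contents are constructed.

```python
"""Added example (not from the article): a mirror backup versus a versioned
backup when a file is damaged by ransomware.

Constructed scenario, all in a temporary directory: a document is backed up two
ways, then overwritten with fixed junk bytes standing in for encryption (no real
cipher is used). The mirror job copies the damaged file over its only copy; the
versioned store keeps every earlier version, so the clean content rolls back.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Constructed stand-in for ciphertext; deterministic so the demo is repeatable.
ENCRYPTED_STAND_IN = bytes((i * 37) & 0xFF for i in range(64))


class MirrorBackup:
    """Keeps exactly one copy of each file: the most recent one seen."""

    def __init__(self, dest):
        self.dest = dest
        os.makedirs(dest, exist_ok=True)

    def sync(self, src_dir):
        for name in os.listdir(src_dir):
            shutil.copy2(os.path.join(src_dir, name), os.path.join(self.dest, name))

    def restore(self, name):
        with open(os.path.join(self.dest, name), "rb") as f:
            return f.read()


class VersionedBackup:
    """Content-addressed store: blobs are written once and never overwritten,
    and every distinct version of a file is remembered in order."""

    def __init__(self, dest):
        self.blobs = os.path.join(dest, "blobs")
        os.makedirs(self.blobs, exist_ok=True)
        self.history = defaultdict(list)  # name -> [digest, ...], oldest first

    def sync(self, src_dir):
        for name in os.listdir(src_dir):
            with open(os.path.join(src_dir, name), "rb") as f:
                data = f.read()
            digest = hashlib.sha256(data).hexdigest()
            blob = os.path.join(self.blobs, digest)
            if not os.path.exists(blob):          # never overwrite an existing blob
                with open(blob, "wb") as f:
                    f.write(data)
            if not self.history[name] or self.history[name][-1] != digest:
                self.history[name].append(digest)  # record only real changes

    def versions(self, name):
        return len(self.history[name])

    def restore(self, name, version=-1):
        """version=-1 is the newest copy, -2 the one before it, and so on."""
        with open(os.path.join(self.blobs, self.history[name][version]), "rb") as f:
            return f.read()


def simulate(clean=b"Quarterly report: all figures final.\n"):
    """Run the scenario; return (mirror_ok, versioned_latest_ok, versioned_rollback_ok)."""
    root = tempfile.mkdtemp(prefix="ransomware-backup-demo-")
    try:
        victim = os.path.join(root, "documents")
        os.makedirs(victim)
        doc = os.path.join(victim, "report.txt")
        with open(doc, "wb") as f:
            f.write(clean)

        mirror = MirrorBackup(os.path.join(root, "mirror"))
        versioned = VersionedBackup(os.path.join(root, "versioned"))
        mirror.sync(victim)            # first backup run: both copies are clean
        versioned.sync(victim)

        with open(doc, "wb") as f:     # the document is overwritten, as ransomware would
            f.write(ENCRYPTED_STAND_IN)

        mirror.sync(victim)            # the next scheduled run copies the damage too
        versioned.sync(victim)

        return (
            mirror.restore("report.txt") == clean,         # False: only copy is damaged
            versioned.restore("report.txt") == clean,      # False: newest version is damaged
            versioned.restore("report.txt", -2) == clean,  # True: previous version is clean
        )
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(simulate())  # (False, False, True)
```

The point the simulation makes is that a backup which simply mirrors the live folder is itself a victim of the encryption as soon as it runs again, whereas a store that keeps earlier versions lets you roll back past the damage. When evaluating a cloud or backup product against ransomware, the questions to ask are whether it retains prior versions, for how long, and whether a compromised machine can delete those versions.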