In 2023, a study conducted by Cybersecurity Ventures revealed that a cyberattack occurs every 39 seconds, highlighting the growing scale and frequency of digital threats. Among the many cyberattacks that have rocked the world in recent years, the WannaCry attack, launched on May 12, 2017, stands out as one of the most devastating in cybersecurity history—an attack the world had never seen before.
This ransomware not only caused massive disruptions on a global scale but also exposed alarming vulnerabilities in computer systems worldwide. Transfergratis invites you to explore the details of this landmark attack in depth.
I - What is WannaCry?
WannaCry is a ransomware, a type of malicious software designed to take hostage the data on a computer and demand a ransom in exchange for decrypting it. This malware went by several names, including Wana Decrypt0r 2.0, WannaCrypt, WCRY, and Wcrypt. To date, the most widely recognized name for this cyberattack is WannaCry.
The “entry point” used by WannaCry was a Windows security vulnerability named MS17-010. This vulnerability was exploited using the EternalBlue exploit, a technology developed and used by the National Security Agency (NSA) in the USA, before being stolen and leaked by a hacker group known as the Shadow Brokers. Microsoft became aware of the issue and attempted to address it in March 2017 with a security patch. However, since this patch was not compatible with all systems, some users did not update their systems, allowing WannaCry, the successor to EternalBlue, to spread freely two months later.
Over 230,000 computers in nearly 150 countries were attacked, with their data or entire operating systems locked. Users were required to pay a ransom, equivalent to $300 in Bitcoin, to unlock the affected data.
II - The Course of the Attack
The WannaCry attack began with a massive spread of the ransomware, via phishing emails or through automatic exploitation of the SMB vulnerability using EternalBlue.
EternalBlue was discovered by the United States National Security Agency (NSA) and is part of a series of cyber-surveillance tools used by the NSA to infiltrate foreign computer systems. In March 2017, these tools were leaked by the Shadow Brokers, a hacker group. Among these tools, EternalBlue proved to be particularly powerful and dangerous.
EternalBlue targets a vulnerability in the Microsoft Windows Server Message Block (SMB) protocol. SMB is a network protocol used to share files, printers, and other resources between computers on a network. The vulnerability, identified as CVE-2017-0144, lies in the way Windows systems handle malicious SMB requests.
Specifically, EternalBlue allows an attacker to trigger a buffer overflow by sending specially crafted requests to a vulnerable computer. This overflow can enable the attacker to execute arbitrary code remotely with elevated privileges, thereby taking complete control of the targeted system. The WannaCry ransomware used EternalBlue to spread rapidly across computer networks and proliferate exponentially, exploiting vulnerable systems without requiring user interaction.
Once a computer was infected, the ransomware encrypted the user’s files and displayed a ransom demand in Bitcoin, threatening to delete the files if the ransom was not paid within 72 hours. It then sought out other machines on the local network or via the Internet to spread the infection and continue taking files hostage.
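The propagation behaviour described above (one infected host reaching out to many others on the SMB port) is something a defender can spot in network flow or firewall logs. The following is an added example, not code from the original article: it parses a constructed flow log and flags any source that connects to an unusually large number of distinct hosts on TCP/445 within a short window. The log format, IP addresses and threshold are assumptions.

```python
# Added example (not from the original article): flag hosts that behave like a
# WannaCry-style SMB worm, i.e. one source connecting to many distinct hosts on
# TCP/445 within a short window. Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445 tcp
2017-05-12T10:00:02 10.0.0.5 10.0.0.21 445 tcp
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445 tcp
2017-05-12T10:00:03 10.0.0.5 10.0.0.23 445 tcp
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445 tcp
2017-05-12T10:00:04 10.0.0.5 10.0.0.25 445 tcp
2017-05-12T10:00:05 10.0.0.5 198.51.100.7 445 tcp
2017-05-12T10:00:05 10.0.0.9 10.0.0.2 445 tcp
2017-05-12T10:00:06 10.0.0.9 10.0.0.2 445 tcp
2017-05-12T10:00:07 10.0.0.9 10.0.0.3 80 tcp
2017-05-12T10:30:00 10.0.0.9 10.0.0.4 445 tcp
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows

def smb_fanout_alerts(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: max distinct TCP/445 targets seen in any sliding window}
    for sources at or above the threshold. A file server legitimately
    *receives* many 445 connections; a workstation *initiating* them to many
    peers (including Internet hosts) is the worm signal."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(len(targets), alerts.get(src, 0))
    return alerts

if __name__ == "__main__":
    print(smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)))
```

Tune the threshold to your environment; vulnerability scanners and backup agents also open many SMB sessions and should be allow-listed rather than alerted on.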
III - The Global Impact of WannaCry
It is difficult to quantify precisely the damage caused by WannaCry. Experts estimate the total cost of the damage at several billion dollars. Among the victims were hospitals, businesses, government institutions, and individuals.
For instance, the NHS (National Health Service) in the UK was so severely affected that many important surgeries had to be postponed, patient electronic medical records were inaccessible, and ambulances were receiving incorrect information. More than 30% of NHS hospitals were temporarily attacked by WannaCry.
In Germany, Deutsche Bahn was the organization most affected by WannaCry. Departure boards and video surveillance systems failed in many train stations. Similar issues were reported within the Russian railway company.
In Spain, WannaCry led to restrictions on Telefónica’s telephone network. Other severely affected companies included FedEx, Honda, and Renault. Additionally, Romania’s Ministry of Foreign Affairs was attacked, as well as universities in Montreal and Thessaloniki, and the São Paulo court.
IV - Response and Consequences
The massive 2017 attack lasted only a few days. While examining WannaCry, British cybersecurity expert Marcus Hutchins discovered a kind of “kill switch” that had been embedded, either intentionally or by mistake, in the malware’s code. The researcher was able to register a domain that halted WannaCry, which helped stop its spread. This discovery was crucial in containing the attack and minimizing further damage.
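Because the kill switch works by resolving a domain, resolver logs record every host that ran the sample, whether or not the check halted it. The following is an added example, not code from the original article: it triages a constructed DNS log for queries to the kill-switch domain and separates hosts whose lookup failed (the worm continued) from hosts whose lookup succeeded (the sample exited). The domain name, log format and addresses are placeholders and assumptions.

```python
# Added example (not from the original article): triage DNS resolver logs for
# queries to the kill-switch domain. KILLSWITCH_DOMAIN is a placeholder; use
# the actual sinkholed domain in your environment. Log lines are constructed.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log: "timestamp client qname rcode"
SAMPLE_DNS_LOG = """\
2017-05-12T09:58:10 10.0.0.5 killswitch-domain.example NXDOMAIN
2017-05-12T09:58:11 10.0.0.5 update.microsoft.com NOERROR
2017-05-12T15:22:40 10.0.0.9 killswitch-domain.example NOERROR
2017-05-12T15:22:41 10.0.0.9 KILLSWITCH-DOMAIN.EXAMPLE. NOERROR
2017-05-12T15:30:00 10.0.0.12 intranet.corp.example NOERROR
"""

def classify_killswitch_queries(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to a verdict.

    Any query at all means the host executed the sample. Before the domain
    was registered the lookup failed (NXDOMAIN) and the worm went on to
    encrypt; once it was registered the lookup succeeded (NOERROR) and the
    sample exited. NOERROR is only a proxy for the HTTP check succeeding,
    so treat "halted" hosts as suspect until verified.
    """
    domain = domain.lower().rstrip(".")
    verdicts = {}
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") != domain:  # case/trailing-dot tolerant
            continue
        outcome = "halted-by-killswitch" if rcode == "NOERROR" else "ran-unchecked"
        # Worst case wins if a client shows both outcomes across queries.
        if verdicts.get(client) != "ran-unchecked":
            verdicts[client] = outcome
    return verdicts

if __name__ == "__main__":
    print(classify_killswitch_queries(SAMPLE_DNS_LOG))
```

Hosts in the "ran-unchecked" bucket should be isolated and checked for encrypted files first; "halted" hosts are still unpatched and exposed, since the same exploit reached them.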
In response to the incident, strengthened measures were implemented across many sectors to improve cybersecurity. Organizations became more aware of the importance of keeping their systems up to date and adopting more rigorous security practices. The disclosure of the EternalBlue vulnerability also led to a global debate on the management of cyber-espionage tools and the responsibility of security agencies.
Some Tips to Protect Against Ransomware like WannaCry
Although ransomware constantly evolves, there are effective tactics you can use to protect your system from WannaCry or its successors.
1. Keep Systems Updated: Always ensure your system is up to date. This not only prevents your computer from slowing down but also closes most entry points for WannaCry and other malware. During the attack, many victims were using outdated versions of Windows, which facilitated the ransomware’s spread.
2. Perform Regular Backups: While regular backups do not prevent ransomware attacks, they significantly reduce the damage if you become a victim. In the event of a lockout, you can reinstall the system and restore your files from an earlier backup. There are also dedicated software solutions that perform backups automatically and regularly.
3. Use Security Software: Protect your system with a firewall and use a reliable antivirus program to ensure early detection of ransomware.
4. Check Sources: Never open a link that seems suspicious or comes from an unknown sender. Exercise caution with USB drives and other external data storage devices as well.
The WannaCry attack marked a turning point in the history of cyber threats, demonstrating the scale and speed at which malware can spread and cause damage. By exploiting a critical vulnerability in Windows systems, WannaCry crippled thousands of organizations around the world, from hospitals to businesses.
Although a solution was found, the danger is not yet completely eliminated as recent versions of WannaCry still circulate and are distributed without the kill switch, making them formidable.
The consequences of this attack were catastrophic, highlighting the importance of cybersecurity and the need for businesses and individuals to remain vigilant and informed.
To deepen your understanding of cybersecurity issues and discover strategies to protect your systems against such threats, feel free to visit our blog. We share analyses, practical tips, and resources to help you strengthen your digital defense.