Josh Fruhlinger
Contributing writer

WannaCry explained: A perfect ransomware storm

Aug 24, 2022, 10 mins

Stolen government hacking tools, unpatched Windows systems, and shadowy North Korean operatives made WannaCry a pernicious threat that continues to this day.

[Image: A laptop sits on the surface of a stormy sea.] Credit: Fergregory / Getty Images

What is WannaCry?

WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.

How WannaCry works

The WannaCry ransomware executable works in a straightforward manner and is not considered particularly complex or innovative. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those components include: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor, used for command-and-control communications with the ransomware gang

Whatever the original WannaCry source code is, it hasn’t been found or made available to researchers, although it’s easy enough for them to examine the binary’s execution. Once launched, WannaCry tries to access a hard-coded URL—this is a kill switch, and we’ll discuss it in more detail in a moment. If the ransomware can connect to that URL, it shuts down; if it can’t, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice, demanding some Bitcoin—not an outrageous amount, often on the order of $300—to decrypt the files.

How does WannaCry spread?

WannaCry spreads via a flaw in the Microsoft Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and an unpatched version of Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code, an exploit known as EternalBlue.

The fact that this rather pedestrian executable spread via EternalBlue is ultimately more interesting than the ransomware itself. It is believed that the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed the EternalBlue code to exploit it. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained unpatched and vulnerable, and WannaCry, aided by EternalBlue, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.

WannaCry kill switch

The WannaCry kill switch is a piece of functionality that requires the executable to try to access the long, gibberish URL before it begins the encryption process. Somewhat counterintuitively, WannaCry only proceeds with its ransomware mission if it fails to connect to the domain; if it can connect, it shuts itself down.

The purpose of this functionality is not entirely clear. Some researchers initially believed this was supposed to be a means for the malware’s creators to pull the plug on the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult. Many researchers will run malware in a “sandbox” environment, from within which any URL or IP address will appear reachable; by hard-coding into WannaCry an attempt to contact a nonsense URL that wasn’t actually expected to exist, its creators hoped to ensure that the malware wouldn’t go through its paces for researchers to watch.

Hutchins not only discovered the hard-coded URL but paid $10.96 to register the domain and set up a site there. Many instances of WannaCry never ended up encrypting the computers they infected as a result, and this helped blunt, though not stop, the spread of the malware.
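The interaction between the kill switch and the analysis environment is easy to get wrong, so here is a toy model of it. This is an added example written for this page, not code from the article or from any WannaCry sample: it models the decision the article describes (reachable domain means shut down, unreachable means continue) under three DNS environments, and adds a defender-side consistency check for sandbox operators. The domain name is a placeholder, since the article does not print the real one.

```python
"""Added example (not code from the article or from any WannaCry sample):
a toy model of the kill-switch decision the article describes, run under
three DNS environments, to show why an analysis sandbox that answers every
lookup never observes the encryption phase."""

# Placeholder: the article does not print the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch.placeholder.example"


def sample_behaviour(resolve):
    """Model of the article's logic: if the hard-coded domain is reachable
    the sample shuts down; only if the lookup fails does it go on to encrypt.
    `resolve` is a callable domain -> bool standing in for DNS plus connect."""
    return "halts" if resolve(KILL_SWITCH_DOMAIN) else "proceeds to encrypt"


def make_internet_resolver(registered_domains):
    """Real-world DNS: only registered names resolve."""
    return lambda domain: domain in registered_domains


def fake_everything_resolver(domain):
    """A sandbox configured so that every name is reachable (done so that
    malware with real C2 shows its traffic); against this sample it backfires."""
    return True


def sandbox_consistency_check(sample, realistic_resolver):
    """Defender-side check: run the same sample under fake-everything DNS and
    under a realistic resolver. If the outcomes differ, the sample's behaviour
    is network-dependent and a report from one run alone is misleading."""
    fake = sample(fake_everything_resolver)
    real = sample(realistic_resolver)
    return {"fake_dns": fake, "realistic_dns": real, "network_dependent": fake != real}


if __name__ == "__main__":
    before = make_internet_resolver(set())                # morning of May 12: nobody owns the domain
    after = make_internet_resolver({KILL_SWITCH_DOMAIN})  # after Hutchins registered it
    print("internet, before registration:", sample_behaviour(before))
    print("internet, after registration: ", sample_behaviour(after))
    print("fake-everything sandbox:       ", sample_behaviour(fake_everything_resolver))
    print(sandbox_consistency_check(sample_behaviour, before))
```

The consistency check is the practical takeaway: a sandbox that fakes reachability for every name produces a run in which this sample simply exits, which looks benign. Running once more with realistic DNS, or flagging any sample whose verdict flips between the two, is how an analysis pipeline avoids being fooled by this kind of check.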

Shortly after being hailed as a hero for this, Hutchins was arrested for helping develop different malware in 2014. He eventually pled guilty to related charges, and the judge in the case did not require him to serve jail time beyond his pretrial detention, saying that it was clear he had “turned a corner” in his life.

How to prevent WannaCry ransomware

WannaCry ransomware can be prevented by downloading the appropriate patch for your version of Windows from Microsoft, and the easiest way to do that is to simply update your OS to the most recent version. Ironically, the necessary patch was available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to prevent infection via EternalBlue. Despite the fact that Microsoft had flagged the patch as critical, many systems were still unpatched as of May of 2017 when WannaCry began its rapid spread.

For those unpatched systems that are infected, there is little remedy beyond restoring files from a safe backup—so let that be a lesson that you should always back up your files. While those monitoring the bitcoin wallets identified in the extortion message say that some people are paying the ransom, there’s little evidence that they’re regaining access to their files.

How to detect WannaCry

WannaCry can be detected by taking a close look at your system logs and network traffic. Because WannaCry won’t activate if it can contact the “kill switch” URL, it can lurk on your infrastructure without necessarily encrypting your files, so if you have unpatched Windows machines it’s a good idea to try to sniff it out before a change in circumstances causes it to become active.

SolarWinds has a good primer on using your server logs to detect WannaCry’s activities. They advise looking for file-creation events, specifically files being written with WannaCry’s own encrypted-file extension, and keeping an eye out for outbound traffic on the SMBv1 ports, TCP 445 and 139, as well as DNS queries for the kill switch domain. Positive Technologies says you should also look for connections to the Tor network on ports 9001 and 9003.
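To make those four indicators concrete, here is a small triage script that applies them to log lines. It is an added example written for this page, not code from the article, SolarWinds or Positive Technologies. The log format, the host names and every event in it are constructed; the kill-switch domain and the encrypted-file extension are placeholders because the article does not give them; and the fan-out threshold of five distinct SMB targets is an assumed tuning value.

```python
"""Added example, not from the article, SolarWinds or Positive Technologies:
a small triage script that scans constructed log lines for the four
indicators the article lists and rates each host."""
import re
from collections import defaultdict

# Placeholders: the article names neither the kill-switch domain nor
# WannaCry's encrypted-file extension; an analyst would substitute the
# real values from their threat-intel source.
KILL_SWITCH_DOMAIN = "killswitch.placeholder.example"
ENCRYPTED_EXT = ".wannacry-placeholder"
SMB_PORTS = {445, 139}      # SMBv1 transport ports named in the article
TOR_PORTS = {9001, 9003}    # Tor ports named in the article
SMB_FANOUT_THRESHOLD = 5    # assumed: distinct SMB targets before we call it scanning

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """'<ts> k=v k="v with spaces" ...' -> dict. Constructed format, not a real product's."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def classify(ev):
    """Map one event to an indicator name, or None if it matches nothing."""
    kind = ev.get("event")
    if kind == "file_create" and ev.get("path", "").lower().endswith(ENCRYPTED_EXT):
        return "encrypted-file-write"
    if kind == "conn" and ev.get("dir") == "out":
        dport = ev.get("dport", "")
        port = int(dport) if dport.isdigit() else -1
        if port in SMB_PORTS:
            return "outbound-smb"
        if port in TOR_PORTS:
            return "tor-port"
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == KILL_SWITCH_DOMAIN:
        return "kill-switch-lookup"
    return None


def triage(lines):
    """Aggregate indicator counts and distinct SMB targets per host."""
    hosts = defaultdict(lambda: {"indicators": defaultdict(int), "smb_targets": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = classify(ev)
        if tag is None:
            continue
        rec = hosts[ev.get("host", "?")]
        rec["indicators"][tag] += 1
        if tag == "outbound-smb":
            rec["smb_targets"].add(ev.get("dst"))
    return hosts


def verdict(rec):
    """Rate one host. Outbound 445 on its own is normal file-share traffic in a
    Windows network; the worm signal is fan-out to many distinct hosts."""
    ind = rec["indicators"]
    if ind.get("encrypted-file-write"):
        return "active"        # files already being rewritten: contain now
    if len(rec["smb_targets"]) >= SMB_FANOUT_THRESHOLD:
        return "spreading"     # SMB scanning, no encryption observed yet
    if ind.get("kill-switch-lookup") or ind.get("tor-port"):
        return "suspicious"    # may be lurking after reaching the kill switch
    return "noise"


def report(lines):
    """host -> verdict for every host that produced at least one indicator."""
    return {host: verdict(rec) for host, rec in triage(lines).items()}


# Constructed sample log: one active host, one dormant host, one scanning
# host, and a file server doing ordinary SMB traffic to a single peer.
SAMPLE_LOG = """\
2017-05-12T08:01:00Z host=ws01 event=dns query=killswitch.placeholder.example
2017-05-12T08:01:02Z host=ws01 event=conn dir=out dst=10.0.0.11 dport=445
2017-05-12T08:01:02Z host=ws01 event=conn dir=out dst=10.0.0.12 dport=445
2017-05-12T08:01:02Z host=ws01 event=conn dir=out dst=10.0.0.13 dport=139
2017-05-12T08:01:02Z host=ws01 event=conn dir=out dst=10.0.0.14 dport=445
2017-05-12T08:01:03Z host=ws01 event=conn dir=out dst=10.0.0.15 dport=445
2017-05-12T08:01:05Z host=ws01 event=conn dir=out dst=203.0.113.9 dport=9001
2017-05-12T08:01:09Z host=ws01 event=file_create path="C:\\Users\\alice\\Q2 report.docx.wannacry-placeholder"
2017-05-12T08:02:00Z host=fs02 event=conn dir=out dst=10.0.0.50 dport=445
2017-05-12T08:02:01Z host=fs02 event=conn dir=out dst=10.0.0.50 dport=445
2017-05-12T08:02:01Z host=ws03 event=dns query=killswitch.placeholder.example
2017-05-12T08:03:00Z host=ws04 event=conn dir=out dst=10.0.0.21 dport=445
2017-05-12T08:03:00Z host=ws04 event=conn dir=out dst=10.0.0.22 dport=445
2017-05-12T08:03:00Z host=ws04 event=conn dir=out dst=10.0.0.23 dport=445
2017-05-12T08:03:01Z host=ws04 event=conn dir=out dst=10.0.0.24 dport=445
2017-05-12T08:03:01Z host=ws04 event=conn dir=out dst=10.0.0.25 dport=445
""".splitlines()

if __name__ == "__main__":
    for host, v in report(SAMPLE_LOG).items():
        print(f"{host}: {v}")
```

Two design choices matter in practice. First, the kill-switch lookup on its own is graded only as suspicious rather than clean, because, as the article notes, a host that reached the domain and stopped is still infected and will detonate if the domain ever becomes unreachable. Second, outbound SMB is counted per distinct destination rather than per packet, because a file server talking to one peer on TCP 445 all day is normal and would otherwise drown the signal.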

WannaCry and Windows 10

As noted, Microsoft released a patch for the SMB vulnerability that WannaCry exploits two months before the attack began. While unpatched Windows 10 systems were vulnerable, the automatic update feature built into the OS meant that almost all Windows 10 systems were protected by May of 2017.

The Microsoft SMB patch was initially only available for currently supported versions of Windows, which notably excluded Windows XP. There are still millions of internet-connected Windows XP systems out there—including at Britain’s National Health Service, where many WannaCry attacks were reported—and Microsoft eventually made the SMB patch available for older versions of the OS as well. However, a later analysis found that the vast majority of WannaCry infections struck machines running Windows 7, an operating system still supported when WannaCry was at its peak.

Who created WannaCry?

The security firm Symantec believed that the code behind this malware might have a North Korean origin. They fingered the Lazarus Group, a hacking group that has been tied to North Korea, as the culprits behind WannaCry. Beginning their run in 2009 with crude DDoS attacks on South Korean government computers, they’ve become increasingly sophisticated, hacking Sony and pulling off bank heists.

Symantec made this identification in a blog post in late May of 2017, just a few weeks after WannaCry began its rapid spread. In December of 2017, Tom Bossert, who at the time was the U.S. National Security Advisor, wrote an op-ed in the Wall Street Journal in which he said that the U.S. government agreed with this assessment.

How did WannaCry start?

WannaCry exploded across the internet on May 12, 2017, taking advantage of EternalBlue, but Symantec’s initial blog post on WannaCry’s origins also revealed some important and little-known information about how the malware got started even before that. WannaCry had in fact been circulating for months before it became impossible to avoid. This earlier version of the malware was dubbed Ransom.Wannacry, and Symantec noted “substantial commonalities in the tools, techniques and infrastructure used by the attackers” between this version of WannaCry and those used by the Lazarus Group, which is how Symantec pinned the attack on the North Koreans.

However, Ransom.Wannacry used stolen credentials to launch targeted attacks rather than EternalBlue, which meant that its spread was much less virulent and dramatic. It’s assumed that the Lazarus Group directed the shift to EternalBlue as a distribution mechanism, but

Does WannaCry still exist?

WannaCry still exists and still continues to spread and infect computers, which on the surface may come as a surprise. After all, while the EternalBlue exploit is a powerful one, it only works on Windows machines that haven’t received the appropriate patch, and that patch is available for free to all Windows users (even Windows XP users!) and has been for years. But IT pros know that far too many shops don’t properly keep up with patching, either due to lack of resources, lack of planning, or fear that updating an existing system will cause downtime or interfere with crucial running software.

Unfortunately, this is a recipe for chaos, and has resulted in wholly preventable WannaCry infections in the years since the malware first arrived on the scene. For instance, in March 2018, Boeing was hit with a suspected WannaCry attack. The company claimed it did little damage, however, affecting only a few production machines. Boeing was able to stop the attack and bring the affected systems back quickly, but a company of Boeing’s size and stature should’ve had adequate patches in place by that time.

As the years wore on, WannaCry remained a pernicious threat. A report in May of 2019—a full two years after the EternalBlue patch became available—found that 40% of healthcare organizations and 60% of manufacturers had experienced at least one WannaCry attack in the previous six months. This led Ben Seri, VP of research at Armis, to declare that WannaCry was “still unmanageable.”

That trend still continues today. The ongoing COVID-19 pandemic has made health care providers a particularly tempting target for ransomware gangs, and a surge of WannaCry attacks began in early 2020. Check Point Research found that the number of organizations affected by WannaCry grew by 53% in 2021. Some have asked how WannaCry was stopped; the answer is that, while patching slowed its spread, it hasn’t been stopped yet.

All EternalBlue-based malware exploits the same Windows vulnerability, so the fact that these attacks are ongoing suggests that plenty of unpatched Windows systems are still out there. It’s only a matter of time before an attacker finds them. Don’t let your infrastructure end up on their list.