WannaCry – Analysis of the NHS Ransomware Attack

On May 12, 2017, over 200,000 computers in 99 countries were infected by WannaCry, a type of ransomware program that targets Microsoft Windows.

WannaCry shut down the NHS, Telefónica, FedEx, Deutsche Bahn and more, causing serious alarm, especially among people who had important personal details on their systems. The virus locks down the computer and demands a ransom payment of $300 (£230) in Bitcoin within 3 days in order for access to be restored. Bitcoin is a form of digital currency, created and held electronically, which makes tracing the perpetrators more difficult.

Over a hundred known families of ransomware are propagating online, and WannaCry is one of the newest, having recently attacked some of the largest organisations.

What is WannaCry?

Also known as WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor, WannaCry is a type of ransomware that infects a computer’s hard disk drive via local area network (LAN), email, or a drive-by download. Once it has successfully encrypted the drive, it attempts to exploit the Server Message Block (SMB) vulnerability to pass the virus on to other computers on the internet or within the same LAN.

In March 2017, Microsoft released a patch for the vulnerabilities exploited by tools that the National Security Agency (NSA) had created. WannaCry has been identified as using the EternalBlue exploit, which is part of a collection of hacking tools created by the NSA. The NSA lost control of these tools through the efforts of The Shadow Brokers, a hacking group.

Microsoft released a patch on March 14, 2017. However, those who failed to update their system became susceptible to the attack.

What Solved WannaCry?

It was an accidental kill switch. MalwareTech, a malware analysis expert, found a way to control WannaCry by spending roughly 10 dollars. He reverse-engineered various samples on Friday and discovered that the hackers had built in a dummy URL. The unregistered and inactive domain was the ‘switch’. WannaCry visits the URL and, if it finds it inactive, the spread continues. However, once MalwareTech had purchased and activated the domain, the malware automatically stops its attempt to encrypt a target computer.

One theory is that it was an intentional kill switch, included in case the hackers wanted to stop the ransomware they had created.
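
For defenders, the kill-switch check is also a detection signal: any host that looks up the domain is a candidate for infection, and a host whose lookup failed is one where the worm kept going. The sketch below is an added example, not code from MalwareTech or from this article. The domain is a placeholder, the log format and sample lines are constructed, and a successful DNS answer is assumed to stand in for the domain being "active".

```python
from collections import defaultdict

# Placeholder, not the real domain: substitute the value from your threat-intel feed.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample log lines: "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T14:01:07Z 10.0.4.21 killswitch-placeholder.example. NXDOMAIN
2017-05-12T14:01:09Z 10.0.4.21 intranet.corp.example. NOERROR
2017-05-13T09:30:44Z 10.0.7.15 KILLSWITCH-PLACEHOLDER.example. NOERROR
2017-05-13T09:31:02Z 10.0.4.21 killswitch-placeholder.example. NOERROR
2017-05-13T10:12:30Z 10.0.9.3 killswitch-placeholder.example. SERVFAIL
malformed line
"""

def parse_line(line):
    """Return (timestamp, client, name, rcode), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, name, rcode = parts
    return ts, client, name.rstrip(".").lower(), rcode.upper()

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the domain to 'spreading' or 'halted'.

    Per the article, the worm keeps spreading when the domain looks inactive,
    so a client whose lookup ever failed is the higher priority.
    """
    results = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == domain:
            results[rec[1]].append(rec[3])
    verdicts = {}
    for client, rcodes in results.items():
        failed = any(rc != "NOERROR" for rc in rcodes)
        verdicts[client] = "spreading" if failed else "halted"
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: queried kill-switch domain, worm likely {verdict}")
```

Every client in the result needs investigating and patching either way; the verdict only orders the queue.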

WannaCry 2.0 Continues to Attack Vulnerable Computers

However, the hackers were not halted by the recent kill switch. There are more samples of WannaCry in the wild that are attacking unpatched and unsupported versions of Windows and servers.

This is because the kill-switch feature was in the SMB worm, not in the ransomware module itself. “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.

According to MalwareTech, the best measure you can take is to ensure that you have patched your computers.

Venom IT offers a free Needs Analysis

Venom IT wants to help you ensure that your computer is safe from WannaCry, or any type of virus. We currently offer a free business security needs analysis. You can call us at 0330 202 0220 to book one or you can use our form here.