WannaCry started infecting machines on May 12 2017, being downloaded onto a Windows computer and subsequently encrypting the files it requires to run.
Whilst this type of infection is not new, the sheer scale of WannaCry lead it to be headline news in many countries around the world, especially Britain where it lead the National Health Service (NHS) to suspend a number of services, including operations.
The infection wasn’t particularly sophisticated and certainly wasn’t some new super virus that will bring down the world’s computing infrastructure… however, it did highlight a more brazen approach by hackers to demand money up front for their crimes. In this case, the sum of $300-worth of bitcoin was demanded to decrypt the infected machines.
In this article, I will explain how this virus worked and what you can do to both protect your system and ensure you don’t get the infection on your own machine.
What Is WannaCry?
The origin of WannaCRY is still unknown.
However, as is the case with most of these infections, states such as Russia (I’m sorry to say because the Russian people are generally very cultured), China or such places as Nigeria, North Korea, Libya etc are often cited as potential sources.
It will take the likes of the FBI some time to determine the specific source of the infection, until then we’ll just have to speculate as to who wrote it and why.
It must be stated that the infection was indiscriminate in who it targeted. Russia was particularly badly hit, as was a large number of multinational companies, one of whom in France had to close their factories to remove the virus. I’ll explain how this happened in a second.
To give you a brief explanation, WannaCry is a “ransomware” virus. This is a type of “malware” (malicious software) application which – when installed – will block access to many core aspects of your system and prevent you from being able to access your files.
Computer viruses come in many forms. Malware is a particularly stubborn type because they often evade detection from antivirus applications – posing as legitimate tools that you may wish to download onto your system. Obviously, you discover their true intentions too late.
Malware can only be removed by actively removing the files that it uses to run (it’s just standard software which runs like all the other programs you have).
The problem with WannaCRY is that since it encrypts the user’s files, it can be very difficult to undo any of the damage that it causes. This is why backing up your data, especially with some sort of “cloud” data system is so strongly recommended.
Why Did It Spread So Far?
Whilst WannaCRY is obviously a terrible infection, the main reason I am writing about it is because of how widely it spread.
The following are some of the more high-profile victims:
Hundreds of hospitals across UK suffered a massive outage in the wake of the infection with the administration being forced to delay or even cancel surgeries and X-rays of a large number of patients.
The Spanish telephone giant said it was attacked.
The French automobile giant was hit, forcing it to halt production at sites in France and its factory in Slovenia as part of measures to stop the spread of the virus
- Deutsche Bahn
The German train operator was hit as travellers tweeted pictures of hijacked departure boards showing the ransom demand instead of train times. The company, insisted train services were unaffected.
The US package delivery group acknowledged it had been hit.
The firm’s manufacturing plant in Sunderland (UK) was affected.
… said that its email service was hit, and that some of its staff were unable to access attachments or send and receive messages.
The reason for the spread was how WannaCRY targeted its victims.
This particular infection was designed to target an exploit in Windows XP, Vista and 7 systems which had not been updated.
Specifically, a network infection vector called EternalBlue was released by a hacker group the month before. This was used by the CIA to hack into older Windows systems. This vulnerability was open on millions of systems still running older versions of XP, Vista or Windows 7. This is how the virus was able to infect such a large number of systems.
In terms of how the virus found its way into the networks that it did… the key lies in the way the virus is spread. Malware is not like typical virus infections – it has to be downloaded manually by the user. It cannot just install itself.
As such, viruses such as WannaCRY end up being sent to users via phishing emails (fake emails which purport to be from the likes of Paypal or a bank).
Clicking onto a fake email, or downloading an insecure link, would then lead the virus to be installed onto the system. It’s my guess that the infection was sent to a large email list, the recipients of which then downloaded the infection, causing the damage it did.
As with many infections, remedies are often created and implemented.
In the case of WannaCRY, several things happened.
Firstly, a British spyware technician was able to locate a “killswitch”. This was a web domain which when registered prompted the software to stop spreading.
The point of the killswitch was to allow the creators to determine a “quarantine” zone to test the virus. They would just add the domain to their test machines to ensure they could control when the infection struck. By registering the domain in real life, the technician essentially made almost all the infections cease to spread.
Secondly, Microsoft released an update to Windows XP, Vista and 7 users. This is despite the fact that Microsoft had publicly announced its dropping of support for Windows XP several years ago. Shows the importance of keeping your system up to date.
As of the end of May 2017, the majority of large organizations who were affected have updated their systems. Many in the security community are working to determine the source and scope of the infection, and I believe there are a number of tools available to fix it.
How To Protect Your Systems
The big lesson from this was that you must keep your system up to date.
The only reason why WannaCRY was such a wide infection was because of how it exploited a backdoor that was open on millions of systems around the world.
For example, there were many NHS systems still running XP even though support for it had ended.
Apart from updating your system, there are a number of other considerations to look at:
- Ensure your system’s antivirus protection is adequate
- Download and install an adequate anti-malware tool
- NEVER download attachments from emails you don’t know
- NEVER download programs from websites you don’t know the origin of
- ALWAYS double check if in doubt
In terms of WannaCry itself – if you are running the latest version of Windows, preferably Windows 10, you should be okay. That doesn’t mean you shouldn’t remain vigilant, but the targets for WannaCRY were pretty specific.