The internet is one of the most remarkable inventions of its time. With over 51% of the world’s population now online, it has more than proved its worth. But the same connectivity that delivers its benefits has also made room for a great deal of dangerous activity, and one of the most damaging examples is the spread of malicious software such as viruses and ransomware.
One of the most widely reported cyber attacks of recent years was caused by one such piece of software, the WannaCry ransomware. Infecting, by some estimates, more than 400,000 machines worldwide, WannaCry wreaked havoc and took the digital world by storm almost instantaneously. Interested in learning more about WannaCry? We’re talking all about what it is, how it spread, and who was responsible for the attack that had the entire digital world troubled and at its feet.
What is WannaCry?
Like much other malware, WannaCry arrived on the victim machine in the form of what is known as a dropper. A dropper is a program that carries a number of components inside itself; when it runs, it extracts those components and executes them. It was these components, bundled inside the WannaCry dropper, that did the real work of encrypting files on hundreds of thousands of machines around the world.
The WannaCry package that made its way onto those machines contained an application that handled the encryption of files (and, supposedly on payment, their decryption), rendering them unusable; files holding the encryption keys; and a copy of the Tor software. Tor is an anonymity network, not a cryptocurrency tool: WannaCry bundled it so that the ransomware could reach its command-and-control servers, which were hosted as Tor hidden services (.onion addresses), without revealing where those servers were.
How did WannaCry spread?
Contrary to popular belief, WannaCry did not spread through email, the way most other ransomware families such as Amnesia and Locky do. Instead, it spread through a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, specifically version 1 of the protocol (SMBv1). The exploit for that vulnerability, known as EternalBlue, was developed by the United States National Security Agency and became public in April 2017 when a group calling itself the Shadow Brokers leaked it. EternalBlue powered WannaCry’s worldwide spread and has since been reused by other malware, including NotPetya and Retefe.
SMB is the protocol Windows uses for file and printer sharing between hosts on a network, so a great deal of data passes through it and the SMB service listens on every machine that shares files. EternalBlue showed that by sending specially crafted SMBv1 packets to that service, an unauthenticated attacker on the network could corrupt memory in the kernel-mode driver that implements the protocol and make it run arbitrary code, with no user interaction at all. That is what allowed WannaCry to behave as a worm: every machine it infected scanned for other machines exposing SMB (TCP port 445) and attacked them in turn.
A question many people asked when they heard about this flaw was why nothing had been done about it. How, they wondered, could Microsoft have missed something that put the privacy and security of hundreds of thousands of people and organisations, including the National Health Service in the United Kingdom and the courier company FedEx, at risk? The fact is that Microsoft had found the problem and fixed it: the patch, security bulletin MS17-010, was released in March 2017, about a month before the Shadow Brokers leaked EternalBlue and two months before WannaCry appeared. Unfortunately, many organisations had not yet installed it, and machines running versions of Windows that were no longer supported, such as Windows XP and Windows Server 2003, had no patch at all until Microsoft issued an emergency out-of-band update during the outbreak. Those unpatched machines were the ones that remained exposed. The practical lessons still apply today: apply security updates promptly, disable SMBv1 wherever it is not strictly needed, and never expose port 445 to the internet.
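To make the SMBv1 point concrete, here is an added example in Python (it is not part of the original article and not WannaCry’s or EternalBlue’s code) that parses an SMB negotiate request as it appears on TCP port 445 and flags clients that are still willing to negotiate SMBv1. The packet builder and the three sample packets are constructed for illustration; the dialect strings are the standard ones Windows clients send. Feeding real negotiate requests from a packet capture into `assess()` gives a quick inventory of where SMBv1 is still in use, which is exactly the protocol version EternalBlue needs.

```python
"""Flag SMBv1 negotiation on the wire (added example, not WannaCry code).

SMB over TCP/445 is framed by a 4-byte NetBIOS session header: message
type 0x00 followed by a 3-byte big-endian length of the SMB message.
"""
import struct
from typing import Dict, List

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32          # fixed size of the SMBv1 header


def build_smb1_negotiate(dialects: List[str]) -> bytes:
    """Construct an SMBv1 SMB_COM_NEGOTIATE request offering `dialects`."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # magic(4) command(1) status(4) flags(1) flags2(2) pidhigh(2)
    # signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2) = 32 bytes
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    body = header + b"\x00" + struct.pack("<H", len(data)) + data   # WordCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


def parse_negotiate(packet: bytes) -> Dict[str, object]:
    """Return the SMB version and, for SMBv1, the dialects the client offers."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    if body[:4] == SMB2_MAGIC:
        return {"version": "SMB2+", "dialects": []}
    if body[:4] != SMB1_MAGIC or len(body) < SMB1_HEADER_LEN + 3:
        raise ValueError("not an SMB message")
    if body[4] != SMB_COM_NEGOTIATE:
        return {"version": "SMB1", "dialects": []}
    word_count = body[SMB1_HEADER_LEN]
    off = SMB1_HEADER_LEN + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", body, off)
    data = body[off + 2:off + 2 + byte_count]
    dialects, i = [], 0
    while i < len(data):
        if data[i] != 0x02:                 # BufferFormat byte precedes each dialect
            raise ValueError("malformed dialect entry")
        end = data.index(b"\x00", i + 1)    # dialect strings are NUL-terminated
        dialects.append(data[i + 1:end].decode("ascii"))
        i = end + 1
    return {"version": "SMB1", "dialects": dialects}


def assess(packet: bytes) -> str:
    """Classify a negotiate request by the SMB versions the client will accept."""
    info = parse_negotiate(packet)
    if info["version"] != "SMB1":
        return "ok: SMB2+ negotiate"
    dialects = info["dialects"]
    legacy = [d for d in dialects if not d.startswith("SMB 2.")]
    modern = [d for d in dialects if d.startswith("SMB 2.")]
    if legacy and not modern:
        return "alert: SMBv1-only negotiate (legacy host or exploit tooling)"
    if legacy:
        return "warn: SMBv1 still enabled on client; disable SMBv1 on the server"
    return "ok: SMB2 dialects only"


# Constructed samples: a Windows 7 client with SMBv1 enabled (multi-protocol
# negotiate), a client that only speaks SMBv1, and a plain SMB2 negotiate.
WIN7_MULTI_PROTOCOL = build_smb1_negotiate([
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002", "SMB 2.???",
])
SMB1_ONLY = build_smb1_negotiate(["NT LM 0.12"])
SMB2_NEGOTIATE = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    for name, pkt in [("win7", WIN7_MULTI_PROTOCOL), ("smb1-only", SMB1_ONLY), ("smb2", SMB2_NEGOTIATE)]:
        print(f"{name:10s} {assess(pkt)}")
```

The check is deliberately one-sided: it classifies what the client offers, not what the server accepts, because a server with SMBv1 disabled (and MS17-010 applied) will refuse the SMBv1 dialects anyway. The "alert" case is the interesting one on a modern network, since nothing supported by Microsoft should be sending an SMBv1-only negotiate.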
How does WannaCry encrypt files?
Encryption does not begin the moment a machine is infected. When the WannaCry dropper starts, the first thing it does is attempt an HTTP request to a long, seemingly random domain name hard-coded into the program. It was written so that if that request succeeds, WannaCry exits without doing anything further; only if the request fails does it go on to install itself, exploit the SMB vulnerability to spread to other machines, and encrypt files. The generally accepted explanation for this “kill switch” is that it was meant to evade analysis: malware sandboxes often answer every DNS lookup and web request so they can observe what a sample does, and a sample that sees an unregistered domain suddenly respond can assume it is being analysed and shut down.
Because the domain was unregistered, the request failed on every infected machine and the encryption went ahead, until a security researcher, Marcus Hutchins, registered the domain on the first day of the outbreak, after which new infections that could reach it exited harmlessly. Two caveats matter here. First, the check was a direct connection that ignored any configured web proxy, so machines on networks where all web traffic must pass through a proxy still failed the check and were encrypted even after the domain was live. Second, the kill switch does nothing for files that were already encrypted. Once past the check, the encryption component that came with the dropper encrypted files of a wide range of formats, gave each the .WNCRY extension and rendered it unusable. The scheme is a standard hybrid one: each file is encrypted with its own randomly generated AES key, that AES key is encrypted with an RSA public key generated on the victim machine, and the matching RSA private key is itself encrypted with a second RSA public key embedded in the malware, so only the attackers, who hold the corresponding private key, can release it.
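The kill-switch decision and its proxy caveat, as an added example in Python (this is not WannaCry’s code): `kill_switch_says_stop` models the decision the dropper makes, `direct_get` models the non-proxied request on different kinds of network, and `hunt_kill_switch_queries` runs the obvious detection over DNS query logs. The domain is the publicly documented primary kill-switch domain; the log format and the log lines are constructed for this example and are not from any real incident.

```python
"""Model WannaCry's kill-switch gate and hunt for its domain in DNS logs.

Added example, not WannaCry's code. The domain is the publicly documented
primary kill-switch domain; the network conditions and the log lines are
constructed for illustration.
"""
import re
from typing import Callable, List, Set, Tuple

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def kill_switch_says_stop(http_get: Callable[[str], bool]) -> bool:
    """Return True when the dropper would exit without doing anything.

    The dropper makes one HTTP request to the kill-switch domain and exits
    only if that request succeeds. `http_get` stands in for the request and
    returns True on success. Any failure at all (NXDOMAIN, blocked egress,
    an exception) means the malware carries on to the worm and encryption.
    """
    try:
        return bool(http_get(KILL_SWITCH_DOMAIN))
    except Exception:            # the real check treats a failed request as "go"
        return False


def direct_get(resolvable: Set[str], proxy_only: bool) -> Callable[[str], bool]:
    """Simulate the dropper's direct, non-proxied HTTP GET.

    `resolvable` is the set of domains the host can resolve and reach;
    `proxy_only` models a network where web traffic must go through an HTTP
    proxy. The dropper did not use the system proxy, so on such a network the
    request fails even after the domain has been registered.
    """
    def _get(domain: str) -> bool:
        if proxy_only:
            return False                    # direct egress is blocked
        return domain in resolvable         # registered (sinkholed) domain answers
    return _get


# Constructed DNS query log lines: "<timestamp> <client ip> <qtype> <qname>".
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<qtype>\w+)\s+(?P<qname>\S+)$"
)

SAMPLE_DNS_LOG = """\
2017-05-12T10:31:05Z 10.0.3.21 A www.example.com
2017-05-12T10:31:07Z 10.0.3.21 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:31:09Z 10.0.7.14 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:31:11Z 10.0.3.22 AAAA mail.example.com
"""


def hunt_kill_switch_queries(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, client ip) for every query of the kill-switch domain.

    A host asking for this name has very likely just executed the dropper;
    the query is the first observable step, before any SMB scanning starts.
    Names are normalised (case, trailing dot) before comparison.
    """
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == KILL_SWITCH_DOMAIN:
            hits.append((m.group("ts"), m.group("ip")))
    return hits


if __name__ == "__main__":
    live = {KILL_SWITCH_DOMAIN}
    print("open network, domain registered: ", kill_switch_says_stop(direct_get(live, proxy_only=False)))
    print("proxy-only network, domain registered:", kill_switch_says_stop(direct_get(live, proxy_only=True)))
    print("before the domain was registered:", kill_switch_says_stop(direct_get(set(), proxy_only=False)))
    for ts, ip in hunt_kill_switch_queries(SAMPLE_DNS_LOG):
        print(f"{ts} {ip} queried the kill-switch domain")
```

Two operational points follow from the model. Blocking the kill-switch domain on a web filter is counterproductive, because a blocked request is a failed request and the malware proceeds; the domain should be reachable, and any host that queries it should be isolated and investigated. And because the hunt matches on the DNS query rather than the HTTP response, it catches hosts behind a proxy too, which are exactly the ones the kill switch did not protect.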
File recovery
A ransom note beginning “Ooops, your files have been encrypted!” was displayed on infected machines, demanding $300 in Bitcoin. Because the note stated that the ransom would double after three days and that the files would be lost for good after seven, many users felt pressure to pay. Paying was a poor bet, however: WannaCry used only three hard-coded Bitcoin addresses and had no reliable way of matching a payment to a particular victim, so there was no guarantee of ever receiving a decryption key. Some victims were later able to recover their files without paying: on Windows XP and Windows 7 machines that had not been rebooted since infection, the prime numbers used to generate the victim’s RSA key could sometimes still be found in memory, and tools (WannaKey and WanaKiwi) were released to reconstruct the key from them.
For assistance with file recovery and ransomware removal, please contact MonsterCloud – cyber security experts for professional ransomware removal.