WannaCry Ransomware
Today is WannaCry's birthday: the ransomware that caused the worldwide ransomware attacks turns two years old. To mark that "special occasion" (!), I am happy to share the academic research paper I wrote back then. I believe it is still interesting to read.
1. Introduction
WannaCry, also known as Wanna Decryptor, is a computer virus that attacks devices running the Windows OS. Within a matter of days it became the most widely spread malware. The ransomware is believed to infect computers directly over the internet rather than through phishing, which is how most ransomware spreads (Woo and McMillan 2017).
Once it infects a computer, it locates a number of files and encrypts them, then displays a pop-up demanding a ransom. It charges $300 to decrypt the files if payment is made within 72 hours; after that the charge rises to $600, and it threatens to destroy the files permanently after seven working days (McMillan 2017). It was first discovered in Asia on 12 May 2017 and has since infected over a quarter of a million computers in more than 150 countries (Melba 2017).
2. Background information
The EternalBlue exploit was allegedly developed by the US National Security Agency and used to spy on computers. It was designed to exploit a vulnerability in Microsoft Windows' Server Message Block (SMB) implementation, and it enabled an attacker to execute any command within the OS. Shadow Brokers, the hacker group responsible for WannaCry's first infections, released the exploit two months before WannaCry's first attack (McMillan 2017). The group is known for releasing NSA-developed software exploits (Leonhard 2017).
The group has released more than 1 GB of NSA exploits in just eight months (Leonhard 2017). Its release of EternalBlue was regarded as the most dangerous, and Microsoft was forced to patch its operating systems to fix the vulnerability. It also released patches for older versions such as Windows XP, which it had stopped supporting in 2014 (McMillan 2017). After its release, EternalBlue is believed to have been used to install DoublePulsar, a backdoor tool, on WannaCry's victim computers (Melba 2017).
Shadow Brokers also released this tool. With it installed, the attackers could execute WannaCry on the victim computers.
3. Discussion
3.1 The attack
As stated above, the malware hunts for vulnerable computers on the internet and also spreads itself to other computers on the local network by infecting them. Before infecting a computer, the ransomware checks a kill-switch domain name. This kill switch lets the virus identify, among other things, where it is being executed from and whether it is running in a controlled environment; if it detects that it is being run in a controlled environment, such as a virtual machine, it terminates.
The malware creators may have built in the kill switch to prevent the virus from being studied and countermeasures developed. Unfortunately for the creators, the kill-switch domain name was quickly identified and activated, which resulted in a drop in the number of infections. Once the malware has checked the kill switch, it is believed to proceed to encrypt the host's data and display the pop-up containing the attacker's ransom demand. The amount demanded varies with how long the victim takes to pay. Payment is made in bitcoin, a cryptocurrency that provides anonymity to the parties of a transaction.
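A defender-side view of the two behaviours described above (the SMB scan-and-spread and the kill-switch lookup), added here as an example that is not part of the original paper: it scans constructed firewall and DNS log lines for an internal host fanning out to TCP/445 across many peers, and for a lookup of the kill-switch domain. The domain name, the log format and the fan-out threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumptions: placeholder kill-switch domain (the real name is not given on the page),
# a simple "FW ALLOW src:port -> dst:port" / "DNS query src qname" log format,
# and a fan-out threshold chosen for the constructed sample.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"
SMB_FANOUT_THRESHOLD = 10  # distinct peers contacted on TCP/445 in the log window

# Constructed sample telemetry: host 10.0.0.7 sweeps twelve peers on 445 and then
# looks up the kill-switch domain; host 10.0.0.9 shows ordinary traffic.
SAMPLE_LOGS = "\n".join(
    [f"2017-05-12T10:01:{i:02d}Z FW ALLOW 10.0.0.7:{49200 + i} -> 10.0.0.{20 + i}:445 proto=tcp"
     for i in range(12)]
    + [
        "2017-05-12T10:01:30Z FW ALLOW 10.0.0.9:50100 -> 10.0.0.30:445 proto=tcp",
        "2017-05-12T10:01:31Z FW ALLOW 10.0.0.9:50101 -> 203.0.113.5:443 proto=tcp",
        "2017-05-12T10:02:00Z DNS query 10.0.0.7 killswitch.example.invalid.",
        "2017-05-12T10:02:01Z DNS query 10.0.0.9 www.example.com.",
    ]
)

CONN_RE = re.compile(r"FW \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
DNS_RE = re.compile(r"DNS query (?P<src>[\d.]+) (?P<qname>\S+)")

def analyze(log_text, threshold=SMB_FANOUT_THRESHOLD):
    """Return alert tuples: ('killswitch_lookup', src) for a lookup of the
    kill-switch domain and ('smb_fanout', src, n_peers) for a host that
    contacted at least `threshold` distinct peers on TCP/445."""
    smb_peers = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            if m["dport"] == "445":
                smb_peers[m["src"]].add(m["dst"])
            continue
        m = DNS_RE.search(line)
        if m and m["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            alerts.append(("killswitch_lookup", m["src"]))
    for src, peers in sorted(smb_peers.items()):
        if len(peers) >= threshold:
            alerts.append(("smb_fanout", src, len(peers)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

A sinkholed kill-switch lookup is a strong early indicator because, per the paper, the malware performs it before it encrypts anything.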
At first, older versions of Windows such as Windows XP or Windows 2003 were believed to be more vulnerable to the malware; Microsoft has since released an update for them.