WannaCry is a ransomware worm that spread rapidly across computer networks worldwide starting on 12 May 2017. After infecting a Windows computer, it encrypts files on the PC's disk, making them inaccessible to users, then demands a ransom payment in bitcoin in exchange for decrypting them.
How It Works
The WannaCry ransomware works in a straightforward manner and is not considered particularly complex or innovative. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts and launches the other components embedded within itself: the file encryptor and the code that spreads the worm to other machines over SMB.
How It Spreads
WannaCry spreads via a flaw in Microsoft's implementation of version 1 of the Server Message Block (SMB) protocol, which Windows uses for file and printer sharing over TCP port 445. An unpatched SMBv1 server could be tricked by specially crafted packets into executing arbitrary code; the exploit for this flaw, EternalBlue, was published by the Shadow Brokers group in April 2017, a month after Microsoft had fixed the bug in security bulletin MS17-010. The worm scans the local network and random internet addresses for port 445 and fires EternalBlue at every host that answers, which is what let it jump between organizations with no user interaction at all. A machine that does not accept SMBv1 connections cannot be infected this way, patched or not.
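The precondition for EternalBlue is a host that still negotiates SMBv1. The following added example (my code, not the article's and not the worm's) builds the classic SMBv1 NEGOTIATE request, sends it to port 445, and classifies the reply: an SMBv1 NEGOTIATE response with an accepted dialect means SMBv1 is on, an SMB2 header or a dropped connection means it is not. It only checks that precondition; it does not test for the MS17-010 vulnerability itself. The sample replies at the bottom are constructed for offline testing, not real captures.

```python
"""Probe whether a host still speaks SMBv1, the precondition for EternalBlue.

Added example, not code from the original article. It sends an SMBv1
NEGOTIATE request on TCP 445 and classifies the reply; it does NOT test
for the MS17-010 vulnerability itself.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"   # SMBv1 header starts with 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"   # SMB2/3 header starts with 0xFE 'S' 'M' 'B'
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF       # DialectIndex a server returns when it accepts none


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Return a NetBIOS-framed SMBv1 NEGOTIATE request offering `dialects`."""
    # 32-byte SMB1 header: command, NTSTATUS, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID (little-endian).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE, 0,
        0x18,    # Flags: case-insensitive, canonicalized paths
        0xC801,  # Flags2: long names, extended security, NT status, unicode
        0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # Empty parameter block (WordCount 0); the data block lists each dialect
    # as a 0x02 type byte followed by a NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(data)) + data
    # NetBIOS session service header: message type 0x00 + 24-bit length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(data):
    """Classify the raw bytes a server sent back to build_smb1_negotiate().

    "closed": no reply (SMBv1 is off and the server dropped the session)
    "smb2": the server answered with an SMB2 header, SMBv1 not selected
    "smb1": the server accepted an SMBv1 dialect, EternalBlue's precondition
    "smb1-refused": SMBv1 header but an error status or no dialect accepted
    "unknown": anything else
    """
    if not data:
        return "closed"
    payload = data[4:]  # strip the NetBIOS session header
    if payload.startswith(SMB2_MAGIC):
        return "smb2"
    if (len(payload) >= 35 and payload.startswith(SMB1_MAGIC)
            and payload[4] == SMB_COM_NEGOTIATE):
        status = struct.unpack_from("<I", payload, 5)[0]
        word_count = payload[32]                 # parameter words in reply
        if status != 0 or word_count == 0:
            return "smb1-refused"
        dialect_index = struct.unpack_from("<H", payload, 33)[0]
        return "smb1-refused" if dialect_index == NO_DIALECT else "smb1"
    return "unknown"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the NEGOTIATE, and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            return classify_negotiate_response(sock.recv(4096))
    except (ConnectionResetError, socket.timeout):
        return "closed"


def _sample_reply(dialect_index):
    """Constructed SMBv1 NEGOTIATE response (not a real capture) for offline tests."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0,
        b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    smb = header + struct.pack("<BH", 17, dialect_index)  # WordCount, DialectIndex
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SAMPLE_SMB1_OK = _sample_reply(0)                 # dialect 0 (NT LM 0.12) accepted
SAMPLE_SMB1_REFUSED = _sample_reply(NO_DIALECT)
SAMPLE_SMB2 = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60  # SMB2 header only

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Run it as `python probe.py 10.0.0.5 10.0.0.6` against hosts you are authorized to scan; anything that comes back "smb1" is a host the worm can reach, and the fix is to disable SMBv1 rather than just patch.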
The WannaCry Kill Switch
Before it does anything else, the WannaCry executable tries to make an HTTP request to the long, gibberish domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Somewhat counterintuitively, WannaCry only proceeds with its ransomware mission if that request fails; if it gets any answer at all, it exits without encrypting anything or spreading further. A security researcher registered the domain shortly after the outbreak began, which is why infections in much of the world stopped as abruptly as they started. Two caveats for defenders: the check is a direct connection that ignores the system's proxy settings, so hosts that can only reach the internet through a proxy fail the check and get encrypted anyway, and later builds appeared with different domains or with the kill switch patched out. Sinkholing the domain to an internal web server, and alerting on any DNS query for it, are the standard responses.
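Two things a practitioner wants from the kill switch: the decision logic itself, so the effect of a sinkhole is clear, and a detection that turns DNS logs into a list of hosts that ran the dropper. The following added example (my code, not the article's and not the worm's) models the check the way the worm performs it, a direct HTTP request with proxies ignored where any answer counts, and then scans query-log lines for the kill-switch domain. The log-line format is a simplified one of my own, loosely modelled on BIND's query log, and the sample lines are constructed, not a real capture.

```python
"""Kill-switch decision logic and a DNS-log detection for it.

Added example, not code from the original article. kill_switch_reachable()
mirrors the worm's behaviour (direct request, proxies ignored, any answer
counts); the log format and sample lines below are constructed.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def kill_switch_reachable(domain=KILL_SWITCH_DOMAIN, timeout=5.0):
    """Direct HTTP GET to the domain, ignoring proxy settings as the worm did.

    Any HTTP answer (even a 404) counts as reachable; DNS failure, connection
    refusal or a timeout count as unreachable. Makes a real network request.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open("http://" + domain + "/", timeout=timeout):
            return True
    except HTTPError:
        return True          # the server answered; that is all the check needs
    except (URLError, OSError, ValueError):
        return False


def worm_decision(reachable):
    """The inverted logic: exit when the domain answers, otherwise carry on."""
    return "exit" if reachable else "encrypt-and-spread"


# Simplified query-log line, loosely modelled on BIND's query log (constructed).
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+")


def find_kill_switch_lookups(log_lines, domains=(KILL_SWITCH_DOMAIN,)):
    """Return (timestamp, source ip, qname) for each query of a kill-switch domain.

    A hit means the source host executed the dropper, whether or not
    encryption followed; case and a trailing dot in the name are ignored.
    """
    wanted = {d.lower() for d in domains}
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in wanted:
            hits.append((m.group("ts"), m.group("src"), qname))
    return hits


SAMPLE_DNS_LOG = [  # constructed for this example, not a real capture
    "12-May-2017 10:14:02.117 client 10.20.30.41#49233: query: www.example.com IN A +",
    "12-May-2017 10:14:05.902 client 10.20.30.77#50120: query: "
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +",
    "12-May-2017 10:14:06.003 client 10.20.30.77#50121: query: "
    "IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN AAAA +",
    "12-May-2017 10:14:09.441 client 10.20.30.12#51002: query: update.microsoft.com IN A +",
    "garbage line that does not parse",
]


def infected_hosts(log_lines=SAMPLE_DNS_LOG):
    """Distinct source addresses that looked up a kill-switch domain."""
    return sorted({src for _, src, _ in find_kill_switch_lookups(log_lines)})


if __name__ == "__main__":
    for ts, src, qname in find_kill_switch_lookups(SAMPLE_DNS_LOG):
        print(ts, src, qname)
    print("hosts that ran the dropper:", infected_hosts())
```

On a network that sinkholes the domain to an internal web server, `kill_switch_reachable()` returns True and `worm_decision()` yields "exit", which is exactly the outcome the sinkhole is meant to force; on a proxy-only network it returns False and the worm carries on, which is the gap the caveat above describes. Feed the detection your real resolver logs after adjusting the regex to their format.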
The Culprit Behind WannaCry
The security firm Symantec assessed that the code behind this malware likely had a North Korean origin, fingering the Lazarus Group, a hacking group that has been tied to North Korea, as the culprits. Beginning their run in 2009 with crude DDoS attacks on South Korean government computers, the group has become increasingly sophisticated, hacking Sony Pictures in 2014 and pulling off bank heists. In December 2017 the US government publicly attributed WannaCry to North Korea as well.
Does It Still Exist?
WannaCry still exists and continues to spread and infect computers, which on the surface may come as a surprise. After all, while EternalBlue is a powerful exploit, it only works against Windows machines that still accept SMBv1 and haven't received the MS17-010 patch, and that patch has been available for free to all Windows users for years (Microsoft even shipped it for the long-unsupported Windows XP during the outbreak). But IT pros know that far too many shops don't keep up with patching, whether through lack of resources, lack of planning, or fear that updating a running system will cause downtime or break crucial software. Systems that genuinely can't be patched (embedded and medical devices running old Windows builds are the classic case) need compensating controls instead: disable SMBv1, block TCP port 445 between network segments and at the perimeter, and keep the device off any network it doesn't need. Note also that a good share of present-day detections are the original kill-switch build, which on a host with internet access still checks the now-sinkholed domain and exits before encrypting anything; the damage today comes from builds with the kill switch removed and from isolated networks where the check fails.