The WannaCry ransomware attack affected an estimated 230,000 computers across 150 countries, costing around $4 billion in losses. The attack took place in May 2017 and was arguably the most devastating cyber-attack to date. It used crypto-ransomware, the most common type of ransomware, in which the victim’s data is encrypted.
How WannaCry Ransomware Works
The WannaCry strain specifically targets computers running Microsoft Windows. To be more precise, it exploits a vulnerability known as EternalBlue, using a hack that was allegedly developed by the United States National Security Agency and made public by a hacking group called the Shadow Brokers. Even though Microsoft released a security patch for this vulnerability a couple of months before the attack was launched, many individuals and organizations failed to install it and were thus left exposed. In addition to leveraging the EternalBlue vulnerability to infect the victim’s device, WannaCry also exploited a vulnerability known as DoublePulsar, which enabled the attackers to create a communication channel between the infected device and their Command & Control (C&C) server, which they used to initiate the attack and perform other relevant tasks.
Once the victim’s computer has been infected and their data has been encrypted, they are presented with a ransom note demanding payment in Bitcoin in order to get their files back. The ransom amount started at $300 and later rose to $600. If the victim refused to pay, their files would be permanently deleted, or at least that is what they were told. It should be noted that few people actually got their data back after paying the ransom, allegedly because the attackers failed to keep a clear record of who had paid. However, research carried out by a company called F-Secure revealed that some of the victims did in fact get their data back.
Examples of WannaCry Ransomware attacks
Many organizations, in many different countries, were hit by the WannaCry attack. Below are a few of the largest organizations that were affected by the incident.
The UK’s National Health Service (NHS)
The NHS was hit hard by the WannaCry attack, which affected hundreds of hospitals and surgeries across the UK. Thousands of appointments and operations were canceled, and ambulances were reportedly rerouted. The WannaCry attack cost the NHS an estimated £92 million.
German rail operators
Deutsche Bahn, a German rail operator, was hit by the WannaCry attack, with some of the electronic boards used to announce arrivals and departures showing a red screen with a message demanding a cash payment (either $300 or $600) in Bitcoin in order to restore access.
Spanish telephone operators
Telefonica, one of Spain’s largest telephone operators and mobile network providers, was hit by the attack, which left hundreds of the company’s computers inaccessible. As the attack unfolded, an audio warning was played over speakers inside the company’s headquarters, asking employees to shut down their machines immediately.
How to protect against WannaCry Ransomware
While the most damaging WannaCry attacks took place within a few weeks after May 12, 2017, the strain is still alive and kicking. In fact, we’ve even seen a significant increase in WannaCry attacks over the last few years. The difference is that most organizations have since installed the relevant security patches, which limits the damage it can cause. That said, there are still lessons we can learn from the attack. Below are some of the most commonly cited ways to protect your systems and data from WannaCry.
- Make sure that all software, including your operating system and anti-virus software, is up-to-date.
- Educate your employees about the nature of ransomware, which includes how to identify and report suspicious activity. Employees must be trained to never open untrusted emails, download applications from untrusted websites, or attach untrusted devices to their machines.
- Use a VPN when accessing the corporate network from an unsecured public Wi-Fi hotspot.
- Ensure that you take regular backups, and store them in a secure location.
- Use intrusion prevention software (e.g. firewalls, IDPS, DLP, and SIEM solutions) to detect and block suspicious inbound or outbound network traffic, the installation of unauthorized software, and other system events.
- Monitor your network for suspicious data-centric activity, which might include the creation of new accounts, out-of-hours access to sensitive data, and other irregular user actions. Most sophisticated real-time auditing solutions allow you to detect and respond to events that match a pre-defined threshold condition, such as when a large number of files have been copied or encrypted within a given time-frame. If the threshold is met, the solution can execute a custom script which may stop a specific process, disable a user account, change the firewall settings, or simply shut down the affected systems.
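The threshold rule described in the last point, as an added example that is not part of the original article or of any particular auditing product: a sliding-window detector run over a constructed file-audit log flags any account that modifies more than a set number of files within a short time-frame (the mass-encryption pattern of WannaCry) and returns the containment action to take, rather than executing it. The log format, account names and paths are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-audit log (not real data): ISO timestamp, account, action, path.
# The .WNCRY suffix on the renamed files mirrors the extension WannaCry appends to encrypted files.
SAMPLE_LOG = """\
2017-05-12T10:00:01 bob WRITE /srv/share/finance/q1.xlsx
2017-05-12T10:00:05 svc_backup READ /srv/share/finance/q1.xlsx
2017-05-12T10:00:07 bob WRITE /srv/share/finance/q2.xlsx
2017-05-12T10:02:30 bob WRITE /srv/share/finance/q3.xlsx
2017-05-12T10:03:00 alice RENAME /srv/share/hr/payroll.docx.WNCRY
2017-05-12T10:03:01 alice RENAME /srv/share/hr/contracts.docx.WNCRY
2017-05-12T10:03:01 alice RENAME /srv/share/hr/policies.pdf.WNCRY
2017-05-12T10:03:02 alice RENAME /srv/share/hr/onboarding.pptx.WNCRY
2017-05-12T10:03:02 alice DELETE /srv/share/hr/payroll.docx
2017-05-12T10:03:03 alice RENAME /srv/share/hr/benefits.xlsx.WNCRY
2017-05-12T10:03:03 alice RENAME /srv/share/hr/handbook.docx.WNCRY
"""

THRESHOLD = 5                    # modifying events per account ...
WINDOW = timedelta(seconds=60)   # ... within this time-frame triggers an alert
MODIFYING = {"WRITE", "RENAME", "DELETE"}  # reads alone are not suspicious

def parse_event(line):
    """Split one audit line into (timestamp, account, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path

def detect_mass_modification(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {account: {"at", "count", "last_path"}} for every account whose
    modifying events inside a sliding window reach the threshold (first hit only)."""
    recent = defaultdict(deque)  # per-account timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_event(line)
        if action not in MODIFYING:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"at": ts, "count": len(q), "last_path": path}
    return alerts

def plan_response(alerts):
    """Map each alert to the containment step the article mentions (disable the account).
    Returns the actions as strings; wiring them to a real script is left to the operator."""
    return [f"disable-account {user}" for user in sorted(alerts)]
```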