What is WannaCry ransomware?
WannaCry is ransomware that spreads across computer networks. Ransomware can be delivered as a trojan, worm, or virus; it encrypts the files on your computer and demands money for decryption. In most cases you cannot recover the key unless you pay the ransom, so the only ways to get your files back are restoring from backup or paying the attacker for the decryption key.
In May 2017 this ransomware spread across the internet worldwide. In the United Kingdom, the National Health Service (NHS) became a victim of the attack, and its entire network was affected. It spread around the world at very high speed; WannaCry is one of the most harmful pieces of malware in history.
This malware exploited a Windows vulnerability. The NSA (National Security Agency) discovered this zero-day vulnerability but did not contact Microsoft to get it patched. Instead, they built an exploit for it, named EternalBlue, which is still used to exploit this Windows vulnerability to gain remote access.
How does WannaCry work?
WannaCry is quite an unusual trojan or worm: it carries a self-replicating payload, which most ransomware does not have. The Windows vulnerability it exploits is in the SMB protocol, which is used for sharing files over a network. SMB is common because larger organizations like to share their data from a central server to all their smaller branches over the network.
So when a person clicks on this malware, it starts reaching out to other unpatched devices on the network, scanning for hosts with port 445 open. The exploit is directed at those hosts and runs the same code on each target machine.
Most ransomware is a trojan because it masquerades as something else and is usually sent via email in a phishing or spear-phishing attack. WannaCry is also a worm, as it can propagate itself using this exploit.
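The worm-like spread described above has a recognizable network signature: one internal host suddenly reaching many distinct neighbours on port 445. The following detection routine is an added example, not code from the original article; the log format, the sample lines and the threshold (5 distinct SMB targets within 60 seconds) are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection-log lines (assumed format):
# "<ISO time> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.9:445
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.10:445
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.11:445
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.12:445
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.13:445
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.14:445
2017-05-12T10:00:05 10.0.0.7 -> 10.0.0.20:445
2017-05-12T10:00:06 10.0.0.7 -> 10.0.0.20:445
2017-05-12T10:00:07 10.0.0.8 -> 10.0.0.30:443
2017-05-12T10:05:00 10.0.0.5 -> 10.0.0.15:445
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_scanners(log_text, threshold=5, window=timedelta(seconds=60), port=445):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on `port` inside some sliding `window`.
    Repeated connections to the same host (normal file-share use) do not count."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Run against the sample, only 10.0.0.5 is flagged (six distinct SMB targets in four seconds); 10.0.0.7 talks repeatedly to a single file server and is ignored.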
How did WannaCry stop?
A computer hacker, Marcus Hutchins, basically stumbled upon a kill switch for it. He noticed that the malware queried an unregistered internet domain name. If that name resolved, the ransomware would automatically stop spreading across the network. As soon as the domain was registered and went live, all future installations of the WannaCry ransomware stopped immediately.
But, as Marcus Hutchins expected, other versions of this malware were released, probably just by hex-editing the kill switch out. Microsoft patched the vulnerability, and the impact of the malware was reduced accordingly. Further, the SMB ports were blocked internally by firewalls. Even so, many networks had already been compromised.
How does WannaCry encrypt files?
WannaCry uses both symmetric and asymmetric (public-key) cryptography, combining the two to make the attack effective. First, the ransomware is designed to work offline: even if it cannot reach its command and control server, it will still encrypt your disk. When a naive ransomware runs, it generates a decryption key, sends it to the command and control server, and deletes it from the computer. But while that key is in transit on the network, the traffic can be intercepted and the decryption key recovered, so from the attacker's point of view that is not a good solution.
In WannaCry's case this is where asymmetric encryption comes in: the decryption key is itself encrypted before being sent back over the network. Because the file key is encrypted with a public key, the attackers can hand over the matching private key only after the victim pays the ransom. When WannaCry runs, it generates the keys used to encrypt your files, sends the private key to the command and control server, and then deletes it.
These keys are hidden on the dark web; the onion addresses of the servers are completely anonymous. The private key is generated by the command and control server, and only this key can decrypt the files. The good news is that if someone on the dark web discovers these keys, the files can be decrypted by making the keys public. A series of encryption steps takes place while this ransomware runs.