WannaCry: Powerful-NSA Grade Ransomware Grinds to a Halt

Wanna cry? You certainly will once your system gets hit by the WannaCry ransomware. Over 700,000 systems have been hit worldwide by this rampaging ransomware often in the groin as critical systems are forced to shut down. There have been reports of several patent-support systems in hospitals compromised by this ransomware forcing patients to transfer elsewhere. Other notable victims include FedEx, Telefonica Systems in Spain, Nissan Motors Manufacturing in the UK and the National Health Service (NHS) also in the UK. The malware was derived from one of the NSA’s hacking tools making it a worrisome threat to security experts, but thankfully, someone found a way to halt its advance.

WannaCry is derived from the stolen Eternal Blue Exploit from the US National Security Agency which targets a vulnerability within the Windows Operating System. The vulnerability is Windows’ Server Message Block (SMB) protocol mostly used in shared file access. Once a system is infected, the ransomware spreads through a network’s shared file folders and proceeds to encrypt the hard disk’s contents.  The SMB protocol has been in use since Windows 2000 up to Windows 10. Microsoft has issued a patch against this as early as March. Users who make it a point to update their systems have some level of protection against this ransomware. It’s unfortunate however that older systems no longer supported by Microsoft such as Windows XP and recently Windows Vista cannot benefit from the patch.

“This was eminently predictable in lots of ways… As soon as the Shadow Brokers dump came out everyone realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP (widely used by NHS) for which there is no patch.”

     — Ryan Kalember, Proofpoint

Wannacry could have become a serious worldwide threat if not for the discovery of a kill-switch within the ransomware itself. Wannacry has affected systems in Europe and Asia including the UK, Russia, China, India, Italy and Spain. By May 12, the ransomware made its way to the US and countries in South America. Since Wannacry is a derivative of an NSA tool, there was a hardcoded kill-switch within the program that halted its advance.

The kill switch involves the ransomware accessing a nonsensical domain name. If the ransomware gets a response from the site, it becomes inert and stops spreading. The world owes its gratitude to a Proofpoint cybersecurity researcher going by the Twitter account @malwaretechblog. He managed to find out the domain name and registered it. The registration stopped the malware from spreading but doesn’t help already-infected systems.

wannacry ransomeware didn't hurt as many as it could

So how much would it cost to release the hostages? 300 dollars-worth of cryptocurrency or bitcoin. 300 dollars should be easy but getting into the bitcoin bandwagon is not so simple. The fastest way to deal with Wannacry and other ransomware is to keep backups handy as well as installation or imaging media to restore infected systems.

Wannacry has unfortunately proven the great risk many users take in not upgrading their older systems simply because they still work, out of budget or owners harboring contempt over perceived unfair or malicious practices by Microsoft. This also proves the importance of having systems constantly updated especially if they connect to the internet. Perhaps critical institutions such as hospitals or government offices should consider upgrading or disconnecting their critical systems from the internet altogether if they still choose to use their older operating systems. Adequate protection and security policies work too. Such is true for all malware.