Skip to content
Skip to main content
header search
ahihi OpenLearn
OpenLearn
Menu
sticky search

About this free course

Author

Become an OU student

Download this course

Share this free course

Course content Course content
Learning from major cyber security incidents
Learning from major cyber security incidents

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

2.2 How did it work?

WannaCry belongs to a class of malware known as ‘worms’. As you saw in Activity 2, these are stand-alone, self-replicating programs that spread through network connections, accessing uninfected machines and then hijacking their resources to transmit yet more copies across the network.

Similar to a typical malware worm, WannaCry contains an infection module and a ‘payload’. The infection module is responsible for spreading the malware, while the payload module undertakes the actual attack. The payload module of WannaCry locks data files using encryption and handles the process for demanding a ransom. Once the malware is executed, both modules work at the same time.

However, compared to other worms, WannaCry spread much more quickly. How did it achieve this rapid spreading? The security experts who analysed the malware believed it employed a powerful hacking tool known as EternalBlue. This exploited a vulnerability in Microsoft Windows operating systems, allowing the malware to install and execute itself on a vulnerable computer without any action from the computer user.

The vulnerability exploited by EternalBlue existed in almost all versions of Windows operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10, as well as some server and embedded versions. EternalBlue is believed to have been developed by the US National Security Agency (NSA) and then stolen by a hacking group known as the Shadow Brokers, who had been trying to sell it on the black market for a number of months before the WannaCry attack (Woollaston, 2017).

EternalBlue exploited a defect in Microsoft’s implementation of the Server Message Block (SMB) protocol, which allows applications on a computer to access files and services on other computers. This remote access to files and services usually happens within the same local area network (LAN), but it is possible for a computer outside the LAN to access files and services too if firewall settings allow it to do so (e.g. through the internet). However, allowing computers outside your LAN access will significantly increase the risk of attacks.

Once the WannaCry malware infects a computer, it will scan all computers within the same local network and some computers on the internet for the EternalBlue vulnerability. When vulnerable computers are found, it installs itself on these computers and executes the malware. Therefore each infected computer becomes an attacker and will keep looking for new victims. This is how the malware can spread so quickly. Figure 1 illustrates how WannaCry infects a computer.

Described image
Figure 1 WannaCry’s infection process
Show description|Hide description

This figure shows a diagram of WannaCry’s infection process. The diagram has three grey rectangles side-by-side. The orientation of the rectangles is lengthways and from left to right they are numbered 1, 2 and 3 shown in a small black circle at their top left corners. Each rectangle has a darker grey area at the top in which there is a title.

The rectangle on the left, numbered 1, has the title ‘Arrive via exploit’. In the lower part of the rectangle there is a square-shaped icon with the label ‘Eternal Blue’.

The rectangle in the middle, numbered 2, has the title ‘execute the malware’. In the lower part of the rectangle there is an icon that looks like a document with the label ‘EXE’ and below that, situated at the bottom of the rectangle is a cloud icon with the label ‘Queries domain used as kill switch’.

The rectangle on the right, numbered 3, has the title ‘Encrypt data files’. In the lower part of the rectangle there is an icon of a padlock.

An arrow flows from the ‘Eternal Blue’ icon in the rectangle 1 to the ‘EXE’ icon in rectangle 2. Two arrows flow from this icon: one goes right to the padlock icon in rectangle 3 and the other, which is dotted, goes downwards to the cloud icon immediately below. From this cloud icon, another dotted arrow flows to the ‘Eternal Blue’ icon in rectangle 1. This dotted arrow has the label ‘Spread to other devices’.

Figure 1 WannaCry’s infection process

Once installed, the payload module will look for a range of data files, including documents and images, on the infected computer and encrypt them using a complex combination of symmetric and asymmetric methods to ensure the files cannot be unencrypted easily. It then executes the ‘Wana Decrypt0r 2.0’ and displays a black Windows desktop background image with instructions in red text. Figure 2(a) shows the desktop background image, while Figure 2(b) shows the interface of the ‘Wana Decrypt0r 2.0’. This tells the victims that their data files have been encrypted and that they have to pay a ransom of $300 to a given address if they want to recover all their files. The ransom is to be paid in bitcoin, which is a digital currency but can be bought with real money at bitcoin exchanges. The interface also has three-day and seven-day countdown timers – these are used to create a sense of urgency, as the note in the interface states that the ransom will be doubled after three days and the data files will be deleted after seven days. To convince the victims that the ‘Wana Decrypt0r 2.0’ can recover their files, it offers a free demonstration of a few files being decrypted.

Described image
Figure 2  (a) The desktop background image showing the instruction to open ‘Wana Decrypt0r’; (b) the interface of Wana Decrypt0r 2.0
Show description|Hide description

This figure shows two screen shots side by side.

The screenshot on the left is labelled ‘(a)’. It shows a Windows desktop with a black background. There is the following text on the desktop: ‘Ooops, your important files are encrypted. If you see this text but don’t see the “Wanna Encropt0r” window, then your antivirus removed the decrypt software or you deleted it from your computer. If you need your files you have to run the decrypt software. Please find an application file named “@WannaDecryptor@.exe” in any folder or restore from the antivirus quarantine. Run and follow the instructions!’ All the text is in red except for the phrases “Wanna Encropt0r” and “@WannaDecryptor@.exe” which are in blue.

The screenshot on the right is labelled ‘(b)’. It shows the Wana Decryptor 2.0 interface. Not all the details are described.

The background colour of the page is maroon. There is a scrollable window with a white background that occupies approximately two thirds of the page with its top right corner near the top right of the page. At the top of the page, in the maroon area there is the heading ‘Ooops, your files have been encrypted!’ To the left of this there is a padlock icon. There is text in the scrollable box and the scroll bar indicates that only two thirds of this text is currently visible. The text is split into three sections each with a heading.

The first section is headed ‘What Happened to My Computer?’ Below that the text reads ‘ Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.’

The second section is headed ‘Can I Recover my Files?’ Below that the text reads ‘Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking . But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don’t pay in 7 days, you won’t be able to recover your files forever. We will have free events for users who are so poor that they couldn’t pay in 6 months.’

The third section is headed ‘How Do I Pay?’ Below that the text reads ‘Payment is accepted in Bitcoin only. For more information, click . Please check the current price of Bitcoin and buy some bitcoins. For more information, click . And send the correct amount to the address specified in this window.’

To the left of the scrollable window there are two text boxes, one above the other. The top box is headed ‘Payment will be raised on’. Below that there is a date and a countdown timer showing the time remaining. It is showing ‘03:23:59:47’. The lower box is headed ‘Your files will be lost on’. Below that there is a date and a countdown timer showing the time remaining. It is showing ‘06:23:59:47’.

Below the scrollable window there is a text box with the words ‘Send $300 worth of bitcoin to this address:’. The address has been obscured. Below this are what appear to be two buttons. The button on the right has the label ‘Check Payment’ and the button on the right has the label ‘Decrypt’.

Figure 2  (a) The desktop background image showing the instruction to open ‘Wana Decrypt0r’; (b) the interface of Wana Decrypt0r 2.0...

When the attack broke out, security experts generally advised users not to pay the ransom, as it was not guaranteed that the files would be recovered after payment (Baraniuk, 2017). It might also encourage more attacks if attackers saw this as an easy way to make money.