Ransomware attacks can hit hard and fast, with organizations unaware of the issue until the damage is already done. WannaCry spread to businesses around the globe in mere hours on May 12, and by the afternoon, the infection was making national headlines. Companies and consumers alike panicked in the fallout of WannaCry’s ransom demands, wondering if their systems would be affected and how to prevent their hardware from getting breached. For the victims, the question was whether or not to pay to restore their data.
As time passed, solutions and patches to WannaCry have emerged to protect users, while those affected have taken action to recover. How could this strain have made as big of a splash as it has and what does it mean for the future? Here’s everything we know about WannaCry ransomware so far:
Europe Was Hit First
Earliest infection reports show that the first attack struck in Europe, where a computer user unknowingly opened a malicious email attachment, allowing WannaCry into their system. According to the Financial Times, Spanish mobile operator Telefónica was among the first organizations to report a WannaCry infection. Shortly after, U.K. hospitals and clinics, French carmaker Renault, as well as some Russian and U.S. organizations announced they had been impacted. In total, at least 200,000 companies around the globe were attacked by WannaCry ransomware.
It Was Developed With Leaked NSA Tactics
The U.S. National Security Agency has been developing and refining its arsenal of hacking techniques, but WannaCry’s capabilities struck a familiar chord with the group. In summer 2016, a group known as the “Shadow Brokers” started leaking software tools coming from the U.S. government. According to the New York Times, it’s believed that these methods came from NSA’s Tailored Access Operations unit, which infiltrates foreign networks, and that Russia may have been involved in the theft of these tools.
To make matters worse, security firms around the world warned organizations that the NSA leak might lead to a cyber weapon, and that an attack could impact them. The problem is that so many threats are reported and overhyped, creating a sea of cyber security risks and alarm fatigue, according to the Los Angeles Times.
WannaCry is believed to have been spawned from the NSA’s cyber spying tool known as EternalBlue, which was stolen and leaked online. EternalBlue uses a security loophole within Windows operating systems to spread malicious code within file-sharing structures without user permission. In work environments where file sharing is part of everyday tasks, the ransomware can easily spread to unsuspecting users and cause damage.
A Kill Switch Slowed Its Terror
Whenever these events happen, it’s a rush against time to minimize the threat. Microsoft released emergency patches including a fix to protect aging devices using Windows XP, which the company hasn’t supported since 2014. Malware analysis expert MalwareTech found a critical kill switch to stop WannaCry from locking computers and slow down its spread.
Before WannaCry encrypts the contents of a machine’s hard drive, its code tries to communicate with a certain web address. If the domain is inactive, the communication fails and WannaCry continues infecting the device. MalwareTech discovered this Achilles’ heel and registered the domain, which shut the ransomware down, at least temporarily, according to Wired. Why the kill switch existed in the first place puzzled the cyber security world. Some posited that it might have been intentional, either to help the creators rein the ransomware in if they wanted to or to shield it from being analyzed by security professionals.
Protecting Yourself From WannaCry
This likely isn’t the last that the world has seen of WannaCry. Its low demand of $300 in bitcoin demonstrates that this could have just been a preliminary test. It serves as an important reminder for organizations to train employees on proper ransomware prevention and to update their systems. DarkReading contributor Gary Warner noted that businesses should migrate away from legacy systems like Windows XP. If keeping a legacy system is absolutely necessary, test it to prove that it’s truly network-isolated from everything.
Companies can take action to protect themselves by using backup strategies. When ransomware hits, rather than paying the attacker, simply use backups to retrieve data and recover quickly. Organizations can also use reboot-to-restore tools to keep computer configurations in a frozen state across all terminals. This means that if anything malicious is downloaded, it will be removed upon the next startup.
WannaCry and similar ransomware strains are becoming more prevalent as the technology advances. Businesses must take action now to implement security measures, establish a backup strategy and integrate reboot-to-restore tools. Organizations will have peace of mind that threats are being prevented while providing users with the resources they require to operate effectively.