WannaCry Ransomware Outburst

May 15, 2017
Info notes

Updated on 17th May 2017


On May 2017, multiple companies and organisations around the world were hit by variations of a crypto-ransomware dubbed WannaCry / WannaCrypt / WanaCrypt0r / WCrypt / WCRY (here on called WannaCry for simplicity). The ransomware also acts as a worm and once it infects a system, it then self-propagates throughout the rest of the network. The ransomware campaign caused chaos due to its massive distribution, affecting more than 150 countries and infecting over 230,000 systems. Interestingly the attack was mounted on Friday 12th May 2017, just before the weekend, making it very difficult for companies and organisations to quickly react and resolve the crisis.

Background & Attack vector

Ransomware is one of the top threats identified in ETL 2016. Crypto ransomware is a type of malware that encrypts a user’s data and asks a ransom (in bitcoins) in order to decrypt them.

Users affected by WannaCry have their files encrypted. Each file is encrypted with a different encryption key. The criminals send a message to the affected user that they must pay a ransom of $300 (around €275) in Bitcoins. However, even after paying there is no guarantee that the files will be decrypted. According to the ransom note left by the ransomware, failing to do so within three days the ransom would be doubled ($600, approximately €550). Users unable to pay within six months would have their files decrypted for free. At the time of writing this paper the amount that the attacker received (from a review of their bitcoin wallets by ENISA) was approx. $77,000 (€69,000) paid by over 250 victims

Ransomware usually spreads via phishing e-mails containing malicious attachments or hyperlinks. This deployment technique uses social engineering in order to mislead the recipient to activate the malware in their system.

In the case of WannaCry the initial threat and entry vector is not clear. There are two possible scenarios:

  • Phishing/spear-phishing was used as an initial attack vector followed by the worm-spreading functionality of the ransomware which exploited a Microsoft Windows vulnerability.
  • Internet scanning for systems vulnerable to a Microsoft Windows vulnerability and remote exploitation of the vulnerable systems.

The latter scenario is most probable due to the mass and rapid spread/deployment of the ransomware around the globe. 

Infection & Propagation

What’s particularly interesting about the WannaCry ransomware variant is its successful worm-spreading functionality. It exploits a known SMB vulnerability (Server Message Block is a Microsoft Windows protocol for file-sharing over a network) and once a system becomes infected the ransomware propagates to the rest systems of a network and infects them -if they are vulnerable. Moreover, it also scans for public IPs in its attempt to infect external networks as well. WannaCry ransomware exploits an SMB vulnerability, which is known to be leveraged by the “EternalBlue” exploit that was revealed in the recent “Shadow Brokers” leak in April 2017. The leak contains hacking tools/cyber weapons allegedly owned or developed by the NSA. Upon infection, the ransomware also installs the “DoublePulsar” backdoor (also part of the “ShadowBrokers” leak). It was also reported that even if the “EternalBlue” exploit fails, the malicious code tries to leverage the “DoublePulsar” backdoor, which might have been installed in a previous attack. This backdoor allows the attacker to have remote access to the infected computer system so that additional malware can be loaded on to the victim. As an example, this backdoor could in theory allow for data exfiltration.


Figure 1: Timeline of event

The fact that the ransomware essentially also acts as a worm is the main reason for its speed of propagation. This is not the first time such a worm-spreading approach has been seen. Conficker (2008) is another example of a worm exploiting an earlier Windows SMB vulnerability MS08-067 with a similar worm spreading technique. Conficker effectively infected millions of computers around the world. The key difference between them is that WannaCry is encrypting files in the infected systems making the effects of the infection even more devastating. WannaCry is not the first “ransomworm” (ransomware and worm). Zcryptor and Alpha also had worm spreading capabilities.

A few hours after the outbreak of the ransomware a security researcher managed to constrain the rapid spread of WannaCry by registering a domain identified in the binary code of the malware, which was used as a kill-switch. The registration of the domain enabled the kill-switch and slowed down the malware propagation. Since the malware was not proxy aware (ignores the proxy settings of the machine), the kill-switch was not as effective as it was initially thought to be as many infected machines did not have direct access to the internet. A few other variant/s with different kill-switches have already been launched and have been identified. In that context, the cyber-attack has been evolving and continuing.




Figure 2: ATM (left) and Deutsche S-Bahn (right) infected by WannaCrypt

WannaCry has spread through a massive campaign affecting over 230.000 systems around the world from different sectors. To name a few: Spanish Telecommunications company Telefonica, UK’s National Healthcare Service (NHS), Deutsche Bahn systems, Renault and Nissan and manufacturing plants, Universities etc.

Figure 3 Live map with ongoing infections 15.05.2017 15:30 GMT+2


If you have been hit by WannaCry - during the infection

In some cases (depending on the privileges acquired by the malware during its execution), if your system is running one of the following Microsoft Windows versions:

Windows 7, Windows 8, Windows 8.1, Windows 10 with UAC (User Account Control) and shadow copies enabled -prior to infection,it is possible to prevent the deletion of the backups of the system even if the rest of the files have been encrypted by WannaCry. In order to manage this

Pay attention and DO NOT click YES on the UAC prompt window appearing during the infection

See image below:

Figure 4 UAC WANACRY bypass prompt

Since the operation for deleting the shadow copies of the system requires local administrator rights the User Account Control will prompt the user for allowing elevated privileges in order to execute the operation.

If the user follows the aforementioned recommendation, the existing shadow copies will not be deleted by the ransomware. Therefore, the user can disinfect the machine and then proceed in restoring all of the files using their shadow copies, which are intact, by following this guide.

If you have been hit by WannaCry – Right after the infection

  • Isolate and take the infected host/s offline in order to contain the ransomware and prevent it from spreading to the rest of the network and external networks.
  • Do not pay the ransom. It is highly probable that paying the ransom will not lead to the decryption of your files. It has been reported that people who have already paid the ransom have not had their files decrypted.
  • Affected users should be vigilant for fake decryption tools that claim they can help them decrypt their files. At the time of publishing this report there is no decryption tool available. Users are advised not to download and execute tools coming from untrusted sources.
  • It was reported that in some cases a user’s files may be recoverable without the existence of a backup. User files saved on the “Desktop”, “My Documents”, and on removable devices are encrypted after the infection and their original files are wiped. On the other hand, files stored elsewhere on the system still get encrypted but the original files are simply deleted –not wiped, which means that they might still be recoverable with the use of forensic tools.

If you have NOT been hit by WannaCry

If your systems have not been hit by the ransomware, please apply the following recommendations as soon as possible:

  • Back-up and protect your systems and files
  • Patch your system with Microsoft’s patch which addresses the SMB vulnerability. Microsoft has published this patch since March 2017. In the event of the massive spread of the malware affecting legacy Microsoft Systems (e.g. Windows XP, Windows Server 2003) and Microsoft Windows 8, Microsoft released patches for these versions of Windows as well.
  • Update your Antivirus signature database to the latest version. Antivirus firms are now detecting all the current variations of the ransomware.
  • Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 from untrusted sources. Additionally, filter NetBIOS port 139 and RDP port 3389 in order to refrain WannaCry from infecting other devices in the same network segment. 
  • CCN-CERT (Spanish CERT) has reportedly developed a Vaccine, which allegedly prevents WannaCry from executing and encrypting a system if the systems gets infected by WannaCry afterwards. While ENISA has not verified the effectiveness of this software users can get more information from their web site.
  • If you are unable to patch your system disable SMBv1:

Powershell command:

PS H:\> Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

  • or

Manual removal using Windows Add & Remove programs feature:

Add Remove Programs -> Turn Windows features on or off -> Untick SMB v.1

  • or consult:

Microsoft offers instructions on how to do this.

For detection purposes there are available different types of indicators of compromise.

Follow best security practices

Proactively please follow best security practices ensuring a good security hygiene:

  • Never use high privileged system / domain accounts for daily business
  • Keep your operating system and installed software always up-to date
  • Apply security patches/updates as soon as they become available
  • Backup your systems/files following the 3-2-1 scheme. Verify that backups are fully operational
  • Do not open suspicious e-mails and attachments
  • Restrict access to network resources, block unnecessary ports, disable unnecessary services and segregate your network separating core operational systems from the rest of the network

General Recommendations for protecting against ransomware are provided in ENISA’s Info Note about Locky ransomware. More information on prevention measures against ransomware are provided here and here.

Observations & Conclusions

Even though the patches addressing the vulnerability exploited by the ransomware were available since March 2017, the impact is quite significant. It should be noted that the similar Conficker malware affected millions of users. This is because in particular cases patching is not that straight forward due to the type of work and characteristics of the systems in certain types of environments. For example, critical financial systems used by banks, stock markets or other organizations running legacy systems would not risk in deploying such patches due to the potential negative impact.

The evolution of ransomware has been significant. From simple ransomware that locked the users’ systems, ransomware quickly moved to crypto-ransomware, then to ransomware with wiping capabilities (being able to spot and erase system backups) and finally to ransomworms with worm-spreading capabilities. It is now clear that after WannaCry, the trend of ransomworms will rise and many improved copy-cats will appear aiming for a share in this lucrative business. Self-propagating ransomware (and other types of malware in general) with remote code execution capabilities are going to be the next big threat of cyber security. By adding the inherently insecure IoT devices to the equation, the consequences are more than foreseeable. Thus, the world and Europe must learn from current events and be in a position to respond when the next crisis arrives.


We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information