Select language

What is WannaCry?

Infecting more than 230,000 Windows PCs worldwide — many of them belonging to government agencies and hospitals — WannaCry is the most widespread ransomware attack seen so far. Our Avast antivirus has successfully blocked more than 2 million WannaCry attacks.


What is WannaCry?

WannaCry ransomware targets networks using SMBv1, a protocol that helps PCs communicate with printers and other devices connected to the network. This version, dating back to 2003, left computers exposed to hackers, a vulnerability labeled as MS17-010. Microsoft released a patch to fix this earlier in March for versions of Windows it still supported, but anyone who didn’t install it became an easy target for the hackers who built WannaCry.

Hamburguer menu icon

This article contains:

    Also known as WanaCrypt0r 2.0, or WCry, WannaCry takes advantage of PCs running Windows to encrypt files and block users from accessing them, unless they pay $300 worth of bitcoins within 3 days. After that, the price doubles.

    Who is WannaCry targeting?

    During a major ransomware outbreak in May 2017, Russia, China, Ukraine, Taiwan, India, and Brazil were the most targeted countries. WannaCry has affected both individuals, as well as government organizations, hospitals, universities, railway companies, tech firms, and telecommunications providers in over 150 countries. UK’s National Health Service, Deutsche Bahn, Spanish company Telefónica, FedEx, Hitachi, and Renault were among the victims.


    Where WannaCry comes from

    Experts have noticed that WannaCry ransomware behaves like a worm, using two attack methods found in the leaked arsenal of the NSA (ETERNALBLUE and DOUBLEPULSAR). They also found evidence linking the ransomware outbreak to the North-Korean Lazarus Group.

    In 2014, the hackers — known to use bitcoin in their operations — have wiped almost a terabyte’s worth of data from Sony Pictures’ database. They also created a malicious backdoor in 2015, and were involved in an $81m cyberattack on the Central Bank of Bangladesh in 2016.

    How to recognize WannaCry

    You probably won’t be able to recognize WanaCrypt0r 2.0 before infection, because it doesn’t require your input to do so. This type of ransomware behaves like a worm, spreading through networks and making its way to your PC, where it finally encrypts your files. When infected, you receive a warning and you won’t be able to access your files, or worse — you won’t be able to log in to your computer at all.



    How to remove WannaCry

    You can remove WannaCry using an antivirus software, but unfortunately that doesn’t magically decrypt your files. Once you’ve been affected, there is little you can do about it. Avast Free Antivirus comes with a ransomware decryption tool, but the encryption in WannaCry is very strong (AES-128 combined with RSA-2048). Your best hope is recovering your files from a backup, if possible, but first you have to clean and update your computer.

    How to prevent WannaCry

    To stay safe from WannaCry ransomware attacks, it’s vital to keep your software — especially your operating system — up to date. Microsoft recently made patches available even for older versions of Windows it no longer official supports. Make sure you use an antivirus, as this will help detect any suspicious activity on your computer. Avast will protect you with or without a patch. Advanced users can configure their Firewall settings, to control network traffic using specified connection parameters. These are called packet rules and may include network protocols, source or destination IP addresses, and local and remote ports.

    Protect your iPhone from threats
    with free Avast Mobile Security


    Protect your Android from threats
    with free Avast Mobile Security