We’re sorry, your browser appears to be outdated.
To see the content of this webpage correctly, please update to the latest version or install a new browser for free, such as Avast Secure Browser or Google Chrome.

Not sure which solution is right for your business?

What is WannaCry Ransomware?

WannaCry ransomware can encrypt your files, folders, and applications, making them inaccessible until a “ransom” is paid. As the number of ransomware attacks on businesses continues to grow, in size and scale, learn who created WannaCry, how it infects networks, and how you can protect your systems from such attacks.

What is the WannaCry ransomware attack?

WannaCry is a type of ransomware – a malware that encrypts data, either specific files or entire computer systems, and demands a ransom payment to decrypt them. WannaCry infects devices by exploiting a vulnerability in Windows software and has caused far-reaching financial and reputational damage.

WannaCry was developed from an exploit code-named EternalBlue, which was stolen from the US National Security Agency (NSA) by the cyberhacking group, The Shadow Brokers. The group used the exploit to target unpatched or outdated Windows operating systems. Although Microsoft had released patches to strengthen their software, many organizations had not installed these updates, allowing hackers to exploit these vulnerabilities and carry out an attack.

On 12 May 2017, WannaCry ransomware saw one of its most significant attacks to date. Spreading to more than 230,000 Windows PCs in over 150 countries in just one day, it affected businesses, government agencies, and medical facilities. Notable companies that were hit include Telefonica, Deutsche Bahn, LATAM Airlines Group, FedEx, as well as automotive companies, Hitachi, Renault, and Honda.

The UK’s National Health Service (NHS) was also one of many healthcare services that was affected because of unpatched Windows software, rendering multiple systems to become encrypted and inaccessible. The attack caused billions of dollars worth of damage worldwide and is known to be one of the most significant ransomware events to date.

The WannaCry ransomware was finally stopped by cybersecurity expert Marcus Hutchins. In the same month, he developed a domain name that effectively acted as a kill switch to stop the malware in its tracks and hindered any attempts to remove it.

Many businesses are now aware of the importance of patching, but there are many methods used by bad actors to access business systems. Ransomware remains a significant danger for several reasons:

  • It can result in extensive financial and reputational damage
  • The average downtime a company experiences after a ransomware attack is 21 days
  • It can pose compliance challenges and open your business up to further repercussions.

Who created WannaCry?

Although The Shadow Brokers stole the EternalBlue exploit housed by the NSA, the code was further developed and weaponized by other hacking groups. Both the UK and US governments have since announced that they believe North Korea’s hacker division, the Lazarus Group, to be behind WannaCry.

In February 2021, the US Department of Justice confirmed that three North Korean computer programmers were charged for creating and distributing WannaCry ransomware, extorting money from victims, and stealing sensitive data.

How does WannaCry infect networks?

WannaCry ransomware looks for vulnerabilities in Windows operating systems, utilizing the EternalBlue exploit code. This involves accessing the Server Message Block (SMB) protocol, which enables users to access shared files and services, encrypt files, and then ask for a ransom payment. It is similar to Phobos ransomware, an older type of ransomware that looks for unprotected Remote Desktop Protocol (RDP) ports.

In the event of a WannaCry attack, the exploit will send an SMB Echo request code to a targeted Server Message Block (SMB) protocol used by Microsoft Windows devices. If there is no response to the request, a backdoor (a way into the system that avoids authentication and authorization security measures) is established.

Using the backdoor malware tool, DoublePulsar, to execute WannaCry ransomware, hackers can build a connection that enables information to be taken, or to input malware, such as WannaCry ransomware, into the system.

The tool enables hackers to develop a connection between the SMB (TCP port 445) or RDP (TCP port 3389) protocols and deploys an Asynchronous Procedure Call (APC). This step enables the tool to release a DLL into the Local Security Authority Subsystem Service (Lsass.exe), which is responsible for Windows operating system security policies, such as password changes and authentication services, as well as the replication of programs. Once this is completed, shellcode can be released into these systems, otherwise known as heap spraying and the existing backdoor code can be eradicated.

Once WannaCry ransomware gets into one device, it uses its worm-like capabilities to also scan the network for other devices which house similar unpatched or outdated software or weaknesses and will replicate its malicious code across these devices.

Unlike many other types of ransomware attacks, WannaCry ransomware makes its appearance abundantly clear by displaying a similar message to the one shown below and demanding a ransom payment.

Once your devices are infected, the only way to access your files is by using an external backup of your files and folders, if this is available, or by paying the ransom. However, this is not advisable, and it is not guaranteed that you will regain access to your operating systems.

Windows patches

Following the WannaCry ransomware attacks in 2017, Microsoft developed emergency security patches for all its Windows systems, including Windows XP, Windows Vista, Windows 8, and previous Windows Server editions. They released an announcement to state that if customers have automatic updates enabled, they will be protected – customers with manual update settings were “encouraged to install the update as soon as possible.”

With ransomware attacks continuing to evolve, increasing in both frequency and sophistication, the average ransom fees have increased from $5,000 in 2018 to around $200,000 in 2020, according to the National Security Institute. In 2021, a payout of $40 million was made by an insurance company, setting a new world record for the largest ransomware payment.

Malware remains a lucrative business for cybercriminals, and very few strains of ransomware have publicly available decryption keys. This means that removing ransomware from your PC and associated devices is complex, and it may not be possible to recover your files (even if your business pays the ransom). It is therefore essential to take vital steps to prevent a ransomware attack, including software patching, to ensure your business remains safe from future cyberattacks.

Is WannaCry still active?

A kill switch was able to stop the May 2017 WannaCry attack and Microsoft released a patch to secure vulnerable operating systems from the EternalBlue exploit, but the ransomware remains an active threat.

WannaCry continues to be updated by hacker groups and remains a significant threat to businesses. Sophisticated strains of ransomware, such as Petya and NotPetya, were inspired by WannaCry and house similar capabilities by searching for the same vulnerability across Windows applications. The percentage of organizations victimized by ransomware attacks worldwide has also risen, from 55.1% in 2018 to 68.5% in 2021.

With many threats within the cybersecurity landscape, the installation of ransomware protection tools will therefore be essential.

How to prevent a ransomware attack

Taking active steps to prevent a ransomware attack on your business is instrumental in keeping your digital assets secure:

  • Complete regular network inspections: Routine inspections of your business activities should include vulnerability assessments that scan your network, connected devices, and applications for any vulnerabilities within your software that could lead to an attack or data breach.
  • Cybersecurity awareness training: Security strategies should include cybersecurity training. This should aim to raise employee awareness of common attack vectors, such as receiving an email from an unknown source and becoming a victim of phishing, or clicking on an attachment that could contain a Trojan Horse malware.
  • Password policy: The adoption of a password policy should encourage employees to use robust passwords that safeguard your organization from external threats, as well as the use of Role-Based Access Control to protect data and sensitive files.
  • Updating your operating system and applications: Preventing threats that can impact your business and securing important files and applications will be essential. This will include updating your systems regularly and deploying tools that automatically patch any software vulnerabilities.

Protect against a WannaCry ransomware attack

Since 2017, Avast has blocked over 170 million WannaCry ransomware attacks. Discover how our Small Business Solutions can provide your business with simple yet powerful protection tools – securing your devices and data from malware, phishing, ransomware, and other advanced cyberattacks.


Almost done!

Complete installation by clicking your downloaded file and following the instructions.

Initiating download...
Note: If your download did not start automatically, please click here.
Need Help? Please call 855-745-3255
Click this file to start installing Avast.