WannaCry Ransomware

What Is WannaCry Ransomware?

WannaCry is a notorious piece of ransomware that is capable of rapidly infecting and spreading through computer networks.

It poses a significant threat to data security and has caused widespread disruption.

Anatomy of Infiltration

WannaCry operates by employing multiple components to infiltrate a target computer system.

It enters in the form of a self-contained program known as a dropper, which extracts the application components embedded within it.

These components include an encryption and decryption application, files containing encryption keys, and a copy of Tor, a network anonymization tool.

Functionality and Vulnerabilities

Unlike some other ransomware, WannaCry’s program code is not heavily obfuscated, making it relatively easy for security professionals to analyze.

Once launched, the ransomware attempts to connect to a hard-coded URL called the kill switch.

If the connection is unsuccessful, it searches for and encrypts files of specific formats, such as Microsoft Office or MP3 files.

This encryption renders the files inaccessible to the user.

Subsequently, WannaCry displays a ransom notice demanding a specific amount of currency, often in the form of Bitcoin (BTC), in exchange for decrypting and recovering the files.

WannaCry primarily exploits a vulnerability within the Windows implementation of the Server Message Block (SMB) protocol.

This protocol allows communication between nodes on a network, and a flaw in Microsoft’s implementation can be manipulated using specially crafted packets to execute arbitrary code.

WannaCry’s Vulnerability Exploitation

WannaCry serves as a prominent example of crypto ransomware, utilizing encryption to hold potentially valuable files hostage and sometimes even locking users out of their own computers.

Ransomware that employs encryption is commonly referred to as crypto ransomware, while variants that block computer access are known as locker ransomware.