It was Friday, May 2017 when the new worldwide first celebrity ransomware was born. The notorious WannaCry campaign is a misfortunate result of a chain of failures from Microsoft protocols, all the way to the American NSA agency and up to lazy CISOs in small to huge organizations and institutions around the world.

Yes, it was the first time that a ransomware was introduced to the general public, and not only tech-savvy. WannaCry impact was so significant that it got the attention of all mass media channels.

In a nutshell, WannaCry is ransomware that uses a few components to execute malicious payloads into a computer device, encrypts files of its victims, and demands a payment to restore the stolen information, usually in bitcoin. But more of its “achievement” the WannaCry signal the new era of ransomware cyber threat vector of choice for both organized cybercriminals as well as national-sponsored actors. WannaCry reflects the new movement that will escort and affect our lives until this very day.

First Blood: 150 countries, 200K devices, $4 billion

In its first 24 hours of operation, the WannaCry became viral with an infection of more than two hundred thousand unique end devices across 150 countries, creating a staggering loss of four billion dollars, not to include collateral damage to reputation, supply chain delays, and even urgent life-saving surgeries. The ransomware targets hundreds of organizations, SMBs, and enterprises in the private as well as the public sector such as UK-based healthcare facilities including NHS (National Health Service) hospitals, US delivery monsters FedEx, German transportation giants such as the Deutsche Bahn, and the German railway company and the French motor production factories, and assembly lines, Spanish telecommunication corporates, energy sector including power plants and many more.

since WannaCry first premiered in the cyber scene, it’s been shown as the most “stable” and commonly detected variant of all every year in many cyber analytics reports.

Your secret is safe with NSA (Not Secret Anymore )

The WannaCry damages were real, painful, and tangible. Looking backward we all should ask ourselves how did it all happen? Were there any hidden signs or warnings of the cyber tsunami ahead of us? And could this multi-billion dollar damage could somehow be avoided? The answers are yes, yes, and oh yes.

The urban legend argues that the American (NSA) National Security Agency discovered a potential exploit in Microsoft’s operating system SMBs implementation as early as five years before the outbreak. Oddly, instead of being “good citizens” and warning Microsoft, the NSA (allegedly) decided to keep the information to themselves and develop a code that will leverage that vulnerability. That piece of code, which will be known as the EternalBlue, will find its way to the Shadow Brokers hacking group, which will leak it to the highest bidder. That is perhaps the only time in history that a super organization could rightfully accuse the government of not sharing information with the mass public and violating the laws of privacy…

You had one job

Despite the good fortune of Microsoft identifying the exploit and providing a fix on March 14th, 2017 (two months before the outbreak), it didn’t change the fact the security professionals simply haven’t deployed the patch on their system. Microsoft almost begged to deploy their critical red flag security patch release (MS-17-010) in their operating systems (from XP) Server Message Block protocol. Sadly, despite all efforts, many IT security in enterprise companies, and organizations lack to update their systems with the security patch and update their policy before the execution Friday.

Ground Zero – One Zero

The WannaCry ransomware is combined of multiple components. The most important of them is the leaked  EternalBlue exploit that enables WannaCry of spreading itself within infected networks. infects nodes and initiates a paid spreading process. The EternalBlue is a powerful, wormable-in-nature exploit, that takes advantage of the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol enables numerous machines on a corporate network to communicate, and Microsoft’s implementation could be fooled by specially crafted packets into executing arbitrary code. Additionally, the exploit uses DoublePulsar exploit to upload, duplicate, and execute a copy of its code to other machines in the network.

the WannaCry reaches the infected computer in the form of a dropper; a self-contained hardcoded password-protected ZIP file that during execution extracts a variety of malicious components and applications and drops them into a directory from which it was executed. The executable components extract and install binary and configuration files from its resource section, and creates application data for encryption and decryption keys, as well as copies of Tor.

But the exploit doesn’t stop there. After encrypting the files of the local machine, it’s making an effort to spread and infect as many nearby nodes as possible. This process is done by scanning all machines in the network, and by looking for an open TCP 445 port. If the scan finds an open port and the connection is established, it will exploit the EternalBlue using the SMB vulnerability.

Once extracted, the exploit tries to access a hard-coded URL (also called a “kill switch”). Depending on the result of reaching the URL, the malware proceeds in encrypting the files using the RSA and AES-128-CBC encryption methods. It would mainly focus on popular file formats such as Microsoft Office documents, PDFs, Zip archives, MKVs, etc. leaving blocking access for the user. It then changes the windows configuration, and creates a file name “WanaDecryptor.exe” which appears on the desktop, displays a ransom notice on an executable file, on the desktop, and read me files. Normally the ransom demand to get the decryption keys is between $300 to $600 in Bitcoin depending on the time passed.

The Smoking Gunsomware

Some analysts suggested that the WannaCry zero-day main exploit component (EternalBlue) was mysteriously stolen from the NSA (who used it for years for their own needs) by the Shadow Brokers hacking group, which later own leaked it to numerous hacking groups, including the infamous North Korean based Lazarus Group

To this day no one can pinpoint the exact source of the attack, however some indication point the fingers toward China and North Korea, as the original code linguistic wise was written in both traditional and simplified Chinese.

The British Cyvior: 5th anniversary for Saint Hutchins Day

The WannaCry campaign could have had much worse outcomes if not for the curiosity and prompt action of the 22-year-old British cybersecurity researcher Marcus Hutchins who cleverly and elegantly managed to disable the threat all by himself using a lean trick that disable the ransomware functionality of encrypting and spreading around.

Hutchins start investigating the WannaCry as soon as it burst. During his outstanding research, Hutchins discovered that the code tries to access a specific quite long, gibberish URL that acts as the Command and Control domain. Marcus saw that even if a victim’s machine has been successfully penetrated, the malware won’t immediately start with the encryption process. Instead, it will first make an effort to access that domain before executing the encryption components. If WannaCry can access that domain, it will simply shut itself down.

Shortly after Hutchins realized that this domain is available for sale, so he purchased that hard-coded “kill switch” domain for a bit under $11, registered it, set up a site there, and put an end to the hasty functionality spread of the malware.

Thanks to Marcus’s resourceful plan to register and claim that “kill switch” domain, along with Microsoft’s MS-17-010 security patch of the SMB’s EternalBlue exploit, the unstoppable cyber-campaign lasted for merely a few days.

Let’s Cut the Cake

Sounds like a happy ending for a Hollywood movie. If only we would have learned from our mistakes. Unfortunately, with all the mistakes made by both the WannaCry developers as well as the IT security professionals, five years into the outbreak that changed our cyber-life it seems that the hackers just getting smarter and we must follow …. In the next part of our WannaCry 5th anniversary special, we will explore what happened since the first ransomware war was killed switch, how it affected decision-makers and how it changed forever the lives of cyber criminals around the world. After party part II– stay tuned