WannaCry Ransomware

Understanding WannaCry Ransomware

WannaCry Ransomware is a type of malicious software that has the capability to rapidly infect and spread across multiple computer networks.

WannaCry consists of various components and enters the targeted computer as a self-contained program called a doppler. This program extracts other embedded application components within the ransomware, including an encryption and decryption application, files containing encryption keys, and a copy of TOR.

The program code of WannaCry is not hidden, making it relatively simple for security professionals to analyze. Once it is launched, the ransomware attempts to access a hard-coded URL known as the kill switch. If it is unable to do so, it proceeds to search for and encrypt files in specific formats, such as Microsoft Office files or MP3 files. This encryption makes the files inaccessible to the computer user. The ransomware then displays a ransom notice, demanding a specific amount of currency, typically Bitcoin (BTC), in order to decrypt and recover the files.

WannaCry primarily exploits a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol. This protocol allows communication between different nodes on a network, and Microsoft’s implementation can be manipulated through specially crafted packets to execute unauthorized code.

WannaCry serves as a prominent example of how crypto ransomware operates and how it can be utilized to extort money. By encrypting potentially valuable files and even locking users out of their computers, it falls into the category of crypto ransomware. Specifically, when it locks users out of their computers, it is known as locker ransomware.