IDR Blog

Why Do I “WannaCry”
Debashish Bose | Date: 10 Jun, 2017

In this article we are talking about the famous ransomware – “WannaCry” (Date of fame 12 May 2017). In case you have heard the following names – WCry, WCry2.0, WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r, they all refer to the same ransomware. For the purpose of the article the name “WannaCry” is being used.

The WannaCry ransomware first appeared in Mar 2017. Activity from this ransomware was almost non-existent prior to the explosion in numbers on 12 May 2017, which occurred in just a few hours. WannaCry works in the same fashion as most modern ransomware: after it has reached the victim's machine, it finds and encrypts a range of data files, then displays a “ransom note” informing the victim that his/her data has been encrypted and demanding payment of a ransom in bitcoin if he/she wants to access the decrypted data. WannaCry was also considered a network worm because it included a “transport” mechanism to spread automatically from one machine to another.

WannaCry used the exploits ETERNALBLUE and DOUBLEPULSAR, developed by NSA and thereafter leaked online by The Shadow Brokers. The utilisation of this exploit was first detected by French security researcher Kafeine. ETERNALBLUE works by exploiting a vulnerability in Windows machines and thus gaining access to the victim's machine, and thereafter the DOUBLEPULSAR tool is used to install and execute a copy of itself. The vulnerability was patched by Microsoft after it was leaked online by The Shadow Brokers; however, the ransomware was still hugely successful, which clearly brings out the fact that the population of unpatched machines on the internet is huge (a glaring reality, in spite of everybody knowing that a basic tenet of cyber security is that machines should be patched and updated). Another major departure that happened because of this ransomware was that Microsoft issued a patch update to fix the flaw in Windows XP machines, even though Windows XP was declared End Of Life ages back by Microsoft and is currently not supported by them. All clouds have a silver lining.

A major issue that comes to mind is the fact that the NSA had discovered the vulnerability in the past but, instead of informing Microsoft to get the vulnerability fixed, had built the ETERNALBLUE exploit for their offensive work. It was only when the existence of this was revealed by The Shadow Brokers that Microsoft became aware of the issue and produced a security update. This is despite the fact that the US has a comprehensive Vulnerabilities Equities Process (VEP), or is it not so comprehensive? This has been a source of endless discussion in the security domain: whether keeping vulnerabilities hidden for exploitation by government agencies is really worth it, because finally these vulnerabilities get exploited by the hacker communities, leaving the law enforcers red-faced and running for cover.

WannaCry Ransom Note

WannaCry ransom notes have been discovered in the following languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese.


In the initial burst, within a few hours, WannaCry spread to over 57,000 machines. Some of the initial victims were Telefonica, Gas Natural and Iberdrola, all Spanish companies. Later in the day (12 May 2017), the ransomware spread to the UK, where it hit a large number of hospitals and clinics. Other victims include the Russian Interior Ministry, Portugal Telecom, and a large number of universities in China. Telenor Hungary, FedEx and Deutsche Bahn also suffered similar incidents. By the end of the day, a huge number of infections were reported from Russia as well. Finally it infected more than 230,000 computers in over 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.


The spread of the WannaCry ransomware as seen in the current epidemic was stopped after security researcher MalwareTech registered a hard-coded domain name included in the ransomware’s source code. WannaCry checked this domain before it started its execution, most probably as a protection against sandboxing. Accordingly, the ransomware would check whether the domain was unregistered and, after getting a confirmation, it would execute. If it found the domain was registered it would stop spreading, so the domain acted like a kill switch. With MalwareTech registering the domain, the ransomware now does not start anymore. The same was confirmed by Cisco Talos.
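The domain check described above also gives defenders a triage signal: any host that looked up the kill-switch domain ran a copy of the ransomware, and the DNS answer shows whether that copy went on to execute. The following is an added example, not code from the article or from any vendor; the domain is a placeholder (the article does not give it), the log format is hypothetical, and treating every answer other than NOERROR as a failed check is an assumption.

```python
import re

# Placeholder: take the real domain from a trusted advisory.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample lines in a hypothetical resolver log format:
# <timestamp> <client_ip> query=<name> rcode=<NOERROR|NXDOMAIN|...>
SAMPLE_LOG = """\
2017-05-12T08:01:10Z 10.0.4.17 query=KillSwitch-Placeholder.example. rcode=NXDOMAIN
2017-05-12T08:01:12Z 10.0.4.22 query=www.example.org rcode=NOERROR
2017-05-12T15:40:02Z 10.0.7.9 query=killswitch-placeholder.example rcode=NOERROR
2017-05-12T15:41:30Z 10.0.4.17 query=killswitch-placeholder.example rcode=NOERROR
malformed line without fields
2017-05-12T16:00:00Z 10.0.9.3 query=notkillswitch-placeholder.example rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query=(\S+)\s+rcode=(\S+)$")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the domain to first_seen, lookups, status.

    status is "executed" if any lookup failed to resolve (the check passed and
    the ransomware ran), otherwise "halted" (infected, but the copy stopped).
    """
    target = normalize(domain)
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname, rcode = m.groups()
        if normalize(qname) != target:
            continue  # exact match only; look-alike names are ignored
        h = hosts.setdefault(
            client, {"first_seen": ts, "lookups": 0, "status": "halted"})
        h["lookups"] += 1
        h["first_seen"] = min(h["first_seen"], ts)  # ISO-8601 sorts as text
        if rcode.upper() != "NOERROR":
            h["status"] = "executed"
    return hosts


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(ip, info)
```

Hosts reported as "halted" still carry the ransomware and need the same cleanup and patching as those reported as "executed".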


The following security firms have analysed and found connections between the WannaCry ransomware and malware used by the Lazarus Group: Kaspersky Lab, Symantec, and BAE Systems. Lazarus Group is the name given to a hacking group responsible for the Sony hack, the SWIFT bank attacks, and the attacks on various other financial institutions all over the globe. Analysis shows that the group is based in North Korea and associated with the official government. The main reason for this assessment is that the group has been mainly interested in attacking South Korean organizations and government and financial institutions; financial institutions because the North Korean Govt is in dire need of financial resources.

As per linguistic analysis of the WannaCry ransom notes (available in 28 different languages), the ransomware appears to be the work of a Chinese-speaking author with equally good command over English. Analysis shows that there appear to be two base notes, one written in Chinese and the other in English, and these two were used as the templates for all other ransom notes. In fact, analysis narrows down the geographical location to South China, Hong Kong, Taiwan, or Singapore. The final call for attribution is still not out: North Korean or Chinese-speaking user or group.

In the near past another trend has been observed, wherein organizations that are doing cyber espionage deploy ransomware on their target machines after they have stolen the requisite information. They know that when the target sees the ransomware he will format his machine and reload from a backup, as a result of which all traces of the cyber espionage operation on the target machine will be lost and the attention of the target will be diverted. For example, malware such as KillDisk and Shamoon have in the near past added ransomware modules that they deploy after stealing data from their targets. This disguises the real operation.

Many security researchers also believe that WannaCry was still under development when it exploded into an epidemic.

What Next

Security researchers have detected a new malware named “EternalRocks” that uses seven leaked NSA hacking tools (WannaCry used only two) and leaves Windows machines vulnerable to future attacks that may occur at any time. When installed, the worm names itself WannaCry in an attempt to evade security experts.

Another new threat has cropped up in Ukraine: a virulent ransomware strain called XData. So far it has created three times as many infections as WannaCry did in Ukraine. The fact that it specifically targets Ukraine is some sort of relief, but if it were to spread globally it would create more damage than last week’s WannaCry attack.



The views expressed are of the author and do not necessarily represent the opinions or policies of the Indian Defence Review.
