In May 2017, a cyberattack shook the world. A ransomware attack shut down hospitals, locked doctors out of patient data, and spread across the globe within hours. WannaCry infected more than 200,000 computers, including systems at FedEx, Honda, Nissan, and the UK's National Health Service (NHS).
What is ransomware?
Ransomware is malware that installs itself on a PC or mobile device, usually without any visible sign, and then holds the victim's files or operating system hostage: it encrypts the files or locks the device and demands payment for the key. WannaCry's ransom note demanded payment in Bitcoin, doubled the price after three days, and threatened to delete the encrypted files after seven days, at which point the data would be gone for good.
What exactly happened?
WannaCry spread using an exploit called EternalBlue, which targets a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144). EternalBlue was developed by the NSA; in April 2017, about a month before the attack, a group calling itself The Shadow Brokers leaked it along with other NSA tools.
Microsoft had released a patch for the vulnerability (security bulletin MS17-010) in March 2017, two months before the outbreak, but many organizations had not installed it. Versions that were already out of support, such as Windows XP and Windows 8, received no fix at all until Microsoft issued an emergency update once the attack was under way.
Security researcher Marcus Hutchins slowed the outbreak when he discovered and registered a "kill switch" domain that stopped newly infected machines from running the malware.
In December 2017 the United States government publicly attributed the attack to North Korea, a conclusion several allied governments also endorsed. Security researchers had earlier linked the code to the Lazarus Group, which is widely assessed to operate on behalf of the North Korean state, so these are not competing attributions.
How does WannaCry work?
WannaCry used the EternalBlue exploit to spread. Here's how it worked:
- First, it scanned for hosts accepting connections on TCP port 445, the port used by SMB (Server Message Block), the Windows protocol for file sharing and network browsing.
- Next, it opened an SMBv1 session with the target.
- Then it triggered a buffer overflow in the kernel-mode SMBv1 server (this is the EternalBlue exploit), installed the DoublePulsar kernel backdoor from the same leak, and used it to load the ransomware, all without any user interaction.
- The ransomware encrypted files with extensions such as .doc, .xls, .ppt, .jpg and .pdf and renamed them with a .WNCRY suffix. Each file got its own AES-128 key, those keys were encrypted with an RSA-2048 key pair generated per victim, and that pair's private key was encrypted with the attackers' own RSA public key, so the files cannot be recovered without the attackers' private key.
- WannaCry then scanned the local network and random internet addresses for other vulnerable machines and infected them automatically, which is what made it a worm rather than ordinary email-delivered ransomware.
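The precondition for the first two steps above is a host that still speaks SMBv1 on port 445. The following is an added example (not code from the original article or from any WannaCry analysis) that sends a single SMBv1 Negotiate Protocol request and classifies the reply, so you can find such hosts on a network you are authorised to test. It offers only the SMBv1 dialect "NT LM 0.12": offering an SMB2 dialect as well would let a server that supports both pick SMB2 and hide the fact that SMBv1 is enabled. The header field values other than the command are conventional choices, and the sample replies at the bottom are constructed, not captured from real hosts.

```python
"""Check whether a host still accepts the SMBv1 dialect on TCP/445.

Added example, not code from the original article. Builds one SMB_COM_NEGOTIATE
request offering only the SMBv1 dialect "NT LM 0.12" and classifies the server's
answer. Field layouts follow the published MS-CIFS specification.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Only the SMBv1 dialect: listing "SMB 2.002" too would let a dual-stack server
# answer in SMB2 and mask that SMBv1 is still switched on.
DIALECTS = [b"NT LM 0.12"]


def _netbios_frame(smb: bytes) -> bytes:
    """NetBIOS session service header: type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command: int) -> bytes:
    """32-byte SMBv1 header (values other than the command are conventional)."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, command, 0,      # protocol id, command, NT status
        0x18, 0xC853, 0,             # Flags, Flags2, PIDHigh
        b"\x00" * 8, 0,              # SecurityFeatures, Reserved
        0xFFFF, 0xFEFF, 0, 0,        # TID, PID, UID, MID
    )


def build_negotiate_request() -> bytes:
    """SMBv1 Negotiate Protocol request listing DIALECTS in order."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialects)) + dialects   # WordCount 0, ByteCount
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE) + body)


def classify_negotiate_response(data: bytes) -> str:
    """Classify a raw reply to build_negotiate_request().

    "smb1-accepted": SMBv1 header, DialectIndex selects NT LM 0.12 (SMBv1 enabled)
    "smb2-reply":    server answered with an SMB2 header rather than SMBv1
    "smb1-rejected": SMBv1 header but no dialect accepted (DialectIndex 0xFFFF)
    "no-smb":        nothing, too short, or not an SMB negotiate reply at all
                     (hosts with SMBv1 disabled typically just drop the connection)
    """
    if len(data) < 4 + 32 + 3:
        return "no-smb"
    smb = data[4:]                                 # drop NetBIOS framing
    if smb[:4] == SMB2_MAGIC:
        return "smb2-reply"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "no-smb"
    word_count = smb[32]
    if word_count == 0:
        return "smb1-rejected"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index < len(DIALECTS) and DIALECTS[dialect_index] == b"NT LM 0.12":
        return "smb1-accepted"
    return "smb1-rejected"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send the request to a live host you are authorised to test and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
        except OSError:          # reset mid-exchange: treated like an empty reply
            data = b""
    return classify_negotiate_response(data)


# Constructed replies (not captured from real hosts) so the classifier runs offline.
SAMPLE_SMB1_ACCEPT = _netbios_frame(
    _smb1_header(SMB_COM_NEGOTIATE)
    + bytes([17]) + struct.pack("<H", 0) + b"\x00" * 32    # WordCount 17, DialectIndex 0
)
SAMPLE_SMB1_REJECT = _netbios_frame(
    _smb1_header(SMB_COM_NEGOTIATE)
    + bytes([1]) + struct.pack("<H", 0xFFFF) + b"\x00\x00"  # WordCount 1, no dialect
)
SAMPLE_SMB2_REPLY = _netbios_frame(SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 62)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        for name, reply in [("smb1 host", SAMPLE_SMB1_ACCEPT),
                            ("smb2 host", SAMPLE_SMB2_REPLY),
                            ("smb1 disabled", SAMPLE_SMB1_REJECT)]:
            print(name, "->", classify_negotiate_response(reply))
```

A host reported as "smb1-accepted" speaks the protocol EternalBlue targets, but this probe says nothing about whether MS17-010 is installed: a patched host with SMBv1 left on is not exploitable by EternalBlue, though it should still have the protocol turned off (recent Windows releases ship with it disabled by default). To check patch state, use the installed-updates list on the host or a vulnerability-specific check such as nmap's smb-vuln-ms17-010 script.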
The Kill Switch
Marcus Hutchins, a security researcher, began reverse engineering a WannaCry sample (the binary; no source code was available) and found that, before doing anything else, it tried to reach a domain hard-coded in the program, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, a long random-looking name that nobody had registered.
So he registered the domain.
After doing so, he saw that infection attempts from already-compromised machines continued, but newly reached machines stopped executing. The reason was that WannaCry checked the domain first and exited as soon as it got a response, before spreading or encrypting anything.
The most widely accepted explanation is that the domain query was an anti-analysis check: a test for whether the ransomware was running inside a sandbox.
A sandbox is an isolated analysis environment, similar to a virtual machine, that runs separately from the real system and network so that untrusted files can be executed and observed safely. Many sandboxes answer every DNS lookup or HTTP request a sample makes so that it believes it is online; a reply from a domain that should not exist is therefore a tell-tale sign of a sandbox.
Once the domain was registered and answering, new copies of WannaCry shut themselves down as though they were inside one. Two caveats: the check was a direct HTTP request, so machines that could reach the internet only through a proxy requiring authentication never got an answer and were not protected by the kill switch, and variants with different kill-switch domains appeared within days and had to be registered in turn.
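The kill-switch decision described above, and the check a defender would run against it, as an added example (not WannaCry's own code, and not from the original article). The original sample tested whether a WinINet call to open the URL succeeded; open_url_direct() approximates that with the standard library, payload_would_run() accepts any opener so the unregistered, sinkholed and sandbox cases can be exercised offline, and hosts_that_queried_killswitch() scans DNS query logs for lookups of the name. The function names are mine, and the query-log lines are constructed in BIND's query-log format, not real traffic.

```python
"""Kill-switch logic of the kind described above, as an added example (not WannaCry's
own code), plus a defender-side check for it.

WannaCry's sample tried to open a hard-coded URL before doing anything else and exited
if that call succeeded. open_url_direct() approximates the test with the standard
library; payload_would_run() takes any opener so the outcomes can be exercised offline;
hosts_that_queried_killswitch() finds hosts whose DNS lookups show the dropper ran.
"""
import http.client
import re
import socket
from typing import Callable, Iterable

# Kill-switch domain hard-coded in the original WannaCry sample
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def open_url_direct(domain: str, timeout: float = 5.0) -> bool:
    """True only if the name resolves AND a plain HTTP request to it completes.

    Mirrors the original behaviour: the sample did not look at the response body,
    only at whether the open succeeded. A host that cannot make direct outbound
    HTTP (for example one behind an authenticating proxy) gets False here even for
    a registered domain, which is why such hosts were not saved by the sinkhole.
    """
    try:
        socket.gethostbyname(domain)              # NXDOMAIN raises socket.gaierror
        conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
        conn.request("GET", "/")
        conn.getresponse()
        conn.close()
        return True
    except OSError:
        return False


def payload_would_run(open_url: Callable[[str], bool], domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Decision the sample made: a successful open means 'stop', a failure means 'run'.

    Before registration the name returned NXDOMAIN, so the open failed and the worm ran.
    Once registered (sinkholed) the open succeeded and new copies exited. A sandbox that
    fabricates answers for every name produces the same 'success' and the same exit,
    which is the anti-analysis behaviour the check is believed to implement.
    """
    return not open_url(domain)


# Constructed BIND-style query-log lines (not real traffic) for the detection check below.
SAMPLE_DNS_LOG = """\
12-May-2017 11:02:41.118 client 10.20.4.17#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.2)
12-May-2017 11:02:42.002 client 10.20.4.17#51240: query: www.example.com IN A + (10.20.0.2)
12-May-2017 11:03:10.771 client 10.20.9.55#49876: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.0.2)
12-May-2017 11:03:15.330 client 10.20.9.55#49880: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.20.0.2)
12-May-2017 11:04:01.000 client 10.20.1.3#53001: query: update.microsoft.com IN A + (10.20.0.2)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")


def hosts_that_queried_killswitch(lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> set:
    """Client IPs that looked up the kill-switch name (case- and trailing-dot-insensitive).

    A lookup is strong evidence the dropper ran on that host. After the sinkhole it
    exited without encrypting, but the machine was still reached through SMB, so it
    needs the MS17-010 update and a malware check even if no files were touched.
    """
    hits = set()
    for line in lines:
        match = QUERY_RE.search(line)
        if match and match.group("name").rstrip(".").lower() == domain.lower():
            hits.add(match.group("ip"))
    return hits


if __name__ == "__main__":
    # Offline demonstration of the outcomes; pass open_url_direct for a live test
    # against a name you control.
    print("unregistered domain -> runs:", payload_would_run(lambda d: False))
    print("sinkholed domain    -> runs:", payload_would_run(lambda d: True))
    print("sandbox faking DNS  -> runs:", payload_would_run(lambda d: True))
    print("hosts to triage:", sorted(hosts_that_queried_killswitch(SAMPLE_DNS_LOG.splitlines())))
```

Note the inverted logic compared with an ordinary command-and-control beacon: here a reachable domain means stop, which is exactly why registering it, something any defender can do, turned a single domain into a global off switch. The detection side matters because a successful kill-switch query is not an all-clear: it marks a machine that was exploited over SMB and merely happened to be spared the payload.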