A brief overview of wannacry ransomware

Girish Venkatachalam
3 min read · Aug 26, 2023

What is ransomware?

Ransom is a common, well-understood word: it is the sum of money demanded by kidnappers or blackmailers. We have seen enough of it in movies.

Spyware, adware and similar words refer to software that spies on you or displays ads. So ransomware should be software that somehow combines ransom with software.

It turns out that our guess is about right. Ransomware is software that locks you out of your files, or hides them with encryption, effectively stealing your files and data, and then demands a bitcoin payment to give you back your digital assets.

Who created WannaCry?

There have been several ransomware attacks, usually spread through email in a process called phishing. But email is definitely not the only propagation method.

WannaCry shook the whole cybercrime landscape by infecting 200,000 computers in 150 countries. The main countries affected are:

  • Russia
  • India
  • Ukraine
  • Taiwan

It started in a telecom company in Spain and spread across Europe, bringing down the already underfunded NHS in the UK. In addition to being ransomware, it also had a worm component, which let it spread quickly using the Windows file-sharing protocol SMB.

It was created by the NSA, but who stole it and spread it, nobody knows.

Which organizations got affected?

Here is the map of the countries affected, in red (Wikipedia). The ransom amount was quite modest: $300 in bitcoin. But the issue is that, despite paying it, most companies could not recover their data.

The attack was somewhat contained when a British man, a former malware author, registered a funny-sounding long domain. But the damage it caused already ran into billions of dollars.

What is SMB?

SMB, or Server Message Block, is the Windows file-sharing protocol. It has components running in ring 0 of the Windows kernel, and those were exploited by the EternalBlue exploit; using the shellcode in DoublePulsar, the attackers could then obtain a backdoor.

With that, the machine is obviously compromised and serves as a slave to the commands of the remote attacker.

Why couldn’t vendors patch their Windows?

All this damage was caused because the NSA created this vulnerability 5 years before it got stolen by a group called Shadow Brokers. Microsoft quickly put together a patch, but by then most people had already missed applying the EternalBlue CVE patch.

Most Windows users did not want to suffer downtime or run the risk of the patch disturbing their setup.
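The two conditions the post describes, SMBv1 still enabled on a Windows box and the EternalBlue patch never applied, can be audited from an administrator PowerShell session. This is an added defender-side example, not code from the original post; the KB identifier is a placeholder you must fill in from Microsoft's advisory for your Windows build, and the cmdlets used are the standard SmbShare, DISM and NetSecurity modules (Windows 8 / Server 2012 and later).

```powershell
# Added audit script (not from the original post). Checks what WannaCry's worm
# component relied on: SMBv1 enabled, the fix missing, and TCP 445 reachable.
function Test-WannaCryExposure {
    param(
        # Placeholder: replace with the real KB number of the EternalBlue fix
        # for your OS build (the post does not give it, so none is invented here).
        [string]$PatchKB = 'KB-PLACEHOLDER'
    )

    # SMBv1 server component as reported by the SMB server configuration.
    $smbServer = Get-SmbServerConfiguration
    $smb1ServerEnabled = [bool]$smbServer.EnableSMB1Protocol

    # SMBv1 optional feature (Windows 10 / Server 2016 and later); null elsewhere.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1FeatureInstalled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    # Get-HotFix returns nothing (and writes an error) when the KB is not installed.
    $patchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules for TCP 445 from any remote address: the worm
    # spread over exactly this port, so such a rule widens the exposure.
    $openSmbRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains '445') -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        } | Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        Smb1ServerEnabled    = $smb1ServerEnabled
        Smb1FeatureInstalled = $smb1FeatureInstalled
        PatchInstalled       = $patchInstalled
        OpenSmb445Rules      = @($openSmbRules)
        # Exposed = SMBv1 reachable in some form and the fix absent.
        Exposed              = ($smb1ServerEnabled -or $smb1FeatureInstalled) -and (-not $patchInstalled)
    }
}

# Remediation the post's victims lacked: turn SMBv1 off. Patching is still
# required; removing the feature change takes effect after a reboot.
function Disable-Smb1Server {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Test-WannaCryExposure | Format-List
```

Run the audit first; call Disable-Smb1Server only after confirming nothing on the network still depends on SMBv1, since old printers and NAS devices sometimes do.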

At any rate, the spread of the ransomware brought the worldwide supply chain to a halt, including TSMC, the company that manufactures the PCB for all phones.

Conclusion

We have seen how devastating using Windows can be. All malware attacks so far have been on Windows, including Stuxnet, NotPetya, WannaCry and many more.

In fact I think most malware writers have to be experts in Windows. This is never a problem for us Linux geeks. But malware and ransomware attacks are no longer just a problem in some unknown corner of the Internet affecting unknown people or a small group.

It has become a reality for most of us already.


Girish Venkatachalam

I am a software developer with 25 years of experience, now mostly working on JS and Python. I run Linux. I love to teach and work on cool things. Give a follow!