How WannaCrypt attacks

The roots of WannaCrypt -- the malware behind the world's biggest ransomware attack ever -- lie in an old Windows network protocol.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

We all know -- or, well, we should all know -- how to block malware attacks.

You don't install unknown applications. You don't open dodgy email attachments. And you don't download files from strange websites. But then there's WannaCrypt, aka WannaCry. Whatever its initial foothold, once it gets onto your network it uses an out-of-date version of Windows' Server Message Block (SMB) networking protocol to spread like wildfire.


WannaCrypt ransomware's origin story starts in an old Windows networking protocol: SMBv1.

SMB is an old protocol. Although Microsoft is commonly given credit for its creation, IBM network architect Barry Feigenbaum created it in early 1983. Over the years, Microsoft has guided its development.

The protocol is typically used to share files over networks. One dialect of it, Common Internet File System (CIFS), Microsoft's name for its SMBv1 implementation, has been used for file transfers since the Windows NT era, not just on Windows but on Linux and Unix (through Samba) and on macOS.

On modern networks, SMB runs directly over TCP port 445. Before that it ran on top of NetBIOS (UDP 137/138 and TCP 139). Since Microsoft introduced direct hosting of SMB over TCP/IP on port 445 in Windows 2000, that first-generation protocol, SMBv1, has been carried along on every Windows release, and SMBv1 is where the flaw WannaCrypt exploits lives.

SMBv1 has been superseded since SMBv2 shipped with Windows Vista in 2006. SMBv1 is terribly insecure and you should turn it off: Microsoft strongly recommends disabling it on every version of Windows from Vista up to Windows 10.

There are many ways to exploit SMBv1 -- and they're still being used. Rapid7, makers of the penetration-testing framework Metasploit, reports there are over a million devices on the internet with port 445 wide open. Of those, over 800,000 run Windows. Anyone who leaves this port open to the internet is very likely also still running SMBv1 and not patching regularly.

WannaCrypt is deadlier than previous ransomware because once any single Windows PC on a network using SMB is infected, every other Windows PC on that network is open to attack. SMB is used on many operating systems -- such as the Linux-powered network-attached storage (NAS) found on many small business networks -- but WannaCrypt can only attack Windows systems, because the flaw it uses is a remote code execution (RCE) vulnerability in Windows' own SMBv1 server.

The mechanism WannaCrypt uses to spread is built from a pair of National Security Agency (NSA) hacking tools, EternalBlue and DoublePulsar, leaked by a group calling itself the Shadow Brokers. EternalBlue lets a remote attacker execute arbitrary code on an unpatched Windows system by sending crafted SMBv1 packets. DoublePulsar is the kernel-mode backdoor that EternalBlue installs on the compromised machine; the ransomware payload is then loaded through it. Between them, they open the door and spread the ransomware across your Windows network.

Once the ransomware arrives, WannaCrypt tries to connect to the following domains using the Windows API InternetOpenUrlA():

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike other ransomware, if it can reach either of these sites it does nothing further; if it can't, the "fun" begins. This check is the so-called kill switch, and two caveats matter in practice. First, the InternetOpenUrlA() call is made directly, ignoring any configured proxy, so on a network that only reaches the internet through a proxy the check fails and the payload runs anyway. Second, registering (sinkholing) the domains, as a researcher did within hours of the outbreak, stops new infections from proceeding but does nothing for machines that have already been encrypted.

On an infected system, it creates a service called mssecsvc2.0. This service attempts to infect every other Windows PC it can reach on your network. That done, it unpacks the actual ransomware from a password-protected .zip archive. This painful package includes a program that encrypts every file it can find and renames each one by appending ".WNCRY" to the file name. For example, if a file is named "dog.jpg," it is encrypted and renamed "dog.jpg.WNCRY."

It then deletes your Volume Shadow Copies (by running vssadmin delete shadows), so forget about recovering your files from Windows' standard local backup: it won't work. If you don't have an offline or third-party backup of your files, you're screwed; there is no practical way to recover the encrypted files. In theory you could pay the $300 in Bitcoin -- and some people have paid -- but there is little evidence that paying reliably got anyone's files back.
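The behaviours described above (a lookup of the kill-switch domains, the mssecsvc2.0 service, shadow-copy deletion, and .WNCRY renames) are worth hunting for in whatever telemetry you already collect. The following PowerShell is an added example, not code from the article or from any vendor, that runs those checks over a handful of constructed log lines. The lines are made up to resemble DNS-client, service-install, process-creation and file-rename records, and the key=value field names (host=, name=, cmd=, to=) are assumptions about the log format; adapt the regexes to your own DNS, Sysmon or EDR exports.

```powershell
# Added example: hunt constructed log lines for the WannaCrypt indicators
# described in the article. The key=value log format is an assumption;
# adapt the regexes to your own DNS, Sysmon or EDR exports.

$KillSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

# Each indicator is a name plus a regex; PowerShell's -match is case-insensitive.
$Indicators = @(
    @{ Name = 'KillSwitchLookup';   Pattern = ($KillSwitchDomains | ForEach-Object { [regex]::Escape($_) }) -join '|' }
    @{ Name = 'SpreaderService';    Pattern = '\bmssecsvc2\.0\b' }
    @{ Name = 'ShadowCopyDeletion'; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'EncryptedFile';      Pattern = '\.WNCRY\b' }
)

function Find-WannaCryptIndicators {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # The constructed format carries the machine as host=<name>; default to '?' if absent.
        $computer = if ($line -match 'host=(\S+)') { $Matches[1] } else { '?' }
        foreach ($ind in $Indicators) {
            if ($line -match $ind.Pattern) {
                [pscustomobject]@{
                    Indicator = $ind.Name
                    Computer  = $computer
                    Line      = $line
                }
            }
        }
    }
}

# Constructed sample lines (not real telemetry).
$SampleLines = @(
    '2017-05-12T10:02:11Z DnsQuery host=WS-014 name=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com result=NXDOMAIN'
    '2017-05-12T10:02:13Z ServiceInstall host=WS-014 name=mssecsvc2.0 start=auto'
    '2017-05-12T10:02:40Z ProcessCreate host=WS-014 cmd="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"'
    '2017-05-12T10:03:05Z FileRename host=WS-014 from=C:\Users\ann\Pictures\dog.jpg to=C:\Users\ann\Pictures\dog.jpg.WNCRY'
    '2017-05-12T10:03:06Z DnsQuery host=WS-022 name=www.example.com result=NOERROR'
)

$hits = Find-WannaCryptIndicators -Lines $SampleLines
$hits | Format-Table -AutoSize

# Summarise per machine so a single host carrying several indicators stands out.
$hits | Group-Object Computer | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group.Indicator | Sort-Object -Unique) -join ', ')
}
```

On the sample input WS-014 matches all four indicators and WS-022 none. A kill-switch lookup on its own is the most useful early signal: it fires before encryption starts, and a host that resolves one of those domains has already been exploited over SMB.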

So, what can you do? In short order:

  1. Stop using Windows on the desktop; use Linux instead.
  2. If you insist on using Windows, upgrade to Windows 10.
  3. Patch Windows. The fix for the flaw EternalBlue exploits is MS17-010, released in March 2017.
  4. Disable SMBv1.
  5. Block TCP port 445 at your network firewall, and on any host that does not need to serve files.
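Steps 3 to 5 applied to a single Windows host, as an added PowerShell example (not code from the article) to be run in an elevated session. Cmdlet availability depends on the Windows version, so each step is guarded with a fallback for Windows 7. The KB numbers are the original MS17-010 packages listed in the March 2017 bulletin, an assumption you should verify against the bulletin for your OS; later cumulative updates supersede them, so a miss means "check Windows Update", not necessarily "vulnerable".

```powershell
# Added example: check and apply steps 3-5 on one Windows host.
# Run in an elevated PowerShell session. Cmdlet availability varies by version.

# --- 3. Patch: is an MS17-010 package present? ---
# Original MS17-010 KB numbers (assumed from the March 2017 bulletin; verify for
# your OS). Newer cumulative updates supersede them, so "not found" means
# "confirm via Windows Update", not necessarily "vulnerable".
$Ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { 'MS17-010 package present: ' + ($found.HotFixID -join ', ') }
else        { 'No original MS17-010 package found; check for a newer cumulative update or patch now.' }

# --- 4. Disable SMBv1 ---
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: turn the SMB1 server off and show the result.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: no SMB cmdlets; set the registry value (reboot required).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    # Windows 8.1 / 10: remove the optional feature so the SMB1 client goes too.
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($smb1 -and $smb1.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# --- 5. Block TCP 445 inbound on the host firewall ---
# Complements the network-firewall block: a laptop keeps the protection off-site.
# Do NOT apply to file servers or domain controllers, which must serve SMB.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any
} else {
    # Windows 7 fallback.
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445
}
```

The registry change and the optional-feature removal both need a reboot to take effect, and blocking 445 on a workstation also blocks legitimate remote administration over SMB (admin shares, PsExec-style tools), so roll the rule out through Group Policy with the exceptions your support team needs rather than host by host.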

While we now know in great detail how WannaCrypt works, there is no cure for it once it has encrypted a machine: prevention is the only defense.
