
WannaCry Ransomware Attack: Overview, Vulnerabilities, and Defense Strategies

The article explains the global outbreak of the WannaCry ransomware in May 2017, its exploitation of the SMB MS17-010 vulnerability (EternalBlue), the impact on governments, schools and hospitals, and provides detailed technical analysis and recommended security measures to prevent such attacks.

Architects' Tech Alliance

On the night of May 12, 2017, the worm‑like ransomware WannaCry spread worldwide, crippling government, educational and medical networks; in China the education network suffered the most severe damage, with many computers and documents encrypted.

Statistics show the virus affected the entire nation. Early on May 13, Shandong University posted an urgent notice on its official Weibo account warning about the ONION ransomware.

Kingsoft Antivirus detected a large‑scale outbreak of the Onion/WannaCry ransomware and issued emergency preventive measures.

In response to the Shadow Brokers leak of a critical Microsoft vulnerability, Tianyi Cloud warned that attackers could exploit ports 135, 137, 139, 445, and 3389 to gain Windows system privileges, urging users to apply security patches.

WannaCry Incident Description

Analysis shows WannaCry is ransomware built on the leaked NSA exploit “EternalBlue”, which abuses the SMB vulnerability MS17‑010 (reachable over port 445) that Microsoft patched in March 2017.

All Windows versions newer than Windows 7 have received the patch; older systems such as Windows XP/2003 remain unpatched and vulnerable.

When a Windows system is infected, a dialog appears demanding Bitcoin payment to restore encrypted files.

Numerous government and education networks in China reported massive infections; encrypted files can only be recovered by paying a ransom, as no decryption tool exists.

WannaCry Vulnerability Introduction

The attack exploits a Microsoft SMB protocol vulnerability originally discovered by the U.S. National Security Agency and named “EternalBlue”.

SMB (Server Message Block) is the default file‑sharing protocol in Windows; attackers use it to gain remote code execution on systems with port 445 open, elevating privileges to SYSTEM level.
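Because WannaCry spreads by probing SMB on port 445 from every host it infects, the most telling network signal is a single internal source touching many distinct 445/tcp destinations within a few seconds. The following detector is an added example written for this article, not code from the original post or from any vendor named here; it runs over a constructed, simplified firewall log format (timestamp, source, destination, protocol/port, action), so the parser would need adjusting for real log lines.

```python
"""Flag hosts that fan out to many peers on TCP/445 in a short window.

Added example (not from the original article). The log lines below are
constructed sample data in a simplified firewall/netflow format; a real
deployment would swap parse_line() for a parser of its own log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <src_ip> <dst_ip> <proto>/<dst_port> <action>"
# 10.0.1.17 behaves like an infected host sweeping the subnet on 445/tcp;
# 10.0.1.40 makes two ordinary file-share connections minutes apart;
# 10.0.1.41 talks HTTPS only.
SAMPLE_LOG = """\
2017-05-12T20:01:00 10.0.1.17 10.0.1.5 tcp/445 allow
2017-05-12T20:01:01 10.0.1.17 10.0.1.6 tcp/445 allow
2017-05-12T20:01:01 10.0.1.17 10.0.1.7 tcp/445 deny
2017-05-12T20:01:02 10.0.1.17 10.0.1.8 tcp/445 deny
2017-05-12T20:01:02 10.0.1.17 10.0.1.9 tcp/445 deny
2017-05-12T20:01:03 10.0.1.17 10.0.1.10 tcp/445 deny
2017-05-12T20:01:04 10.0.1.17 10.0.1.11 tcp/445 deny
2017-05-12T20:01:05 10.0.1.17 10.0.1.12 tcp/445 deny
2017-05-12T20:01:05 10.0.1.17 10.0.1.13 tcp/445 deny
2017-05-12T20:01:06 10.0.1.17 10.0.1.14 tcp/445 deny
2017-05-12T20:01:00 10.0.1.40 10.0.1.2 tcp/445 allow
2017-05-12T20:03:10 10.0.1.40 10.0.1.3 tcp/445 allow
2017-05-12T20:01:00 10.0.1.41 10.0.1.2 tcp/443 allow
2017-05-12T20:01:00 10.0.1.41 10.0.1.3 tcp/443 allow
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, dst, svc, action = line.split()
    proto, port = svc.split("/")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "port": int(port), "action": action}


def detect_smb_fanout(lines, window=timedelta(seconds=30), threshold=8):
    """Return {src: peak distinct 445/tcp destinations within one window}
    for every source whose peak reaches the threshold.

    Denied connections count as well: a blocked probe is still a probe, and
    a worm does not know in advance which neighbours will answer.
    """
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "tcp" and ev["port"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()  # chronological; tuples sort by timestamp first
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct peers contacted in the window starting at this event
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} contacted {n} distinct hosts on 445/tcp within 30s")
```

The threshold and window are deliberately conservative; a file server that legitimately opens many SMB sessions is a client of many connections, not an initiator of many distinct peers in seconds, so tune against a baseline of your own 445/tcp flows rather than the constructed figures used here.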

DeepSecurity Cloud had already released an SMB vulnerability detection and mitigation solution a month before the outbreak.

At RSA 2017, ransomware defense was a hot topic; the conference dedicated a full day to ransomware, highlighting the growing threat and the need for effective countermeasures.

What Is Ransomware

Ransomware is malicious code that encrypts files such as Office documents, images, and videos, rendering them inaccessible until a ransom is paid, typically in cryptocurrency.

For example, the Cryptolocker ransomware encrypts a victim’s files and displays a message demanding payment for the decryption key within a limited time.

Ransomware typically spreads via phishing emails or malicious web links; once executed, it exploits system vulnerabilities to install itself, contacts a command‑and‑control server, generates an RSA key pair, encrypts files with an AES key, then encrypts the AES key with the RSA public key.

1. Attackers send phishing emails or embed malicious links on compromised websites.

2. Users click the link or run the file; the ransomware exploits system vulnerabilities and may connect to a C&C server.

3. After connection, the malware generates an RSA key pair and downloads the public key to the victim’s machine.

4. The ransomware scans for files, encrypts them with a randomly generated AES key, then encrypts the AES key with the RSA public key and stores it.

5. The attacker delivers a ransom note demanding payment.
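The encryption step above leaves a recognisable trace on the endpoint: files that were structured documents are rewritten as near-uniform random bytes and usually renamed with an added extension. The detector below is an added example written for this article, not code from the original post. It combines a Shannon-entropy check with a rename check, because entropy alone misfires on already-compressed data such as JPEGs and ZIP archives; the write events and file contents are constructed sample data standing in for what an endpoint agent or file-system audit log would supply.

```python
"""Flag bursts of file writes that look like ransomware encryption output.

Added example (not from the original article). Encrypted output is close to
8 bits of entropy per byte; combining that with an extension-append rename
(report.docx -> report.docx.locked) avoids alerting on ordinary compressed
files. All events and byte strings below are constructed sample data.
"""
import hashlib
import math
from collections import Counter


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) so the sample is reproducible."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(old_name, new_name, data, entropy_threshold=7.5):
    """True when the content is high-entropy AND the file name gained an extension."""
    renamed = new_name != old_name and new_name.startswith(old_name + ".")
    return renamed and shannon_entropy(data) >= entropy_threshold


def scan_events(events, burst_threshold=5):
    """events: iterable of (process, old_name, new_name, written_bytes).
    Returns {process: suspicious-write count} for processes at/above the burst threshold,
    so a single odd write never alerts but a sweep across documents does."""
    hits = Counter()
    for process, old, new, data in events:
        if is_suspicious_write(old, new, data):
            hits[process] += 1
    return {p: n for p, n in hits.items() if n >= burst_threshold}


# Constructed sample events: (process, old_name, new_name, written_bytes)
ENCRYPTED = pseudo_random_bytes(4096)                    # stands in for ciphertext
DOC_TEXT = b"Quarterly report: revenue grew 4 percent year over year.\n" * 60
COMPRESSED_IMAGE = pseudo_random_bytes(4096, seed=b"image")  # stands in for a JPEG body

SAMPLE_EVENTS = (
    [("unknown.exe", f"doc{i}.docx", f"doc{i}.docx.locked", ENCRYPTED) for i in range(6)]
    + [("editor.exe", "notes.txt", "notes.txt", DOC_TEXT)]
    + [("viewer.exe", "photo.jpg", "photo.jpg", COMPRESSED_IMAGE)]  # high entropy, no rename
    + [("unknown.exe", "readme.txt", "readme.txt", DOC_TEXT)]      # same process, benign write
)

if __name__ == "__main__":
    for process, n in scan_events(SAMPLE_EVENTS).items():
        print(f"ALERT: {process} produced {n} encrypted-and-renamed files")
```

The two conditions are independent on purpose: the rename rule can be swapped for whatever naming pattern a given family uses, and the entropy rule keeps working when the malware overwrites files in place, provided the burst threshold is then lowered to compensate.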

Victims often do not notice the encryption process until files become inaccessible; attackers may use emails or even change the desktop wallpaper to deliver the ransom demand.

Some attackers also publish the encryption algorithm details to pressure victims into paying quickly to obtain the decryption key.

Evolution of Encrypting Ransomware

The first known ransomware dates back to 1989 (PC Cyborg), which encrypted file names and demanded $189 for decryption.

Since then, ransomware has evolved from simple symmetric encryption to hybrid schemes combining symmetric (AES) and asymmetric (RSA) encryption, with key lengths reaching 2048 bits (e.g., Cryptolocker 2013, Locky 2016).

Attackers began demanding payment in cryptocurrencies such as Bitcoin from 2008 onward to obscure the money trail.

Target victims have shifted from individual users to enterprises, because organizations face higher operational pressure and tend to pay larger ransoms quickly.

According to Cisco Talos, the Locky ransomware infected up to 90 000 victims per day, with an average ransom payment rate of 2.9 % (0.5–1 BTC). The ransomware industry was estimated to be a $1 billion market in 2016.


Tags: information security, malware, ransomware, SMB vulnerability, WannaCry
Written by Architects' Tech Alliance

Sharing project experiences, insights into cutting-edge architectures, focusing on cloud computing, microservices, big data, hyper-convergence, storage, data protection, artificial intelligence, industry practices and solutions.