
WannaCry Ransomware


WannaCry is a piece of ransomware that can infect and spread rapidly through a number of computer networks. 

What Is WannaCry Ransomware?


WannaCry consists of multiple components and arrives on the target computer as a dropper: a self-contained program that extracts the other application components embedded within it. These components include an application that encrypts and decrypts data, files containing encryption keys, and a copy of Tor.

The program code is not obfuscated and is relatively easy for security professionals to analyze. Once launched, the ransomware attempts to access a hard-coded URL known as the kill switch. If it cannot reach that URL, it proceeds to search for and encrypt files in specific formats, such as Microsoft Office files or MP3 files, making them inaccessible to the user of the computer. The ransomware then displays a ransom notice demanding a specific amount of currency, usually Bitcoin (BTC), in order to decrypt and thus recover the files.

On Windows, the vulnerability that WannaCry exploits lies in Microsoft's implementation of the Server Message Block (SMB) protocol. SMB allows the nodes on a network to communicate, and Microsoft's implementation can be tricked, through specially crafted packets, into executing arbitrary code.
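The kill-switch lookup and the SMB traffic described above both leave network traces a defender can correlate. The following is an added example, not part of the original page: it labels hosts that resolve the kill-switch name and then open SMB connections to many distinct peers. The log format, the thresholds and the hostname `killswitch.example.invalid` are assumptions (the page does not give the real URL).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the page does not give the real kill-switch hostname.
KILL_SWITCH_HOST = "killswitch.example.invalid"
SMB_PORT = 445                 # TCP port SMB listens on
FANOUT_THRESHOLD = 5           # distinct SMB targets treated as scanning (assumed)
WINDOW = timedelta(minutes=5)  # watch period after the lookup (assumed)

# Constructed sample log in a hypothetical, time-ordered format:
#   "<ISO time> DNS <src> <name>"  or  "<ISO time> CONN <src> <dst> <port>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 DNS 10.0.0.5 KillSwitch.example.invalid.
2024-01-01T10:00:05 CONN 10.0.0.5 10.0.0.10 445
2024-01-01T10:00:06 CONN 10.0.0.5 10.0.0.11 445
2024-01-01T10:00:07 CONN 10.0.0.5 10.0.0.12 445
2024-01-01T10:00:08 CONN 10.0.0.5 10.0.0.13 445
2024-01-01T10:00:09 CONN 10.0.0.5 10.0.0.14 445
2024-01-01T10:00:09 CONN 10.0.0.5 10.0.0.14 443
2024-01-01T10:01:00 DNS 10.0.0.7 killswitch.example.invalid
2024-01-01T10:01:30 CONN 10.0.0.7 10.0.0.2 445
2024-01-01T10:02:00 CONN 10.0.0.9 10.0.0.10 445
this line is malformed and must be skipped
"""

def parse(line):
    """Return a (kind, time, src, value, port) record, or None for bad lines."""
    p = line.split()
    try:
        ts = datetime.fromisoformat(p[0])
        if p[1] == "DNS" and len(p) == 4:
            return ("DNS", ts, p[2], p[3].lower().rstrip("."), None)
        if p[1] == "CONN" and len(p) == 5:
            return ("CONN", ts, p[2], p[3], int(p[4]))
    except (IndexError, ValueError):
        pass
    return None

def triage(log_text):
    """Map each host that queried the kill switch to a triage label."""
    first_lookup, smb_targets = {}, defaultdict(set)
    for kind, ts, src, value, port in filter(None, map(parse, log_text.splitlines())):
        if kind == "DNS" and value == KILL_SWITCH_HOST:
            first_lookup.setdefault(src, ts)
        elif kind == "CONN" and port == SMB_PORT and src in first_lookup:
            if ts - first_lookup[src] <= WINDOW:
                smb_targets[src].add(value)
    return {src: "lookup+smb_fanout" if len(smb_targets[src]) >= FANOUT_THRESHOLD
            else "lookup_only" for src in first_lookup}
```

Hosts with SMB traffic but no kill-switch lookup, such as 10.0.0.9 in the sample, are deliberately left out so that ordinary file-share clients do not raise alerts.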

WannaCry is a prime example of what crypto ransomware can look like and how it can be used to extort money: it encrypts potentially valuable files and can even lock users out of their computers altogether. Any ransomware that uses encryption is called crypto ransomware. The type that specifically locks users out of the computer is called locker ransomware.