It started on the morning of Friday, May 12th, 2017. The media went wild: “World’s computers under attack from the deadly ‘WannaCry Ransomware Crypto Worm.’” Headlines and talking heads screamed, “British hospitals turn away the sick and injured. India’s banking system shuts down. Spain’s telephone system in tatters, a hundred and fifty countries and hundreds of thousands of computers infected, America is next victim.” The “WannaCry” hysteria conjured images of Godzilla wading ashore at Battery Park in New York City. Speculation as to who was to blame included Russia, China, North Korea and Donald Trump. One wag suggested that the source must be North Korea because the first three words of the North Korean National Anthem are “we wanna cry.” Then suddenly the media went silent. At first we assumed that they must have succumbed to the attack, but by Wednesday it became apparent that the WannaCry threat had been vastly overdramatized by the press. It was a wimpy third-rate malware attack that fizzled.
Outside of humiliating the press, the only other major impact was Microsoft’s opportunity to chastise Windows 7 PC users who had shut off the automatic update feature in Windows to stop Microsoft from bombarding their PCs with “security updates” that really had nothing to do with security. Microsoft had released a security patch in March that plugged the hole in Windows 7 used by WannaCry.
WannaCry did very little damage and infected an infinitesimal percentage of the world’s PCs. The ransom actually paid to the perpetrators has been estimated at around $200,000, the amount needed to buy about 1.5 seconds of commercial time at the 2017 Super Bowl.
This virus was only capable of infecting XP PCs and Win 7 computers that had not updated in the last few months. In addition, the attack was stopped in its early hours by a stroke of bad luck (for the hackers). For reasons too lengthy to explain here, the hackers had set up a “kill switch” so that they could stop “WannaCry” from spreading. This was accomplished by having the virus “call home” when it found a potential host. The virus was instructed to abort the infection if it made contact with “home” but continue the infection if it could not make contact with “home.” “Home” was an intentionally unregistered domain, so it could not be contacted and the virus would continue infecting and spreading. In the event that the hackers wanted to stop the spread of the virus, they would simply register the “home” domain. A technician working with MalwareTech on Friday afternoon noticed the unregistered domain in the virus code and registered it to see what it was. That immediately stopped the spread of “WannaCry.” By the time the hackers recoded “WannaCry,” potential victims had been able to take defensive measures. WannaCry was dead.
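The "call home" check described above leaves a trace a defender can triage. The following is an added example, not code from the original article: it reads resolver log lines and flags every host that looked up the kill-switch domain. The domain name, the log format and the sample lines are constructed placeholders, and a successful DNS answer is used as a stand-in for "made contact with home".

```python
import re
from collections import defaultdict

# Placeholder: the article does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log (hypothetical format): time client qname rcode
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.0.4.17 killswitch-placeholder.example NXDOMAIN
2017-05-12T09:14:05Z 10.0.4.22 www.example.com NOERROR
2017-05-12T15:40:11Z 10.0.4.31 killswitch-placeholder.example NOERROR
2017-05-12T15:41:50Z 10.0.4.17 KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
not a log line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: (verdict, first_failed_lookup_time_or_None)}.

    Any host that asked for the domain was running the check, so every
    hit deserves a look. A failed lookup is the worse case: "home" was
    unreachable, so by the logic above the infection carried on.
    """
    domain = domain.lower().rstrip(".")
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of failing
        ts, client, qname, rcode = m.groups()
        # DNS names are case-insensitive and may carry a trailing dot.
        if qname.lower().rstrip(".") == domain:
            lookups[client].append((ts, rcode))
    verdicts = {}
    for client, hits in lookups.items():
        failed = [ts for ts, rcode in hits if rcode != "NOERROR"]
        if failed:
            verdicts[client] = ("ISOLATE", failed[0])
        else:
            verdicts[client] = ("INVESTIGATE", None)
    return verdicts

if __name__ == "__main__":
    for host, (verdict, when) in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict, when or "")
```

One consequence of the same logic: a resolver or filter that blocks the kill-switch domain makes the lookup fail, which is the "continue" branch, so the domain has to stay reachable from inside the network for the kill switch to do its job.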
Interestingly, the Windows vulnerability that provided entry for this attack was in the SMB (Server Message Block) protocol, which had been a part of Windows for over 20 years. Our own National Security Agency (Defense Dept) had discovered this vulnerability at some time in the past and had used it for their purposes until it was leaked earlier this year. Obviously, the NSA never told Microsoft about this useful vulnerability.