WCry: The Virus that Shook the World

Written by Anne Shephard

WCry (WannaCry, WannaDecrypt etc.) was a virus designed to hijack your computer and capture your files, forcing you to pay a ransom to regain them. There are many ‘ransomware’ viruses like WCry but what made this particular virus so nasty was its capability to spread incredibly quickly, which led to it infecting upwards of 100,000 computers in over 90 countries from May the 12^th to the 15^th last year. So, what exactly happened? And how can you protect your business from such a threat?

Initial Outbreak

The US Government National Security Agency (NSA) discovered a loophole in the Microsoft Windows system. This vulnerability (MS17-010) remained unnoticed until the hacking group ‘Shadow Brokers’ managed to obtain information on it and released the hole to the web under the name ‘EternalBlue’. Microsoft responded to this release in March 2017 with a security patch that seemed to fix the issue.

However, on the 12^th of May, the WCry virus first appeared. Most accurately termed as a ‘ransomware cryptoworm’, the WCry virus utilised the ‘EternalBlue’ fault to rapidly gain forced entry onto a quickly growing number of computers, as many users had not installed (or ran old computers that could not install) Microsoft’s security patch.

If the virus found a computer, it could gain access to that machine through this exploit without any misaction on the part of that computer’s user and, once the virus had infected that computer, it would immediately scan the computer’s network for further machines to infect. This meant that, if left alone, the virus would spread at an incredible rate across networks with little issue.

Running its Course

After infecting a computer, the ransomware scans that PC for its target file types, before then converting those files into an undecipherable language (encryption); the files then become unobtainable without the decryption key, which reverts the files.

After encryption users are notified of what has happened by the program. It then leaves information on how to obtain the decryption key, for a significant price, and then deletes itself, leaving no evidence or program to analyse for a fix.

Microsoft issued emergency patches, even for Windows XP computers, which were the most vulnerable as Microsoft no longer supports them. In addition, an emergency stop mechanism within the virus was found and, once utilised, shut down the virus and prevented it from spreading. These two factors together stopped any further spread of the ransomware but did not stop the operation of the virus on machines already infected.

Preventing Reoccurrence

As the EternalBlue vulnerability has been patched, the chances of WCry returning in this exact form is minuscule, but ransomware remains an issue. To avoid this virus, ensure you backup your files regularly. If you can roll back your data to a day before infection, it will cost you time but nowhere near as much as if you’re caught by the virus without any preparation. In addition, keeping your operating system up-to-date is imperative to prevent a minor crack from evolving into a major issue and, lastly, disable macros and Adobe Flash player on your machine, as viruses can often slip through masquerading as either.

Although WCry is no longer an issue, new threats will always evolve. As a business, it’s imperative for data security and customer protection that you stay on top of these threats. Significant computer issues cost a lot of money and manpower to make right. But develop the right habits (such as backing up your data), browse responsibly, and keep an eye on and prepare for new threats, and your business should weather issues without fault.