Massive worldwide ransomware attack hits more than 200,000 victims, and climbing

New WannaCry ransomware tool Wanakiwi can save more people's data

equifax hack
Dmitry Tishchenko/123RF
On Friday, May 12, 2017, cybersecurity firm Avast reported on a massive ransomware attack that hit more than 75,000 victims in 99 countries and that had risen to over 126,000 in 104 countries by Saturday afternoon. While most of the targets were located in Russia, Ukraine, and Taiwan, other victims have been identified in Europe.

Most notably, Spanish telecommunications company Telefonica was a victim, as were hospitals across the United Kingdom. According to The Guardian, the U.K. attacks hit at least 16 National Health System (NHS) facilities and directly compromised the information technology (IT) systems that are used to ensure patient safety.


The WanaCryptOR, or WCry, ransomware is based on a vulnerability that was identified in the Windows Server Message Block protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates, reports Kaspersky Labs. The first version of WCry was identified in February and has since been translated into 28 different languages.

Microsoft has responded to the attack with its own Windows Security blog post, where it reinforced the message that currently supported Windows PCs running the latest security patches are safe from the malware. In addition, Windows Defenders had already been updated to provide real-time protection.

“On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”

The statement continued: “Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.”

Avast further speculated that the underlying exploit was stolen from the Equation Group, which has been suspected of being tied to the NSA, by a hacker group calling themselves ShadowBrokers. The exploit is known as ETERNALBLUE and named MS17-010 by Microsoft.

When the malware strikes, it changes the name of affected files to include a “.WNCRY” extension and adds a “WANACRY!” marker at the beginning of each file. It also places its ransom note into a text file on the victim’s machine:


Then, the ransomware displays its ransom message that demands between $300 and $600 in bitcoin currency and provides instructions on how to pay and then recover the encrypted files. The language in the ransom instructions is curiously casual and seems similar to what one might read in an offer to purchase a product online. In fact, users have three days to pay before the ransom is doubled and seven days to pay before the files will no longer be recoverable.


Interestingly, the attack was slowed or potentially halted by an “accidental hero” simply by registering a web domain that was hard-coded into the ransomware code. If that domain responded to a request from the malware, then it would stop infecting new systems — acting as a sort of “kill switch” that they cybercriminal could use to shut off the attack.

As The Guardian points out, researcher, known only as MalwareTech, registered the domain for $10.69 was unaware at the time of the kill switch, saying, “I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

MalwareTech registered the domain on behalf of his company, which tracks botnets, and at first, they were accused of initiating the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

That likely won’t be the end of the attack, however, as the attackers might be able to alter the code to omit the kill switch. The only real fix is to make sure that machines are fully patched and are running the right malware protection software. While Windows machines are the targets of this particular attack, MacOS has demonstrated its own vulnerability and so users of Apple’s OS should make sure to take the appropriate steps as well.

In much brighter news, it now appears that there is a new tool that can determine the encryption key used by the ransomware on some machines allow users to recover their data. The new tool, called Wanakiwi, is similar to another tool, Wannakey, but it offers a simpler interface and can potentially fix machines running more versions of Windows. As Ars Technica reports, Wanakiwi uses some tricks to recover the prime numbers used in creating the encryption key, basically by pulling those numbers from RAM if the infected machine remains turned on and the data has not already been overwritten. Wanawiki leverages some “shortcomings” in the Microsoft Cryptographic application programming interface that was used by WannaCry and various other applications to create encryption keys.

According to Benjamin Delpy, who helped develop Wanakiwi, the tool was tested against a number of machines with encrypted hard drives and it was successful in decryption several of them. Windows Server 2003 and Windows 7 were among the versions tested, and Delpy assumes Wanakiwi will work with other versions as well. As Delpy puts it, users can “just download Wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk. In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid.”

The downside is that neither Wanakiwi nor Wannakey works if the infected PC has been restarted or if the memory space holding the prime numbers has already been overwritten. So it is definitely a tool that should be downloaded and held at the ready. For some added peace of mind, it should be noted that security firm Comae Technologies assisted with developing and testing Wanakiwi and can verify its effectiveness.

You can download Wanakiwi here. Just decompress the application and run it, and note that Windows 10 will complain that the application is an unknown program and you will need to hit “More info” to allow it to run.

massive ransomware attack hits 75000 victims worldwide wanakiwi run instructions
Mark Coppock/Digital Trends
Mark Coppock/Digital Trends

Ransomware is one of the worst kinds of malware, in that it attacks our information and locks it away behind strong encryption unless we pay money to the attacker in return for a key to unlock it. There is something personal about ransomware that makes it different from random malware attacks that turn our PCs into faceless bots.

The single best way to protect against WCry is to make sure that your Windows PC is fully patched with the latest updates. If you have been following Microsoft’s Patch Tuesday schedule and running at least Windows Defender, then your machines should already be protected — although having an offline backup of your most important files that can’t be touched by such an attack is an important step to take. Going forward, it is the thousands of machine that have not yet been patched that will continue to suffer from this particular widespread attack.

Updated on 5-19-2017 by Mark Coppock: Added information on Wanakiwi tool.


Instagram tool accidentally exposes user passwords. Were you affected?

Instagram's Download Your Data tool accidentally exposed the passwords of a small number of users. Here is the explanation on what happened, and how to find out which Instagram accounts were compromised.

Problems with installing or updating Windows 10? Here's how to fix them

Upgrading to the newest version of Windows 10 is usually a breeze, but sometimes you run into issues. Never fear though, our guide will help you isolate the issue at hand and solve it in a timely manner.

Windows Update not working after October 2018 patch? Here’s how to fix it

Windows update not working? It's a more common problem than you might think. Fortunately, there are a few steps you can take to troubleshoot it and in this guide we'll break them down for you, step by step.

Recover your beloved data with these great software tools

The best data recovery software isn't always free, but whether you've lost files on a hard drive, SD card, or even physical media like CDs and DVDs, there's a chance they'll be able to get that data back.

Google confirms it will add Android support for foldable displays

It's already clear a few smartphones of 2019 will be foldable, and Google is embracing the trend. The company announced its adding Android support for foldable devices, which will allow apps to work seamlessly with the new form factor.

Rugged Cat phones look to crack U.S. market through new deal with Sprint

The biggest name in rugged smartphones is launching a new device in the U.S. with Sprint. The Cat S48c is a tough, but affordable phone that can handle drops, water, dust, and extreme temperatures.

Bosch, Daimler team up to deploy autonomous Mercedes-Benz S-Classes in San Jose

In 1986, when Bosch and Daimler joined an autonomous car research project, the technology seemed overly futuristic. Now, the partners are aiming to make a production self-driving car by the early 2020s.
Home Theater

Comcast wants you to take control of your smart home through your TV

Comcast is looking to take on Google and Amazon as the center of your smart home. The company is reportedly testing a program that would allow broadband-only customers to turn their TVs into smart home hubs.

Bags with brains: Smart luggage and gadgets are making travel smoother

The bag you use to tote your stuff can affect the experience of any trip. In response, suitcases are wising up, and there are now options for smart luggage with scales, tracking, and more. Here are our favorite pieces.
Movies & TV

Disney+ streaming service gets a new name, logo, and more confirmed content

Disney is bringing the full weight of its massive content library to its own streaming service in 2019. How will Disney+ compare to Netflix, Hulu, and Amazon Prime? Here's what we know so far.

Apple to boost its Amazon presence with listings for iPhones, iPads, and more

Apple is about to start offering more of its kit on Amazon. The tech giant currently only has very limited listings on the shopping site, but the deal will see the arrival of the latest iPhones, iPads, MacBooks, and more.

Autonomous cars could lead to sex on wheels, study shows

Fully autonomous cars can change the way we commute, but they can also have a far-reaching impact on the tourism industry. Two researchers published a study that outlines how self-driving technology could create a new dimension in tourism.

Netflix is testing a cheap mobile-only subscription tier in some markets

Netflix is trying to reach potential subscribers in emerging markets. To that end, the company has begun rolling out a cheaper, mobile-only subscription tier, which comes at around $4 per month -- half the price of the Basic subscription…
Smart Home

Huawei could soon take on Google and Amazon with a new digital assistant

According to a report from CNBC, Huawei is working on a new digital assistant that could try to take on the likes of Google and Amazon's Alexa. Huawei already has a digital assistant in China, but the new one will be aimed at markets…