Massive worldwide ransomware attack hits more than 200,000 victims, and climbing

New WannaCry ransomware tool Wanakiwi can save more people's data

equifax hack
Dmitry Tishchenko/123RF
On Friday, May 12, 2017, cybersecurity firm Avast reported on a massive ransomware attack that hit more than 75,000 victims in 99 countries and that had risen to over 126,000 in 104 countries by Saturday afternoon. While most of the targets were located in Russia, Ukraine, and Taiwan, other victims have been identified in Europe.

Most notably, Spanish telecommunications company Telefonica was a victim, as were hospitals across the United Kingdom. According to The Guardian, the U.K. attacks hit at least 16 National Health System (NHS) facilities and directly compromised the information technology (IT) systems that are used to ensure patient safety.


The WanaCryptOR, or WCry, ransomware is based on a vulnerability that was identified in the Windows Server Message Block protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates, reports Kaspersky Labs. The first version of WCry was identified in February and has since been translated into 28 different languages.

Microsoft has responded to the attack with its own Windows Security blog post, where it reinforced the message that currently supported Windows PCs running the latest security patches are safe from the malware. In addition, Windows Defenders had already been updated to provide real-time protection.

“On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”

The statement continued: “Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.”

Avast further speculated that the underlying exploit was stolen from the Equation Group, which has been suspected of being tied to the NSA, by a hacker group calling themselves ShadowBrokers. The exploit is known as ETERNALBLUE and named MS17-010 by Microsoft.

When the malware strikes, it changes the name of affected files to include a “.WNCRY” extension and adds a “WANACRY!” marker at the beginning of each file. It also places its ransom note into a text file on the victim’s machine:


Then, the ransomware displays its ransom message that demands between $300 and $600 in bitcoin currency and provides instructions on how to pay and then recover the encrypted files. The language in the ransom instructions is curiously casual and seems similar to what one might read in an offer to purchase a product online. In fact, users have three days to pay before the ransom is doubled and seven days to pay before the files will no longer be recoverable.


Interestingly, the attack was slowed or potentially halted by an “accidental hero” simply by registering a web domain that was hard-coded into the ransomware code. If that domain responded to a request from the malware, then it would stop infecting new systems — acting as a sort of “kill switch” that they cybercriminal could use to shut off the attack.

As The Guardian points out, researcher, known only as MalwareTech, registered the domain for $10.69 was unaware at the time of the kill switch, saying, “I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

MalwareTech registered the domain on behalf of his company, which tracks botnets, and at first, they were accused of initiating the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

That likely won’t be the end of the attack, however, as the attackers might be able to alter the code to omit the kill switch. The only real fix is to make sure that machines are fully patched and are running the right malware protection software. While Windows machines are the targets of this particular attack, MacOS has demonstrated its own vulnerability and so users of Apple’s OS should make sure to take the appropriate steps as well.

In much brighter news, it now appears that there is a new tool that can determine the encryption key used by the ransomware on some machines allow users to recover their data. The new tool, called Wanakiwi, is similar to another tool, Wannakey, but it offers a simpler interface and can potentially fix machines running more versions of Windows. As Ars Technica reports, Wanakiwi uses some tricks to recover the prime numbers used in creating the encryption key, basically by pulling those numbers from RAM if the infected machine remains turned on and the data has not already been overwritten. Wanawiki leverages some “shortcomings” in the Microsoft Cryptographic application programming interface that was used by WannaCry and various other applications to create encryption keys.

According to Benjamin Delpy, who helped develop Wanakiwi, the tool was tested against a number of machines with encrypted hard drives and it was successful in decryption several of them. Windows Server 2003 and Windows 7 were among the versions tested, and Delpy assumes Wanakiwi will work with other versions as well. As Delpy puts it, users can “just download Wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk. In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid.”

The downside is that neither Wanakiwi nor Wannakey works if the infected PC has been restarted or if the memory space holding the prime numbers has already been overwritten. So it is definitely a tool that should be downloaded and held at the ready. For some added peace of mind, it should be noted that security firm Comae Technologies assisted with developing and testing Wanakiwi and can verify its effectiveness.

You can download Wanakiwi here. Just decompress the application and run it, and note that Windows 10 will complain that the application is an unknown program and you will need to hit “More info” to allow it to run.

massive ransomware attack hits 75000 victims worldwide wanakiwi run instructions
Mark Coppock/Digital Trends
Mark Coppock/Digital Trends

Ransomware is one of the worst kinds of malware, in that it attacks our information and locks it away behind strong encryption unless we pay money to the attacker in return for a key to unlock it. There is something personal about ransomware that makes it different from random malware attacks that turn our PCs into faceless bots.

The single best way to protect against WCry is to make sure that your Windows PC is fully patched with the latest updates. If you have been following Microsoft’s Patch Tuesday schedule and running at least Windows Defender, then your machines should already be protected — although having an offline backup of your most important files that can’t be touched by such an attack is an important step to take. Going forward, it is the thousands of machine that have not yet been patched that will continue to suffer from this particular widespread attack.

Updated on 5-19-2017 by Mark Coppock: Added information on Wanakiwi tool.

Home Theater

Why are current smart TVs still dumb enough to be hacked?

Our smart TVs can stream on-demand music and movies, and even control our smart home devices. But these features come at a cost and many of us don't even know there's a risk. Can our smart TVs be hacked and what can we do about it?

Android vs. iOS: Which smartphone platform is the best?

If you’re trying to choose a new phone and you’re not sure about the merits and pitfalls of the leading smartphone operating systems, then come on in for a detailed breakdown as we pit Android vs. iOS in various categories.
Small Business

Norton vs McAfee: Which Antivirus software is best for your small business?

Effective antivirus software is essential within a small business environment. With Norton and McAfee the biggest names in the business, we take a look at what's best for your company.

Use one of these password managers to help protect yourself online

The internet can be a scary place, especially if you don't have a proper password manager. This guide will show you the best password managers you can get right now, including both premium and free options.
Small Business

These apps will take your small business to the next level

There are a few apps you need to keep things running when you're on the go or in the office. Here are our picks for the best apps for small businesses to keep your money in check, promotions on point, and your time accounted for.

5G's arrival is transforming tech. Here's everything you need to know to keep up

It has been years in the making, but 5G is finally becoming a reality. While 5G coverage is still extremely limited, expect to see it expand in 2019. Not sure what 5G even is? Here's everything you need to know.
Smart Home

These are the best security camera systems to guard your small business

Security cameras can help small businesses but not all systems are created equally though, and each has its benefits and its drawbacks. We’ve rounded up the best security cameras for small businesses in 2019.

5 of the best antivirus solutions for your small business

Getting your business off the ground is hard enough, and dealing with viruses, hackers, and security breaches only makes it harder. These 5 antivirus solutions can help keep you protected.

Boost your company's productivity with the best tablets for small businesses

Tablets and convertible laptops are increasingly popular with small companies. The ability to carry a lightweight tablet to and from the office and hook it up to a keyboard or even a monitor, gives entrepreneurs the flexibility they seek.

When customers don't carry cash, mobile card readers help small companies thrive

Small businesses that market directly to customers benefit from having a point of sale system ready for clients who don't carry cash. Card readers should support swipe, the newer chip standard, and various smartphone-based wallets.
Social Media

These 3 social media management tools will get your small businesses noticed

Social media is a great way to spread the word about your business, connect with customers and network. Here are the best social media management tools for small businesses to help you schedule posts, track engagement, and much more.

Amazon drops Pre-Prime Day discount on Brother black and white office printer

There are a lot of high-speed printers out in the market. A good option would be Brother's HL-L5100DN. This monochrome printer is normally sold for $200, but Amazon has cut 16% off the price, bringing its cost down to $168.

Need a computer for your small business? These are the desktop PCs to consider

Whether you need a powerful PC to work done or an elegant system for your customer-facing operation, we've selected some of the best desktops for your small business. From $500 to $5,000, these PCs will help you stay productive.