Massive worldwide ransomware attack hits more than 200,000 victims, and climbing

New WannaCry ransomware tool Wanakiwi can save more people's data

On Friday, May 12, 2017, cybersecurity firm Avast reported on a massive ransomware attack that hit more than 75,000 victims in 99 countries and that had risen to over 126,000 in 104 countries by Saturday afternoon. While most of the targets were located in Russia, Ukraine, and Taiwan, other victims have been identified in Europe.

Most notably, Spanish telecommunications company Telefonica was a victim, as were hospitals across the United Kingdom. According to The Guardian, the U.K. attacks hit at least 16 National Health System (NHS) facilities and directly compromised the information technology (IT) systems that are used to ensure patient safety.


The WanaCrypt0r, or WCry, ransomware exploits a vulnerability that was identified in the Windows Server Message Block protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates, reports Kaspersky Labs. The first version of WCry was identified in February and has since been translated into 28 different languages.

Microsoft has responded to the attack with its own Windows Security blog post, where it reinforced the message that currently supported Windows PCs running the latest security patches are safe from the malware. In addition, Windows Defender had already been updated to provide real-time protection.

“On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”

The statement continued: “Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.”

Avast further speculated that the underlying exploit was stolen from the Equation Group, which has been suspected of being tied to the NSA, by a hacker group calling themselves ShadowBrokers. The exploit is known as ETERNALBLUE, and Microsoft's fix for the vulnerability it targets is MS17-010.

When the malware strikes, it changes the name of affected files to include a “.WNCRY” extension and adds a “WANACRY!” marker at the beginning of each file. It also places its ransom note into a text file on the victim’s machine.
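The two file indicators described above can be used to scope the damage on a disk or file share. The following triage script is an added example, not code from the article or from any vendor tool; the function names and the sample files are constructed for illustration, and only the extension and marker come from the article.

```python
import os
from pathlib import Path

MARKER = b"WANACRY!"   # marker the article says is written at the start of each file
EXTENSION = ".wncry"   # extension the article says is added (matched case-insensitively)

def classify(path):
    """Return which of the two indicators a file matches, or None."""
    has_ext = path.suffix.lower() == EXTENSION
    try:
        with path.open("rb") as fh:
            has_marker = fh.read(len(MARKER)) == MARKER
    except OSError:
        has_marker = False  # locked or unreadable: fall back to the name alone
    if has_ext and has_marker:
        return "extension+marker"
    if has_marker:
        return "marker-only"      # marked content under another name
    if has_ext:
        return "extension-only"   # name matches, content does not
    return None

def scan(root):
    """Walk root and group relative paths of matching files by verdict."""
    root = Path(root)
    findings = {"extension+marker": [], "marker-only": [], "extension-only": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            verdict = classify(path)
            if verdict:
                findings[verdict].append(path.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_tree(root):
    """Create constructed sample files (not real malware output) under root."""
    samples = {
        "docs/report.docx.WNCRY": MARKER + b"\x00" * 32,
        "docs/renamed.bak": MARKER + b"\x01" * 32,
        "docs/notes.wncry": b"plain text with a suspicious name",
        "docs/clean.txt": b"untouched file",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for verdict, paths in scan(tmp).items():
            print(verdict, paths)
```

Checking the marker as well as the name catches files that were renamed after the fact and avoids counting files that merely carry the extension.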


Then, the ransomware displays its ransom message that demands between $300 and $600 in bitcoin currency and provides instructions on how to pay and then recover the encrypted files. The language in the ransom instructions is curiously casual and seems similar to what one might read in an offer to purchase a product online. In fact, users have three days to pay before the ransom is doubled and seven days to pay before the files will no longer be recoverable.


Interestingly, the attack was slowed or potentially halted by an “accidental hero” simply by registering a web domain that was hard-coded into the ransomware code. If that domain responded to a request from the malware, then it would stop infecting new systems — acting as a sort of “kill switch” that the cybercriminals could use to shut off the attack.

As The Guardian points out, the researcher who registered the domain for $10.69, known only as MalwareTech, was unaware of the kill switch at the time, saying, “I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

MalwareTech registered the domain on behalf of his company, which tracks botnets, and at first, they were accused of initiating the attack. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian.

That likely won’t be the end of the attack, however, as the attackers might be able to alter the code to omit the kill switch. The only real fix is to make sure that machines are fully patched and are running the right malware protection software. While Windows machines are the targets of this particular attack, MacOS has demonstrated its own vulnerability and so users of Apple’s OS should make sure to take the appropriate steps as well.

In much brighter news, it now appears that there is a new tool that can determine the encryption key used by the ransomware on some machines, allowing users to recover their data. The new tool, called Wanakiwi, is similar to another tool, Wannakey, but it offers a simpler interface and can potentially fix machines running more versions of Windows. As Ars Technica reports, Wanakiwi uses some tricks to recover the prime numbers used in creating the encryption key, basically by pulling those numbers from RAM if the infected machine remains turned on and the data has not already been overwritten. Wanakiwi leverages some “shortcomings” in the Microsoft Cryptographic application programming interface that was used by WannaCry and various other applications to create encryption keys.

According to Benjamin Delpy, who helped develop Wanakiwi, the tool was tested against a number of machines with encrypted hard drives and it was successful in decrypting several of them. Windows Server 2003 and Windows 7 were among the versions tested, and Delpy assumes Wanakiwi will work with other versions as well. As Delpy puts it, users can “just download Wanakiwi, and if the key can be constructed again, it extracts it, reconstructs it (a good one), and starts decryption of all files on the disk. In bonus, the key I obtain can be used with the malware decryptor to make it decrypt files like if you paid.”

The downside is that neither Wanakiwi nor Wannakey works if the infected PC has been restarted or if the memory space holding the prime numbers has already been overwritten. So it is definitely a tool that should be downloaded and held at the ready. For some added peace of mind, it should be noted that security firm Comae Technologies assisted with developing and testing Wanakiwi and can verify its effectiveness.
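Why a prime left in RAM is enough to rebuild the key, and why a reboot or overwritten memory ends that chance, can be shown with a toy RSA key. This is an added example, not Wanakiwi's or Wannakey's code; the primes, the public exponent, the little-endian layout and the memory images are all constructed assumptions.

```python
# Constructed toy key; real RSA primes are far larger than these.
P = 2**61 - 1        # Mersenne prime, fits in 8 bytes
Q = 2**89 - 1        # Mersenne prime
N = P * Q            # public modulus: the one value the victim still has
E = 65537            # public exponent (assumed)
PRIME_LEN = 8        # bytes P occupies in the toy memory image

FILLER = bytes(range(256))
# Constructed "process memory": the prime was left behind after key generation
# (little-endian layout is an assumption of this example).
LIVE_MEMORY = FILLER + P.to_bytes(PRIME_LEN, "little") + FILLER
# The same region after a reboot or reuse: the prime bytes are gone.
OVERWRITTEN_MEMORY = FILLER + bytes(PRIME_LEN) + FILLER

SECRET = int.from_bytes(b"file key", "big")   # constructed plaintext, < N
CIPHERTEXT = pow(SECRET, E, N)                # what the public key produced

def find_prime_factor(memory, n, prime_len):
    """Slide a window over memory; return a value that divides n, or None."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None

def rebuild_private_exponent(p, n, e=E):
    """With one prime known, the rest of the private key follows."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def recover_and_decrypt(memory, n, ciphertext, prime_len=PRIME_LEN):
    """Return the plaintext integer, or None if no prime survives in memory."""
    p = find_prime_factor(memory, n, prime_len)
    if p is None:
        return None
    return pow(ciphertext, rebuild_private_exponent(p, n), n)

if __name__ == "__main__":
    print(recover_and_decrypt(LIVE_MEMORY, N, CIPHERTEXT) == SECRET)
    print(recover_and_decrypt(OVERWRITTEN_MEMORY, N, CIPHERTEXT))
```

The divisibility test against the public modulus is what makes the search reliable: only a genuine prime factor passes it, so stray bytes in memory cannot produce a wrong key.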

You can download Wanakiwi here. Just decompress the application and run it, and note that Windows 10 will complain that the application is an unknown program and you will need to hit “More info” to allow it to run.


Ransomware is one of the worst kinds of malware, in that it attacks our information and locks it away behind strong encryption unless we pay money to the attacker in return for a key to unlock it. There is something personal about ransomware that makes it different from random malware attacks that turn our PCs into faceless bots.

The single best way to protect against WCry is to make sure that your Windows PC is fully patched with the latest updates. If you have been following Microsoft’s Patch Tuesday schedule and running at least Windows Defender, then your machines should already be protected — although having an offline backup of your most important files that can’t be touched by such an attack is an important step to take. Going forward, it is the thousands of machines that have not yet been patched that will continue to suffer from this particular widespread attack.

Updated on 5-19-2017 by Mark Coppock: Added information on Wanakiwi tool.

