Lessons Learned from the WCry Ransomware Attack

The following post is by guest blogger and Cengage author Dr. Mark Ciampa.

Over the past few days a malicious attack has shut down computers around the world. However, the quick actions by a security researcher prevented it from becoming a major catastrophe.

This global attack distributed one of the fastest-growing types of malware known as ransomware. Ransomware prevents a user’s device from properly and fully functioning until a fee is paid. The ransomware embeds itself onto the computer in such a way that it cannot be bypassed, and even rebooting causes the ransomware to launch again.

Ransomware continues to be a serious threat to users. One recent report estimated that $1 billion was paid in ransom in one year, yet only 42 percent of those who paid the ransom could then retrieve their data. Enterprises are also prime targets. A recent survey revealed that almost half of all enterprises have been a victim of a ransomware attack. Several recent well-publicized ransomware attacks demanding higher ransoms were against:

  • Hollywood Presbyterian Medical Center ($17,000)
  • Los Angeles Valley College ($28,000)
  • San Francisco’s Municipal Transportation Agency ($73,000).


An ever more malicious form of ransomware has recently appeared. Instead of just blocking the user from accessing the computer, this ransomware encrypts all the files on the device so that none of them could be opened. This is called crypto-malware. A screen appears telling the victim that his files are now encrypted and a fee must be paid in order to receive a key to unlock them. In addition, threat actors increased the urgency for payment: the cost for the key to unlock the crypto-malware increases every few hours or a number of the encrypted user files are deleted every few hours, with the number continually increasing. And if the ransom is not paid promptly (often within 36 to 96 hours) the key can never be retrieved.

On Friday (May 12 2017) a new strain of crypto-malware ransomware suddenly appeared around the world, locking up computers at banks, hospitals, telecommunications services, transportation agencies, as well as user’s personal computers. The malware, known as Wanna, Wannacry, or Wcry, initially infected at least 75,000 computers in at least 74 countries. Russia was the victim of the highest number of attacks by a wide margin, followed by Ukraine, India, and Taiwan. Ransomware infections also spread through the United States. The Wcry ransom is $300 and users had 3 days to pay before it doubled to $600. If they did not pay in one week then the ransomware threatened to delete the files altogether.


There were two elements that made this attack unique. First, the ransomware was written with ransom demands in over two dozen languages, so it clearly was intended to be a global attack. Second, the ransomware exploited a vulnerability called “EternalBlue”, first uncovered by the National Security Agency (NSA) which was using it as part of its own arsenal in attacking and spying on other nations This EternalBlue code was stolen from the NSA and leaked to the world last month by a group calling itself Shadow Brokers. The Wcry ransomware copied virtually verbatim large sections of EternalBlue.

In the initial hours of the attack wide-spread concern quickly grew that this would cripple computers around the world and become a major cybersecurity attack. However, just a quickly as it started it suddenly died down. What happened?

How Was This Attack Taken Down?

A British security researcher who was following the initial attack received a sample of the malware code and quickly analyzed it. He saw that the malware contacted an attacker’s command and control (C&C) server that was based on an unregistered domain. As part of the normal protocol of security researchers who try to limit attacks, he promptly registered the domain so that now he controlled it and not the attackers. As it turned out, this was a major stroke of luck. The attackers who wrote the code included an instruction to try to circumvent it from being analyzed. Wcry ransomware attempted to connect to the specific domain used by the attackers: if the connection is NOT successful the ransomware leaps into action and locks up the computer, but if it IS successful the malware exits. By registering the domain and taking control of it this British security researcher saved the day: all instances of Wcry did connect to the domain (after it was registered) and thus did nothing.

This significantly crippled WCry. As of the first of this week (May 15 2017) only 263 payments have been made to the three Bitcoin wallets linked to the code in the malware earning the attackers only $71,000. This is a far cry from what could have happened.

So what are the lessons learned?

As with many attacks, WCry’s initial success was based on an oft-repeated user mistake: not keeping their computers patched. The vulnerability in Windows that was exploited by WCry (Apple computers are not impacted) was actually patched back on March 14. Had users patched their computers, Wcry could not have spread as it did. Microsoft also took the unprecedented step of creating a patch for the Windows 8, Windows XP, and Windows Server 2003 operating systems, even though those software versions are no longer supported.

Apply the Patch Now

It appears that there are some variations of WCry still circulating without the “kill switch,” so vigilence is still the word. If you have a Windows 10 computer you can apply the patch here.  and if you have an older Windows verion you can apply the patch here

To read the technical details of the attack you can go here.

To read about the attack from information written by the British researcher go to the Ars Technica site here.

Stay secure!

Dr. Mark Ciampa is an Associate Professor of Information Systems in the Gordon Ford College of Business at Western Kentucky University in Bowling Green, Kentucky.  Prior to this he was an Associate Professor and served as the Director of Academic Computing at Volunteer State Community College in Gallatin, Tennessee for 20 years. Mark has worked in the IT industry as a computer consultant for the U.S. Postal Service, the Tennessee Municipal Technical Advisory Service, and the University of Tennessee.  He has published 17 articles in peer-reviewed journals and is also the author of over 23 technology textbooks, including Security+ Guide to Network Security Fundamentals 5ed, CWNA Guide to Wireless LANs 2ed, Guide to Wireless Communications, Security Awareness: Applying Practical Security In Your World 5ed, and Networking BASICS. Dr. Ciampa holds a PhD in technology management with a specialization in digital communication systems from Indiana State University and also has certifications in Security+ and HIT.