
{"id":3220,"date":"2017-05-16T00:00:00","date_gmt":"2017-05-16T00:00:00","guid":{"rendered":"http:\/\/otava.test\/breaking-down-the-wannacry-ransomware-attack\/"},"modified":"2025-05-28T20:44:27","modified_gmt":"2025-05-28T20:44:27","slug":"breaking-down-the-wannacry-ransomware-attack","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/","title":{"rendered":"Breaking down the WannaCry ransomware attack"},"content":{"rendered":"\n<p>Companies across the globe are still reeling and recovering from Friday&#8217;s <a href=\"https:\/\/www.cbsnews.com\/news\/cyberattack-hit-more-than-100000-groups-in-at-least-150-countries-europol-says\/\" target=\"_blank\" rel=\"noopener noreferrer\">global ransomware attack<\/a>, known as WannaCry, which took down tens of thousands of machines in 150 countries, including Britain&#8217;s National Health System. How and why did this happen?<\/p>\n\n\n\n<p>We&#8217;ve talked at length about <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/what-is-ransomware-and-how-do-you-protect-against-it\/\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware<\/a>&nbsp;and how it&#8217;s distributed, how it particularly <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/ransomware-facts-and-figures\/\" target=\"_blank\" rel=\"noopener noreferrer\">affects healthcare<\/a>,&nbsp;and the rise of <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/how-does-ransomware-as-a-service-work\/\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware as a service<\/a>. 
Friday&#8217;s attack was unusual in how quickly the infection spread, but it also reminded us of an age-old life lesson: It&#8217;s really important to keep your systems patched and up to date.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Prevention_is_the_best_cure\"><\/span>Prevention is the best cure<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The security world has been saying it for years, but now it has another true-to-life case in point: Update your machine when it tells you to. The attack on Friday took advantage of a zero-day vulnerability in all Microsoft systems before Windows 10. Microsoft had released a patch for it back in March (even issuing a rare patch for the now-unsupported Windows XP systems), but most people treat system updates the way they treat pre-cancer screenings: &#8220;I&#8217;m fine now, so why should I worry about it?&#8221;<\/p>\n\n\n\n<p>Well, just like you don&#8217;t want cancer when you&#8217;re older, you don&#8217;t want ransomware, either. Vendor-issued patches often address security vulnerabilities and keep your system better protected against ransomware and other malicious activity. For personal computers it&#8217;s a matter of dedicating the few minutes it takes to install the patch(es) and reboot. For enterprises, it&#8217;s a different story. Beyond the time it takes to install patches on potentially hundreds of machines, there are software compatibility and patch priority issues, which can turn a simple update into a much more complicated mess. 
It&#8217;s for these reasons that many enterprises are slow to patch their systems, and this unfortunately leaves them prime targets for malicious actors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_does_WannaCry_work\"><\/span>How does WannaCry work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>WannaCry (and now new variants) exploits a vulnerability in SMBv1 and SMBv2 on Windows. SMB, short for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Server_Message_Block\" target=\"_blank\" rel=\"noopener noreferrer\">Server Message Block<\/a>, is a networking component of Windows that&#8217;s mainly used for providing shared access to\u00a0files, printers and miscellaneous communications between nodes on a network. Security researchers believe that is how the infection has been able to spread so quickly&#8211;much more quickly than anticipated.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_ransom_payments_are_low\"><\/span>Why ransom payments are low<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>You might have noticed that while the WannaCry attack from Friday hit thousands and thousands of computers, the <a href=\"https:\/\/www.cnbc.com\/2017\/05\/15\/wannacry-ransomware-hackers-have-only-made-50000-worth-of-bitcoin.html\" target=\"_blank\" rel=\"noopener noreferrer\">total ransom collected so far<\/a> is less than $100,000. That&#8217;s pretty low by ransomware standards. There are a few reasons for this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The ransomware gave victims 72 hours before their payment doubled, and that time window has only just passed. Security researchers expect\u00a0more money to go to the Bitcoin wallets of the hackers, but for now it&#8217;s pretty low considering the scale of the attack.<\/li>\n\n\n\n<li>Despite Bitcoin&#8217;s growing popularity, most people don&#8217;t use it or know how to get it. 
Doing so takes some time, and determining how much to pay based on how many computers were infected will also take time.<\/li>\n\n\n\n<li>The hackers, by all accounts, seem to be pretty unsophisticated. The original ransom demand was $300, which is absurdly reasonable compared to the average payment of $1,000 or more. Then there&#8217;s the problem of WannaCry&#8217;s decryption process, or lack thereof. According to a blog post from cybersecurity firm <a href=\"https:\/\/blog.checkpoint.com\/2017\/05\/14\/wannacry-paid-time-off\/\" target=\"_blank\" rel=\"noopener noreferrer\">Check Point<\/a>, &#8220;WannaCry doesn&#8217;t seem to have a way of associating a payment to the person making it.&#8221; For now, victims just have to pay and wait. Most security researchers and governments have urged victims not to pay the ransom, and it appears that most victims haven&#8217;t&#8211;yet.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Whats_next\"><\/span>What&#8217;s next<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A security researcher going by the name Malware Tech <a href=\"https:\/\/www.wired.com\/2017\/05\/accidental-kill-switch-slowed-fridays-massive-ransomware-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">accidentally stumbled<\/a>&nbsp;upon a killswitch built into the malware, which stopped Friday&#8217;s infection from spreading. However, a new variant of the malware, known as <a href=\"https:\/\/heimdalsecurity.com\/blog\/security-alert-uiwix-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer\">Uiwix<\/a>, has already been released. This new variant is believed to no longer have the killswitch built in, which means the only way of stopping the new infection is to patch the SMB vulnerability in Windows. 
Microsoft&#8217;s guidance on WannaCry can be found <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>, along with <a href=\"https:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=KB4012598\" target=\"_blank\" rel=\"noopener noreferrer\">direct downloads<\/a> of the patch for each version of Windows with the SMB vulnerability. Be sure you&#8217;re also running a robust antivirus that can check for new malware strains as they appear.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48],"tags":[],"other_category":[],"class_list":["post-3220","post","type-post","status-publish","format-standard","hentry","category-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Breaking down the WannaCry ransomware attack | OTAVA<\/title>\n<meta name=\"description\" content=\"Wannacry ransomware took down tens of thousands of machines on Friday, so we break down what happened and how you can protect yourself moving forward.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Breaking down the WannaCry ransomware attack\" \/>\n<meta property=\"og:description\" content=\"Wannacry ransomware took down tens of thousands of machines on Friday, so we break down what happened and how you can protect yourself moving forward.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta 
property=\"article:published_time\" content=\"2017-05-16T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T20:44:27+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Breaking down the WannaCry ransomware attack\",\"datePublished\":\"2017-05-16T00:00:00+00:00\",\"dateModified\":\"2025-05-28T20:44:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\"},\"wordCount\":744,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\",\"url\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\",\"name\":\"Breaking down the WannaCry ransomware attack | 
OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2017-05-16T00:00:00+00:00\",\"dateModified\":\"2025-05-28T20:44:27+00:00\",\"description\":\"Wannacry ransomware took down tens of thousands of machines on Friday, so we break down what happened and how you can protect yourself moving forward.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/breaking-down-the-wannacry-ransomware-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Breaking down the WannaCry ransomware attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.ota
va.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->"}