WannaCry, which spanned more than 150 countries, leveraged some of the leaked NSA tools. In May, the ransomware targeted businesses running outdated Windows software and locked down computer systems.
The hackers behind WannaCry demanded money to unlock files. More than 300,000 machines were hit across numerous industries, including health care and car companies.
Why WannaCry ransomware took down so many businesses? – running “legacy software,” or old, outdated technology that no longer receives software updates
The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code.
Even if a PC has been successfully infected, WannaCry won’t necessarily begin encrypting files. That’s because, as noted above, it first tries to access a very long, gibberish URL before going to work. If it can access that domain, WannaCry shuts itself down. It’s not entirely clear what the purpose of this functionality is. Some researchers believed this was supposed to be a means for the malware’s creators to pull the plug on the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult.
Ironically, the patch needed to prevent WannaCry infections was actually available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to prevent infection via EternalBlue. However, despite the fact that Microsoft had flagged the patch as critical, many systems were still unpatched as of May of 2017 when WannaCry began its rapid spread.