WannaCry: a Ransomware or Ransomworm?

May 17, 2017

Earlier this month, we saw a massive ransomware campaign that affected tens of thousands of businesses and organizations in over 100 countries around the world. And, just like every other ransomware attack, it encrypted the machines of its victims, demanding an initial ransom of $300 in Bitcoin and more than double that amount after the initial 72 hours had passed.

The unprecedented attack, which began on Friday, May 12th, was unique in that it enabled the vulnerability to spread rapidly and infect other machines, becoming the largest worldwide cyber extortion scheme in history.

Ransomware or Ransomworm?

Ransomware works in the following way: it scans each victim’s computer for interesting files and encrypts them, making them essentially meaningless. It has come to light that the vulnerability is connected to the latest NSA (U.S. National Security Agency) dump and is actually part of its homegrown exploits. It appears that WannaCry is implementing a version of the notorious EternalBlue exploit, which exploits a vulnerability (CVE-2017-0144) in Microsoft’s Server Message Block (SMB) protocol.

As a worm, it scans the internet for publicly available machines that qualify for exploitation using the EternalBlue exploit. When such machines are found, the malware tries to infect them with the exploit as well. This means that instead of triggering a limited attack, affecting only the infected machine (and its network drives if available), a single infected machine can potentially infect thousands of other machines, creating a massive infection loop that knows no boundaries.

For example, let’s say that each infected machine infects only 10 other exploitable machines and that each of those machines infects only 10 other exploitable machines and so on. After just 5 rounds and a few seconds – we can end up with thousands of infected machines!

Now, imagine you’re part of an organization where one machine is infected. In a ‘normal’ ransomware attack, the machine and all of its connected network drives would also become infected.

However, if the same organization were to be infected with WannaCry, the machine and its drives would also become infected, along with the other machines in the organization and their drives.

The reason the WannaCry attack was eventually contained is that the authors built in a “kill-switch” to prevent an endless infection loop from occurring.

The logic is quite simple: upon infection, the malware tries to connect to a domain online. If the connection fails, the infection process begins. If it succeeds, the malware stops all activity.

When the campaign started last weekend, @MalwareTech, a security researcher, analyzed the malicious sample and noticed it tried to access a certain domain. Looking into that domain, he discovered that it was not, in fact, an active domain so he decided to buy the domain and sinkhole it, meaning he would activate it but arrange for it to send empty responses. This action, in fact, prevented thousands of infections and sent researchers on the hunt for further kill-switches to prevent further waves of infection-loops.
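A defender-side view of the two behaviours described above (internet-wide SMB scanning and the kill-switch lookup), as an added example that is not part of the original article: it flags hosts from DNS and network-flow logs. The domain is a placeholder because the article does not name it, and the log records, internal range and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder: the article does not name the kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"
INTERNAL = ip_network("10.0.0.0/8")                        # assumed internal address space
SMB_PORT, FANOUT_THRESHOLD, WINDOW_SECONDS = 445, 5, 60    # assumed tuning values

# Constructed sample records (timestamp, source, ...), not real telemetry.
DNS_LOG = [
    (100, "10.0.0.5", "killswitch-placeholder.example"),
    (101, "10.0.0.7", "www.example.org"),
    (400, "10.0.0.9", "KILLSWITCH-PLACEHOLDER.example."),
]
FLOW_LOG = (
    [(110 + i, "10.0.0.5", f"198.51.100.{i + 1}", 445) for i in range(8)]       # fast scan
    + [(120, "10.0.0.7", "10.0.0.20", 445)]                                     # internal share
    + [(130 + i, "10.0.0.7", f"203.0.113.{i + 1}", 443) for i in range(8)]      # web traffic
    + [(100 + 200 * i, "10.0.0.9", f"192.0.2.{i + 1}", 445) for i in range(6)]  # slow, spread out
)

def kill_switch_lookups(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Hosts that queried the kill-switch domain, i.e. where the sample likely ran."""
    want = domain.lower().rstrip(".")
    return {src for _, src, name in dns_log if name.lower().rstrip(".") == want}

def smb_fanout(flow_log):
    """Hosts reaching FANOUT_THRESHOLD+ distinct external IPs on TCP/445 in one window."""
    per_host = defaultdict(list)
    for ts, src, dst, port in flow_log:
        if port == SMB_PORT and ip_address(dst) not in INTERNAL:
            per_host[src].append((ts, dst))
    flagged = set()
    for src, events in per_host.items():
        events.sort()
        for start, _ in events:
            window = {d for t, d in events if 0 <= t - start < WINDOW_SECONDS}
            if len(window) >= FANOUT_THRESHOLD:
                flagged.add(src)
                break
    return flagged

def triage(dns_log, flow_log):
    ks, fan = kill_switch_lookups(dns_log), smb_fanout(flow_log)
    return {h: {"kill_switch_lookup": h in ks, "smb_fanout": h in fan}
            for h in sorted(ks | fan)}

if __name__ == "__main__":
    print(triage(DNS_LOG, FLOW_LOG))
```

A host with a kill-switch lookup but no SMB fan-out is consistent with the sample running and then stopping; a host showing both signals should be isolated first.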


Microsoft issued a Windows security patch, MS17-010, to resolve the SMB protocol vulnerability before the attack. However, WannaCry hit organizations that did not install this critical patch or ran systems that had reached end-of-life (like Windows XP).

In addition, machines that were publicly available on the internet and had not applied this patch were left at risk of being infected by unknown machines which had been infected and were spreading the campaign.

Even with this patch applied, users who accidentally opened an attachment or clicked on a link leading to a malicious file soon found that their computers had been infected.

Fortunately, using our Advanced CDR solution, any attachments can be carefully examined and essentially “re-built” from scratch, eliminating any nonstandard attributes, values, and objects without requiring any signature, thus rendering this attack vector useless.

Advanced CDR technology

CDR or Content Disarm and Reconstruction is designed to be a solution to this problem, along with many other security threats that hackers can take advantage of. CDR involves disarming potential exploits by dissecting files (like Microsoft Word or Adobe PDF) and performing a thorough analysis of them. The system is able to determine the modifications made to a file, whether it was written with a specific design in mind, whether the files need to be patched, etc. Once analyzed and vetted for proper form and safety, the file is reconstructed and passed onto the system, keeping all functionality intact, while disarming any malicious, suspicious or potentially harmful content.

With Votiro’s Advanced CDR technology, the solution moves away from detection, with a focus on prevention. Instead of tracking down problems and retroactively solving them, Advanced CDR puts the onus on files to “prove” that the code is proper—and, without that proof, CDR simply blocks the file, giving it no opportunity to cause the type of chaos that resulted from the exploit.

While we don’t know exactly how the vulnerability was carried out – security firms haven’t connected all the dots yet – it may soon come to light that malicious files such as Word or PDF documents put these companies at a major risk – but for companies that have a CDR system in place, it won’t make a difference how widespread the vulnerability is; they’ll be able to sleep at night, knowing their data is safe and secure.