The WannaCry Virus: What It Is and How to Remove It

This ransomware worm holds Windows computers hostage

A conceptual illustration of the WannaCry virus destroying a laptop.

Don't cry: If you've installed Microsoft Windows updates, you're considered safe from an attack by the infamous WannaCry virus. But if you haven't been vigilant, you might need to worry.

A variant of WannaCry is known as WannaCrypt.

WannaCry affects Windows computers, specifically Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.

What Is the WannaCry Virus?

This ransomware exploits vulnerabilities in the Microsoft Windows Server Message Block (SMB) protocol. SMB is the protocol computers on a network use to share files and printers, and WannaCry took advantage of security flaws in it to spread from machine to machine. Victims of WannaCry couldn't open their files unless they paid a $300 ransom in Bitcoin.

What makes this ransomware more interesting than others is the widely held suspicion that the U.S. National Security Agency discovered the vulnerability in 2017 and tried to exploit it with code called EternalBlue months before the virus went rogue. EternalBlue was then apparently stolen by hackers, who released it on Medium, a popular blogging website, and WannaCry laced with EternalBlue began to wreak havoc on unsuspecting computer users. In fact, Microsoft angrily slammed the U.S. government for supposedly creating a dangerous situation that potentially impacted millions of Windows users, even though the company had already released updates to patch the flaw.

Later, American and British governments proclaimed that North Korea was the source of the virus.

How Does the WannaCry Virus Work?

WannaCry infects computers through a dropper, a kind of Trojan that installs key components to a targeted system:

  • An application to encrypt and decrypt data
  • Files holding the encryption keys
  • A copy of Tor

Once launched, WannaCry attempts to access a specific URL. If it can't reach that URL for any reason, it searches for and encrypts files in all kinds of formats, making them inaccessible to the user. After that, it displays the ransom notice, demanding payment in Bitcoin in return for decrypting the files.

Never pay the ransom! It won't actually remove the virus and it doesn't decrypt your files, either. The only thing it will do is let the hackers know you are susceptible to blackmail and coercive threats.

How Do I Know I Have the WannaCry Virus?

Typical signs of infection include a PC that runs slower than usual or the inability to access files. The virus is busy encrypting files, which takes a lot of time and system resources. You'll also see an increase in the number of files suddenly renamed on your network, excessive SMB activity on TCP port 445 on Windows Servers, and an increase in SMBv1 connection attempts.

Other indications include the file name extensions .WNCRY or .WNRY appended to your files, as well as files including but not limited to these on your system:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • m.vbs
  • msg\m_english.wnry

The biggest tip-off, however, is a large pop-up window that appears on your screen and says something to the effect of "Ooops, your files have been encrypted!" and then goes on to demand a Bitcoin payment within a certain timeframe.
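The indicators listed in this section can be checked automatically. The following added example (not code from the original article) scans a constructed file listing for the dropped file names and the .WNCRY/.WNRY extensions, and scans constructed firewall log lines for a single host reaching many peers on TCP port 445, which is what the SMB spreading described above looks like on the network. The log line format and the sample IP addresses are assumptions.

```python
import re

# Indicators quoted in the article: extensions WannaCry appends and files it drops.
WANNACRY_EXTENSIONS = {".wncry", ".wnry"}
WANNACRY_DROPPED_FILES = {
    "00000000.eky", "00000000.pky", "00000000.res", "274901494632976.bat",
    "@please_read_me@.txt", "@wanadecryptor@.bmp", "@wanadecryptor@.exe",
    "m.vbs", "m_english.wnry",
}

# Constructed sample inputs (not real captures): a file listing and firewall log lines.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\@Please_Read_Me@.txt",
    r"C:\ProgramData\wc\msg\m_english.wnry",
    r"C:\ProgramData\wc\00000000.pky",
]
SAMPLE_LOG = [
    "2017-05-12T10:01:03 src=10.0.0.5 dst=10.0.0.%d dport=445 proto=tcp" % i
    for i in range(20, 28)  # one host sweeping eight peers on port 445
] + [
    "2017-05-12T10:02:10 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp",  # normal file-share use
    "2017-05-12T10:02:11 src=10.0.0.9 dst=10.0.0.2 dport=443 proto=tcp",
]
LOG_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_file_indicators(paths):
    """Return the paths whose file name or extension matches a known WannaCry artifact."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if name in WANNACRY_DROPPED_FILES or ext in WANNACRY_EXTENSIONS:
            hits.append(p)
    return hits


def smb_sweepers(log_lines, threshold=5):
    """Map each source that reached at least `threshold` distinct hosts on TCP 445
    to the number of hosts it touched; a worm spreading over SMB shows up this way."""
    targets = {}
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("dport") == "445":
            targets.setdefault(m.group("src"), set()).add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("file indicators:", find_file_indicators(SAMPLE_PATHS))
    print("hosts sweeping port 445:", smb_sweepers(SAMPLE_LOG))
```

A real deployment would feed it a directory walk and exported firewall or netflow records instead of the constructed samples.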

How Did I Get This Virus?

The virus typically attacks computers in organizations, but individuals can contract it through email scams or links to malicious websites. You can also be infected by clicking on nefarious pop-up ads and banners or by downloading software from sites that aren't safe.

How Do I Get Rid of WannaCry?

While you might never get back any files that were encrypted by the virus, there are ways to find and eradicate it from your computer.

  1. The most effective approach is to use antivirus software along with a malware removal tool to guarantee the virus is completely gone. This process can take up to several hours but it's worth the time and effort to get your system back.

  2. You can use System Restore to return to an earlier point on your computer before you picked up the WannaCry virus, but this probably won't decrypt any impacted files. Be sure to choose a time period where you know you didn't already have the ransomware on your computer.

  3. You can also choose to reformat your computer's hard drive to guarantee you've deleted the WannaCry virus. This method isn't easy and you really need to be sure you know what you're doing before you start since all the files and applications on your system will be erased.

How Can I Avoid Getting the WannaCry Virus Again?

There are several key ways to avoid contracting a virus but for this specific ransomware, the most important step is to ensure your computer or server is always updated with Microsoft's security patches.

In Windows, most patches, fixes, and hotfixes are made available via Windows Update. Microsoft typically releases their security-related patches once per month on Patch Tuesday. If you've been avoiding these updates, it's time to bite the bullet and install them.

Next, always use antivirus software and keep it updated. Be sure to select the option to remove PUPs (potentially unwanted programs) so that tiny malicious files don't slip by unnoticed when you download software.

From there, follow smart online safety practices: Don't open suspicious attachments, files or links; never download software from a site you're not sure of; and don't download illegal software.