WannaCry is a ransomware attack that has infected more than 200,000 computers in over 150 countries since Friday, May 12th, 2017. Spear phishing emails may be the malware’s means of distribution, but as yet, no one has been able to confirm this. The program uses the EternalBlue exploit and it will attempt to spread to other computers on the same network as the infected computer.
What does WannaCry do?
WannaCry encrypts files on the infected computer to render them unusable. It attacks a wide array of commonly used file types, meaning it can encrypt most or even all files on the system. It then displays a prompt informing the user what has happened and allows them to decrypt some of their files, but only offers to decrypt all files for $300 worth of bitcoins. It threatens to double the price if the user does not pay within three days and to delete the encrypted files altogether if the user does not pay within seven days. As of this exact moment, no one has discovered alternate means of decrypting WannaCry-affected files.
Why does this matter?
WannaCry essentially shuts down a computer’s functionality when it encrypts the computer’s files, and unfortunately, removing the ransomware program isn’t enough to restore those files. Numerous organizations, including banks, hospitals, and government agencies, have ground to a halt as a result of this ransomware. Because the program attempts to infect all computers it finds on a particular network, the final cost of an infection can be astronomical.
Marcus Hutchins, an ethical hacker in the United Kingdom who runs the blog MalwareTech, discovered that the program stops its execution if it successfully pings a specific domain name that previously did not exist. The most likely reason for this is to avoid analysis in a sandbox environment, where the computer can ping any domain successfully including this one that the program assumes does not exist. Marcus registered the domain name with a sinkhole server which is stopping some executions of the ransomware. However, it is still easy for the developers of WannaCry to work around this fix, and vulnerable systems are still at risk. Yikes.
How can this be prevented?
Microsoft actually released a fix for the vulnerability for their supported systems on March 14th 2017, two months before the recent attack took place. Since the attack, Microsoft has also pushed out an update for some of their operating systems that they no longer support, including Windows XP, Windows 8, and Windows Server 2003. WannaCry-infected systems were vulnerable because they had either been running unsupported versions of Windows or they had not applied system updates in the last two months.
Additionally, regular system backups are lifesavers for this kind of attack. Ransomware causes its damage by encrypting and deleting files, so restoring a system to a previous state will undo this. That said, WannaCry does specifically include backup files in its list of targetss, so keeping backups on an external drive is a good additional safety measure for this case.
Another good step is to use an anti-malware program such as Emsisoft or MalwareBytes. These programs have free versions which can be used to remove WannaCry from a computer (though, as mentioned, this does not automatically restore the encrypted files). If you pay for premium versions of these programs, they offer real time protection and can detect and stop ransomware before it even attacks.
Want to chat about how you can enhance your data security, backup, and disaster prevention? Give us a call.