About “WannaCry”


What is WannaCry?

WannaCry is a ransomware attack that can self-propagate, using exploits from the April Shadow Brokers dump of NSA hacking tools. The attack began on Friday, May 12th and spread rapidly through Europe and the rest of the world. Most reports indicate it has infected at least 200,000 computers to date.

All information in italics below is from the website Tom’s Guide, which has two concise posts about the ransomware attack.

Has WannaCry been stopped?

Amazingly, the initial WannaCry outbreak ended by accident on Friday. While he analyzed the ransomware's code, a 22-year-old information-security professional in England who goes by the pseudonym MalwareTech noticed a web address in the code.

Following standard procedure, he investigated the address and discovered that no one had registered it. Once he set up a server at that address, he noticed that the WannaCry samples he and other researchers were analyzing suddenly stopped infecting machines. It turns out that the domain name functioned as a kill-switch, which may have been designed to stop detection of WannaCry by researchers using "sandboxed" virtual machines.

Is WannaCry coming back?

It almost certainly will. Several new variants and copycats have already been spotted. One used a different web address as a kill switch, and was quickly shut down; another had no kill switch, but had a faulty payload that failed to encrypt any files. But other variants will not repeat those mistakes.

Is WannaCry going to attack my computer?

It certainly will try. We've yet to see accounts of WannaCry hitting home Windows machines, and the lack of such reports indicates that the malware may have an easier time infecting workplace computer networks that are more likely than home machines to have the Microsoft SMB file-sharing protocol open to the internet. But that doesn't mean home machines aren't being infected, and it would be easy for cybercriminals to repurpose the ransomware so that it attacked machines via phishing emails or corrupted websites.

What can you do to prevent infection by WannaCry?

The most important thing you can do is install the system updates marked as important in Windows Update. To do so, open the start menu, type "windows update" into the text prompt, and select Windows Update from the results. Then, follow the on-screen instructions to install updates.

As mentioned above, Microsoft has also released patches for Windows XP and Windows 8, but it's possible that Windows Update on those machines may not have access to the patches. If so, you can download the patches manually using the links at the bottom of this Microsoft security advisory.

More That You Can Do (From RoundTable)

  1. Have a good backup system for your important information and test it regularly. Backups are always your last and most critical line of defense against ransomware.
  2. Keep systems up-to-date with current patches. In this case, especially Microsoft Windows systems.
  3. Use a firewall with UTM (Unified Threat Management). Most firewalls with active UTM subscriptions can protect against WannaCry.
  4. Maintain up-to-date antivirus (especially on Windows systems). Most antivirus products can protect against WannaCry if they are up-to-date.
  5. Educate your staff about phishing to decrease the chance of them clicking on untrusted links and/or opening untrusted attachments.
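
For administrators who want to verify item 2 and the SMB exposure described earlier on a given Windows machine, the following PowerShell audit is an added example, not code from Tom's Guide or RoundTable. It assumes Windows 8 / Server 2012 or later and an elevated session; the 30-day patch-age threshold and the variable names are assumptions to adjust to your own policy.

```powershell
# Added example: local audit of patch recency and inbound SMB (TCP 445) exposure.
# Assumption: updates older than this many days count as "stale".
$MaxPatchAgeDays = 30

# 1. Patch recency: date of the most recently installed update.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$patchAge = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { $null }

# 2. Is anything on this machine listening for SMB on TCP 445?
$smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
    -ErrorAction SilentlyContinue)

# 3. Is the Windows firewall on for the Public profile (untrusted networks)?
$publicFwOn = [bool](Get-NetFirewallProfile -Name Public).Enabled

# 4. Enabled inbound "allow" rules that apply to the Public profile and
#    name TCP 445 explicitly. Port ranges and 'Any' are not expanded here.
$exposedRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')
    }

# Collect findings; an empty list means none of these checks raised a concern.
$findings = @()
if ($null -eq $patchAge) {
    $findings += 'No installed updates with a recorded install date were found.'
} elseif ($patchAge -gt $MaxPatchAgeDays) {
    $findings += "Last update was installed $patchAge days ago; run Windows Update."
}
if ($smbListening -and -not $publicFwOn) {
    $findings += 'SMB is listening and the Public firewall profile is disabled.'
}
if ($smbListening -and $exposedRules) {
    $names = ($exposedRules | ForEach-Object DisplayName) -join '; '
    $findings += "SMB is allowed inbound on the Public profile by: $names"
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    LastUpdate       = if ($lastFix) { $lastFix.InstalledOn } else { $null }
    SmbListening     = $smbListening
    PublicFirewallOn = $publicFwOn
    Findings         = $findings
} | Format-List
```

This only reports the local machine's state; whether TCP 445 is reachable from the internet also depends on the perimeter firewall or router in front of it.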

Contact RoundTable if you want more support