WannaCry Ransomware – Slowed Down but Still Dangerous
Rumours of the death of WannaCry are greatly exaggerated — unfortunately. An early version of what law enforcement has called the biggest ransomware attack in history came to an abrupt halt early in its career, largely by luck. Other variants of it are still spreading.
WannaCry is a new type of ransomware. It makes files unreadable by encrypting them, and then it demands a Bitcoin payment to restore them. It gets its name from the WCRY extension, which it applies to encrypted files. The encryption method it uses is very strong, so it’s impractical to reverse it without the key.
The most prevalent version of it when it appeared on May 12 had a kind of kill switch. It checked for the existence of an Internet domain and went dormant if it found it. A researcher noticed this domain while analysing the code and registered it out of curiosity; this had the effect of shutting down that version of WannaCry. Other versions don’t have that kill switch, and even the version that does still runs on computers that reach the Internet only through a proxy server, because its domain check fails there and the malware proceeds as if the domain did not exist.
The Scope of the Attack
The US government has reported that more than 300,000 computers have been affected. So far the worst damage has fallen on Russian systems. Britain’s National Health Service was seriously hit, and many procedures were postponed or cancelled because of the unavailability of computer services.
This malware spreads rapidly because it operates as a “worm,” propagating itself directly from computer to computer over the Internet and even more rapidly on local networks. No one has to receive phishing email or click on a malicious link.
Its spread has slowed down some, since halting the first version gave people time to patch their systems and improve their firewalls, but it could pick up speed again or shift its distribution at any time.
How it Works
WannaCry is based on code stolen from the National Security Agency, which had discovered a vulnerability but didn’t report it. The flaw is in version 1 of Microsoft’s SMB (server message block) network file sharing protocol. Microsoft had independently found the flaw and patched it in March for currently supported versions of Windows.
Many systems didn’t install the patch, and the older Windows XP, which Microsoft no longer supports, didn’t have a patch. XP is still popular in many places. Since WannaCry’s appearance, Microsoft has issued a special security update for XP.
Infected computers not only encrypt files and post a demand for payment but also attempt to spread the malware. They scan for other computers within their LAN, and then for random IP addresses on the Internet. Once any computer in a LAN is hit, the whole network can quickly fall victim.
Methods of Defence
An important defence against any form of ransomware is a backup. All important files should be backed up offline so that the malware can’t scramble the backup along with the primary files. If there’s an up-to-date backup, then it’s only necessary to remove the ransomware, prevent re-infection, and restore the files.
For protection against WannaCry and many other forms of malware, it’s essential to install all security patches that have been released. Owners of XP systems need to get and install the new patch, even though they may have fallen out of the habit of expecting patches.
Upgrading from XP to a currently supported version of Windows is really a good idea. Yes, it was a great operating system in its time, but its risks are too great now.
There’s usually no reason to allow SMB access over the public Internet. Security experts recommend blocking SMB ports 139 and 445 in the firewall, along with UDP ports 137 and 138.
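The worm behaviour described under How it Works, combined with the SMB ports listed above, gives a defender something concrete to watch for: a single host opening SMB connections to many distinct peers within a short time, some of them outside the LAN. The following Python script is an added example and not code from the original article; it runs that check over constructed sample flow-log lines, and the log format, the 10.0.0.0/8 LAN range, the 60-second window and the threshold of five targets are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow-log lines (not from the article): time src dst proto dport
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.7 TCP 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 TCP 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.9 TCP 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.10 TCP 139
2017-05-12T10:00:04 10.0.0.5 10.0.0.11 TCP 445
2017-05-12T10:00:05 10.0.0.5 203.0.113.9 TCP 445
2017-05-12T10:00:06 10.0.0.5 198.51.100.23 TCP 445
2017-05-12T10:00:07 10.0.0.6 10.0.0.20 TCP 445
2017-05-12T10:00:08 10.0.0.6 10.0.0.20 TCP 443
2017-05-12T10:05:00 10.0.0.5 10.0.0.30 TCP 445
"""

SMB_PORTS = {139, 445}               # TCP ports the article says to block at the perimeter
LAN = ip_network("10.0.0.0/8")       # assumed internal range for this example
WINDOW_SECONDS = 60                  # assumed sliding window for counting fan-out
FANOUT_THRESHOLD = 5                 # assumed distinct SMB targets per source that alerts

def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, ip_address(dst), proto, int(dport)

def find_smb_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that reached >= threshold distinct hosts on SMB ports within one window."""
    events = defaultdict(list)                 # src -> [(time, dst)] for SMB ports only
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, dport = parse_line(line)
        if proto == "TCP" and dport in SMB_PORTS:
            events[src].append((ts, dst))
    alerts = {}
    for src, conns in events.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):          # slide the window start so span <= window
            while (conns[end][0] - conns[start][0]).total_seconds() > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= threshold and len(targets) > alerts.get(src, {}).get("targets", 0):
                alerts[src] = {"targets": len(targets),              # peak fan-out seen
                               "internet": sum(1 for d in targets if d not in LAN)}
    return alerts

if __name__ == "__main__":
    for src, info in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} SMB targets in {WINDOW_SECONDS}s, {info['internet']} outside LAN")
```

Connections on port 443 and the single SMB contact from 10.0.0.6 are ignored, while 10.0.0.5 is reported for seven distinct SMB targets in one minute, two of them Internet addresses.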
Paying the ransomware fee should be a last resort. It helps to finance the attacks, and there’s no guarantee of getting your files back.
Ransomware is a steadily growing risk, and WannaCry just emphasises the well-established trend. System managers need to stay constantly up to date on the latest risks.