The WannaCry Ransomware Attack

Cyber-criminals get more aggressive year after year. While infecting your computer with a traditional virus is still on their radar, there has been a rising trend in a type of malware that is even more damaging: ransomware. Just as it sounds, ransomware holds your system, and all of its contents, hostage by encrypting your files and demanding payment for the key. Rebooting does not undo the encryption, and paying does not guarantee that the files come back.

What is the WannaCry Ransomware Attack

While ransomware is on the rise, the biggest worldwide hit to date was the WannaCry ransomware attack. It began on Friday, May 12, 2017 and targeted computers running Microsoft Windows, encrypting their data and demanding a ransom payment in bitcoin, a cryptocurrency.

WannaCry is technically a network worm, because of the "transport" mechanism it uses to spread itself automatically. The worm scans for reachable systems with the SMB service (TCP port 445) exposed. It then uses a network infection vector called EternalBlue, an exploit for the SMBv1 vulnerability that Microsoft patched as MS17-010 (CVE-2017-0144), to gain code execution on the target. The exploit installs DoublePulsar, a kernel-mode backdoor implant (if DoublePulsar is already present from an earlier compromise, the worm simply uses it instead of exploiting again). DoublePulsar is then used to transfer and run the WannaCry package on the new victim, which encrypts that machine's files and immediately starts scanning and spreading from there.

How the WannaCry Virus Spread

Microsoft Windows users were specifically affected by WannaCry because the attack exploited a vulnerability in Microsoft's implementation of version 1 of the Server Message Block (SMB) protocol. That, together with evidence pointing to initial infections through SMB port 445 exposed directly to the internet, is why WannaCry was concluded not to have been delivered by email phishing, as originally thought. Instead, the worm scanned random internet addresses for an open port 445 and, once it had a foothold inside an organisation, continued to spread laterally to other unpatched computers on the same network.

Who Was Affected by WannaCry

Because of the Microsoft-targeted nature of the attack, the most exposed users were those running older, unsupported versions of Windows (for example Windows XP and Windows Server 2003), which had received no patch before the outbreak. It is important to note, though, that almost all of the victims were running Windows 7: a supported system for which Microsoft had published the fix (MS17-010) two months earlier, in March 2017, but on which many organisations had not yet installed it.

Within a day (May 13, 2017), it was reported that more than 250,000 computers in over 150 countries had been infected with WannaCry. Along with individual users, a series of large organisations worldwide were hit, including parts of Britain's National Health Service, Spain's Telefónica, FedEx, Renault, Nissan, and Deutsche Bahn.

As of May 25, 2017, a total of 302 payments, totaling $126,742.48, had been transferred to the attackers' bitcoin wallets by victims trying to recover files encrypted by the ransomware.

Response to the WannaCry Virus

Shortly after the outbreak, a researcher known as MalwareTech noticed a kill switch in the malware's code: before doing anything else, the worm tried to connect to a specific, unregistered domain name and, if the connection succeeded, stopped executing. He registered the domain on May 12, 2017, the same day the attack began, which greatly slowed the spread of WannaCry, keeping it to about 300,000 computers in over 150 countries as of May 15, 2017. Microsoft, which had already patched supported versions of Windows in March (MS17-010), released emergency patches within a day of the outbreak for the unsupported Windows XP, Windows 8 and Windows Server 2003 as well. By May 16, 2017, the rate of transmission had dropped sharply, as security experts reported that most companies and organisations had applied the updates. Two caveats apply. The kill switch only prevented new infections; it did not decrypt machines that had already been hit. And it only worked where the worm could reach the domain directly: the check did not honour system proxy settings, so on networks where the internet was reachable only through a proxy the connection failed and the worm kept spreading.
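Defenders at the time hunted the kill switch from the other side: a machine that looked up the kill-switch domain had executed the worm, because nothing legitimate has a reason to resolve that name. The PowerShell script below, an added example and not code from the original article or from the WannaCry analysis it summarises, runs that check over DNS query log lines. The log lines and their one-query-per-line format are constructed for the example, and `killswitch.example` is a placeholder for the real domain, which this page does not name; substitute the domain from the published analysis and the log format of your own DNS server.

```powershell
# Added example (not from the original article): find hosts that looked up the
# WannaCry kill-switch domain in a DNS query log.
#
# Assumptions: $KillSwitchDomain is a placeholder, not the real domain; the log
# format "<date> <time> <client-ip> <queried-name>" and the lines below are
# constructed for this example.

$KillSwitchDomain = 'killswitch.example'

$SampleDnsLog = @'
2017-05-12 14:02:11 10.1.4.22 update.microsoft.com
2017-05-12 14:02:13 10.1.4.22 killswitch.example
2017-05-12 14:02:13 10.1.4.22 www.killswitch.example
2017-05-12 14:05:40 10.1.7.9 intranet.corp.local
2017-05-12 14:06:02 10.1.9.31 www.killswitch.example
2017-05-12 14:06:59 10.1.4.22 killswitch.example
'@

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $Domain = $KillSwitchDomain
    )
    # One log line: "<date> <time> <client-ip> <queried-name>"
    $pattern = '^(?<ts>\S+ \S+)\s+(?<client>\S+)\s+(?<name>\S+)\s*$'
    $domain  = $Domain.ToLowerInvariant()

    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $name = $Matches['name'].TrimEnd('.').ToLowerInvariant()
            # Match the apex and any subdomain: the worm asked for the www. host.
            if ($name -eq $domain -or $name.EndsWith(".$domain")) {
                [pscustomobject]@{
                    Timestamp = $Matches['ts']
                    Client    = $Matches['client']
                    Name      = $name
                }
            }
        }
    }

    # Collapse to one row per client: when it was first seen and how often it asked.
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            Lookups   = $_.Count
        }
    } | Sort-Object FirstSeen
}

# On the constructed log this lists 10.1.4.22 (3 lookups) and 10.1.9.31 (1 lookup);
# 10.1.7.9 never asked for the domain and is not reported.
Find-KillSwitchLookups -LogLines ($SampleDnsLog -split "`r?`n") | Format-Table -AutoSize
```

A hit identifies a host on which the worm ran, whether or not the kill switch stopped it there. If that host could not reach the domain (for example because it only had proxied internet access) the ransomware payload most likely ran as well. Either way the machine was exploited over SMB and needs patching and investigation, not just a successful kill-switch lookup.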

Are Users Still At Risk?

New versions of the malware have since been reported, some with different kill-switch domains and some with no kill switch at all, so the original domain registration offers no protection against them. Experts work to stay ahead of such variants, but there is always a risk that someone will modify the malware enough to start something unexpected. The underlying fix is the same regardless of variant: a machine that has MS17-010 installed, or has SMBv1 disabled, cannot be infected over the network by any of them.

How to Protect Yourself from Ransomware

The best protection is to keep your operating system and applications up to date (for WannaCry specifically, that means installing MS17-010, disabling the obsolete SMBv1 protocol, and blocking inbound TCP port 445 from the internet), to back up your files to the cloud or to a drive that is not left connected to your computer, to run antivirus software, and never to open attachments in email from someone you do not know. To spot and avoid potentially malicious files, enable the "show file extensions" option in Windows and be wary of extensions such as ".exe", ".vbs" and ".scr". Finally, if you ever find a problem, immediately disconnect the system from the network, whether wired or Wi-Fi, so that a worm cannot spread from it to other machines.
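The Windows-specific part of that advice can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from the original article or from Microsoft: it reports whether the host has the MS17-010 fix, whether SMBv1 is still enabled and whether port 445 is listening, then disables SMBv1, blocks inbound SMB on public networks and turns on file-extension display. The hotfix IDs are an assumption not stated on this page (KB4012212 and KB4012215 are the March 2017 packages that carried MS17-010 for Windows 7 SP1 and Server 2008 R2); other Windows versions received the fix under other KB numbers, so extend the list for the systems you manage.

```powershell
# Added example (not from the original article): audit a Windows host for the
# exposure WannaCry used and apply the fixes the text describes.
# Run from an elevated PowerShell prompt on the machine you want to check.
#
# Assumption: the KB numbers below are the March 2017 MS17-010 packages for
# Windows 7 SP1 / Server 2008 R2 (security-only and monthly rollup). Add the
# matching KB numbers for any other Windows versions you run.
#Requires -RunAsAdministrator

$Ms17010Hotfixes = @('KB4012212', 'KB4012215')
$LanmanParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbExposure {
    # Report the settings that decide whether this host can be hit over the network.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Ms17010Hotfixes -contains $_.HotFixID }

    # The SmbShare cmdlets exist on Windows 8 / Server 2012 and later. Windows 7 and
    # Server 2008 R2 use the LanmanServer "SMB1" registry value instead; when that
    # value is absent, SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $smb1 = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $smb1) -or ($smb1.SMB1 -ne 0)
    }

    # netstat exists on every Windows version; a LISTENING socket on 445 means the
    # host accepts SMB connections from whoever can reach it.
    $listening = [bool](netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING')

    [pscustomobject]@{
        Ms17010Installed = [bool]$installed
        Smb1Enabled      = $smb1Enabled
        Port445Listening = $listening
    }
}

function Disable-Smb1 {
    # Turn off SMBv1 on the server side; SMBv2/3 keep file sharing working.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry route for Windows 7 / Server 2008 R2; takes effect after a restart.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmbOnPublicNetworks {
    # Drop inbound SMB while the machine is on an untrusted (Public profile) network;
    # domain and private profiles keep their existing rules so office file shares still work.
    $name = 'Block inbound SMB (TCP 445) on public networks'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Profile Public -Action Block | Out-Null
        }
    } else {
        # Windows 7 has no NetSecurity module; netsh does the same job.
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445 profile=public | Out-Null
    }
}

function Show-FileExtensions {
    # Make Explorer display extensions so "invoice.pdf.exe" is not shown as "invoice.pdf".
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name HideFileExt -Type DWord -Value 0
}

$before = Get-SmbExposure
if ($before.Smb1Enabled)           { Disable-Smb1 }
if (-not $before.Ms17010Installed) { Write-Warning 'MS17-010 not found: install the current cumulative update before putting this host back on the network.' }
Block-InboundSmbOnPublicNetworks
Show-FileExtensions
Get-SmbExposure | Format-List
```

Disabling SMBv1 is safe for almost every modern environment, but check first for anything that still depends on it (very old NAS devices, printers and scanners that write to shares, and Windows XP era machines are the usual culprits), because those will lose access to file shares once it is off. The patch check is a convenience, not a guarantee: cumulative updates released after March 2017 supersede the listed KBs and Get-HotFix will show those newer IDs instead, so a host that is fully up to date may still be reported as not having MS17-010 until you add the current KB numbers to the list.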

If you’d ever like help protecting your system or company from cyber threats, security breaches, or data compromise, including backing up your files on the cloud, give Integracon a call. Our multi-tiered approach to security can greatly enhance your existing security program, infrastructure, and personnel, all while relieving the burden of information and compliance on your part.

Stay tuned as we continue to cover ransomware topics, or check out our other blogs on ransomware.