If you woke up on May 12 and turned on your computer, only to face a notice that your data was being held for ransom, you are not alone. You and many more like you have fallen victim to the WannaCry virus, a cyberattack by a ransomware cryptoworm that specifically targeted users of Microsoft Windows operating systems. The attack encrypted both data and graphics files and demanded a ransom of various amounts payable in Bitcoin cryptocurrency. Ignoring the demand for payment, the message warned, would result in a permanent freezing of all the affected files in a user’s system.
Within a day of the attack being released, more than 230,000 computers in more than 150 countries had been affected. Those whose systems were attacked included such prominent organizations as FedEx, Deutsche Bahn, Spain’s Telefónica, and parts of Great Britain’s National Health Service (NHS), in addition to many companies and organizations in many other countries.
The WannaCry program works in the same manner as most modern ransomware. It finds and encrypts different types of data files, most commonly documents and graphics, then displays a ransom note informing the user and demanding a payment in bitcoin. This virus is considered a network worm because it also includes a “transport” mechanism that spreads it automatically. This code scans for vulnerable systems, then uses EternalBlue to gain access to them, and finally uses DoublePulsar to install and execute a copy of itself.
Interestingly, the WannaCry virus works using EternalBlue, which exploits a flaw in the Windows Server Message Block (SMB) protocol and is what propagates the virus. Further, the vulnerability was not only discovered prior to the attacks, but the discovery was initially made by the National Security Agency, which not only found the vulnerability but also learned how to use it for its own offensive purposes. Another coincidence was that a 22-year-old web security researcher named Marcus Hutchins, in North Devon in England, accidentally discovered the kill switch for the virus while he was researching it.
Stopping The Spread
These coincidences effectively halted the spread of the virus by May 15, but additional versions of the virus were discovered after this time that did not include the kill switch. Researchers also discovered that in some cases they could save some data that had been encrypted by the virus.
Shortly after the WannaCry virus was introduced, a hacker group called the Shadow Brokers revealed the existence of the virus to the public and let Microsoft know of its existence. Microsoft also released a patch on March 14 that eliminated computers’ vulnerability to the virus, although many organizations have, as of this date, still not installed it.
At particular risk from the virus are those who are running older versions of Windows software, including Windows XP and Windows Server 2000. Microsoft introduced a security patch soon after it learned of the virus. It should be noted that almost all computers affected by the virus were running Windows 7 at the time, which caused some security researchers to dismiss the threat to those running XP and other platforms, calling the threat to the latter “insignificant” compared to others.
Fortunately, within only days of the initial WannaCry attack, the spread of the virus slowed to a trickle as organizations obtained and applied the security patch. Several organizations have issued detailed reports about the virus, including Microsoft, McAfee, Cisco, Malwarebytes, Norton and Symantec.
Origins of The Attack
Most experts agree that the origin of the attack seems to have been in Asia, specifically through a vulnerable SMB port.
The attack seems to proceed as follows: when the WannaCry virus is first executed, it checks for the “kill switch.” If the kill switch is not found, the virus encrypts the computer’s data and then exploits the SMB vulnerability to spread to random computers on the Internet as well as laterally to computers on the same network as the first computer. As with most ransomware, a ransom note is then displayed that demands a bitcoin payment of $300 if paid within three days or $600 if paid within seven days. The note further lists one of three bitcoin addresses, or “wallets,” to which victims are to send payment. As with all such wallets, transactions and balances are publicly accessible even though the wallet owners remain anonymous. As of June 14 at 00:18, only 327 payments totaling $130,634.77 had been transferred.
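The spreading behaviour described above (random Internet hosts plus lateral movement on the local network, both over SMB) is visible from the network side as inbound port 445 traffic from outside and as one internal host fanning out to many internal peers on 445. The following script is an added example written for this article, not code from the original page or from any vendor report; it runs over a few constructed connection-log lines and flags both patterns. The log format, the RFC 1918 definition of "internal", and the fan-out threshold and window are assumptions chosen for illustration.

```python
"""Flag worm-style SMB activity in connection logs (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
FANOUT_THRESHOLD = 5             # distinct internal targets on 445 ...
WINDOW = timedelta(seconds=60)   # ... reached within this window

# "Internal" is defined explicitly as RFC 1918 space. (ipaddress.is_private
# would also treat documentation ranges such as 203.0.113.0/24 as private,
# which is not what we want here.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2017-05-12T08:00:01 203.0.113.7 10.0.0.15 445
2017-05-12T08:00:02 10.0.0.20 10.0.0.21 443
2017-05-12T08:00:10 10.0.0.15 10.0.0.21 445
2017-05-12T08:00:11 10.0.0.15 10.0.0.22 445
2017-05-12T08:00:12 10.0.0.15 10.0.0.23 445
2017-05-12T08:00:13 10.0.0.15 10.0.0.24 445
2017-05-12T08:00:14 10.0.0.15 10.0.0.25 445
2017-05-12T08:00:15 10.0.0.15 10.0.0.26 445
2017-05-12T08:05:00 10.0.0.30 10.0.0.31 445
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts),
                       ipaddress.ip_address(src),
                       ipaddress.ip_address(dst),
                       int(port)))
    return events


def internet_exposed_smb(events):
    """(src, dst) pairs where an external address reached an internal host on 445.

    Any hit here means SMB is reachable from the Internet, which is the
    exposure the article's 'vulnerable SMB port' refers to.
    """
    return [(str(s), str(d)) for _, s, d, p in events
            if p == SMB_PORT and is_internal(d) and not is_internal(s)]


def lateral_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Internal sources that touched >= threshold distinct internal hosts on 445 within window.

    Returns {source_ip: number_of_targets}. A single workstation normally
    talks SMB to a handful of file servers, not to many peers in a minute.
    """
    by_src = defaultdict(list)
    for ts, s, d, p in events:
        if p == SMB_PORT and is_internal(s) and is_internal(d):
            by_src[s].append((ts, d))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[str(src)] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("Internet-exposed SMB:", internet_exposed_smb(ev))
    print("Lateral fan-out on 445:", lateral_fanout(ev))
```

On the sample, the first check reports the external host that reached 10.0.0.15, and the second reports 10.0.0.15 itself fanning out to six internal peers within seconds, which is the signature of a host that has been compromised and is now scanning. Real deployments would read firewall or NetFlow exports instead of the embedded string and tune the threshold to the environment.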
As stated previously, organizations that had not installed the security patch provided by Microsoft were affected by the attack. Those still running older versions of Windows XP were considered to be at exceptionally high risk of attack since no patches had been introduced since April 2014. An out-of-band security patch was introduced for Windows XP and Server 2003. Fortunately, one study showed that less than .01 percent of all affected computers were running Windows XP. Further, about 98 percent of the computers were running Windows 7.
The Aftermath of The WannaCry Virus
Within days of the WannaCry virus attack, several researchers had discovered methods to break the WannaCry virus as well as other types of ransomware. As a result, most organizations had received a copy of the patch and the infection rate slowed to a trickle. On the downside, it was also discovered that unless the required key is overwritten or cleared from memory, it is conceivable that the virus can be retrieved and reintroduced to the system.
Microsoft did take the lessons of WannaCry to heart by introducing several new security updates for older versions of their software. This was done to not only deal with WannaCry, but ransomware attacks in the future that might have characteristics similar to WannaCry.
What Should You Do?
Most experts agree that paying a ransom only makes the situation worse for everyone. First, there are no reports of anyone who paid a ransom getting their data back. Further, payment of ransom only sends the message to those instigating the attacks that their methods work.
According to Europol, the WannaCry ransomware attack was unprecedented in its scale, with an estimated 200,000 computers infected in 150 countries, most notably Russia, Ukraine, India, and Taiwan. Experts agree, however, that the attack could have been far worse.
Experts also emphasize that this proves the need for good, regular cybersecurity practice: secure backups, isolation of critical networks, use of appropriate software, and having the latest security patches installed.
Protecting Yourself From the WannaCry Ransomware Attacks
The idea behind ransomware, including the WannaCry viruses, is nothing new. This type of malicious software has been generated for years, hijacking hundreds of thousands of computers around the world. Making matters worse, even with the threat presented to unprotected data, most organizations either have no security measures in place to protect their systems, or their employees are not trained to use countermeasures effectively. This is especially disconcerting when you consider that by exercising a small amount of caution in online activities, most of the threats presented by ransomware can be prevented in the first place.
So what do security professionals advise when companies try to prevent being affected by the WannaCry virus and others like it?
Keep your Software Updated. The primary method of introducing the WannaCry software virus into a computer system is via email. Unfortunately, after this method has introduced the virus into a given system, it can spread rapidly throughout a given network. Any system built around a Windows file-sharing system is very vulnerable and can spread the virus quickly. Those built around a non-Windows system or on Macs are not at risk.
The most distressing of all the news related to the WannaCry virus is that prior to the attack, there were effective countermeasures available. Had users taken the time and effort to keep their security software updated, they would not have been affected. Unfortunately, computer security is one of those things that many people like to say they are vigilant about, but most often they are not. Instead, people tend to get complacent about their security and about the measures that keep it updated. Even more troubling in this situation is the fact that Windows can be configured to update security software automatically.
It should be noted that having a Mac or a Linux system does not mean that a user is off the hook for the future, since it is almost a sure thing that malware yet unknown is still lurking somewhere in the world just waiting for a chance to make an appearance. As a result, whatever your computer type, you should make sure that security is a top priority.
Uppermost on the minds of most computer users, especially in light of the WannaCry virus attack, is how to prevent these occurrences in the future. Fortunately, there are a few ways; primary among these is antivirus software produced by reputable firms such as Kaspersky Lab, Bitdefender or Malwarebytes.
The Best Defense: Caution
The last time you got an email, especially one with an attachment, what did you do with it? If you are like most people you probably opened it, with unpleasant results. Unfortunately, this is what most virus makers count on. Instead, whenever you get an email that arouses your suspicion, don’t open it. This goes for links that some emails have as well.
What do we mean by dubious? That can mean a lot of things, of course, but primary among these is the overall look of the message. Does the email have an address that looks like it comes from a legitimate source? Does the email itself have typos and grammatical errors in the text? You can also hover over the hyperlinks (don’t click on them) inside any emails to see if they direct you to any suspicious websites. Even if an email comes from what appears to be your ISP, bank or other financial institution, be careful, since such organizations never ask for personal information such as your social security number. Instead, these might be phishing attempts.
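The cues listed above (a sender address that does not match who the message claims to be from, a link whose visible text names a different site than its real target, and a request for data a bank or ISP would never ask for by email) can be checked mechanically on a raw message. The script below is an added example written for this article, not code from the original page; it uses only the Python standard library, the two sample messages are constructed, and the keyword list and the word-matching heuristics are assumptions for illustration rather than a production filter.

```python
"""Score a raw e-mail against common phishing cues (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases a legitimate bank or ISP does not request by e-mail (assumed list).
SENSITIVE = ("social security number", "password", "account number", "verify your account")

# Constructed sample: lookalike sender, mismatched link text, request for SSN.
SUSPICIOUS_EMAIL = """\
From: Example Bank <security@login-alerts-center.net>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Dear customer, we detected unusual activity. Please visit
<a href="http://login-alerts-center.net/verify">www.example-bank.com/secure</a>
within 24 hours and confirm your social security number.</p>
</body></html>
"""

# Constructed sample: sender domain and link target both match the brand.
LEGIT_EMAIL = """\
From: Example Bank <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude last-two-labels domain; fine for the .com/.net examples here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no cue fired."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name claims a brand that does not appear in the sender's domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    words = [w for w in name.lower().split() if len(w) > 3]
    if words and not any(w in sender_domain for w in words):
        findings.append(f"display name '{name}' does not match sender domain '{sender_domain}'")

    body = msg.get_payload(decode=True).decode(errors="replace")

    # 2. Link text names one domain while the href points somewhere else
    #    (what 'hover over the link' reveals by hand).
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_dom = registrable(urlparse(href).hostname or "")
        m = re.search(r"[\w.-]+\.\w+", text)
        if m and registrable(m.group(0)) != href_dom:
            findings.append(f"link text '{text}' but target domain '{href_dom}'")

    # 3. Requests for data that real institutions never ask for by e-mail.
    low = body.lower()
    findings.extend(f"asks for: {k}" for k in SENSITIVE if k in low)
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, "->", analyse(raw) or "no findings")
```

The suspicious sample trips all three checks and the legitimate one trips none. A mail gateway would run a far richer version of this (SPF/DKIM results, reputation lookups), but the three cues here are exactly the ones a careful reader can verify by eye.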
Another technique often used by ransomware makers is popup windows that promote software specifically designed to “fix” the problem that malware has created on your computer. Don’t click on anything that appears in these types of popups. Just close the windows.
Backing Up Your Data
Despite the best of efforts, sad to say, sometimes viruses do get through and infect your system. In these cases, you can rescue yourself by having an effective program of backing up your data. You should have this anyway, to prevent loss in the event that you lose your data in the course of your work. It keeps you safe from hackers too.
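A backup only "rescues" you from ransomware if the copy lives somewhere the infected machine cannot overwrite and if a restore has actually been tested before it is needed. The script below is an added example written for this article, not the page's own procedure or any vendor's tool: it snapshots a directory into a timestamped folder, records a SHA-256 manifest of every file, and then restores the snapshot and checks each restored file against that manifest. All paths are temporary directories created for the demonstration, and the "live files were encrypted" step is simulated by overwriting a file with random bytes.

```python
"""Versioned backup with a hash manifest and a tested restore (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source, backup_root):
    """Copy source into backup_root/<UTC stamp>/data and write manifest.json.

    Each run creates a new folder instead of overwriting the last one, so a
    backup taken after infection does not destroy the good copy.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = os.path.join(backup_root, stamp)
    data = os.path.join(dest, "data")
    shutil.copytree(source, data)
    manifest = {}
    for root, _, files in os.walk(data):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, data)] = sha256(full)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return dest


def verify_restore(snapshot_dir, restore_to):
    """Restore snapshot_dir into restore_to; return files whose hash mismatches the manifest."""
    with open(os.path.join(snapshot_dir, "manifest.json")) as f:
        manifest = json.load(f)
    shutil.copytree(os.path.join(snapshot_dir, "data"), restore_to, dirs_exist_ok=True)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_to, rel)
        if not os.path.exists(path) or sha256(path) != digest:
            bad.append(rel)
    return bad


def demo():
    """Back up a sample tree, simulate the live copy being encrypted, then restore.

    Returns (list of files that failed verification, restored file contents).
    """
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "documents")
        os.makedirs(src)
        with open(os.path.join(src, "report.txt"), "w") as f:
            f.write("quarterly figures\n")          # constructed sample content
        snap = snapshot(src, os.path.join(work, "backups"))
        # Simulate ransomware replacing the live file with ciphertext.
        with open(os.path.join(src, "report.txt"), "wb") as f:
            f.write(os.urandom(32))
        restored_dir = os.path.join(work, "restored")
        bad = verify_restore(snap, restored_dir)
        with open(os.path.join(restored_dir, "report.txt")) as f:
            restored = f.read()
        return bad, restored
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    failed, content = demo()
    print("verification failures:", failed or "none")
    print("restored content:", content.strip())
```

In practice the `backup_root` would be a location the workstation can write to only through a backup agent (or an offline or cloud copy with versioning), since ransomware that can reach a mapped backup share will encrypt that too. The manifest is what makes a restore test meaningful: it proves the recovered bytes are the ones that were backed up, not merely that files with the right names came back.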
Keeping Your Business Safe
Of course, keeping the computers in your business safe can be a difficult undertaking, especially if there are a large number of users on a network. This is especially true if even one computer of many is allowed to slip up on its security precautions. This can lead to any or all computers on that network being infected with the malware.
If there is a lesson to be learned from the WannaCry virus it’s the fact that there should be a strict schedule of updating all security systems within a network, even if the computer is a small one being used by an individual. Make sure that your security software is kept up to date and that you observe caution when working on your computer.
If your computer is already infected with the WannaCry virus, the first thing you should do is disconnect it from the network to make sure that other computers are not infected. Next, you should contact law enforcement, although it should be noted that the chances of any results are minimal. You should also check with a computer security professional to see what you can do, but don’t lose hope if there isn’t anything that can be done. New security tools are created all the time, so chances are pretty good that there will soon be tools that will unlock your files.
Many security professionals are advising their clients that the best way to respond to the WannaCry virus, especially since it was created with a very high level of encryption, is to pay the ransom, especially when you have no backups of your data, and it might be valuable. Unfortunately, the latest news is that apparently hackers have been overwhelmed with the success of their efforts and have not gotten back to everyone who has paid the ransom and requested that their files be released. Advice: save your money and buy a security package that will protect you in the future.