WannaCry ransomware, also known as “WanaCrypt0r”, “WeCry”, “WanaCrypt” or “WeCrypt0r”, is a particularly nasty type of malware that blocks access to a computer or its data and demands money to release it. The ransomware uses a vulnerability first revealed to the public as part of a stash of NSA-related documents leaked by a group of hackers called the “Shadow Brokers” in order to infect Windows PCs and encrypt their contents, before demanding payments of hundreds of dollars for the key to decrypt files.
WannaCry is their second attempt at cyber-extortion. An earlier version, named WeCry, was discovered back in February this year: it asked users for 0.1 bitcoin (currently worth $177) to unlock files and programs.
The present malicious software, “WannaCry”, was first spotted in the wild by security researchers MalwareHunterTeam at 9.45am on 12 May.
But less than four hours later, the ransomware had infected computers at Britain’s National Health Service (NHS), albeit originally only in Lancashire, and spread laterally throughout its internal network. Some of Spain’s largest companies, including Telefónica, were also affected, as were computers across Russia, the Ukraine and Taiwan, leading to PCs and their data being locked up and held for ransom.
How does it work?
When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure.
How does it spread?
Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
How much are they asking for?
After a system has been hit with the WannaCry ransomware, its developer demands $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computer.
Was there any defence?
Yes. Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn’t be used to spread malware between fully updated versions of its operating system. But for many reasons, from lack of resources to a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale.
Will paying the ransom really unlock the files?
Sometimes paying the ransom will work, but sometimes it won’t. For the Cryptolocker ransomware that hit a few years ago, some users reported that they really did get their data back after paying the ransom, which was typically around £300. But there’s no guarantee paying will work, because cybercriminals aren’t exactly the most trustworthy group of people.
There is also a collection of viruses that go out of their way to look like ransomware such as Cryptolocker, but which won’t hand back the data if victims pay. Plus, there’s the ethical issue: paying the ransom funds more crime.
What else can I do?
Once ransomware has encrypted your files there’s not a lot you can do. If you have a backup of the files you should be able to restore them after cleaning the computer, but if not your files could be gone for good.
Some badly designed ransomware, however, has been itself hacked by security researchers, allowing recovery of data. But such situations are rare, and tend not to apply in the case of widescale professional hits like the WannaCry attack.
How long will this attack last?
Most ransomware attacks rarely last long. As anti-virus vendors often release new versions to counter the attacks, they are able to prevent infections originating and spreading, which leads developers to attempt “Big Bang” introductions like the one currently under way.
Will they get away with it?
Bitcoin, the payment medium through which the hackers are demanding payment, is difficult to trace, but not impossible, and the sheer scale of the attack means that law enforcement in multiple countries will be looking to see if they can follow the money back to the culprits.
How to defend against the ransomware
- The vulnerability does not exist within Windows 10, the latest version of the software, but is present in all versions of Windows prior to that, dating back to Windows XP.
- As a result of Microsoft’s first patch, users of Windows Vista, Windows 7, and Windows 8.1 can easily protect themselves against the main route of infection by running Windows Update on their systems. In fact, fully updated systems were largely protected from WanaCrypt0r even before Friday, with many of those infected having chosen to delay installing the security updates.
- Users of Windows XP, Windows Server 2003 and Windows 8 can defend against the ransomware by downloading the new patch from Windows.
- All users can further protect themselves by being wary of malicious email attachments, another major way through which the ransomware was spread.
Phillip Misner, of Microsoft’s security response team, wrote: “We know that some of our customers are running versions of Windows that no longer receive mainstream support.
“That means those customers will not have received the … Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.”
Although the malware’s main infection vector was through the vulnerability in Windows, it also spread in other ways which require changes in user behaviour to protect against. Phishing attacks with malicious attachments are the main way the malware ends up on corporate networks, meaning that users should be wary of opening such attachments if they seem unusual, as well as keeping all Microsoft Office applications up to date.
More and more antivirus platforms, including Microsoft’s own Windows Defender, are now recognising and blocking the malware, but relying on a purely technical fix means that a new variant of the software could sneak past the defences. Variations of the malware have already been seen in the wild, but they have lacked the capacity to spread themselves, which has vastly limited their proliferation.
For those who have been infected, paying the ransom may seem a tempting way out of trouble. But experts recommend against doing so, arguing that not only does it not guarantee restoration of any files, but it also funds future crime. And, for now, it appears that victims agree: fewer than 100 have actually paid up.