Ransomware is malware that either locks your computer, making it inaccessible, or encrypts your data. It then demands that you pay a ransom to unlock the computer or decrypt the data. This post talks about the file-encrypting ransomware called WannaCry – the biggest ransomware attack in history!
1. What is WannaCry and why is it being called a global phenomenon?
The WannaCry ransomware attack began on 12th May 2017 (Fri) and within a day it managed to infect over 200,000 computers in 150 countries, making it the biggest ransomware attack in history. After this malware encrypts the victim’s files, it demands a ransom of $300 in bitcoins. If the ransom is not paid within 3 days, the price doubles to $600. And if the payment is not made within 7 days, the malware threatens to delete all the encrypted data permanently.
2. How did WannaCry come into being?
The U.S. National Security Agency (NSA) reportedly discovered an underlying vulnerability (MS17-010) in Microsoft’s Server Message Block (SMB) protocol (“used by Windows machines to communicate with file systems over a network.”). The NSA chose not to inform Microsoft about this vulnerability and instead built an exploit called EternalBlue, which could be used for intelligence-gathering purposes. A hacking group called the Shadow Brokers stole the details of this exploit and leaked them publicly, which ultimately went on to trigger the WannaCry outbreak worldwide. Microsoft had already released a security update to patch this vulnerability in March 2017, but many users and organizations failed to apply this update, exposing their systems to the attack.
3. Did WannaCry spread via emails?
Initially, it was thought so. But the latest reports stated that the attackers behind this malware targeted systems running vulnerable SMB ports (SMB v1, in this case). When these systems were traced, the leaked EternalBlue exploit was used to launch the attack.
4. What makes WannaCry so scary?
The WannaCry ransomware is a self-propagating worm. This means that after it infects one computer, it searches for other computers in the network with the same vulnerability. If it finds any, it can spread on its own without any user action.
5. Is the WannaCry attack over?
No. While the attack that occurred on 12th May 2017 was slowed down by a security researcher, it hasn’t stopped and is still active on the Internet. What’s even worse, some newer variants of this ransomware have been detected in the wild. The chances of a second wave of attack are really high.
6. How to stay protected against WannaCry?
- First and foremost, install any and all available security updates immediately on your computer – specifically the update for MS17-010
- Disable Server Message Block version 1 (SMBv1). You can seek help from our Technical Support for this or follow the steps listed below:
  - Go to Control Panel > Programs > Features
  - Click Turn Windows Features on and off
  - Scroll down to find SMB 1.0/CIFS File Sharing Support and uncheck
  - Click OK and restart the computer
- Keep your antivirus software updated and ensure you are using the latest version.
- Always keep a secure backup of your important data
- Beware of emails that ask you to enable ‘macros’ to view the content
- This incident should be a glaring reminder for us to keep our OS and software up-to-date. Ensure that your computer’s Automatic Updates are enabled
- Do not click on links or download attachments received in unwanted or unexpected emails
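
The SMBv1 step above can also be checked and applied from an elevated PowerShell prompt, which is easier to repeat across many machines than the Control Panel route. This is an added example, not part of the original post; it assumes Windows 8.1 or Windows 10, and the function names `Get-Smb1Status` and `Disable-Smb1` are hypothetical helpers defined here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): report and disable SMBv1.
# Assumes Windows 8.1 / Windows 10; function names are hypothetical helpers.

function Get-Smb1Status {
    # State of the optional feature behind the
    # "SMB 1.0/CIFS File Sharing Support" checkbox.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                   -ErrorAction SilentlyContinue
    # Whether the SMB server service still accepts SMBv1 connections.
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FeatureState     = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        ServerAllowsSmb1 = if ($server) { [bool]$server.EnableSMB1Protocol } else { $null }
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $restartNeeded = $false
    $status = Get-Smb1Status

    # Stop the SMB server from negotiating SMBv1.
    if ($status.ServerAllowsSmb1 -and
        $PSCmdlet.ShouldProcess('SMB server configuration', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Remove the optional feature itself (same effect as unchecking the box).
    if ($status.FeatureState -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess('SMB1Protocol optional feature', 'Disable')) {
        $result = Disable-WindowsOptionalFeature -Online `
                      -FeatureName SMB1Protocol -NoRestart
        $restartNeeded = [bool]$result.RestartNeeded
    }

    # Return the state after the change so it can be logged or exported.
    [pscustomobject]@{
        Status        = Get-Smb1Status
        RestartNeeded = $restartNeeded
    }
}

Get-Smb1Status          # report only, changes nothing
Disable-Smb1 -WhatIf    # preview the changes; drop -WhatIf to apply them
```

If `RestartNeeded` comes back as true, restart the computer as in the manual steps, then run `Get-Smb1Status` again to confirm the feature is disabled.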