The recent WannaCry ransomware attack is big and has affected more than a hundred countries. Microsoft had already released a security patch for the Windows SMB vulnerability that is being exploited to spread this ransomware. Many countries have issued emergency alerts and advised their banking institutions to take precautions.
The ransomware has mainly hit Russia, Ukraine, Spain, the UK, and India, but systems in more than 130 countries have been infected and the count is still growing. This insanely fast-spreading ransomware infected over 200,000 Windows PCs over the weekend, and the number is increasing. If you are still reading this guide safely, you are lucky, and I hope you will stay out of trouble.
A few days ago, I explained ransomware and the purpose of this security threat. You can read our previous article to learn more about ransomware.
These are the Windows OS versions that have been affected so far:
- Windows Server 2008 for 32-bit systems
- Windows Server 2008 for 32-bit systems service pack 2
- Windows Server 2008 for Itanium-based systems
- Windows Server 2008 for Itanium-based systems service pack 2
- Windows Server 2008 for x64-based systems
- Windows Server 2008 for x64-based systems service pack 2
- Windows Vista
- Windows Vista service pack 1
- Windows Vista service pack 2
- Windows Vista x64 Edition
- Windows Vista x64 Edition service pack 1
- Windows Vista x64 Edition service pack 2
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 and R2
- Windows 10
- Windows Server 2016
Most of the versions currently in use have been attacked already, so you must take this seriously.
Does WannaCry affect my Mac, iPhone or Android?
As of now, this ransomware affects systems running Microsoft Windows. Microsoft released a patch to fix the flaw, but many people are still running unpatched, vulnerable versions of Windows. I have listed the affected Windows versions above.
There is no reported incident of infection on Mac, iPhone or Android.
What is WannaCry ransomware?
WannaCry ransomware, also known as Wanna Decryptor, is similar to other ransomware in what it does to your files. What sets it apart is how it spreads: it leverages a Windows SMBv1 exploit, EternalBlue, that lets an attacker execute code on a vulnerable computer over the network without any user interaction. Once it has infected a PC, it scans for other unpatched PCs on the same local network (and random addresses on the Internet) on TCP port 445 and infects them too. This worm-like behaviour is the reason it spread so fast.
Here you must know that Microsoft fixed the vulnerability used by EternalBlue in the March 2017 security update MS17-010, but many people ignored that update just like other Windows updates.
Why are they infecting thousands of computers?
If you know about ransomware, you already know that it is used to extort money from infected users. At this scale there is a chance of earning a huge amount: with hundreds of thousands of infected computers, even if only a few thousand victims pay, the attackers profit.
Who is behind the WannaCry ransomware attack?
This is one of the biggest cyberattacks in history, but nobody has yet been identified as being behind it. It is still a mystery. I hope the affected countries will work at their level to find the real culprit.
The only thing we know is that the "EternalBlue" exploit came from the NSA, was leaked on the Internet through the Shadow Brokers dump on April 14th, 2017, and is now being used by criminals to spread WannaCry ransomware.
What exactly does WannaCry do?
WannaCry is ransomware that encrypts most of the data and files on a computer. It also installs a program that demands the ransom and explains how to pay it to get the files decrypted. See the snapshot of the tool below; this is how it looks after infecting a computer.
The ransom amount is not the same across the globe. The program that displays the WannaCry message also shows a countdown timer. When the timer runs out, the ransom increases and a new countdown starts. In most cases, the initial demand is $300 worth of Bitcoin and the timer is set to 72 hours, after which the demand doubles to $600; the note also threatens to delete the files after seven days. The payment mode is Bitcoin.
You can watch this video to see how it works.
These are the known file extensions that WannaCry encrypts:
.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip
How did a domain registration suspend the infection?
Recently, it was reported that the researcher MalwareTech managed to suspend the infection by registering a domain name hard-coded in the malware. Before it does anything else, the malware tries to connect to that domain. While the domain was unregistered, the connection failed and execution continued with installing the encryptor. If the connection succeeded, the malware stopped its activities.
The researcher spotted this kill switch and registered the domain, and that halted the wave of infections. Note that the check is a live connection attempt, not just a DNS lookup: machines that cannot reach the Internet directly, for example behind a corporate proxy the malware does not use, get no protection from the registered domain and are still encrypted, and a sandbox that answers every connection will make the sample look harmless.
But there have been many variants of this ransomware and not all of them depend on this domain check, so the domain registration only suspended a specific version of WannaCry. Yesterday, security researchers discovered new versions of this ransomware, dubbed WannaCry 2.0. A kill switch for these has not been found yet.
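Two of the behaviours described above leave traces in ordinary network logs: the worm-like sweep of TCP port 445 across the local network, and the kill-switch connection, which still shows up as a DNS query for the hard-coded domain even when the sinkhole stops the encryption. The following Python is an added example, not code from the original article; it runs detection logic over a small constructed flow and DNS log. The log format (one record per line, "timestamp source destination port" or "timestamp source DNS name") and the thresholds are assumptions, and the kill-switch domain set is a list you populate from current indicator reporting (the one used in the sample is the domain widely reported as the first kill switch; the article itself does not name it).

```python
"""Spot WannaCry-style spreading and kill-switch lookups in constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Flow lines: "ts src dst dport".
# DNS lines: "ts src DNS qname". 10.0.0.5 behaves like an infected host:
# it checks the kill switch, then sweeps port 445 on its neighbours and one
# random Internet address. 10.0.0.20 is a normal client talking to one file server.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.20 10.0.0.2 445
2017-05-12T10:00:01 10.0.0.5 DNS iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:00:02 10.0.0.5 10.0.0.7 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.9 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:05 10.0.0.5 198.51.100.23 445
2017-05-12T10:00:06 10.0.0.30 DNS www.example.com
2017-05-12T10:00:07 10.0.0.30 93.184.216.34 443
2017-05-12T10:05:00 10.0.0.20 10.0.0.2 445
2017-05-12T10:09:00 10.0.0.20 10.0.0.2 445
"""

# Assumption: populate from indicator reporting; variants use other domains.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}


def parse_log(text):
    """Yield (ts, src, kind, value); kind is 'dns' (value=qname) or 'flow' (value=(dst, dport))."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        src = parts[1]
        if parts[2] == "DNS":
            yield ts, src, "dns", parts[3].lower().rstrip(".")
        else:
            yield ts, src, "flow", (parts[2], int(parts[3]))


def smb_scanners(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak number of distinct port-445 destinations seen within `window`}
    for every source that reaches `threshold`. A client talking to one or two file
    servers never gets near it; a worm sweeping a /24 exceeds it in seconds."""
    by_src = defaultdict(list)
    for ts, src, kind, value in records:
        if kind == "flow" and value[1] == 445:
            by_src[src].append((ts, value[0]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations in the window starting at this event
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def kill_switch_lookups(records, domains=KILL_SWITCH_DOMAINS):
    """Hosts that resolved a kill-switch domain: the payload ran there, even if the
    sinkhole then stopped the encryption, so the host still needs to be cleaned."""
    return {src for _, src, kind, value in records if kind == "dns" and value in domains}


def analyse(text):
    """Run both detections over a log and return the findings."""
    records = list(parse_log(text))
    return {
        "smb_scanners": smb_scanners(records),
        "kill_switch_hosts": kill_switch_lookups(records),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Tune the threshold to your environment: a backup server or a vulnerability scanner legitimately touches many hosts on port 445, so whitelist those sources rather than lowering the bar. A kill-switch lookup is not good news either; it means the dropper executed on that host and the patch was missing.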
How to protect yourself from WannaCry Ransomware attack?
Here are some important tips you must follow to keep your system safe from WannaCry.
1. Patch SMB Vulnerability
If you are using a Windows version that has the SMB vulnerability, do not forget to install the patch. Microsoft released it in March 2017 as security bulletin MS17-010. Download and install it to fix the issue.
The good thing is that Microsoft has also issued the patch for versions of Windows that are no longer supported, so you can install it on Windows XP, Windows 8 and Windows Server 2003 as well. But I recommend that you move off these older versions of Windows as soon as possible.
2. Disable SMB
Even if you have already patched the SMB vulnerability, you are advised to disable Server Message Block version 1 (SMBv1). It is enabled by default on Windows, it is the protocol version EternalBlue targets, and modern Windows versions use SMBv2 or SMBv3 for file sharing anyway.
To disable SMBv1, follow these steps: open Control Panel, go to Programs and click 'Turn Windows features on or off'. Scroll down to 'SMB 1.0/CIFS File Sharing Support', uncheck it, click OK and restart. One caveat: check first that nothing on your network still depends on SMBv1 (very old NAS boxes, printers and Windows XP machines do), because those shares will stop working once it is off.
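The Control Panel route works for one laptop. To audit and harden many machines, steps 1 and 2 can be done from an elevated PowerShell prompt. The script below is an added example, not from the original article. It assumes the host is not a file server (so inbound port 445 can be blocked), and the list of MS17-010 KB numbers is an assumption you must reconcile against the Microsoft bulletin for your exact OS build; on Windows 10 in particular, any later cumulative update supersedes the March one, so a missing KB there does not by itself mean the machine is vulnerable.

```powershell
# Added example (not from the original article): audit and harden SMB on one Windows host.
# Run from an elevated PowerShell prompt. The Smb* cmdlets exist on Windows 8.1 / Server 2012 R2
# and later only, so older systems fall back to the registry value Microsoft documents.

# 1. Is the SMBv1 server still enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: a missing SMB1 value means SMBv1 is on (the default).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)
}
Write-Host "SMBv1 server enabled: $smb1"

# 2. Disable it on the server side and the client side.
if ($smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $params -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 8.1 / 10: also remove the optional feature the Control Panel checkbox toggles.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
    }
    # Client side (all versions): drop the workstation's dependency on the SMBv1 redirector and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
    Write-Host "SMBv1 disabled; a reboot is required for the change to take full effect."
}

# 3. Is an MS17-010 update present? KB numbers differ per OS; this list is an assumption
#    to be checked against the Microsoft bulletin for your build.
$ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
             'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
if ($installed) {
    Write-Host "MS17-010 update found: $($installed -join ', ')"
} else {
    Write-Warning "No MS17-010 update detected; install it (or a later cumulative update) before anything else."
}

# 4. Block inbound SMB on hosts that do not serve files (assumption: this one does not).
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
} else {
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445
}
```

The firewall rule is the one step that still helps on a machine you cannot patch or reboot right away, because EternalBlue needs to reach port 445 in the first place; on domain controllers and file servers, restrict it to the networks that need access instead of blocking it outright.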
3. Always install all future security updates
This attack became so widespread because people generally ignore security updates. So I advise you all to turn on automatic security updates and never skip one. Security updates keep your system safe from known vulnerabilities.
4. Use Antivirus software
Antivirus software can help a lot in avoiding these kinds of threats, so install one of the reputable antivirus products available for Windows and keep it updated. If you can afford it, a paid product may give you better protection.
5. Backup your Files and start taking regular backups
Ransomware encrypts important files on the system and then asks for a ransom. If you have a backup of your data, you can avoid paying, reinstall the OS to wipe the infection completely, and restore your files.
So start backing up your important files regularly. You can also use cloud storage services to keep a copy, but keep at least one backup offline or disconnected from the computer, because ransomware also encrypts files on mapped network drives and attached USB disks.
What can I do if my computer is infected with WannaCry?
Sadly, there is no fix if your files have been encrypted. Cyber security experts are doing their best to find ways to decrypt the files, but so far without success. What you can do right away is disconnect the infected computer from the network, so it cannot spread to other machines, and keep the encrypted disk in case a decryptor appears later.
If your files have been encrypted, we recommend that you do not pay the ransom. There is no guarantee of getting your files decrypted even after paying, and your payment encourages the attackers.
Many people have done their best to prevent and block WannaCry. Even if they did not fully succeed, they saved a lot of computers. Here I want to mention MalwareTech, a 22-year-old researcher who discovered the kill switch. Matthieu Suiche is another notable person, who discovered the second kill switch. Costin Raiu from Kaspersky Lab identified different variants of WannaCry and issued an alert. Many more cyber security experts and security companies are trying to block this attack and find ways to decrypt the files on infected computers.
WannaCry exploited a known bug for which the patch was already available. But people did not take security seriously and skipped the patch. This is a lesson for all Internet users and organizations to take security seriously and always install security updates on time.