WannaCry Ransomware

By now most people have heard of the latest security exploit named WannaCry. In mere hours, this worm has infected hundreds of thousands of computers, as well as affected thousands of organizations, such as hospitals and banks, across the world. What is WannaCry and how do you stop it?

What is WannaCry?

WannaCry is ransomware. While malicious programs often attempt to remain undetected so that they can transmit private information, ransomware does the exact opposite, explicitly notifying you that it has hacked your system. Ransomware claims not to destroy the files it attacks, instead encrypting them in a way that supposedly only it knows how to reverse. Thus, personal and business files are rendered unusable unless the ransomware decides otherwise. The ransomware will usually claim that it will undo this damage if you pay a certain amount of money. Whether the ransomware is telling the truth is often unknown. Paying the ransom may or may not decrypt your files; however, it is guaranteed to benefit your attacker and encourage their criminal efforts. The ransom is often demanded in Bitcoin, an unofficial currency that cannot be tracked. Bitcoin does not have the backing of a government, so it is much more unstable than a currency such as the US Dollar, but it avoids many types of built-in tracking.

In the case of WannaCry, the ransom is between $300 and $600, and security researchers do not recommend paying, as they believe so far that it will not decrypt your files. Some security researchers do not believe a method to decrypt your files is even built into WannaCry. This may be surprising, as WannaCry does offer a demo unlock that will unlock 10 files for you. However, these security researchers claim that the 10 files are encrypted using a different method that is easy to decrypt. Security researchers are attempting to find methods to decrypt the rest of the files that have been encrypted by WannaCry, but encryption is a powerful tool and this may prove to be impossible.

WannaCry is considered a worm. Most people think of viruses when they think of security exploits, which usually require running a malevolent executable file. These infected files can look harmless, in which case they are sometimes called Trojans. Training individuals not to download suspect files, as well as blocking known malevolent executable files, can offer protection against viruses and Trojans. However, worms do not need the assistance of an infected file. Instead, to spread, they take advantage of vulnerabilities in subsystems that transport information. This allows worms to spread extremely quickly. WannaCry spreads using the exploit known as EternalBlue, which targets a vulnerability in the Microsoft Server Message Block protocol.

The United States’ National Security Agency first discovered the EternalBlue exploit. However, they kept its existence secret, so that they could leverage the exploit against international enemies of the United States. This practice of agencies keeping exploits secret for their own use is very controversial, as it can lead to attacks that could have been prevented. Security researchers’ worst fears about this practice were confirmed when the National Security Agency was hacked and details of these exploits were stolen. This gave people with malicious intent a head start in using this exploit while Microsoft hurried to fix it. Fortunately, Microsoft patched the exploit on March 14, 2017, which was well ahead of the WannaCry attack on May 12, 2017. Unfortunately, many administrators do not update their computers in a timely manner, allowing WannaCry to infect hundreds of thousands of unpatched computers in a matter of hours.

How can I protect myself?

There are two methods to protect yourself against WannaCry, and computer administrators should be doing both regularly. First, you should update your computers so that they have the latest patches installed. Second, you should make sure your data is backed up. For data backup, the 3-2-1 backup strategy is recommended: at least three copies of your data should exist on two different storage types with at least one copy offsite. This ensures that if your data is attacked, you can wipe the affected computer and reload your backup, with relatively little lost. Sometimes prevention is the best medicine.
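Both checks expressed as an inventory audit, as an added example that is not part of the original article; the host names, datasets and field names are constructed for illustration. An update date before March 14, 2017 proves a gap, while a later date alone does not prove the fix is installed.

```python
from datetime import date

# Date Microsoft shipped the EternalBlue fix, as stated in the article.
FIX_RELEASED = date(2017, 3, 14)

def patch_gaps(hosts):
    """Hosts whose newest installed update predates the fix (or is unknown).
    Such hosts cannot have the fix; a later date still needs confirming."""
    return sorted(h["name"] for h in hosts
                  if h["last_update"] is None or h["last_update"] < FIX_RELEASED)

def check_321(copies):
    """Return the 3-2-1 rules that one dataset's copies violate."""
    # Two records with the same media and location are one physical copy.
    distinct = {(c["media"], c["location"]): c for c in copies}.values()
    media = {c["media"] for c in distinct}
    problems = []
    if len(distinct) < 3:
        problems.append(f"{len(distinct)} copies, need 3")
    if len(media) < 2:
        problems.append(f"{len(media)} storage type, need 2")
    if not any(c["offsite"] for c in distinct):
        problems.append("no offsite copy")
    return problems

def audit(hosts, backups):
    """Combine both checks; only datasets with violations are reported."""
    gaps = {name: p for name, c in backups.items() if (p := check_321(c))}
    return {"unpatched": patch_gaps(hosts), "backup_gaps": gaps}

# Constructed sample inventory (hypothetical hosts and datasets).
HOSTS = [
    {"name": "ws-014", "last_update": date(2017, 5, 9)},
    {"name": "ws-022", "last_update": date(2016, 11, 8)},
    {"name": "kiosk-3", "last_update": None},
]
BACKUPS = {
    "finance": [
        {"media": "disk", "location": "server room", "offsite": False},
        {"media": "tape", "location": "server room", "offsite": False},
        {"media": "cloud", "location": "provider", "offsite": True},
    ],
    "radiology": [
        {"media": "disk", "location": "server room", "offsite": False},
        {"media": "disk", "location": "closet NAS", "offsite": False},
    ],
}

if __name__ == "__main__":
    print(audit(HOSTS, BACKUPS))
```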

By: Michael Lombardi, Developer at Tricerat