WannaCry Ransomware Worm: What You Need to Know

By John Lister

Beginning Friday, May 12, 2017, reports surfaced of a new Internet worm capable of infecting Windows machines instantaneously. The worm has been dubbed "WCRY" or "WannaCry" because its payload installs ransomware on the target machine. The worm was made possible by a leaked NSA (National Security Agency) document that essentially explained how to carry out the exploit.

The malicious software locks computers by encrypting their files so they cannot be accessed unless the victim pays a ransom (and the culprits then stand by their word). In this case, the ransomware also spreads from machine to machine across internal networks as well as the Internet.

What's significant about this ransomware case?

WannaCry spread extremely quickly and has already infected an estimated 230,000 computers in 150 countries around the world. It made headlines as it infected several organizational networks, in particular putting computer systems in British hospitals out of action.

It's estimated that the cyber criminals responsible for releasing the malware have generated close to $500,000 USD in only a few days in paid ransoms. That number is expected to grow much larger over the next few weeks as the ransomware and new variants continue to spread.

How do I know if I'm at risk?

Early accounts suggested many of the machines infected were running Windows XP. This turns out not to be entirely true.

The specific problem is that the ransomware was able to spread through a known security bug in Microsoft's SMB (Server Message Block) network protocol, which is typically enabled by default and appears in virtually every version and edition of Windows. Microsoft issued an emergency patch in March 2017.

It's people who have not yet applied this patch who are at risk, such as those who apply updates manually. This was a particular problem for organizations and businesses that delay applying updates because doing so could disrupt staff.

Also at risk are those with a broken Windows Update mechanism. Examples include: Windows Update constantly scans for updates but never downloads any; updates attempt to download but an error message is reported instead; or a "failure configuring Windows Updates, reverting changes" error appears every time Windows Update attempts to install updates on reboot.

Microsoft Releases Legacy Patches for Older Systems

The original patch update didn't include Windows XP, as Microsoft no longer supports this operating system. This meant that all Windows XP users were immediately vulnerable.

However, due to the mass disruption, Microsoft has taken the rare step of issuing dedicated patches for Windows XP, Windows 8, and Server 2003 even though these machines are technically no longer supported. Note that "Windows 8" means exactly that: not Windows 8.1, which is still supported by Microsoft and which also receives security updates regularly.

Is it true a security researcher blocked WannaCry?

Yes, but only temporarily. The creators of WannaCry had set it to attempt to contact an extremely lengthy and random-looking website but forgot to register the web address. A researcher spotted this mistake and registered the address to see if that would reveal more information about the ransomware. In fact, doing so caused WannaCry to disable part of its code that tells it to spread to other computers. It's most likely the creators had set this domain up such that they could block the software if they needed to. (Source: bbc.co.uk)

However, it appears new variants have already been created and released in a way that means they can't be stopped like this again.

How can I reduce the risk of being infected?

The key is to check Windows Update to make sure you have all the latest patches installed. The specific patch to look for with this issue is numbered MS17-010 and is part of the March 2017 updates. (Source: microsoft.com)

You can access Windows Update through Control Panel -> Windows Update on Windows Vista and 7, or by clicking Start and typing "Windows updates" on Windows 8 and 10.

Another excellent way to reduce the risk of getting infected is to make disk image backups of your PCs on a regular basis. If you ever become infected, you can literally roll back your machine to the way it was when you last backed up, and Windows will work as if nothing ever happened - plus your personal files will also be restored. This is the ultimate insurance plan.

What if I get infected?

The ransom is reportedly around $300 USD if paid within the first 3 days, then the price goes up to $600 within 7 days. If no payment has been received after this point, the malware threatens to start deleting files.

Most security experts say you shouldn't pay the ransom, for three reasons: there's no guarantee the people responsible will actually unlock files when paid; it's unclear whether this particular variant is written in a way that would allow them to unlock the files anyway; and, paying up encourages the culprits and gives them more motivation to unleash similar attacks.

Some reports suggest that it's possible to decrypt files encrypted by WannaCry - however, a recent report carried out by Symantec suggests otherwise. By far the easiest approach would be to restore a disk image backup as previously mentioned. If that is not an option, one could reformat the hard drive and reinstall Windows to get rid of the infection.

Additional Support: From Dennis

The WannaCry worm is not something you should ignore - so please patch your systems immediately and keep regular backups on hand and in a safe place! If anyone reading this article has a broken Windows Update or would like a proper backup plan put in place, I can help using my remote desktop support service. Simply contact me briefly describing the issue and I will get back to you as soon as possible.

What's Your Opinion?

Have you or anyone you know been hit by ransomware? Would you take the risk of paying the ransom if it was the only way to get files back? If your hard drive was completely encrypted by ransomware right now, which files would you restore from backups and which would be lost?


Comments

Dennis Faas:

From the article over at troyhunt.com (RE: "Payments" heading), I understand that bitcoin transactions have journal information to show where money is going - which is also how we know how much money criminals are making off this scam. That said, I don't understand why law enforcement can't stop the bitcoins from being deposited into the cybercriminal's bank account. If that were possible, I suppose that most of this ransomware nonsense would come to a halt.

brigadand:

It has been reported that the countries that have the most bootlegs of Windows in use have been the hardest hit. Makes sense because they are not updatable. If you are running an unpatchable copy of any version of Windows, beware.

dave_9226:

I've looked at the list of installed updates under the Win 7 control panel, and see lots of "KB#######" entries, but nothing that looks like "MS17-010". The fact that you can't search the page or copy and paste the list into a text editor doesn't help any.

Is there any utility that can tell you if the necessary patch is actually installed?

Thanks

Dennis Faas:

To search hotfixes, launch an administrative command prompt and highlight this line:

wmic qfe list brief /format:texttablewsys > "%USERPROFILE%\desktop\hotfix.txt"
echo this is a dummy line

Right click over the above text and select "Copy", then go to the administrative command prompt and right click in the middle window and select "Paste". The list of hotfixes will be output to a file called "hotfix" on the desktop, where you can use a text editor to search for the KB number.

That said, based on my experience this doesn't always show every installed update. Also, the hotfix isn't MS17-010 - this is the security bulletin number. The KB # is listed according to the operating system on this page.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

For example, for Windows 10 64 bit, the KB # is 4012606, though this update is cumulative if you are running the latest version of Windows 10 (Creators Update).

Another option is this:

wmic /output:stdout qfe get hotfixid | find "KB99999"

... where KB99999 is the hotfix number you're searching for. This will output to the command line if it finds a corresponding hotfix.
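The two checks described above (the article's "look for MS17-010 in Windows Update" and the wmic hotfix search in this comment) can be combined into one script. The following PowerShell is an added example, not code from the article or from any of the commenters. It assumes the machine runs Windows 7 or later with PowerShell 2.0 or newer and that the script is run from an elevated prompt. KB4012606 is the number cited in the comment above; the other KB numbers in the table are recalled from the MS17-010 bulletin and should be confirmed against the technet page linked above before relying on them. The SMBv1 registry check is a separate, defensive addition: MS17-010 is a bug in SMB, and knowing whether the SMBv1 server is still enabled tells you how exposed an unpatched machine is.

```powershell
# Added example: check for the MS17-010 fix and the SMBv1 server state.
# Assumption: KB numbers below are recalled from the MS17-010 bulletin; only
# KB4012606 appears in the discussion above. Verify the list against
# https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

# KB numbers that carry the MS17-010 SMB fix, keyed by product (assumed list).
$Ms17010Kbs = @{
    'Windows Vista / Server 2008'      = @('KB4012598')
    'Windows 7 / Server 2008 R2'       = @('KB4012212', 'KB4012215')
    'Windows 8.1 / Server 2012 R2'     = @('KB4012213', 'KB4012216')
    'Windows Server 2012'              = @('KB4012214', 'KB4012217')
    'Windows 10 1507'                  = @('KB4012606')
    'Windows 10 1511'                  = @('KB4013198')
    'Windows 10 1607 / Server 2016'    = @('KB4013429')
    'Windows XP / Server 2003 / Win 8' = @('KB4012598')   # out-of-band patches
}

function Get-Ms17010Status {
    # Get-WmiObject and Get-HotFix both exist on PowerShell 2.0 (Windows 7 default).
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $found     = @()
    foreach ($product in $Ms17010Kbs.Keys) {
        foreach ($kb in $Ms17010Kbs[$product]) {
            if ($installed -contains $kb) { $found += "$kb ($product)" }
        }
    }
    New-Object PSObject -Property @{
        OS              = $os.Caption
        Build           = $os.BuildNumber
        Ms17010KbFound  = ($found -join ', ')
        Ms17010Detected = ($found.Count -gt 0)
    }
}

function Get-Smb1ServerStatus {
    # LanmanServer\Parameters\SMB1: value absent or 1 = SMBv1 server enabled,
    # 0 = disabled. This is the registry switch Microsoft documents for Win 7+.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val)   { return 'enabled (default; no SMB1 value set)' }
    elseif ($val -eq 0)   { return 'disabled' }
    else                  { return 'enabled' }
}

$status = Get-Ms17010Status
$status | Format-List OS, Build, Ms17010KbFound, Ms17010Detected
"SMBv1 server: $(Get-Smb1ServerStatus)"

if (-not $status.Ms17010Detected) {
    # As the comment above notes, the hotfix list is not always complete, and on
    # Windows 10 a later cumulative update supersedes KB4012606 without listing it.
    Write-Warning ('No MS17-010 KB found in the hotfix list. Before concluding the ' +
                   'machine is unpatched, confirm in Windows Update that the March ' +
                   '2017 (or any later cumulative) update is installed.')
}
```

The script reports which MS17-010 KB it saw, if any, rather than a bare yes/no, because the same bulletin maps to a different KB on each product, and a "not found" result is only a prompt to check Windows Update, not proof that the machine is exposed.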

Gregg:

Another GREAT article, thanks.
XP users ( likely virtual machines ) can find patch download info here:
https://www.engadget.com/2017/05/13/microsoft-windowsxp-wannacrypt-nhs-patch/

You will need to update XP to SP3 before the patch can be applied; as it is NO longer available from MSoft, here is a trustworthy link. Make sure you follow the instructions on "What to do before installing SP3". As virtually all installs of XP were 32 bit, this is 32 bit.
http://www.majorgeeks.com/mg/getmirror/microsoft_windows_xp_service_pack_3,1.html

Video originally from Major Geeks site:
https://www.youtube.com/watch?v=JC0oT_2ddtw&feature=youtu.be