WannaCry has become the largest ransomware outbreak to date, holding hundreds of thousands of computers hostage all over the world. In this article, we summarize the most important facts about this malware and provide a step-by-step guide for preventing WannaCry ransomware attacks against your network.
What is WannaCry ransomware?
WannaCry (also known as WannaCrypt, WannaDecrypt, WCry and WanaCryptOr 2.0) is the latest ransomware to spread around the world. As of 12 May 2017, it had infected more than 230,000 computers in 150 countries, inflicting the most harm on Russia, Ukraine, India, Taiwan and Spain. This cyber-attack has been described as being unprecedented in scale, and it has affected individuals, small and large businesses (e.g., Deutsche Bahn and Renault), and public organizations such as health care providers and federal agencies (e.g., Great Britain’s National Health Service and the Russian Federation’s Ministry of Internal Affairs).
How does it work?
WannaCry spreads with ETERNALBLUE, an exploit allegedly developed by the NSA and published in April 2017 by a group called the Shadow Brokers. According to researchers such as Brian Krebs, the ransomware uses this exploit against a vulnerability in Microsoft's SMBv1 file-sharing protocol (CVE-2017-0144, fixed in MS17-010) to remotely compromise computers that are running unpatched or unsupported versions of Windows. No user interaction is required: after infecting one computer, WannaCry scans the local network, and random Internet addresses, for other hosts exposing TCP port 445 and infects them in turn, which is why it spread so quickly. The extremely large number of infected organizations led Microsoft to release an out-of-band WannaCry patch for the unsupported Windows XP, Windows 8 and Windows Server 2003, in addition to the MS17-010 patch released in March 2017 for supported versions. The original sample contains a kill switch: before encrypting anything, it tries to reach a hard-coded domain over HTTP and exits if the request succeeds, so registering that domain halted the first wave. Although that wave has been contained, on 15 May 2017 researchers reported finding a modified version (WannaCry 2.0) that comes without a kill switch.
What is the ransom amount?
WannaCry encrypts the user's files and demands a ransom (starting at $300 worth of bitcoin) in exchange for a decryption key. The ransom note gives victims 3 days to pay; after that the amount doubles, and after 7 days the note threatens that the files will be deleted permanently. The criminals have collected less than $70,000 to date.
What is the purpose?
Neither the creator nor the purpose of WannaCry is known. Some researchers believe that it was not primarily about money and was instead a test of a new ransomware worm to see how much impact it could make. If this is true, new variants of the ransomware will likely emerge; they would continue to exploit known vulnerabilities but could have more far-reaching consequences.
How can a WannaCry ransomware attack be prevented?
Follow these steps to mitigate the risk:
- Disable SMBv1 on your Windows servers and workstations by running this PowerShell cmdlet:
Note: A restart will be required after executing this command.
- Make sure that you have applied the MS17-010 patch (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) across your infrastructure; for Windows XP, Windows 8 and Windows Server 2003, apply the out-of-band update Microsoft released for those unsupported versions.
- Add rules on your AV or file-server screening (e.g., FSRM) to block the creation of .wnry files (WannaCry's component files) and .WNCRY files (its encrypted output), and alert on any attempt.
- Block inbound Internet connections to TCP ports 139 and 445 at the perimeter, and restrict SMB between workstations inside the network so a single infected host cannot reach every other machine.
- Whitelist these domains (the kill-switch domains WannaCry checks) so that they are resolvable and reachable from your hosts; do not block or sinkhole them, because the original sample exits without encrypting only if its HTTP request to the domain succeeds:
Note: This only works for direct connections. The check is not proxy-aware, so on networks where outbound HTTP must go through a proxy (as on most enterprise networks), the kill switch won't trigger.
- Educate users about the WannaCry ransomware threat and explain how not to fall victim to phishing attacks; although WannaCry itself spread over SMB, phishing remains the most common delivery route for ransomware.
- Set up alerts for WannaCry threat patterns (http://get.netwrix.com/how_to_detect_wannacry_in_early_stages_lf/).
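The patching, SMBv1 and firewall steps above, as an added PowerShell example that is not part of the original article. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (the SMB and firewall cmdlets it uses are not present on Windows 7, where SMB1 is disabled through the LanmanServer registry key noted in the comments). The KB list is the March 2017 MS17-010 set; later cumulative updates supersede those KBs, so an empty result means "check Windows Update history", not "vulnerable". The firewall rule name is hypothetical.

```powershell
# Added example: audit a host for MS17-010, disable SMBv1, and block inbound SMB from
# untrusted networks. Run as Administrator. Not the article's own script.

# March 2017 MS17-010 KB numbers by platform (security-only and monthly rollup where both exist).
# Assumption: later cumulative updates supersede these, so absence alone is not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Vista, Server 2003, Server 2008, Windows 8
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Lists which of the MS17-010 KBs are installed on the local or a remote host.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Ms17010Kbs   = ($installed | ForEach-Object HotFixID) -join ','
        Patched      = [bool]$installed
    }
}

function Get-Smb1Status {
    # Server side: does the SMB server still accept SMB1? Client side: is the SMB1 feature present?
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Turn SMB1 off on the server side immediately (no reboot), then remove the optional
    # feature, which is what requires the restart the article mentions.
    # On Windows 7 / Server 2008 R2 use instead:
    #   Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 -Type DWORD -Value 0 -Force
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmbFromUntrustedNetworks {
    # Drop inbound TCP 139/445 on the Public profile only, so file sharing on Domain and
    # Private networks keeps working. Rule name is a hypothetical label.
    param([string]$RuleName = 'Block inbound SMB from untrusted networks')
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Profile Public -Action Block | Out-Null
    }
}

# Audit first, then harden.
Get-Ms17010Status | Format-Table -AutoSize
Get-Smb1Status    | Format-Table -AutoSize
Disable-Smb1
Block-InboundSmbFromUntrustedNetworks
Write-Host 'Reboot to complete removal of the SMB1 feature.'
```

To sweep a fleet, pipe computer names into `Get-Ms17010Status` (for example, `Get-ADComputer -Filter * | ForEach-Object { Get-Ms17010Status $_.Name }`) and review the hosts where Patched is False together with their update history before concluding they are exposed.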
Experts have warned that the recent WannaCry attacks are only the beginning; more massive ransomware attacks are coming. Join cybersecurity experts in our upcoming webinar to learn how to spot ransomware in its early stages and how to stop it from spreading through your network.
Additional resources:
- PowerShell script to check your network for the missing patches
- PowerShell script to check locally whether the updates are installed
- Patches for Windows XP, Server 2003, Server 2008 and Windows 8