WannaCrypt, also referred to as WannaCry or WCry, holds data files hostage and demands a $300 USD ransom in Bitcoin. The ransom message warns that the payment will double after three days. If payment isn’t received within seven days, the encrypted files are permanently deleted.
A key feature of WannaCrypt is its ability to self-propagate within company networks without any user intervention. This is achieved by exploiting a known weakness in the Microsoft Windows operating system.
Early on May 12, 2017 (US time), Microsoft identified the WannaCrypt ransomware attack, as reported in their blog. At the time of this article, this ransomware, a new strain of the Ransom.CryptXXX family, had spread to over 100 countries, including Singapore, Indonesia, and India.
“We identified a new ransomware that spreads like a worm. It takes advantage of vulnerabilities that we had previously released fixes for. Although most computers receive automatic security updates, some individuals and organizations might postpone installing these patches. It appears that this malware, known as WannaCrypt, has impacted computers that haven’t installed the patch for these vulnerabilities. As this attack is ongoing, we are reminding all users to install MS17-010 if they haven’t already done so,” the blog post explained.
In an unprecedented move, Microsoft has even released a patch for unsupported Windows versions, as detailed in another blog post.
“Witnessing businesses and individuals impacted by cyberattacks like the ones reported today was distressing. Throughout the day, Microsoft has been working diligently to fully understand this attack and take all necessary steps to protect our customers. This blog outlines the measures every individual and business should take to safeguard themselves. Furthermore, we are taking the unusual step of providing a security update for all customers to protect Windows platforms that are only under custom support; this includes Windows XP, Windows 8, and Windows Server 2003. It’s important to note that customers using Windows 10 were not targets in today’s attack,” the post stated.
“Considering the potential impact on customers and their businesses, we decided to make the Security Update broadly available for download. This update covers platforms in custom support only, specifically Windows XP, Windows 8, and Windows Server 2003.”
Security firm Acronis has observed that many organizations are finally realizing that ransomware isn’t just a threat to others.
The attacks over this past weekend highlight that businesses worldwide need to have protection against ransomware, the company emphasized.
Acronis’ VP of Engineering, Nikolay Grebennikov, said, “People, and businesses, hear the word ‘ransomware’ and believe they are immune to such an attack. The reality is, they aren’t… 47% of businesses faced ransomware attacks last year, and this number is increasing.”
Grebennikov emphasized that the crucial question businesses, hospitals, and telecommunications companies should ask is how to protect themselves from what appears to be an unavoidable ransomware attack. “The answer lies in a dependable backup solution that incorporates active protection against ransomware attacks.”
He added that simply shutting down computers is a temporary fix that won’t solve the problem. “Only an integrated solution that merges backup (passive) and proactive security (active) technologies, functioning seamlessly within a single product, can ensure data recovery in any situation. With such advanced ransomware, there can be no limitations on the size or number of files.”
Figure: The WCry display screen. Source: Symantec blog post.
Symantec has assured its customers that both Symantec and Norton users are protected from the WannaCrypt malware. “To ensure they have the most current protection, customers should run LiveUpdate and confirm that they have definition versions 20170512.009 or later installed,” the company stated in a blog post.
Nick Savvides, Security Advocate for Symantec Asia Pacific and Japan, offered the following advice for users:
Once the encryption begins, users have very limited options because it happens so rapidly.
“It’s improbable that a user would notice the ransomware is encrypting their files until it’s too late. If a user realizes what’s happening within seconds of the malware running, they might try to shut down their computer. Then, using an external boot disk, they could boot the machine and run a cleaner tool like Norton Power Eraser. This might stop the ransomware from encrypting all the files,” Savvides explained.
Treat any computer that has been infected with caution.
Security tools such as Norton Power Eraser or Norton Internet Security might be able to remove the infection, but the files will remain encrypted. “The best course of action is to restore the computer using a backup or reset it to factory settings using a recovery disk. After that, immediately update the system and install all patches,” Savvides advised.
“These are crucial steps because we’ve seen cases where ransomware not only holds user files hostage but also installs banking Trojans. These Trojans aim to steal funds from users’ bank accounts, typically by capturing their banking credentials when they log in to pay the ransom. If the ransomware didn’t encrypt the backups, it’s unlikely the files themselves were infected.”
Symantec strongly advises affected users not to pay any ransom.
“Paying criminals is never the recommended course of action because it only empowers them and rewards their criminal behavior. Furthermore, there is no guarantee that your files will be released back to you,” Savvides warned.
Here are some other best practices for guarding against ransomware:
- Maintain up-to-date security software at all times.
- Ensure your operating system and other software are regularly updated. Software updates often include patches for recently discovered security flaws that ransomware attackers could exploit.
- Exercise caution with unexpected emails, particularly those containing links and/or attachments.
- Be extremely cautious of any Microsoft Office email attachments that instruct you to enable macros to view content. Unless you are absolutely certain the email is legitimate and from a trusted source, do not enable macros. Instead, delete the email immediately.
- Backing up important data is the single most effective way to combat ransomware infections. Organizations must ensure that backups are properly secured or stored offline to prevent attackers from deleting them.
- Utilizing cloud services could help mitigate ransomware infections. Many cloud services keep previous versions of files, which allows users to “roll back” to the unencrypted versions of their files.
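As an added example, not taken from the article or from Microsoft, Symantec or Acronis: a read-only PowerShell check an administrator could run to confirm that the MS17-010 guidance above has actually been applied on a host. The KB article identifiers for MS17-010 differ per Windows version and are not given in the article, so the list is a labelled placeholder to be filled in by the operator. The SMBv1 check reflects the fact that MS17-010 fixed flaws in the Windows SMBv1 server component, so disabling SMBv1 is a compensating control where the update cannot be installed.

```powershell
# Added example (not from the article or any vendor): report whether a Windows
# host has taken the MS17-010 update and whether the SMBv1 server is still on.
# ASSUMPTIONS: $RequiredKB must be replaced with the MS17-010 KB IDs for this
# Windows version (placeholder below); Get-SmbServerConfiguration is only
# available on Windows 8 / Server 2012 and later, so older systems report
# 'unknown' for the SMBv1 state.

function Test-MS17010Exposure {
    param(
        # Placeholder: replace with the MS17-010 KB article IDs for this OS.
        [string[]]$RequiredKB = @('KB0000000-PLACEHOLDER')
    )

    # Installed hotfix IDs as reported by the OS.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

    # SMBv1 server state, if the cmdlet exists on this platform.
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MissingUpdates = $missing
        SMB1Enabled    = $smb1
        # Exposed when a required update is absent and SMBv1 is on or unknown.
        Exposed        = ($missing.Count -gt 0) -and ($smb1 -ne $false)
    }
}

Test-MS17010Exposure | Format-List
```

Run it in an elevated PowerShell session on each host; a result of `Exposed : True` means the update is missing and the SMBv1 server has not been confirmed off, which is the condition the article describes WannaCrypt exploiting.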
In 2016, Singapore ranked 8th regionally for ransomware, the same position it held in 2015. Globally, it was the 24th most targeted country for ransomware in 2016, a significant jump from 42nd in 2015. This means Singapore accounted for 0.5% of ransomware infections on unique machines. According to the Symantec Internet Security Threat Report, Volume 22:
- The average ransom demanded per victim rose to US$1,077 in 2016, a substantial increase from US$294 in 2015 – a 266% surge.
- The number of ransomware attacks climbed to 463,841 in 2016, up from 340,665 attacks in 2015, marking a 36% increase.
- In 2016, one in every 131 emails contained a malicious link or attachment, representing the highest rate in five years.
- Throughout 2016, there was a doubling in attempted attacks targeting IoT devices. At peak activity, an average device was subjected to an attack every two minutes.
Interested?
Download the patch for Windows XP, Windows 8, and Windows Server 2003
Read the Microsoft blog post about how the ransomware spread
Read the MalwareTech blog post on how registering a command and control domain name unintentionally halted the ransomware’s progress. Editor’s note: While this was a fortunate accident, there’s no assurance that similar tactics will stop future ransomware attacks.
Read the TechTrade Asia blog post about Kaspersky Lab identifying ransomware as its security story of the year for 2016.