What is WannaCry Malware or Ransomware?
The WannaCry ransomware has been all over the news. Systems in more than 150 countries have been hit so far, and the outbreak is probably not over. If you have been wondering what it is and how to protect yourself, please read on.
What is ransomware?
Ransomware is malware that blocks access to your data, usually by encrypting it, until a ransom is paid. Payment is typically demanded in a cryptocurrency such as Bitcoin. There have been many ransomware campaigns before this one; WannaCry is simply the newest and, so far, the most widespread.
Who does it affect?
So far WannaCry has targeted only Microsoft Windows. To spread, it exploits a vulnerability in the Windows Server Message Block 1.0 (SMBv1) server, which is reachable over TCP port 445. Microsoft patched that vulnerability in mid-March 2017 (security bulletin MS17-010), two months before the outbreak, but many home users and corporate networks had not yet rolled the update out, and that is what left them exposed. In an unusual step, Microsoft has also released the fix for versions it no longer supports, including Windows XP, Windows 8 and Windows Server 2003.
Only Windows machines have been reported compromised. If you are a Mac, Linux or BSD user, this worm cannot infect your own system, though any Windows machine or Windows virtual machine on the same network is still exposed.
What makes it worse is that the spreading code is based on an exploit attributed to the NSA (known as EternalBlue), built to get into the machines of 'persons of interest'. The tool was leaked online by the Shadow Brokers group in April 2017 and has now been repackaged as a worm that spreads itself across networks and the Internet. Being a worm as well as ransomware makes it far more infectious than ransomware that relies on each victim opening an attachment. A near-real-time map of the infection's spread worldwide is available here.
Microsoft itself has publicly blamed the 'hoarding of exploits' by government agencies as the main culprit behind attacks like this one.
How much damage has the WannaCry ransomware caused?
Put mildly, the damage done so far has been considerable, even though the ransom actually collected has not been large yet. It may also not be over. A security researcher stumbled on a 'kill switch' in the code: before doing anything else, the malware tries to reach a hard-coded domain, and if it gets a response it exits quietly. Registering that domain therefore stopped the original sample on newly infected machines. Variants without this check have since been reported, so do not rely on it.
The outbreak began on Friday, 12 May 2017, and has kept spreading since. In India the latest major organisation to be hit is the Andhra Pradesh police. CERT-In, India's national computer emergency response team, has issued a red alert and is expected to hold a webcast on how best to prevent and respond to the threat.
Infection Methodology of WannaCry ransomware
How the very first machine in each network gets infected is not entirely clear. The usual suspects are attachments in spoofed e-mails or macros in documents, both of which need the victim to run an executable that has been dressed up to look legitimate, though at this point no such mail has been confirmed. Once a single machine is infected, however, no user action is needed: the worm component scans for other machines with the unpatched SMBv1 flaw, on the local network and on random Internet addresses, and infects them directly over port 445. On each infected machine the ransomware then quickly encrypts most of the user's files.
- Files are encrypted with a per-file AES-128 key, and each of those keys is in turn encrypted with an RSA-2048 public key; the matching private key is itself locked with a key only the attackers hold. Encrypted files get the extension .WNCRY. Brute-forcing either layer is hopeless; "a thousand years" is a wild underestimate of what it would take.
- WannaCry runs the encryption in background processes, starting with the files on your desktop and then moving on to other drives and directories.
- While the encryption runs, it replaces the desktop wallpaper with a threatening message.
- It then opens a dialog box with a timer (the ransom of $300 doubles after three days, and the files are threatened with deletion after seven), the message in detail and the option to pay in Bitcoin.
- In the background, the child processes keep scanning your files and encrypt those whose extensions are on the malware's target list, which covers documents, spreadsheets, images, media and archives: doc, docx, mp3 and many more.
- It deliberately skips several directories of your Windows installation so as not to destabilise it, which is why an infected machine still boots and can display the ransom note. During its scans it skips paths containing "Content.IE5", "Temporary Internet Files", "\Local Settings\Temp", "\AppData\Local\Temp", "\Program Files (x86)", "\Program Files", "\WINDOWS", "\ProgramData" and so on.
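To see what that file-selection logic means for your own machine, the following read-only PowerShell script walks a directory tree and lists the files the ransomware's rules would select, using the directory exclusions named above. This is an added example, not code from the original post and not the malware's own code; it only lists files and changes nothing. The extension list is a small illustrative subset (the post names only doc, docx and mp3; the real list is far longer), and the case-insensitive substring match on the path is an approximation of how the exclusions are applied.

```powershell
# Added example: estimate which files under $Root WannaCry's selection rules
# would encrypt. Read-only: nothing is modified.
$Root = "$env:USERPROFILE"

# Directory fragments the ransomware skips so Windows keeps booting (from the post).
$SkippedDirectories = @(
    'Content.IE5',
    'Temporary Internet Files',
    '\Local Settings\Temp',
    '\AppData\Local\Temp',
    '\Program Files (x86)',
    '\Program Files',
    '\WINDOWS',
    '\ProgramData'
)

# Illustrative subset of targeted extensions (assumption: the real list has well
# over a hundred entries; the post itself names doc, docx and mp3).
$TargetedExtensions = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
                        '.pdf', '.jpg', '.png', '.mp3', '.mp4', '.zip', '.txt')

function Test-SkippedPath {
    param([string]$Path)
    foreach ($fragment in $SkippedDirectories) {
        # Case-insensitive substring match on the directory path
        # (an approximation of the malware's exclusion check).
        if ($Path.IndexOf($fragment, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Walk the tree; -Force includes hidden files, errors on locked paths are ignored.
$inScope = @(Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($TargetedExtensions -contains $_.Extension.ToLower()) -and
        -not (Test-SkippedPath -Path $_.DirectoryName)
    })

$totalBytes = 0
if ($inScope.Count -gt 0) {
    $totalBytes = ($inScope | Measure-Object -Property Length -Sum).Sum
}
"{0} files ({1:N1} MB) under {2} match the selection rules" -f $inScope.Count, ($totalBytes / 1MB), $Root

# Group by extension so you can see where the exposure concentrates.
$inScope | Group-Object { $_.Extension.ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Run it against your profile first, then against any mapped network drive: shares are in scope for the ransomware just like local disks, and the total it prints is a reasonable estimate of what you would lose without a backup.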
Should you pay the ransom?
No. Even if $300 in Bitcoin does not sound like much in the long run, there is no guarantee you will ever receive the private key. The malware uses a handful of hard-coded payment addresses, so a payment is not even reliably tied to your machine, and the attackers have little reason to follow through. To put it simply, treat your files as gone: if you pay, you may end up losing both your money and your data.
Unless, that is, you have backups. System Restore alone will not help, since it does not restore your documents and the encrypted files will not be decrypted. A cloud backup service is fine too, provided it keeps earlier versions of your files; a plain sync folder may have faithfully uploaded the encrypted copies over the originals.
How to recover from an attack?
Fortunately, you can remove the WannaCry malware itself from your system without a full reset. I recommend a reset anyway, but if you would rather not, check the exhaustive guide from BleepingComputer.
NOTE: Do not attempt backups before completely disinfecting your system, and do not plug a backup drive into a machine that is still infected.
Recovering the encrypted files, on the other hand, is not possible at the moment, and I don't think it will become possible. Your files are most likely lost unless a flaw is found in the way the malware generates or protects its keys, which is very unlikely. So backups are your only hope, and those backups need to be on a separate device or hard disk that was not connected to the infected system; anything that was connected will have been encrypted along with the rest.
How to protect and prevent yourself from WannaCry ransomware?
- If you run Windows on a home network and have Automatic Updates turned on, the March fix (MS17-010) should already be installed and you have little to worry about; on Windows 10 the updates are on by default. On a corporate network, check with your network admin that the SMB patch mentioned at the beginning of this post has been applied everywhere, that SMBv1 has been disabled where nothing still needs it, and that TCP port 445 is blocked at the perimeter so the worm cannot reach you from the Internet.
- Back up all your important files, online or on an external device. This is not the time to be choosy; back them up to your phone if need be. If you have no option but to keep them on the same machine, zip them and rename the archive's extension to something that is not on the ransomware's target list. Remember that the list can be updated in new variants, so this should be your last resort.
- Do not download attachments from unverified sources. In fact, I suggest not downloading any attachment on your Windows machine for the next few days; open them on an Android or iOS device to check them first instead.
- Install Malwarebytes. The free version is good enough to remove the worm if you are infected. Your encrypted files will remain inaccessible, though.
- Ditch Windows and switch to Linux, Mac or FreeBSD. This is not a realistic choice for many, but with Windows, peace of mind is not always guaranteed when it comes to security. Windows is not inherently under-protected; it is just that its reach makes it the more profitable target.
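To verify the first point yourself rather than taking it on trust, the following PowerShell script checks the three things that matter for the worm component on a local Windows machine: whether the SMBv1 server is still enabled, whether an MS17-010 hotfix ID is installed, and whether anything is listening on TCP 445. It is an added example, not part of the original post or of any Microsoft guidance. Run it from an elevated PowerShell. The list of KB numbers is an assumption to verify against Microsoft's MS17-010 bulletin for your exact Windows build, and on Windows 10 the fix has since been folded into later cumulative updates, so an empty result there is not proof you are unpatched.

```powershell
# Added example: local exposure checks for the SMBv1 flaw WannaCry spreads through.
# Checks only; the remediation commands at the end are commented out.

# 1. SMBv1 server state (Windows 8 / Server 2012 and later expose this cmdlet).
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb) {
    "SMBv1 server protocol enabled: {0}" -f $smb.EnableSMB1Protocol
} else {
    # Windows 7 / 2008 R2: the LanmanServer registry value decides. If it is
    # absent, SMBv1 is enabled by default.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg) { "LanmanServer SMB1 value absent: SMBv1 is enabled (default)" }
    else { "LanmanServer SMB1 registry value: {0} (0 = disabled)" -f $reg.SMB1 }
}

# On Windows 8.1 / 10 SMBv1 is also an optional feature; it should be Disabled.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state: {0}" -f $feature.State }

# 2. Is an MS17-010 hotfix installed? KB numbers differ per Windows version.
# ASSUMPTION: verify this list against Microsoft's bulletin for your build.
$ms17010 = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
             'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
             'KB4012214', 'KB4012217',   # Windows Server 2012
             'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 builds
             'KB4012598')                # XP / Server 2003 / Windows 8 out-of-band fix
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix found: " + ($installed.HotFixID -join ', ')
} else {
    "No MS17-010 hotfix ID found. On Windows 10 a later cumulative update may have superseded it; check Windows Update history."
}

# 3. Is anything listening on TCP 445 (the SMB port the worm uses)?
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State

# Remediation (uncomment to apply; a reboot is required afterwards):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Disabling SMBv1 is the right default, but check first for anything on the network that only speaks SMBv1 (Windows XP machines, old NAS boxes and printers), because those will lose access to shares once it is off. Blocking TCP 445 from the Internet at your router or firewall costs nothing and closes the path the worm uses to find new victims.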
To see how the WannaCry ransomware affects a system, check out this video on YouTube. Keep in mind that the test systems are virtual machines. If you intend to try anything similar, do it only inside an isolated virtual machine with no network access to anything you care about: the worm component will actively look for other machines to infect.
If you like this post, please consider sharing this with your friends.