Ransomware, those dirty little digital things that lock up your data and demand money to give it back, has been around for a long time already.
However, this may be the first time in internet history that a ransomware outbreak has been reported at this level of severity. We are talking about none other than WannaCry, also known as WannaCrypt or Wanna Decryptor. This notorious ransomware is the very thing that wreaked havoc on computer networks across the entire world over the last few days. Granted, some 200,000 infected computers spread over 150 countries may not sound like much, but infrastructure-wise its reach stretched very far. So far, in fact, that systems at dozens of hospital trusts of the British National Health Service (NHS) were locked up, with appointments and operations cancelled as a result.
Now, don’t panic just yet. If you’re not in the loop yet, we have laid out all of the basic information you need to arm yourself against this potential PC killer.
What is WannaCry?
WannaCry is a type of ransomware computer worm. Function-wise, it does not differ much from your typical ransomware: it encrypts the victim’s files (documents, pictures, archives, databases and so on), renames them with a .WNCRY extension, and then extorts money from the user via bitcoin in exchange for the decryption key: $300 worth of bitcoin, rising to $600 after three days. Unlike ransomware such as CryptoLocker, however, there is no guarantee that the WannaCry operators will actually deliver the key even if the user pays. Because the files themselves are encrypted, removing the malicious software does almost nothing to solve the situation; without the key, the data on the computer is as good as lost.
What makes WannaCry far, far worse than any other ransomware before it is that it spreads on its own. It uses an exploit for a flaw in SMBv1 (CVE-2017-0144) that was present in every version of Windows from XP to Windows 10; Microsoft fixed it in March 2017 (bulletin MS17-010), so only machines that had not taken that update were exposed. In simple terms, the worm only has to get onto a single unpatched computer. From there it scans the local network, and random addresses on the internet, for other machines with port 445 open, and infects each vulnerable one it finds, without anyone on those machines opening or running anything.
Where did it Come From?
It came from the NSA. We are not kidding. The original exploit was codenamed “EternalBlue”, and it attacks a remote code execution flaw in Server Message Block version 1 (SMBv1), the ancient Windows file-sharing protocol. EternalBlue was built so that NSA operators could break into the machines of targets the agency deemed worth spying on, usually paired with a kernel-level backdoor called DoublePulsar, which WannaCry uses as well.
The debacle started when a group calling itself the Shadow Brokers got hold of the original exploit (along with many others) from the NSA; how they obtained it has never been publicly established. The group then leaked the exploits onto the internet in a series of dumps, the largest of which, in April 2017, contained about 1 GB worth of weaponized exploits, EternalBlue among them. Whoever built WannaCry (not the Shadow Brokers themselves, as far as anyone has shown) then bolted the leaked EternalBlue and DoublePulsar code onto a ransomware payload and unleashed it on the entire world on May 12th, 2017.
Due to its purpose, EternalBlue was never disclosed to Microsoft or the public during the years the NSA used it; the agency is believed to have developed it around 2013 and to have warned Microsoft only after it learned the exploit had been stolen. Microsoft shipped the fix (MS17-010) on March 14th, 2017, a month before the Shadow Brokers published the exploit and two months before WannaCry, which is the window in which everyone who went on to be infected had failed to patch. The revelation sparked public outrage at a security agency whose hoarding of the flaw had now created a security problem for the entire world.
How to Tell If You’re Infected
When a unit is infected by WannaCry, the first thing that you will see is an altered desktop wallpaper that says “Ooops, your important files are encrypted.” As the ransomware runs, your documents get renamed with a .WNCRY extension and stop opening, a ransom note called @Please_Read_Me@.txt appears in the affected folders, and a “Wana Decrypt0r 2.0” window with two countdown timers pops up, exactly like the one you see above.
At this point, there is no saving your files, short of restoring them from a backup. As mentioned earlier, even if the malware is subsequently removed by an antivirus program, the files stay encrypted, and the encryption (AES per file, with the AES keys locked by RSA) is not something you can brute-force. The one narrow exception reported after the outbreak: on some Windows XP and Windows 7 machines that had not been rebooted, researchers’ tools could recover the RSA private key from the ransomware process’s memory. So if an infected machine holds data that matters, disconnect it from the network, but do not power it off until someone has tried that.
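The symptoms above are what a user sees; on a machine you suspect but cannot eyeball, the same infection leaves well-documented traces you can check for. The following is an added example, not part of the original article, and checks four of the published WannaCry indicators: the .WNCRY extension, the @Please_Read_Me@.txt ransom note, the mssecsvc2.0 service the worm installs, and the global mutex the dropper creates. The function name and the default paths it sweeps are this example’s own choices; it needs PowerShell 3.0 or later, run as Administrator.

```powershell
# Added example (not from the original article): quick host triage for WannaCry indicators.
# Run in an elevated PowerShell 3.0+ prompt on the suspect Windows machine.
# Indicator names are the published ones; the function name and default paths are assumptions.
# Finding none of the four is not proof the machine is clean; finding any one is a strong sign.

function Test-WannaCryIndicators {
    [CmdletBinding()]
    param(
        # Paths to sweep for encrypted files and ransom notes; adjust to your environment.
        [string[]] $Paths = @("$env:SystemDrive\Users", "$env:ProgramData")
    )

    $findings = [ordered]@{
        Service        = $false
        Mutex          = $false
        EncryptedFiles = 0
        RansomNotes    = 0
    }

    # 1. The worm installs itself as a Windows service named "mssecsvc2.0".
    if (Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue) {
        $findings.Service = $true
    }

    # 2. The dropper creates a global mutex; OpenExisting throws if it is absent.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('Global\MsWinZonesCacheCounterMutexA0')
        $m.Dispose()
        $findings.Mutex = $true
    } catch {
        # Mutex not present (or we lack permission to open it): nothing to record.
    }

    # 3. Encrypted files are renamed with a .WNCRY extension and a ransom note is
    #    dropped in every folder the ransomware touched.
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $findings.EncryptedFiles += @(Get-ChildItem -Path $p -Recurse -Force -File `
            -Filter '*.WNCRY' -ErrorAction SilentlyContinue).Count
        $findings.RansomNotes += @(Get-ChildItem -Path $p -Recurse -Force -File `
            -Filter '@Please_Read_Me@.txt' -ErrorAction SilentlyContinue).Count
    }

    $findings.Infected = ($findings.Service -or $findings.Mutex -or
                          $findings.EncryptedFiles -gt 0 -or $findings.RansomNotes -gt 0)
    [pscustomobject]$findings
}

# Usage: print the verdict for this machine.
Test-WannaCryIndicators | Format-List
```

If Infected comes back True, pull the network cable first and only then decide about powering off, for the memory-recovery reason given above.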
How to Prevent Being Infected
Completely preventing the initial attack starts with being much, much more vigilant about potential sources. First are phishing sources. As always, be very wary of any message that comes with an attachment or a link, and stay away from unfamiliar websites for now; even if you need to access such a site, do some proper background checks first to see whether it is legit. Be aware, though, that WannaCry does not need you to click anything: it scans the internet for machines with SMB port 445 exposed and walks straight in, so vigilance alone will not keep an unpatched PC safe. The patch, and keeping port 445 off the internet, are what actually stop it.
Additionally, Microsoft has provided official updates that close the SMBv1 hole: MS17-010, released in March 2017 for Windows Vista and later, and, the day after the outbreak, an emergency patch (KB4012598) for the no-longer-supported Windows XP, Windows 8 and Server 2003. Install them now. If you have no need for SMBv1 (and almost nobody does), disable it as well, and block inbound TCP port 445 at your firewall.
For any Windows XP unit that cannot be patched for whatever reason, the recommendation is to take it off the network, and if possible shut it down completely, so the ransomware cannot use the unprotected unit as a gateway (refer to the updated information below).
Finally, back up your data, and keep at least one copy offline or otherwise out of reach of the computer being backed up, because a worm that can reach a mapped network drive will encrypt the backup too. With your data properly backed up, even if your unit gets infected, all you have to do is wipe the system clean, reinstall the OS, patch it before reconnecting it to the network, and restore the data from backup.
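The three technical steps above (confirm the patch, turn off SMBv1, block port 445) can be done from one elevated PowerShell session. The script below is an added example and not Microsoft’s or the original article’s own; the KB numbers come from the MS17-010 bulletin, the SMBv1 switches from Microsoft’s KB2696547 guidance, and the firewall rule name is this example’s own. Note the caveat in the first step: a machine patched by a later cumulative update will not list any of these KBs, so “not found” means “go and check”, not “vulnerable”.

```powershell
# Added example (not Microsoft's or the article's script): the three controls that
# actually stop the worm. Run as Administrator on Windows 7 or newer.
# KB list: MS17-010 bulletin. SMBv1 switches: Microsoft KB2696547. Rule name: assumption.

# 1. Is MS17-010 installed? Get-HotFix only sees the KBs listed here, so a machine
#    that took a later cumulative update shows as "not found", not as "vulnerable".
$ms17010 = @(
    'KB4012212', 'KB4012215'                # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216'                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # XP, Vista, Windows 8, Server 2003 (emergency fix, 13 May 2017)
)
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 KB found: patch now, or confirm a later cumulative update is installed"
}

# 2. Disable SMBv1. The cmdlets differ by OS generation, so branch on the version number.
$osVersion = [Version](Get-WmiObject -Class Win32_OperatingSystem).Version
if ($osVersion -ge [Version]'6.2') {
    # Windows 8 / Server 2012 and newer: switch off the SMB1 server side.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($osVersion -ge [Version]'6.3') {
        # Windows 8.1 / 10 clients can drop the component entirely
        # (on servers use Remove-WindowsFeature FS-SMB1 instead).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
} else {
    # Windows 7 / Vista / Server 2008 (R2): registry for the server side (KB2696547),
    # service dependencies for the client side. Takes effect after a reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

# 3. Block inbound TCP 445 on machines that do not serve file shares. This breaks
#    incoming SMB on purpose; on a file server, do it at the network perimeter instead.
if (Get-Command -Name New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
} else {
    # Windows 7 has no NetSecurity module; netsh does the same job.
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445
}

"Reboot to finish disabling SMBv1."
```

Do the firewall step at the perimeter as well, not only on endpoints: a home router or office firewall that forwards port 445 to the inside is exactly the door the worm walked through.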
UPDATE: It turns out that the biggest threat was not Windows XP after all, but Windows 7. In the days after the initial attack, an analysis published by Kaspersky Lab showed that roughly 98% of all WannaCry victims were running Windows 7; Windows XP, which the worm’s exploit reportedly tends to crash rather than infect, barely registered. Still no need to panic, however, if you have properly followed all of the precautionary measures above.