Undoubtedly you’ve heard of the most recent ransomware attack plaguing the globe. It started late last week and so far has infected machines across 150 countries.
As the name suggests, the virus in effect holds the infected computer hostage and demands that the victim pay a ransom in order to regain access to the files on his or her computer. You can learn more about ransomware in this previous blog post.
But let’s get down to what you need to know. Here are the latest facts about WannaCry that you need to be aware of to make sure your systems are not at risk.
How does it spread? Reports indicate WannaCry started somewhere in Europe through a phishing email with a zip attachment. An unsuspecting user opened the zip file and the malware spread from there.
What it does: WannaCry encrypts most or even all of the files on a user’s computer. Then, the software demands that a $300 bitcoin ransom be paid in order to have the files decrypted. If the user doesn’t pay the ransom within three days, the amount doubles to $600. After seven days without payment, WannaCry will delete all of the encrypted files and all data on the infected system will be lost.
How it works: WannaCry exploits Windows operating systems using the DoublePulsar and EternalBlue vulnerabilities. Both were part of an exploit dump released a few weeks ago by a group calling itself "The Shadow Brokers."
Currently the malware is spreading by acting as a worm. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer.
Who’s at risk? This vulnerability affects SMBv1, SMBv2 and SMBv3 in Windows versions XP, 2003, 7, 2008, 2008 R2 and Windows 10.
What if I’m infected? Can I get my files back? Short answer: no. Information security firms are getting better at decrypting files from ransomware attacks, but there are as yet no reputable decryptors (tools for removing ransomware) for WannaCry. People are already working on a fix for that. In the meantime, don't get attacked a second time.
Hackers could even use the promise of a WannaCry fix as bait for further infections, so be extremely skeptical. Also, according to McAfee researchers, WannaCry deletes so-called "Volume Shadow" backups that can sometimes be used to restore files.
There are also rumors circulating on the net that even if you pay the ransom, your files are still left encrypted.
How to stop it: Simple answer: patch your systems. Due to the seriousness of the WannaCry attack, on May 13, 2017, Microsoft provided a security update for Windows XP, Windows 8, and Windows Server 2003, despite these versions being past their support cycles. Users can download the patch from the Microsoft Update Catalog.
But I’m air-gapped, so I have nothing to worry about: Wrong. Patch your systems. An unpatched system is like an unlocked front door. Attackers are just waiting for someone to copy a file over to your system from an infected thumb drive or some other attack vector (remember the Stuxnet virus).
Always keep your systems patched and updated.
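As an added example (not code from the original post), the following PowerShell audit checks the two conditions the post describes on a Windows host: whether the SMBv1 server is still enabled and whether the SMB security update is installed. The KB numbers are placeholders you replace with the ids for your Windows version from the Microsoft Update Catalog; the registry path and cmdlets are standard Windows ones.

```powershell
# Added example, not from the original post: audit a Windows host for the two
# conditions described above (SMBv1 server enabled, SMB security update missing)
# and optionally disable SMBv1. Run from an elevated PowerShell prompt.
param(
    # Placeholder KB ids: replace with the update ids for this OS version taken
    # from the Microsoft Update Catalog; the post does not list them.
    [string[]]$RequiredKBs = @('KB0000000'),
    # Remediate instead of only reporting.
    [switch]$DisableSmb1
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The SMB1 registry value is absent by default, which means SMBv1 is enabled.
# Reading the registry rather than Get-SmbServerConfiguration also covers
# Windows 7 / Server 2008, where that cmdlet does not exist.
$smb1Value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

# Any one of the required KBs present means the SMB fix has been applied.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = @($RequiredKBs | Where-Object { $installed -contains $_ }).Count -gt 0

Write-Output ("SMBv1 server enabled : {0}" -f $smb1Enabled)
Write-Output ("SMB update installed : {0}" -f $patched)

if (-not $patched) {
    Write-Warning 'Security update missing: install it from the Microsoft Update Catalog.'
}

if ($smb1Enabled -and $DisableSmb1) {
    # Setting SMB1=0 disables the SMBv1 server on every version listed in the
    # post; the change takes effect after a reboot.
    Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord -Force
    Write-Output 'SMBv1 server disabled in the registry; reboot required.'
}
```

Running it with `-DisableSmb1` only turns off the SMBv1 server; the update itself still has to be installed, and any software that depends on SMBv1 should be checked before the reboot.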
You can learn more about security for automation, process control, and IIoT applications in the security blog post below.