Ransomware that will make you WannaCry and what you can do about it

May 14, 2017

As a public service, I gathered some background information about the “WannaCry” worm flying around the Internet and put together a Q and A discussion:

First, a link to some background info here:

Next, a link to the Microsoft patch that fixes the vulnerability that lets the ransomware in:

But do a full Windows Update – only apply this patch by itself if a full Windows Update is not feasible.

Brian Krebs always has great writeups on these attacks.  Here’s the krebsonsecurity.com article.

And a technical writeup:

WannaCry screen capture; taken from the KrebsOnSecurity article

WannaCry screen capture; taken from the KrebsOnSecurity article

WannaCry Q and A:

Q: What’s ransomware?
A: Ransomware is the name we’ve given to malicious software that scrambles all data to which your computer has access, and offers to decrypt all of it in return for an extortion payment.

Q: What happened with the WannaCry attack?
A: Apparently, the US National Security Agency found a Windows vulnerability at an unspecified time in the past and kept it a secret. Somebody penetrated the NSA earlier this year and stole more secrets, including this vulnerability, and a group that calls themselves Shadow Brokers published it. Somebody looked at what Shadow Brokers published and built a malicious software package around this vulnerability to scramble documents, emails, databases, and pretty much everything useful it can find. The malicious software also searches the network to which it’s connected for other vulnerable systems, copies itself to those systems, and exploits the vulnerability to launch a copy of itself on the new system. Once unleashed, it spread fast, shutting down a large telecom carrier in Spain and several hospital chains in England. Apparently, the Russian Interior Ministry and several universities in China were also victims. It’s come to be known as the WannaCry worm.

Much of the Internet would be crippled today if not for the fast work of a security researcher who calls himself Malware Tech. He looked at the source code and found that this strain of WannaCry kills itself if it finds a domain name registration for a particular domain name. Malware Tech registered that domain name and many of the copies in the wild killed themselves.

This variant of WannaCry only compromised 76,000 computers, shut down a hospital system for one country, and the telecom infrastructure for another country. All in as few hours. Next time, we won’t be so lucky.

Q: What’s the vulnerability?
A: Send a specially formatted string to a Windows server using SMB V1, an old version of the file sharing protocol, to force that system to remotely execute your evil program. Unfortunately, most Windows systems still allow SMB V1. Also note that all desktop and laptop Windows computers have the ability to serve files and databases to other computers.

Q: You just said the WannaCry outbreak is contained. What’s the big deal?
A: This specific outbreak is contained. But it’s trivial to introduce another strain without a kill switch, or that checks for a different domain name registration. Just like biological viruses mutate, WannaCry will too.

Q: How do we defend ourselves?
A: For this specific WannaCry attack – number one – update all your Windows systems. Right now. Microsoft patched this vulnerability in March, 2017, and patched all its operating systems back to Windows XP and 2003 after the outbreak on May 12. Do a Windows Update and apply all the latest patches to everything you have. If not feasible to do a full Windows Update right away, at minimum go to the Microsoft link above and apply that patch.

To defend against ransomware attacks in general, you need two tactical things: Vigilance and good backups.

Vigilance includes all the things we’ve heard over the years; don’t open email attachments, be careful about browsing websites, don’t fall for scams, keep antivirus signatures up to date. All that advice still applies. But despite all that, all it takes is one lapse for an attacker to win.

Some people think that backing up to an external hard drive or maybe a cloud service will take care of it. Just ask the Tewksbury, MA. Police Department how well that worked out. Always remember – if your computer can access it, so can malicious software inside your computer. Plan your backups accordingly.

One method – keep a rotation of external disks and change them once or twice per week. If one is scrambled, you’ll have another one still good. Clean the malicious software off your computer before reconnecting it.

Another method for people who like the cloud – buy a second computer. It has one job, to run backups. Share everything on your work computer with the backup system. The backup system reaches across your home/small business network to your work computer and copies everything to the cloud. Your work computer doesn’t have any access to this cloud service, so if somebody compromises it, it can’t destroy your cloud backups.

Q: Isn’t there a free service that can restore my files?
A: Some people came up with a way to do this with earlier ransomware attacks. The attackers are more sophisticated now. So, no, not anymore.

Q: Should I pay the ransom?
A: Law enforcement, including the FBI, says no. You’re putting money into criminals’ hands and making them stronger. On the other hand, if they’ve scrambled everything useful inside your computer, your backups are no good, and you’re looking at bankruptcy because your business can’t operate, then you don’t have a choice. Do what you have to to survive, and then make your mission in life to take down these clowns. You’re won’t be the first.  Despite law enforcement’s official advice,  police departments across the United States have also paid.  Next time, do a better job protecting yourself because now you’re marked.

Q: I’m a business owner and my company has an IT Department. I have more important things to think about than all this tech stuff and I don’t have time to play with patches.
A: I hope you enjoy Russian Roulette.

Q: I’m just a home computer user and I only play games and browse websites. I’m not tech savvy. Do I need to mess around with all this?
A: See my answer to the business owner above. If a missile is flying at your head and you put a hood over your eyes, that missile is still flying at your head.

Q: Why doesn’t the government or big business or somebody do something about all this malicious activity flying around the Internet?
A: Believe me, lots of people and organizations are trying.  But nobody can do it alone. There’s no universal way to tell good Internet traffic from bad Internet traffic, software packages will always have bugs, people can be gullible, and creative bad guys will find ways to exploit both.  The Internet freedom we all value so highly comes with a cost.  There will never be a substitute for old-fashioned vigilance.  It’s not up to government or big business or somebody else to keep the Internet safe; it’s up to us.

Q: How do I find out more about how to protect myself from WannaCry and other cyber attacks?
A: Right here is a great place to start. Take a look at Resources and the growing library of mini-seminars I put together.  I hope to do one soon on ransomware in general.  Read my first book, Bullseye Breach, about how a typical large scale cyber attack might unfold. And watch for book #2, coming soon.