Protect Your Computer From the Wanna Cry Ransomware Cyberattack
A cyber attack in June targeted airlines, banks and utilities in Europe. Back in May, portions of the UK NHS system were stalled and paralyzed thanks to ransomware. Whether you call it WannaCrypt, WCry, or even WannaCry, this ransomware also attacked ATMs and train stations, and just wreaked havoc across the globe.
When ransomware strikes a computer or network, it locks down the files, which become inaccessible. The computer then will inform the user that in order to use the computer again, they have to pay a ransom for a cyber key. Generally, this fee is requested in bitcoins, as they cannot be traced.
A cyberattack often starts when a person is lured into clicking a link in an email, which downloads malware onto the computer. Hackers are very skilled at getting victims to click on these links, and in many cases, the victims don’t even realize they are doing anything wrong. This emailed link might take the form of your bank, a company you do regular business with, or even someone you know.
These links look innocent enough, but are very harmful, just like these last major cyberattacks were harmful, too. In fact, last May, this ransomware attack was a big enough issue that Microsoft even created a patch for its users on Windows XP, something that they have not done in several years because that OS is obsolete. How could a single piece of malware cause such a headache?
Understanding This Particular Malware
To get to the answer of that question, it’s important to understand what the WannaCry malware is. This particular piece of malware has the ability to search for, and then encrypt, a total of 176 different types of files. It then asks for a $300 bitcoin ransom. If you don’t pay that $300, the ransom message says the payment will be doubled every three days. If, after seven days, the ransom payment is not made, the file is deleted.
Should You Pay the Ransom?
One of the most common questions people have when becoming a victim of malware attacks is if they should pay the ransom or if there is a way to decrypt the files. Fortunately, decryption of these files may be possible (see this link here: “wannacry decryptor”). And researchers are still working on new decryptors. It’s best to make a backup of all of your files beforehand, which means you can restore them. It’s best NOT to pay the ransom if possible.
There are some cases where files can be recovered even if you don’t have a backup, but files saved on a removable drive, on the Desktop, or on My Documents are not recoverable. Those that might be recoverable might be able to be recovered with an undelete tool.
How Has Ransomware Affected the US?
Back in May, this particular malware affected the UK, and made its way to the US, too. However, a British researcher, who goes by the name “MalwareTech,” was able to temporarily stop it while on vacation. This, however, is problematic as it shows that the global information security industry is scattered, and relying on one person is quite insufficient.
MalwareTech noticed that the domain name that the malware was directed to didn’t exist. If it would have been active, the malware program would believe that it was a false positive from having its code disassembled. To stop this, WannaCrypt designed the malware to shut itself down. So what does this say about our levels of global cyber preparedness?
First, this shows that our information security industry looks at cyberattacks as more of a business opportunity than as a way to work together to eliminate any threats. Though there are certainly pros out there who don’t, like MalwareTech did, the events surrounding the UK malware incident show that as an industry, greater collectiveness is required. We can’t count on lazy coding in the next cyberattack.
Second, we have to look at whether or not WannaCrypt was a simple test of readiness. It’s possible that the ease of stopping the attack was not an act of laziness at all, but an act to see how long it would take to shut the program down.
It is also possible that those who developed this malware did it in order to gather intelligence on which systems could be affected by this malware, such as Windows XP systems. Remember, this operating system is no longer supported by Microsoft.
There is also the possibility that WannaCrypt intended to show that governments catalogue vulnerabilities in the software they use, but don’t share that information with developers. This could show what might happen if these vulnerabilities are used by the wrong people.
WannaCrypt has since generated a lot of debate about state-sponsored cyberattacks. The inclusion of backdoors in applications or OS that are government mandated is extremely dangerous, and definitely misguided. However, if we learned anything from the 2016 election, it is that we now live in a world where we need both offensive and defensive capabilities.
We also cannot deny that we should expect more from software giants such as Microsoft. We live in a time where big data is king, and software is tracked. With software vulnerabilities, it could literally stop the world on its feet.
When we have critical systems that rely on software that is at risk, it is a reasonable belief that software developers would notify those whom are at-risk. They should also quickly get a patch released. Long-winded emails and notifications are not sufficient because many customers don’t realize that they have a system that is vulnerable, nor do they get mainstream support.
It has been more than three years since Microsoft stopped supporting its Windows XP operating system, but organizations across the globe still use it, which means groups behind WannaCrypt are going to hone right in.
If we don’t start to be more efficient in our methods to combat these threats, and if we keep using software that is not secure, it should be no surprise when these threats hit. These threats have a big potential to cause significant damage, both digitally and physically…and the next time, we might not have this type of luck.
Who Is Impacted By This?
Any person who uses a Windows computer is susceptible to the WannaCry cyberattack. Companies are more at risk because they are connected to networks, and this looks better to cybercriminals. However, remain vigilant, because individuals are also at risk.
Is the WannaCry Attack Targeted?
Currently, we do not believe that WannaCry activity is part of any targeted attack.
Why Is WannaCry Causing So Many Problems?
WannaCry is causing so many issues because it has the ability to spread itself throughout networks without any user interaction. It exploits the vulnerabilities in Windows systems, so any computer that hasn’t been updated to the latest Windows Update security patch is at risk of becoming infected.
How Does WannaCry Spread?
WannaCry can spread through a network by exploiting its vulnerability, but this is not how it initially infects the network. How the first computer in any organization is infected by WannaCry is not known. One researcher points out “it spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network” There have been a few cases of WannaCry that have been found being hosted on known malicious websites, but it is believe that these are not related to the original WannaCry attacks.
Instead, they are copycats.
How Does the Ransom Work With WannaCry?
As you know, the attackers associated with WannaCry ask that the ransom be paid by using Bitcoins. In fact, WannaCry has generated a unique bitcoin address for each computer that the file affects. However, it was also found that there is a bug in the code, which causes it to not execute as it should. This then causes WannaCry to default to three Bitcoin addresses for payments. This is problematic, however, because the attackers are now unable to properly identify the victims who have paid and who hasn’t, which means the victims, even if they have paid, are not likely get their files back.
The WannaCry attackers realized all of this, and then released a new version of the malicious software that fixed this, but it has not been as successful as the original cyberattack.
Most recently, on May 18, computers that were infected with this malware displayed another message, which told victims that their files would only be decrypted if a ransom is paid.
What to Do If You Are Infected
Here are some steps that you should take if your computer is infected:
- Report the instance to the police. Though they likely can’t help, it is always good practice to record it.
- Disconnect the computer from the network. This helps to prevent the cyber infection from spreading to other networks.
- Remove the ransomware from the computer. Just remember, removing the ransomware won’t give you access to your files, as they are encrypted.
- If you have a data backup (you should), there is no reason that you will need to pay the ransom. You still want to remove the ransomware, even if you have a backup.
- What if you have important files you absolutely need that were not backed up? Start saving your bitcoins. Check out this site on how to make payments using this method.
- Remember. The bad guys are going to be impossible to trace, and you will have to make the payments on the Tor network, which offers anonymous browsing.
- Finally, even though it’s a gamble, you shouldn’t be shocked if you pay and actually get a decryption key. Most cyber thieves will follow through and give you the code because they want to be taken seriously. If it is common knowledge that you don’t get the code, what’s the point of paying?
The best thing that you can possibly do is to prevent a cyberattack in the first place. This means that you should look for all the clues that might imply phishing scams or malware attacks. Don’t allow a threatening email to push you into clicking a bad link. Also, make sure to back up all of your data online and on an external hard drive. This way, even if you are the victim of a malware attack, you won’t have to pay a ransom.