Goes by: WannaCry, WannaCrypt, WCry, Wana Decrypt0r 2.0, WanaCrypt0r
Dates active: May 12 – May 15, 2017
Way of entry: via email or loaded link into firewall ports 445 and 139
Number of victims: estimated 200,000 machines worldwide
Approximate profit: ~$140,000 in bitcoins
Major victims: Telefónica – Spanish telecommunications provider, Deutsche Bahn – German railway company, FedEx, National Health Service in England and Scotland
How to avoid: Don’t open attachments in fishy emails (like “Resume” or “0895314587245”) and avoid clicking on random links (including ads on trusted websites and for trusted brands); accommodate your IT provider when it comes to patching and allow them to secure all ports on your firewall. Removing any Windows version older than Windows 7 from your environment is also a best practice.
What to do in case of infection: unplug your computer and call your IT provider; plan for a downtime of at least 8h.
WannaCry, like all crypto locker viruses, involved unknowingly downloading a software (“wcry.exe”) that encrypted all the files in its path by adding the file extensions .wcry or .wnry or. wncry or .wncryt resulting in a name similar to “Important Document.docx.wncry”
To develop WannaCry, hackers took advantage of a Windows vulnerability to create a virus that Microsoft was not expecting. Usually, if a computer is up to date, it can detect a virus, but with zero-day attacks, infection passes completely unnoticed. In the case of WannaCry, researchers managed to develop a decryption tool within a week of the initial release. They called this solution “Wanakiwi.” Wanakiwi successfully resolved the WannaCry encryption only in some cases, since it could only perform in specific conditions, i.e. it had to be applied before any reboot of the infected machine. However, generally speaking, once downloaded, a crypto locker virus cannot be removed from the system. Instead, the machine has to be reformatted – this means erasing all data. Software can be reinstalled and documents and other data restored from back-ups.
There is speculation that WannaCry was a disorganized attack initiated by inexperienced hackers. Here’s why:
- The payment process looks to have been manual, with only 3 possible accounts to deposit into.
- The amount of victims hit was far too massive for the hackers to stay on top of who paid and which decryption code to send.
This means that the attack is that much more dangerous; completely untargeted attacks of this type spread like a forest fire. It’s in the hands of the user to avoid infection and have a solid back-up plan (pun intended). Although WannaCry seems to have receded as users patched their machines, many other viruses like WannaCry are being developed. Educating users, applying patches or accommodating the IT provider to apply the patches, and securing all firewall ports are three of the most important and most effective best practices.
Contact us with comments or concerns about this article or the information provided.