What to do about WannaCry if you’re infected or if you’re not
- 16 May, 2017 02:46
Today is likely to be painful for many organizations all over the world that took the weekend off and are returning to the work-week to find hundreds or thousands of computers on their networks encrypted by WannaCry ransomware, which surfaced Friday and has been propagating ever since.
Estimates by law enforcement agency Europol estimated yesterday that more than 200,000 computers in 150 countries were infected, but with the worm continuing to spread to vulnerable Windows machines, that number will surely rise.
For those whose machines have not been infected, here’s what you need to do right away:
- Apply the Microsoft patch that will thwart the attack. It’s available here.
- If you can’t do that because you haven’t tested whether the patch will affect your software build, disable Server Message Block 1 (SMB1) network file sharing. That’s where the flaw is that it attacks.
- Consider closing firewall port 139, 445 or both because these are the ports SMB uses.
Longer term, to guard against similar future attacks you should:
- Consider segmenting networks so if an infection gets in, its spread can be restricted.
- Set up programs to patch as quickly as possible.
For those already infected:
- Go to your backups, wipe affected machines and rebuild them, making sure you patch them before putting them online.
- Consider paying the ransom, depending on how important the encrypted data is. It’s a judgement call.
Here are some questions and answers about WannaCry:
Who is doing this?
So far nobody knows, but it could be anyone who took advantage of vulnerabilities discovered by the NSA and released publicly along with an attack that exploits it known as ETERNALBLUE.
What do they want?
Money, or more precisely, $300 worth of Bitcoin.
How successful are they?
If measured by machines infected and geographic range, pretty successful: 200,000 machines in 150 countries. If measured by ransom collected, not so successful: $26,000 total.
Why is it so successful?
Rather than relying solely on users clicking on malicious attachments or links, WannaCry can slip in without user action, then use the infected machine to spread the ransomware further. This has led some to call it a ransomworm. There are also reports of phishing attacks to get it started.
Is there a way to stop it?
WannaCry has a kill switch so the people behind it can stop its spread if they want to. The switch is an unregistered domain and so long as it remains unregistered, the infection will keep trying to spread. If the worm successfully connects to the domain, meaning it has become registered, then it stops trying to spread.
Great! Why not register the domain?
One researcher has but the attackers created a new WannaCry version that uses a different domain for the kill switch. So the malware is being actively monitored and maintained.
So will it be around forever?
Yes, probably, but it will decline in its effectiveness. “It will persist for some time because there are thousands of vulnerable internet-connected systems,” according to a Splunk spokesperson. “Also, there may be copycat attacks that are proxy-aware or don't rely on hard-coded domain name checks.”
What machines are vulnerable?
A range of Windows client machines from Windows Vista through 10 to and Windows Server 2008, 2012 and 2016. The complete list for which there are Microsoft patches are here.
What’s with the NSA, hoarding a vulnerability like this?
They do this routinely and use the vulnerabilities and exploits they create to get into computer systems for intelligence purposes. The agency got compromised somehow and a group called Shadow Brokers has been posting the exploits online. This one was posted after Microsoft had issued a patch for it.
What does Microsoft think about that?
It is not happy. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," says Microsoft President Brad Smith.