What You Need to Know about the Latest WannaCrypt Ransomware Attack
WannaCrypt (also known as WannaCry) is the latest ransomware that not only encrypts data but also replicates itself to other unpatched systems. Its main code was built on the leaked NSA exploits named EternalBlue and DoublePulsar, which make it extremely good at replication and infection. The malware has spread to over a hundred countries in a week, and its author has made over $70,000 in the first week of propagation.
How Does It Work?
WannaCrypt takes advantage of a flaw in a protocol called Windows Server Message Block (SMB). System administrators for Linux servers have also reported successful attacks, so all servers that offer file sharing should be patched.
If a machine responds to an SMB request, WannaCrypt replicates to the share. This feature is why the ransomware spread so quickly across the Internet. After infection, the malware sends requests to other machines, and several servers were vulnerable since they had not been patched.
WannaCrypt requests access to common drive letters including C and D drives, but it also infects removable drive shares. If you have a removable drive connected to your machine, the malware copies to it and even encrypts its files.
Once your PC is infected, the malware scans your system for specific file extensions. The files are then encrypted using 2048-bit RSA. Because the malware uses SMB, even PCs behind a firewall are not protected. The ransom starts at $300, but if you take too long to pay, it is doubled to $600.
The malware contains code that researchers believe is a kill switch. It attempts to contact the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the attempt is unsuccessful, the malware proceeds to encrypt data and ask for a ransom.
One researcher known as MalwareTech was able to stop the malware from spreading by registering the domain. Domain names can contain up to 255 characters, so this name was used to avoid the possibility of the domain being accidentally registered. It’s believed that the long domain name was intended to let the authors stop the malware should they determine that they need to stop it from working.
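An added example, not part of the original article: a Python triage of DNS resolver logs for lookups of the kill-switch domain described above. The log layout, sample lines and function names are constructed for illustration, and it assumes that a failed lookup means the malware on that client could not contact the domain, so those clients are reviewed first.

```python
# Kill-switch domain exactly as given in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log, one query per line: <timestamp> <client> <qname> <rcode>.
# This layout is an assumption; adapt parse_line() to your resolver's real format.
SAMPLE_LOG = """\
2017-05-15T09:14:02Z 10.0.4.17 www.example.org. NOERROR
2017-05-15T09:14:06Z 10.0.4.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-15T09:14:05Z 10.0.4.23 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
2017-05-15T11:40:51Z 10.0.7.8 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
this line is malformed and is skipped
2017-05-15T11:41:10Z 10.0.7.9 notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""

def is_kill_switch(qname):
    """Match the domain or a subdomain, ignoring case and a trailing root dot."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def parse_line(line):
    """Return (timestamp, client, qname, rcode), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3].upper()

def triage(log_text):
    """Map each client that looked up the kill-switch domain to a summary."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_kill_switch(rec[2]):
            continue
        ts, client, _, rcode = rec
        h = hosts.setdefault(client, {"first_seen": ts, "lookups": 0, "resolved": True})
        h["lookups"] += 1
        h["first_seen"] = min(h["first_seen"], ts)  # ISO-8601 UTC sorts as text
        if rcode != "NOERROR":  # the name did not resolve for this client
            h["resolved"] = False
    return hosts

def priority(host):
    """Failed lookup: the kill-switch contact could not succeed, so review first."""
    return "medium" if host["resolved"] else "high"

if __name__ == "__main__":
    for client, h in sorted(triage(SAMPLE_LOG).items()):
        print(client, priority(h), h["first_seen"], h["lookups"])
```

Because the article describes encryption proceeding when the contact fails, a `high` result is also a prompt to check whether a DNS filter or sinkhole is preventing the domain from resolving on that network.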
How Do You Protect Your Files?
If you haven’t already patched your system, it’s time to update your Windows software. The malware has spread so severely that Microsoft even released patches for Windows 2003, Windows 8, and Windows XP. Microsoft no longer supports these systems with patches, but the release was necessary to stop the ransomware from spreading.
Servers are the most susceptible, because they are accessible on the Internet. You can use the Windows Update service to update your computer. Microsoft also released signatures for its Windows Defender software, so you should be protected from the current version of WannaCrypt.
The only operating system unaffected by WannaCrypt is Windows 10, but you should still ensure that your system is patched. Malware writers create new versions of ransomware to overcome the hurdles created by patching and antivirus systems. The next version could target Windows 10 machines.
You can’t stop malware writers, but you can keep your machine protected. Always keep your operating system updated with the latest patch. Keep antivirus software updated, and avoid downloading executable files from emails or unknown sources.