This weekend, the internet was turned upside down by WannaCrypt, a ransomware attack that infected tens of thousands of PCs and caused disruption around the world, even reaching hospitals. Here is all you need to know about this malware: its origins, how it spreads, and how to protect yourself in the future.
IT security matters more than ever at a time when our files, and in a very real sense our lives, are stored on our electronic devices. Having your files stolen can be disastrous: from holiday photos to full online identity theft is only a small step, and few attackers will hesitate to take it.
In 2017, the trend is ransomware: malware that encrypts your data and demands a ransom to get it back. A kind of blackmail 2.0 that hits individuals and businesses alike.
This weekend, one piece of malware in particular made headlines. Named WannaCry (or WannaCrypt, WanaCrypt0r, WCrypt, and so on), it spread at record speed and managed to paralyze infrastructure around the world. Here is a recap of the case.
WannaCry and ransomware: what is it?
As we said before, WannaCry is a ransomware. The principle behind this family of malware is very simple: once it has been installed, for example through a trojanized program installer, it settles onto your hard disk.
Its goal? Find all your files and encrypt them with one or more keys, so that they are no longer readable by you. A message then appears inviting you to pay a ransom within a few days in exchange for the key that will "unlock" them. If you do not pay in time, the note threatens, the files are gone for good.
The amounts demanded vary, but they are generally fairly low. The aim of these attacks is not to land one big payout from a single target but to hit many people at once and multiply the chances that someone pays.
WannaCry works the same way and asks for "only" 300 dollars in Bitcoin to recover your files. The amount doubles after three days to force your hand, and the ransom note claims that after seven days the files are permanently lost.
What is more, if you are connected to a local network, the malware uses it to spread to every other vulnerable machine on that network automatically, through a flaw in Windows' SMBv1 file-sharing protocol, without any user interaction. To stop a system restore from undoing the damage, it also deletes the Volume Shadow Copies that your restore points rely on.
What happened this weekend with WannaCry?
Ransomware is far from new to the world of computer security, and the same goes for WannaCry. But on Friday, May 12, 2017, it spread across the world at a dizzying pace, reaching around a hundred countries: the United Kingdom, Spain, Portugal, Mexico, Australia, Russia, and also France. In total, at least 95,000 PCs were affected.
On Saturday, the Renault group admitted it had been hit by the attack and was forced to shut down several of its factories in France. In other countries, the consequences were much more serious.
In the United Kingdom, for example, the computer systems of several hospitals were affected, forcing many services to a halt. Fortunately, the attack did not reach the power supply, so the damage was limited.
Bear in mind that without a working computer system, it is impossible to look up a patient's history, and therefore their allergies or previous conditions. In a major crisis, a doctor would have no way to guarantee the care of his patients.
And that is not all: in Spain, water and gas utilities were also affected by this ransomware.
Where does the WannaCry attack come from and who benefits from it?
Although ransomware is not new, an attack of this magnitude suggests a much larger actor behind it. A criminal operation or a state attack (or at least a state-sponsored one) has not been ruled out.
For the moment, we know little more. However, WannaCry can be traced back to at least February 2017, when an earlier version named WeCry was spotted and was, in all likelihood, created by the same people.
The NSA, responsible for WannaCry?
As this security crisis unfolded on the internet, you may have seen the NSA mentioned alongside it. Why is the American agency being named? Simply because it is seen as partly responsible.
To spread, WannaCry exploits a vulnerability in Windows' SMBv1 implementation that Microsoft only patched on March 14, 2017 (security bulletin MS17-010) and that the NSA had discovered earlier. The agency used it in its own intelligence and espionage operations and had therefore never disclosed it; the exploit, known as EternalBlue, became public only when a group calling itself the Shadow Brokers released stolen NSA tools in April 2017.
The March 14 patch initially covered only supported versions of Windows, because Windows XP and Server 2003 are no longer maintained by Microsoft and did not receive it until the emergency release of May 12. Contrary to early assumptions, though, telemetry published by antivirus vendors afterwards showed that the vast majority of infected machines were running Windows 7 without the March update; on Windows XP the exploit mostly crashed the machine before the worm could spread.
Was WannaCry stopped?
The ransomware's spread was quickly stemmed, which does not mean the threat is behind us. This first version did, however, carry a remarkable weakness that proved its undoing.
It was a 22-year-old Englishman who goes by MalwareTech who discovered it, by chance. He obtained a copy of the malware to analyze its code and came across an unregistered web address hard-coded in it: "IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM".
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
He registered the domain in order to monitor the attack, and soon noticed connections to the newly created site pouring in one after another.
It was in fact the "kill switch" of the attack: when it starts, WannaCry tries to fetch that address over HTTP. If the request fails, the attack proceeds; if the domain answers, the malware exits without encrypting anything. Since the domain was now registered and responding, infections stopped dead.
But do not celebrate too soon: variants of WannaCry with a different kill-switch domain, or with the kill switch removed altogether, are already circulating. Nothing is over yet.
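Here is an added example (not code from the article, from MalwareTech, or from the malware itself) that models the kill-switch decision just described and then hunts a DNS query log for hosts that performed the check. The decision logic is the only part taken from the article; the three scenarios and the log lines are constructed for the example. The important caveat it shows is the proxy case: the dropper ignores the system proxy, so a host that can only reach the internet through a proxy sees the request fail and is not saved by the registered domain.

```powershell
# Added example, not code from the article or from MalwareTech. Models the
# kill-switch decision and then scans DNS logs for hosts that performed it.
# The DNS log format below is constructed for this example.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Test-WormWouldRun {
    # $TryFetch stands in for the dropper's HTTP GET to the kill-switch domain.
    # Dropper logic: GET succeeds -> exit quietly; GET fails -> spread and encrypt.
    param([Parameter(Mandatory)][scriptblock]$TryFetch)
    $reachable = [bool](& $TryFetch $KillSwitchDomain)
    return -not $reachable
}

# Three situations a network can be in. The third is the caveat that matters:
# the dropper does not use the system proxy, so a proxy-only host sees the
# GET fail even after the domain was registered, and the worm still runs.
$scenarios = [ordered]@{
    'domain unregistered (before May 12)'  = { param($d) $false }
    'domain registered, direct egress'     = { param($d) $true }
    'domain registered, proxy-only egress' = { param($d) $false }
}
foreach ($name in $scenarios.Keys) {
    $runs = Test-WormWouldRun -TryFetch $scenarios[$name]
    '{0,-40} worm runs: {1}' -f $name, $runs
}

# Constructed DNS query log lines: date time client type name. A host that
# resolved the kill-switch domain executed the dropper, whether or not it
# then went on to encrypt, so it belongs at the top of the triage list.
$dnsLog = @'
2017-05-12 13:42:01 10.0.4.17  A www.example.com
2017-05-12 13:42:05 10.0.4.23  A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 13:42:09 10.0.4.17  A update.microsoft.com
2017-05-12 13:43:11 10.0.7.8   A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
'@

function Find-KillSwitchClients {
    param([Parameter(Mandatory)][string]$LogText)
    $hits = foreach ($line in $LogText -split "`r?`n") {
        $f = $line -split '\s+'
        # Case-insensitive match: DNS names are not case sensitive.
        if ($f.Count -ge 5 -and $f[4] -ieq $KillSwitchDomain) { $f[2] }
    }
    return $hits | Sort-Object -Unique
}

'Hosts that queried the kill-switch domain (triage these first):'
Find-KillSwitchClients -LogText $dnsLog
```

Running this prints that the worm runs in the first and third scenarios but not the second, and lists 10.0.4.23 and 10.0.7.8 as the hosts to look at first. The same scan works against real DNS server logs once the field positions are adjusted to your log format, and a firewall or proxy log of outbound requests to the domain serves equally well.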
How to protect yourself from WannaCry?
As said before, WannaCry hits Windows machines that have not received the security update of March 14 (MS17-010). That includes versions of Windows that are no longer supported, but also machines on which Windows Update has been switched off.
Let this story serve as a lesson: this is why you must keep your computer up to date! Going forward, it is better not to use Windows XP, NT4, 2000 or Server 2003 at all. Exceptionally, Microsoft has released a security patch for these unsupported versions as well.
If you have already installed the update, an extra step to secure yourself is to disable SMB 1.0/CIFS file sharing, which is the protocol the worm uses; this ensures that an infected computer on your local network cannot reach you that way. To do so:
- Open the Windows Control Panel
- Click Programs
- On the right, click "Programs and Features"
- On the left, click "Turn Windows features on or off"
- In the list, untick "SMB 1.0/CIFS File Sharing Support" and reboot
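The same two checks, scripted so they can be run on many machines at once, as an added example that is not from the article or from Microsoft. It audits one host for the March 14, 2017 package and turns SMBv1 off. The cmdlets exist on Windows 8 / Server 2012 and later; the registry fallback is Microsoft's documented method for Windows 7 / Server 2008 R2. The KB list is an assumption: check it against Microsoft's MS17-010 bulletin for your exact build before relying on it, and note that Windows 10 receives the fix inside a cumulative update, so absence from the list does not prove a Windows 10 host is unpatched.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Microsoft: audit one Windows host
# for the March 14, 2017 SMBv1 fix (MS17-010) and turn SMBv1 off.
# KB list is an assumption; verify it against the MS17-010 bulletin.

# Package IDs that carry the fix on platforms that ship security-only updates.
# Windows 10 gets it in a cumulative update, so compare its build number instead.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / 8 (emergency release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Server 2012
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: the SMB1 registry value is absent by default, meaning enabled.
    $reg = Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue
    if ($null -eq $reg -or $null -eq $reg.SMB1) { return $true }
    return [bool]$reg.SMB1
}

function Disable-Smb1 {
    # The scripted equivalent of unticking "SMB 1.0/CIFS File Sharing Support",
    # done three ways so it holds on every generation. A reboot completes it.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1Enabled
"MS17-010 package found : $patched"
"SMB1 enabled           : $smb1On"
if (-not $patched) {
    Write-Warning 'Install the March 14, 2017 update first; turning off SMB1 only narrows the attack surface.'
}
if ($smb1On) {
    Disable-Smb1
    'SMB1 disabled; reboot to apply.'
}
```

Disabling SMBv1 removes the protocol the worm rides on, but the patch is still the real fix: an unpatched machine that later re-enables SMBv1 for an old printer or NAS is exposed again, which is why the script warns when the package is missing rather than treating the SMBv1 change as sufficient.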
Dedicated free tools, such as RansomFree, also offer specific protection against this. If you already have an antivirus, vendors are progressively updating their products to detect this attack; Windows Defender has been updated as well.
But do not forget the basic rules of online safety: stay cautious when browsing the web and when opening emails and attachments.
What to do if you are infected with WannaCry?
As the name says, you can... cry. More seriously, if your files have been encrypted by the malware, recovering them will be extremely difficult. First disconnect the machine from the network so that it cannot spread to other computers; after that, your only real option for getting the machine back is to wipe it and reinstall completely.
Hence the importance of keeping copies of your files, in the cloud or on a dedicated disk for example. It may still be worth keeping a copy of your encrypted files if you do get infected: antivirus vendors often release decryption tools after this kind of attack, once the key has been recovered.