A virulent new strain of ransomware known as WannaCry has infected hundreds of thousands of computers worldwide since its emergence on Friday, 12 May. WannaCry is far more dangerous than other common ransomware because it can spread itself across an organisation’s network by exploiting a critical vulnerability in Windows computers, which Microsoft patched in March 2017 (MS17-010).

WannaCry comes in two parts. The first is an exploit whose purpose is infection and propagation. The second is an encryptor (the ransomware proper) that is downloaded to a computer once it has been infected. The first part is the main difference between WannaCry and the majority of earlier encryptors. To infect a computer with a common encryptor, a user has to make a mistake: clicking on a suspicious link, for example, allowing Word to run a malicious macro, or downloading a suspicious attachment from an e-mail message.

A system that does not have the Microsoft security patch (MS17-010) can be infected with WannaCry automatically, without any user intervention. Once a system is infected, WannaCry attempts to spread itself over the local network to other computers in the manner of a computer worm. It scans other computers for the same vulnerability, which it exploits with the help of EternalBlue, and when it finds a vulnerable machine it attacks that machine and encrypts the files on it. Thus, by infecting one computer, WannaCry can infect an entire local area network and encrypt every computer on it. That’s why large companies suffered the most from the WannaCry attack — the more computers on the network, the greater the damage.
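The worm behaviour described above leaves a recognisable trace on the network: one host opening SMB connections (TCP 445) to many distinct peers within seconds. The following PowerShell script, added here as an example and not code from the article or from Panda Security, flags that pattern in Windows Firewall log lines (pfirewall.log format). The log lines, host addresses and the alert threshold are constructed assumptions for the demonstration.

```powershell
# Added example (not from the article): flag hosts that contact many distinct
# peers on TCP 445 inside a short window, the footprint WannaCry's propagation
# component leaves when it probes a LAN for MS17-010.
# The lines below are constructed samples in Windows Firewall log format:
# date time action protocol src-ip dst-ip src-port dst-port ...
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:15:01 ALLOW TCP 10.0.0.23 10.0.0.1 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:01 ALLOW TCP 10.0.0.23 10.0.0.2 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:02 ALLOW TCP 10.0.0.23 10.0.0.3 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:02 ALLOW TCP 10.0.0.23 10.0.0.4 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:03 ALLOW TCP 10.0.0.23 10.0.0.5 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:03 ALLOW TCP 10.0.0.23 10.0.0.6 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:04 ALLOW TCP 10.0.0.40 10.0.0.5 49300 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:05 ALLOW TCP 10.0.0.40 10.0.0.5 49301 445 0 - 0 0 0 - - - SEND
2017-05-12 10:15:06 ALLOW TCP 10.0.0.41 10.0.0.9 49400 443 0 - 0 0 0 - - - SEND
'@

function Find-SmbScanners {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10,      # distinct peers on 445 before a host is reported
        [int]$WindowSeconds = 60   # length of the sliding window
    )
    # Parse only TCP flows to port 445; skip comment/header lines.
    $events = @(foreach ($line in $Lines) {
        if ($line -match '^\s*#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    })
    foreach ($group in ($events | Group-Object Src)) {
        $src    = $group.Name
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window starting at each event; report the host the first time
        # the number of distinct destinations inside the window reaches the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $Threshold) {
                [pscustomobject]@{ Source = $src; DistinctPeers = $peers.Count; WindowStart = $start }
                break
            }
        }
    }
}

# With the constructed sample and a threshold of 5, only 10.0.0.23 is reported;
# 10.0.0.40 talks repeatedly to a single file server and is not.
$findings = Find-SmbScanners -Lines ($sampleLog -split '\r?\n') -Threshold 5
$findings | Format-Table -AutoSize
```

On a real network, feed the function the contents of `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` (or equivalent flow records from a perimeter device) and tune the threshold to the host's normal fan-out; a domain controller or backup server legitimately reaches many peers on 445, so such hosts belong on an allow-list rather than in the alert.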

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of each file name. The Trojan changes the desktop wallpaper to a picture containing information about the infection and the actions the user supposedly has to perform to recover the files. WannaCry also drops notifications as text files with the same information across folders on the computer, to make sure the user receives the message: the attackers say they will decrypt all of the files if the user transfers $300 in bitcoin. It is this demand for ransom that gives viruses of this type the name ransomware.

Screenshot of the ransom note left on an infected system

In this case, the malefactors also try to intimidate victims by stating that the ransom will be increased after 3 days and, moreover, that after 7 days the files will be impossible to decrypt and the data will be wiped out.

Once the system is infected and the files are encrypted, decrypting them is not possible at present. If you have backup copies of the affected files, you may be able to restore them. सिर्फ़ News does not recommend paying the ransom.

In some cases, files may be recovered without backups. Files saved on the Desktop, in My Documents or on a removable drive cannot be recovered once they have been encrypted, because their original copies are wiped/overwritten. Files stored elsewhere on the computer are encrypted but their original copies are simply deleted, so these could be recovered using an undelete tool.

To be safe, you have to update your Microsoft Windows OS and install the Microsoft security patch. Then you are no longer vulnerable, and attempts to hack the computer remotely through the vulnerability will fail. A Microsoft patch is also available for unsupported versions such as Windows XP, Vista, Server 2003, Server 2008 etc.

To prevent data loss, users and organisations are advised to back up their critical data. Block the SMB ports on enterprise edge/perimeter network devices (UDP 137, 138 and TCP 139, 445) or disable SMBv1.
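The two host-side measures from the steps above, checking for the MS17-010 patch and disabling SMBv1, plus a host-firewall block on the ports listed, can be scripted in PowerShell. The script below is an added example, not code from the article or from Panda Security or Microsoft. It assumes Windows 8 / Server 2012 or later for the `Set-SmbServerConfiguration` and `New-NetFirewallRule` cmdlets, and the KB numbers it checks are the MS17-010 updates for common editions; they differ by OS build and are superseded by later cumulative updates, so treat the list as a starting point to confirm against the Microsoft bulletin.

```powershell
# Added example (not from the article): audit one Windows host for the MS17-010
# patch and SMBv1, then disable SMBv1 and block inbound SMB/NetBIOS at the host
# firewall. Run in an elevated PowerShell session.

# MS17-010 update KBs by edition (assumption: confirm against the Microsoft bulletin
# for your fleet; any later cumulative update supersedes these).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012598',                              # Windows XP, Vista, Server 2003, Windows 8 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 builds 1507 / 1511 / 1607
)

function Test-Ms17010Patched {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    # A missing KB is a prompt to check Windows Update history, not proof of exposure:
    # later cumulative updates include the fix without carrying these KB ids.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = @($installed | Where-Object { $KnownKbs -contains $_ })
    [pscustomobject]@{ Patched = ($hit.Count -gt 0); MatchedKb = ($hit -join ',') }
}

function Test-Smb1Enabled {
    # Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off the SMBv1 server; clients that can only speak SMBv1 will lose access.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional component as well where it exists (Windows 8.1/10, Server 2012 R2+).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Block-InboundSmb {
    # The ports the article lists: NetBIOS (UDP 137/138, TCP 139) and SMB (TCP 445).
    # Appropriate for workstations; on file servers apply the block at the perimeter
    # instead, as the article advises, or sharing breaks.
    New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS TCP (WannaCry)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 139,445 -Profile Any
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS UDP (WannaCry)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort 137,138 -Profile Any
}

# Audit first, then apply.
Test-Ms17010Patched
"SMBv1 enabled before: $(Test-Smb1Enabled)"
Disable-Smb1
Block-InboundSmb
"SMBv1 enabled after: $(Test-Smb1Enabled)"
```

Run the audit functions alone first across the fleet (for example through `Invoke-Command`) to find unpatched hosts, and apply `Disable-Smb1` only after confirming nothing still depends on SMBv1, such as old multifunction printers or legacy NAS devices.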

NB: Patching the vulnerability will not deter the encryptor entirely. If you launch WannaCry yourself by accident, the patch will not stop it and your files will get encrypted.

About Sourav Mishra

Country Head at Panda Security, past life regression therapist