The WannaCry ransomware spread quickly last week and has infected over 200,000 users in 150 different countries. Like most ransomware, once a machine is infected, WannaCry encrypts the user’s files and demands payment to unlock them. What is strange, however, is how quickly WannaCry has spread from system to system.
Most ransomware relies on social engineering tricks to get users to infect themselves with the malware. Campaigns usually spread through phishing emails or malicious links shared unintentionally on social media websites. In either of these cases, infection can generally be avoided as long as a user is careful about opening links or downloading files from unknown sources. When researchers looked into WannaCry, however, they discovered that very few cases were linked to these typical propagation methods.
WannaCry is different in that the current version of the malware spreads primarily through a vulnerability in the Windows operating system itself. The vulnerability, known as EternalBlue, was a software exploit originally developed by the NSA for intelligence operations. The source code for EternalBlue was leaked publicly back in April, which is probably how it ended up in the WannaCry ransomware.
The EternalBlue exploit should be of special concern for business users because it leverages a flaw in Microsoft’s Server Message Block (SMB) protocol. This means that once one computer on a business network is infected with the ransomware, it will eventually (and quite rapidly) spread to every other computer on the network. This also means that once a system in the network is infected, most security measures will not be sufficient to block the spread of infection.
The WannaCry ransomware in its current state is primarily a threat to older operating systems. While this may change with the introduction of variants, the ransomware currently targets Windows 8, Windows XP and Windows Server 2003. Windows XP is outside the current cycle of patch support, but given the severity of the exploit, Microsoft has actually released a security fix just to address it. That means everyone has access to prevention and should take the steps to update immediately. Newer versions of Windows should already be protected, but this is a good reminder to run your system updates if you haven’t done so in a while.
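Because the exploit rides on the SMB service, a Windows administrator wants two answers per host: is the patch installed, and will the machine still negotiate SMBv1 at all. The script below is an added example for this article, not code from the original post or from Microsoft. It assumes Windows 8 / Server 2012 or newer for `Get-SmbServerConfiguration` and falls back to the `SMB1` registry value that Microsoft documents for Windows 7 / Server 2008 R2; the KB number passed to `-PatchIds` is a placeholder, since the MS17-010 update carries a different KB id per Windows version.

```powershell
# Added example (not from the original post). Audits SMBv1 exposure on the
# local host and, with -Remediate, disables SMBv1 on the server side.
# Run from an elevated PowerShell prompt; the registry change on older
# systems takes full effect after a reboot.
param(
    [switch]$Remediate,
    # Placeholder: replace with the MS17-010 KB id(s) for this Windows version.
    [string[]]$PatchIds = @('KB<ms17-010-id-for-this-os>')
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # Returns $true if the SMB server will still accept SMBv1 sessions.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: an absent SMB1 value means SMBv1 is enabled by default.
    $value = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Test-PatchInstalled {
    param([string[]]$Ids)
    # Compares the installed hotfix list against the KB ids supplied by the caller.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($id in $Ids) {
        if ($installed -contains $id) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    # Turn SMBv1 off in the server configuration and pin it in the registry.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
}

$smb1Enabled = Test-Smb1Enabled
$listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    SMB1Enabled     = $smb1Enabled
    Listening445    = $listening445
    PatchInstalled  = Test-PatchInstalled -Ids $PatchIds
} | Format-List

if ($Remediate -and $smb1Enabled) {
    Disable-Smb1
    Write-Output "SMBv1 disabled on $env:COMPUTERNAME; SMB1Enabled now: $(Test-Smb1Enabled)"
}
```

Run it without `-Remediate` first to collect an inventory across the fleet (for example through a remoting session or your management tooling), then apply `-Remediate` once you have confirmed nothing still depends on SMBv1, such as old multifunction printers or legacy file servers. A host that reports `PatchInstalled = False` and `SMB1Enabled = True` with port 445 listening is exactly the profile the article describes as exposed.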
If you have already become infected, your options are limited. Certain security firms have had success with partial file recoveries, but the results are unreliable. If you find yourself infected, you should consult with your IT provider before taking any action. Security researchers have noted that despite the sophistication of its propagation methods, the ransomware itself is quite primitive. This means that even if a user gives in to the demands and pays the ransom, there is a good chance that their files cannot be recovered. This points to the idea that this ransomware was not designed with the intent of making money; instead, it was made to cause as much destruction as possible.