WannaCry ransomware is all over cyberspace as we speak. It is triggered by unwitting users on unpatched Windows systems who open a compromised link or files from unknown sources. As of this posting, several institutions have already been compromised, including the UK’s NHS (National Health Service), Deutsche Bahn train stations and FedEx in the US. Here in the Philippines, I haven’t heard of any similar incidents where big companies are involved, but I have seen some Facebook users from one of the groups I have joined get infected by this ransomware.
WannaCry spreads on Windows systems, especially the old Windows XP OS, which here in the Philippines is still commonly found in the majority of computer shops. Specifically, this OS has ETERNALBLUE as its weak spot: an SMB (the protocol used in file sharing) vulnerability that Microsoft already addressed with its MS17-010 patch. If you can’t connect to the internet to apply this patch, just turn SMB off. Alternatively, block ports 139 and 445 on all the computers you have to stop the infection from spreading. If you do have an internet connection, make sure Windows Update isn’t turned off.
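To check a machine against the mitigations above (MS17-010 installed, SMBv1 off, TCP 139/445 blocked inbound, Windows Update not disabled) and apply them in one go, here is an added PowerShell script of my own, not something from the post or from Microsoft. It assumes Windows 8.1/10 or Server 2012 R2 or later with PowerShell 5+ (the SMB and firewall cmdlets do not exist on XP or 7) and an elevated session; the KB list is an assumption, so confirm the MS17-010 KB for your exact build against the Microsoft bulletin.

```powershell
# Added example, not from the original post: audit the WannaCry mitigations on
# this host and apply the missing ones when -Fix is given. Run as Administrator.
# ASSUMPTION: these KB numbers are the MS17-010 IDs I know for XP/7/8.1; verify
# them for your build. Windows 10 receives the fix through cumulative updates
# that supersede these KBs, so a "missing" KB there is not conclusive.
function Test-WannaCryHardening {
    [CmdletBinding()]
    param([switch]$Fix)

    $ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216')
    $ruleName   = 'Block inbound SMB (TCP 139/445) - WannaCry mitigation'

    # 1. Patch level: look for any of the known MS17-010 hotfix IDs.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched   = [bool]($installed | Where-Object { $ms17010Kbs -contains $_ })

    # 2. SMBv1 is the protocol version ETERNALBLUE targets; turn it off if asked.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1 -and $Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1 = $false
    }

    # 3. Firewall: block the NetBIOS and SMB ports inbound on every profile.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule -and $Fix) {
        $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any
    }

    # 4. The Windows Update service must not be disabled, or the patch never arrives.
    $wu        = Get-Service -Name wuauserv
    $wuEnabled = $wu.StartType -ne 'Disabled'
    if (-not $wuEnabled -and $Fix) {
        Set-Service -Name wuauserv -StartupType Manual
        $wuEnabled = $true
    }

    [pscustomobject]@{
        MS17010Installed = $patched
        SMB1Enabled      = $smb1
        SmbPortsBlocked  = [bool]$rule
        WindowsUpdateOn  = $wuEnabled
    }
}

# Audit only; add -Fix to apply the mitigations.
Test-WannaCryHardening | Format-List
```

Disabling SMBv1 stops the Windows machine from talking to XP-era shares and printers, so check what still depends on it before running with -Fix on a file server.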
Update: May 25, 2017. According to the security firm Rapid7, Samba, a similar file sharing technology used by Linux and Unix OSes, was also found to be vulnerable. In their recent findings they discovered that about 100,000+ computers across the globe are running the vulnerable version. Vulnerable computers were found at big companies and organizations, but the majority are said to be home users. While some versions of Samba can be patched, some, especially the old ones, cannot. Having said this, the only solution left is to disable the said feature. If left “open”, criminals can use it for malicious intent, knowing that the researchers were able to create a malware in just 15 minutes that exploits this weakness.
Windows 10 systems are already #WannaCry proof, but it won’t hurt to be paranoid and block the said ports just in case. Who knows? To add another layer of security, keep your anti-virus always up-to-date and make backups of your files.
If this type of ransomware gets into your system, it will scan all available drive letters and shared folders, as well as any network shares mounted locally. Then it will encrypt every file it finds that matches a specific list of file extensions. Based on one of the analyses I have read, encryption and infection happen in parallel. Having said this, if you have lots of files (and you are brave enough to do this), you can try turning the power off immediately or shutting down the entire network to minimize the damage. This is not recommended, but it might work and allow you to save some of your files.
No backups? Don’t worry. If you are not in a hurry, you can wait for Kaspersky to come up with a FREE ransomware decryptor that can reverse the damage. So make sure you don’t do anything nasty with your drives. Keep them in a safe place until a fix is found.
The malware developers are asking their victims to pay via Bitcoin, an encrypted form of payment that is untraceable, allowing them to evade police investigations. As of yesterday, a total of 43 BTC in payments had been made by 265 individuals, totalling the equivalent of US$76K. Please note that there is no guarantee that the ransomware will decrypt all your files, or any files at all, after the payment is made, so be careful.
Here’s a tip. The next time you hear someone say “Why fix a thing that is not broken”, just look back at the history of damage caused by viruses and malware. Now you know what to do.