WannaCry (or WannaCrypt or Wanna Decryptor)
WannCry is a piece of RansomWare targeting Microsoft Windows machines which encrypts (locks) files on the machines it infects and demand payments for decrypting (unlocking) the files.
Unlike most RansomWare, WannaCry is spreading as a worm using a vulnerability in Windows, this means users don’t have to click anything for the machine to be infected, in fact machines can be infected while no is using the machine.
The weakness was identified in March when hacking tools used by the NSA in the U.S. were obtained by a hacker group. Microsoft released the Patch MS17-010 on the 14th of March to patch the vulnerability. MS17-010 link https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
The patch was only released for supported operated systems, meaning Windows XP, Server 2003 and Windows 8 had no patch available. The group made the hacking tools available online on the 14th April and on Friday the 12th of May WannCry started to spread and infect machines with over 230,000 machines said to be infected by Sunday the 14th of May.
Microsoft released patches on Friday the 12th May for Windows XP, Server 2003 and Windows 8, link: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
On Friday evening the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com was registered by a security researcher who spotted the domain in the code of WannCry and this inadvertently turned out to be a kill switch to stop the worm spreading.
However some ISPs have mistakenly blocked that domain and now researchers are saying they are seeing a version of WannaCry without this kill switch which spreading in the wild.
What actions should users take?
Any systems that have not being patched yet should be updated immediately and restarted once updates complete. How to enable Windows Updates: https://support.microsoft.com/en-us/help/306525/how-to-configure-and-use-automatic-updates-in-windows
Any systems that can’t be patched for whatever reason should have the SMB V1 feature disabled see https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012?utm_content=bufferf993c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
If you have a number of systems that can’t quickly be patched or have SMB V1 disabled then you should lock down firewalls in front of those machines, blocking TCP Ports 445 and 139 from External access. If you don’t need SMB access outside your local network this should remain in place going forward.
Backups are crucial for many reasons, including as a way to recover from RansomWare, so if you have been hit by WannaCry the best course of action is to restore from backups to systems which are isolated on the network, patch the systems and then restore network access while reviewing firewall policies.
If you have no backups then you will need to rebuild systems and start again, it is not advisable to pay the ransom as there is no guarantee your files will be restored and you are allowing criminals to profit from their actions which encourages more of these types of attacks.
As always users should be educated to know what to look out for in emails and links sent as many forms of RansomWare rely on users to click on a link, this can include emails which are masked to look like they are coming from a colleague, boss or supplier. If ever in any doubt, DO NOT click on any links or open any attachments, consult with your colleagues first.
Any systems running Windows XP or Server 2003 should be replaced by supported operating systems. Any Windows 8 systems should be upgraded to 8.1 as per https://support.microsoft.com/en-ie/help/15288/windows-8-update-to-windows-8-1
Ensure you have anti-virus installed and up to date.
Update the version 2 that has been seen without the killswitch is not spreading as it doesn’t contain that feature.