
Don’t let the WannaCry Ransomware bring you to tears

Published on May 15, 2017 in Blog

Over the weekend, many reports have come to light about the WannaCry ransomware, also known as “Wanna”, “WanaCrypt0r 2.0” and “Wcry”.

This ransomware threat has reportedly hit over 150 countries, over 200,000 systems, and infected large and small organisations alike.  WannaCry appears to be entering organisations via email primarily, using infected PDF files (amongst other alternatives).

IF YOU ARE NOT EXPECTING AN EMAIL WITH AN ATTACHMENT – BE VERY CAREFUL AND DO NOT TRUST IT!


What does it do?

WannaCry incorporates two behaviours:

  1. Crypto – Once executed it encrypts important files on the local system and any USB or network drives connected to it.
  2. Worm – The worm ability allows this threat to seek out vulnerable computers on your network, infect them and then encrypt the files on them also.

The combination of these two behaviours makes this threat a very dangerous one, and one that requires your immediate action.

 

Very important items that provide some level of protection against WannaCry

  1. There is a Microsoft patch that was released in March 2017. This patch resolved the vulnerability that WannaCry exploits.
  2. Disabling SMB 1.0. The SMB 1.0 protocol is an older file sharing protocol, which is what gives WannaCry its worm capabilities.  It is not used by most modern software and technology, and should be disabled.

Microsoft have blogged previously about disabling SMB 1.0, as the protocol itself is old (30 years), and there are potential risks with it.  The only instances they believe may require SMB 1.0 are:

  • You’re still running Windows XP or Server 2003 under a custom support agreement.
  • You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.
  • You run old multi-function printers with antique firmware in order to “scan to share”.
  3. Ensuring your anti-virus is patched and up to date.
  4. If you are still running Windows XP or Server 2003, these machines need to be replaced ASAP. However, as a minimum, a patch has been released for these operating systems (the first patch in over 2 years, which shows how seriously Microsoft is taking this threat).
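
One way to carry out item 2 (disabling SMB 1.0) is sketched below. This is an added example, not part of the original post: it assumes an elevated PowerShell 4.0 or later session, and the `-Disable` switch and function name are illustrative. Without `-Disable` it only reports the current state.

```powershell
#Requires -RunAsAdministrator
# Added example: report SMB 1.0 state; change it only when -Disable is supplied.
param([switch]$Disable)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    $status = [ordered]@{
        Computer     = $env:COMPUTERNAME
        ServerSmb1   = 'Unknown'   # is this machine serving shares over SMB 1.0?
        FeatureState = 'Unknown'   # is the optional SMB 1.0 component installed?
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $status.ServerSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older systems: registry value; a missing value means SMB 1.0 is on
        $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $status.ServerSmb1 = ($null -eq $val -or $val -ne 0)
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Only systems where the DISM cmdlets and this feature name exist
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $status.FeatureState = [string]$f.State }
    }
    [pscustomobject]$status
}

$before = Get-Smb1Status
$before | Format-List

if ($Disable) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
    }
    if ($before.FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Get-Smb1Status | Format-List
    Write-Warning 'Restart this machine so the registry or feature change takes effect.'
}
```

Run the audit first and check the results against the exceptions listed above (Windows XP or Server 2003 machines, old management software, scan-to-share printers) before running it with `-Disable`.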

Ensure you engage the services of a professional IT support company to help you:

  • Regularly patch your computers
  • Ensure your Anti-Virus software is kept up-to-date
  • Ensure your backups are automatically taken offsite and tested regularly
  • Provide advice and assistance on upgrading from older systems

If you need our assistance then please contact us to discuss how we can help.


A temporary reprieve – THE KILL SWITCH

Another item that was reported overnight was that a security researcher discovered and registered what is believed to be a kill switch for WannaCry.

It appears this is true IN THIS INSTANCE.  The original version of WannaCry does appear to have slowed significantly, as the kill switch has been registered.

However, there are also new variants of WannaCry that have been released, and definitely more to come, that will bypass that kill switch.  As of this morning, there were 2 variants released already, one of which used a different domain name as the kill switch, and the other that had no such kill switch.  These are just the tip of the iceberg.

 

Other Information:

  1. https://www.itnews.com.au/news/wannacrypt-ransomware-what-you-need-to-know-461717
  2. https://www.webroot.com/blog/2017/05/13/wannacry-ransomware-webroot/

 


3 Responses

  1. novait

    Reports are coming in that eight Australian businesses have been hit by WannaCry.

  2. novait

    Governments turned their attention to a possible new wave of cyber threats on Tuesday after the group that leaked US hacking tools used to launch the global WannaCry “ransomware” attack warned it would release more malicious code.

    The fast-spreading cyber extortion campaign, which has infected more than 300,000 computers worldwide since Friday, eased for a second day on Tuesday, but the identity and motive of its creators remain unknown.

  3. novait

    Attackers have been quietly infiltrating vulnerable Windows machines for weeks using the same exploits employed by the WannaCrypt perpetrators in order to mine cryptocurrency, according to a security firm.

    https://www.itnews.com.au/news/bigger-than-wannacrypt-attackers-use-same-nsa-exploits-to-mine-cryptocurrency-461932
