WannaCry ransomware Outbreak: What your business needs to know

Genesis Business Systems Blog

Here’s a full debrief on the WannaCry ransomware that is still a threat to businesses around the world.

What is WannaCry?

Also known as Wcry, WannaCrypt and Wana DeCryptor, WannaCry is a ransomware threat that began spreading rapidly on Friday May 12 2017. The ransomware had been around for a number of weeks, but the attackers tweaked the WannaCry code and then released the new version into the wild late last week.

Brian Krebs reported that Lawrence Abrams, owner of the tech-help forum BleepingComputer, said WannaCry wasn’t a big player in the ransomware space until “something caused it to be spread far and wide very quickly.”

“Today, it just went nuts,” continued Abrams. “This is by far the biggest outbreak we have seen to date.”

The refreshed ransomware worm is designed to exploit a critical Microsoft vulnerability for which the fix, Microsoft Security Bulletin MS17-010, was first made available in mid-March 2017.

It is believed that the new WannaCry variant was spammed out with a malicious link or attachment. When the user clicked on the item, the ransomware attempted to infect the Windows computer and encrypt the files on the machine, promising to release them if $300 USD in Bitcoin is paid.

WannaCry Ransomware Screenshot


If there are no up-to-date backups from which to restore, paying the ransom may be the only way for a business to retrieve its files.

File types that can be encrypted by the WannaCry ransomware include pictures, movies, scripts, Microsoft Office documents, databases and archives:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

While WannaCry is infecting the victim's machine, it also scans for other unpatched, vulnerable Windows systems and tries to infect those too. This is why WannaCry has spread at such speed.


What is ransomware and what makes WannaCry different?

Ransomware is a kind of cyber-attack in which hackers take control of a computer system and block access to it until a ransom is paid. For cyber criminals to gain access to the system, they need to get a piece of malicious software onto a device within the network. This is often done by getting a victim to click on a link or to download the software by mistake.

Once the software is on a victim's computer, the hackers can launch an attack that locks every file it can find within the network. This tends to be a gradual process, with files being encrypted one after another.

Cyber criminals often demand payment in return for unlocking the files. This is normally in the form of bitcoin, the online cryptocurrency.

The original version of WannaCry was in every way just like a standard ransomware campaign, the main difference being the “.wcry” extension it added to the files it had encrypted. What makes the outbreak of the second version of WannaCry such big news is the way it spreads: its main deployment method is the MS17-010 vulnerability in SMB.


Is your business vulnerable?

All Windows computers that have not installed the critical security update described in Microsoft Security Bulletin MS17-010, issued in March 2017, are vulnerable.

MS17-010 Security Update Screenshot

How do I avoid infection?

  • Apply Windows patch MS17-010 immediately. Always apply operating system security patches as soon as possible.
  • Run the latest version of the operating system. Later versions have more built-in security features, many of which are turned on by default.
  • Review your business backup strategy and strengthen it where possible.
  • Review and restrict access to network resources on an as-needed basis.
  • Block unnecessary ports (ensure that SMB is NOT externally accessible).
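As an added example (not code from the original post or from Genesis Business Systems), the following PowerShell script audits a single Windows host for the three conditions the checklist above targets: the MS17-010 update present, SMBv1 disabled, and no inbound firewall rule allowing TCP 445/139 on the Public profile. It assumes an elevated session on Windows 8 / Server 2012 or later, and the KB identifier in `$Ms17010Kbs` is a placeholder to be filled from the MS17-010 bulletin for your OS build.

```powershell
# Added example, not from the original post. Audits the local host for the
# WannaCry spread vector: (1) MS17-010 installed, (2) SMBv1 disabled,
# (3) no enabled inbound Allow rule for TCP 445/139 on the Public profile.
# ASSUMPTION: fill $Ms17010Kbs from the MS17-010 bulletin for this OS build;
# the value below is a placeholder, not a real KB number.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration is available on Windows 8 / Server 2012+.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $true }   # unknown: treat as enabled
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-PublicSmbAllowRules {
    # Enabled inbound Allow rules on the Public (or Any) profile whose port
    # filter covers TCP 445 or 139; these expose SMB to untrusted networks.
    # Port ranges such as '440-450' are not expanded here.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
            @(@($pf.LocalPort) | Where-Object { $_ -in '445', '139' }).Count -gt 0
        }
}

$patched = Test-Ms17010Installed
$smb1    = Test-Smb1Enabled
$exposed = @(Get-PublicSmbAllowRules)

"MS17-010 present       : $patched"
"SMBv1 enabled          : $smb1"
"Public SMB allow rules : $($exposed.Count)"
$exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize

if (-not $patched -or $smb1 -or $exposed.Count -gt 0) {
    Write-Warning 'Host is exposed to the WannaCry spread vector: patch MS17-010, disable SMBv1, and block TCP 445/139 from untrusted networks.'
}
```

Run it on each Windows host (or via remoting) and treat any warning as a finding to remediate before the host is reachable from an untrusted network.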


Contact Us & Cyber Security Events

If you have any questions or queries, or have been hit by ransomware such as WannaCry, please contact us by email at [email protected] or call 01482 210999.

Don’t forget to join us at one of our Cyber Security events next week: May 25th in Leeds and 9th June in Hull.