3 min read

WannaCry Ransomware

By Simon Rose on 19-May-2017 15:04:04

Simon Rose.jpg

Celerity Limited Technical Expert Simon Rose explains the biggest cyber attack infection of 2017 so far - WannaCry Ransomware - and how to prevent it affecting your business.

WannaCry is a ransomware program that began targeting older versions of Microsoft Windows on 12th May 2017. It was first reported as affecting PCs in UK's NHS and quickly spread to other countries and organisations. Over 230,000 PCs are thought to have been affected in 150 countries - this number is growing and more variants are expected.

 

 

 

WannaCry infects by encrypting data on the PC and demanding a $300 ransom to decrypt the files. After 3 days the ransom increases and after 1 week the data will not be recoverable.

WannaCry attacks PCs running Windows Operating System (OS) that are not kept up-to-date with recent patches. Microsoft released a patch MS17-010 on 14 March 2017 which would have prevented this attack. Windows XP did not have this patch as this OS is not supported anymore. Windows XP was released in 2001, mainstream support ended in 2009 and extended support ended in 2014. On 13th May 2017, Microsoft released an emergency patch for Windows XP.

A "kill switch" was found, which stopped the spread of the WannaCry ransomware. WannaCry checks for a website and if it is not found then it will encrypt the PC's data. Registering this domain stopped the ransomware spreading. Different variants of WannaCry have been seen with a different website and WannaCry 2.0 has been seen without this website check, so no "kill switch".

WannaCry transmits to other PCs through ports 139 (NetBIOS Session Service) and 445 (Microsoft-DS Active Directory, Windows shares). Organisations should have these ports blocked on their external firewalls. But if a PC has been affected and then connects to an organisation's network, then it will start scanning and trying to affect other unpatched vulnerable Windows PCs on the network.

To prevent against the WannaCry attack: -

  • Ensure all Windows PCs and servers have the latest patches applied
  • Install the Microsoft security update MS17-010
  • Ensure antivirus software is kept up-to-date - Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update
  • Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547
  • Ensure ports 139 and 445 are disabled on your corporate firewall
  • Where possible upgrade to the latest versions of Windows 10 and avoid running Windows XP and other unsupported OS

More information from Microsoft can be found on the following links: -

Microsoft's response to WannaCry

Microsoft details WannaCry ransomware

Simon Rose

Written by Simon Rose

Technical Expert at Celerity Limited