WCry Infection Map

Today marks one of, if not THE biggest malware attacks in history. Hackers have successfully spread a new piece of ransomware, holding a portion of the world’s computers ransom.

UPDATE (5-15-2017)

In an unprecedented move, Microsoft has released security patches for Windows 8, Server 2003, and… Windows XP! Wow wow wow. Yep, WCry was THAT serious. Microsoft usually prefers to push people toward its newer versions, but considering how many businesses are still running XP, they had to issue a patch.

What is it?

WCry ransom screen

It’s got various names: WCry, WannaCry, Wanna Decrypt, just to name a few. It works like any other ransomware – it encrypts your data (whether it’s on hard drives, network drives or flash drives) and forces you to pay a fee to decrypt it. In WCry’s case, they initially charge you $300 in bitcoin, and the fee doubles after a certain amount of time. Eventually you lose the option to decrypt at all.

News initially spread when the attack hit the UK’s National Health System (NHS), affecting over 40 hospitals and health care facilities across the country. Afflicted locations were unable to access vital patient information, schedules and communications. The attack was so damaging that officials asked the public to stay at home unless they were having a medical emergency, and many patients had to be rerouted to other facilities. Also hit hard were Spain and Russia, where telecommunications companies and public utilities were disrupted. Telefónica, a Spanish telecom company, had employees disconnect their computers from the network and shut down. Since then the outbreak has spread to at least 99 countries across the globe.

The attack primarily affects Windows computers. Businesses are especially vulnerable if they’re not being patched regularly, or if they’re still using Windows XP, which Microsoft no longer supports. The malware code affects ALL versions of Windows, including Windows 10 and Server 2016. At home, you should turn autoupdates on, as a recent patch released by Microsoft addressed one of the key attack vectors used by WCry.

How does it spread?

As with most malware, it can spread a variety of ways, usually via email with infected attachments, or phishing attacks that redirect you to a bogus (but legitimate-looking) website where you download the malware directly to your computer. Unfortunately, this isn’t just like any other ransomware. This one can spread itself using one of the NSA hacking tools (code-named “Eternal Blue”) recently exposed by the hacking group “Shadow Brokers”.

What that means is that once it’s on your organization’s network, it can quickly spread itself directly, without relying on human input. According to some security experts, the malware includes some hunter code that actively seeks out uninfected computers on the local network.

What can I do?

Well, if you’re talking about your home PC, hopefully your system has been autoupdating. If it hasn’t been, make sure to turn autoupdates on in the settings for Windows Update. The critical patch you need to install was released back in March and is titled “Microsoft Security Bulletin MS17-010 – Critical: Security Update for Microsoft Windows SMB Server (4013389)”. (I’m not posting the link, since you should always go to the source directly.)

Microsoft Bulletin MS17-010

If you have a business, it’s a little trickier. Normally it’s not recommended to autoupdate Windows in a business environment, as patches sometimes break things, which can have dire consequences especially for large installations. In these cases, make sure you manually install MS17-010, which you can grab directly from the Microsoft website.
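If you want to check a machine rather than take it on faith, here is an added example (not from the original post) that looks at the two things that matter for WCry on a single Windows host: whether it has taken any updates since MS17-010 shipped in March 2017, and whether the SMBv1 server that Eternal Blue targets is switched on. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later, since the Smb and DISM cmdlets it uses don’t exist on XP or Windows 7.

```powershell
# Added example, not the post's own code. Assumes elevated PowerShell on
# Windows 8 / Server 2012 or later (Get-SmbServerConfiguration and
# Get-WindowsOptionalFeature are not available on XP / Windows 7).

$bulletinDate = Get-Date '2017-03-14'   # Patch Tuesday on which MS17-010 was released

# 1. Any updates installed on or after the bulletin date?
#    Get-HotFix only lists packages still registered, so on Windows 10 the
#    original KB is often superseded by a later cumulative update. That is
#    why this tests the install date rather than one specific KB number.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $bulletinDate } |
    Sort-Object InstalledOn

if ($recent) {
    Write-Host "Updates installed since MS17-010 shipped:" -ForegroundColor Green
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($bulletinDate.ToShortDateString()). Install MS17-010 from Microsoft now."
}

# 2. SMBv1 server state. WCry's worm component spreads over SMBv1, so a host
#    with the SMBv1 server turned off closes that path even before patching.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on this host."
    # To turn it off (takes effect immediately, no reboot needed):
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 server protocol is disabled." -ForegroundColor Green
}

# 3. The SMB1 feature package itself (present on Windows 8.1 / 10 clients).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    "SMB1Protocol feature state: $($feature.State)"
}
```

A machine that shows no updates since the bulletin date AND SMBv1 enabled is exactly the kind of box the worm component is looking for, so patch it (and, if nothing on your network still needs SMBv1, turn the protocol off) before it goes back on the network.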

In either case, BACK UP YOUR DATA offsite! There are a ton of free or cheap options to back up to the cloud and you can always back up to an external drive or tape (make sure you take your backups offsite though).

OK, what happens if you got infected? Sigh. Well there’s not a whole lot of choices. As with other ransomware, if you have critical data on your system, you can always PAY the hackers. Or if you have a good backup, just format your computer and reinstall the operating system. That’s pretty much it.

Here’s an excerpt from the hackers’ FAQ, just for a laugh:

Q: How can I trust?

A: Don’t worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Nobody will trust us if we cheat users. Well, have to give them props for being “honest” crooks and providing customer service I suppose.