WannaCry Ransomware: What You Need to Know
Grow Your Business, Not Your Inbox
Hundreds of thousands of PCs were attacked by ransomware known as WannaCry on Friday, throwing government agencies and private businesses around the globe into disarray. If you've been wondering what actually happened, here's the lowdown.
What is WannaCry?
WannaCry is the name of a serious strain of ransomware that hit Windows PCs worldwide, starting on Friday. Those who were infected found their computers locked, with hackers demanding a $300 ransom to unlock the device and its files.
How were people infected?
Like many malware infections, it appears that human error is to blame. According to The Financial Times, someone in Europe downloaded a compressed zip file that was attached to an email, releasing WannaCry on to that person's PC. Many others did the same, and when all was said and done, at least 300,000 devices were affected globally.
That sucks, but it's their problem, right?
Not exactly. Among the affected PCs were those used by the U.K.'s National Health System (NHS). With computers locked, staff were unable to access patient records and other basic services. Appointments and surgeries were cancelled and medical facilities were shut down as NHS tried to stop the spread of WannaCry. Also affected: Germany's rail system, Renault and Nissan factories, FedEx, Spanish telecom Telefonica and even Russia's central bank.
During a Monday press briefing, Homeland Security Advisor Tom Bossert said WannaCry had not hit any U.S. government systems.
Is my PC at risk?
If you're running other, supported versions of Windows (Vista, Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016), a patch that Microsoft released in March addressed the vulnerability that WannaCry targets. So hopefully you or your office's IT department installed that update.
There are some people, however, who are still running aging versions of Windows; 7 percent still run Windows XP despite the fact that Redmond no longer issues security updates for it. So Microsoft took the unusual step of releasing a WannaCry patch for old versions of Windows it no longer supports, including Windows XP, Windows 8 and Windows Server 2003.
Regardless of which version of Windows you have, make sure you're up to date with your security patches.
Ransomware isn't new. Why is this such a big deal?
WannaCry uses an exploit known as EternalBlue developed by the U.S. National Security Agency (NSA), which used it to go after targets of its own. Unfortunately, EternalBlue and other NSA hacking tools were leaked online last year by a group known as the Shadow Brokers, putting these powerful tools in the hands of anyone able to use them.
Is this still an issue?
Quite by accident, a U.K. researcher known as MalwareTech managed to hobble the spread of WannaCry over the weekend. He acquired a sample of the malware on Friday and ran it a virtual environment. He noticed it pinged an unregistered domain, so he registered it himself, as he often does in these types of situations. Lucky for him (and countless victims), WannaCry only locked PCs if it couldn't connect to the domain in question. Before MalwareTech registered the domain, it didn't exist, so WannaCry couldn't connect and systems were ransomed. With the domain set up, WannaCry connected and essentially died, protecting PCs.
Great, so we're done here?
Not so fast. Reports of new WannaCry variants are emerging, so stay alert and watch where you click.
What if my PC was ransomed?
While it appears that many people have paid the ransom demanded by the hackers, security experts warn against handing over your cash.
"As of this writing, the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back," Check Point warned in a Sunday blog post. "WannaCry doesn't seem to have a way of associating a payment to the person making it."
Bossert echoed that today, saying that approximately $70,000 had been paid out since Friday, but there's no evidence of data recovery.
If you've been hit, your best bet is to restore from backup. Reputable security firms also have ransomware decryption tools. You can also use a tool like the FixMeStick -- just insert the device, boot to its Linux-based environment and let it take care of the problem. It won't restore files, but it will (hopefully) clean out the malware. When your PC is back up and running, make sure you have a robust antivirus program and the best ransomware protection.
For more, see How to Protect and Recover Your Business from Ransomware.
How can we stop this from happening again?
Pay attention to emails with attachments or links. Even if the message appears to be from someone you know, double-check the email address and be on the lookout for any odd wording or attachments you weren't expecting from that person. When in doubt, message the person separately to ask if they did indeed send you an email that requires you to download an attachment.
More broadly, meanwhile, Microsoft took the NSA to task for "stockpiling" these vulnerabilities.
"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Microsoft's president and chief legal officer, Brad Smith, wrote in a blog post that likened the leaks to the U.S. military "having some of its Tomahawk missiles stolen."