Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.
Feature Articles
What you need to know about WCry ransomware
By Liu Hongzuo - 20 May 2017,4:08pm

What you need to know about WCry ransomware

Note: This article was first published on 15th May 2017.

What is WCry?

Wana Decrypt0r (or WannaCrypt, WCry) was originally derived from an exploit created by the U.S.’s National Security Agency (NSA). Previously codenamed as EternalBlue, it was designed as a weapons-grade cyber weapon that targeted Microsoft’s vulnerable implementation of the Server Message Block (SMB) protocol. It was especially effective on computers using Microsoft Windows XP through Windows Server 2012. Windows 10 is not vulnerable to the exploit.

As with all things on the Internet, the flaw was leaked to the public in mid-April 2017 by a hacker group called The Shadow Brokers. Microsoft actually patched the vulnerability a month before the leak, but that wasn’t enough, because the patch did not reach the users and their respective operating systems in a timely manner. Microsoft also initially did not release security patches for OSes that were no longer supported (this was rectified a day after WCry had propagated).

In essence, what WCry does is to hold your computer ransom (hence the term ransomware) until the victim pays up the ransom fee to regain access. Ransomware comes in many variants, with nastier ones that do not hesitate to wipe an entire hard drive if the ransom isn’t paid. Ideally, the ransom should never be entertained, but the scale of attack left little room for negotiation – especially for workstations in time-sensitive environments (such as hospitals).


How many has WCry affected so far?

Tiong Bahru Plaza's mall directory. Source: Reddit.

Currently, there are about 150 countries affected by WCry – more than 200,000 computers have already been infected, according to Reuters’ estimates. Cybersecurity firms such as Cyence also believe that the attack will induce economic losses of up to US$4 billion. A Twitter bot has been set up to track the total number of payments made to the WCry makers - as of writing, 131 payments have been made, totaling US$37,736.09.

Known WCry attacks in Singapore are limited to shopping malls – Tiong Bahru Plaza and Orchard Central. Other countries are not as fortunate – the first instances of WCry occurred in UK hospitals on the evening of 12th May 2017. So far, it has also affected Russian banks, French car manufacturer Renault, and Spain’s telco, Telefonica.


How one researcher stopped WCry 1.0

Stopping the WCry ransomware is a morbid game of cat-and-mouse between cybersecurity experts and malicious coders. In the case of the WCry ransomware, a researcher at Malwaretech found that the code apparently pings a particular hardcoded domain to see if it exists; if the malware can’t connect to this domain, the ransomware executes, but if it’s able to make a successful connection, the malware exits and doesn't start the encryption. So it seems that a “kill-switch” was embedded in the code, perhaps as a sandbox test as hypothesized by the researcher. And so Malwaretech registered this domain name to stop this malware from spreading and executing further.

This, however, does not alter the ransomware itself nor for the fact that you can still be affected should the domain go down or be under attack (DDOS). Refer to our further notes below on how to stay safe and tools to help disinfect affected systems.

However, a new variant is on the loose. Confirmed by Kaspersky Labs, WCry 2.0 is a variant that doesn’t have a kill-switch, but it’s currently corrupted and therefore not active. The bad news: the new variant was likely developed by an attacker unaffiliated with the original WCry ransomware, and it’s only a matter of time before another infectious wave begins.


How can I protect myself?

A list of Windows OS security patches has been put together by Imgur user ibuiltamurderbot, who allegedly works in the IT and cybersecurity research industry. You can choose the relevant patch for your operating system.

The Cyber Security Agency of Singapore (CSA) put up an advisory on Singapore Computer Emergency Response Team (SingCERT)’s website with the following recommendations:

  • SingCERT advises all users and companies with affected systems listed above to ensure that their Windows-based systems are fully patched. In particular, Microsoft Security bulletin (MS17-010-Critical) should be applied.
  • Users should ensure that their anti-virus software is updated with the latest malware definitions.
  • Users should perform file backups and store them offline in case they need to restore their systems following an attack.

Other recommendations include:

  • Keep your firewall software updated at all times, so you remain safe from any recent forms of malware.
  • Don’t pay the ransom.

As a last resort, most of the popular anti-virus firms have free tools to help remove WCry – this link goes to Kaspersky Labs, and these other links are Trend Micro tools you can employ (1, 2).

Read Next: How to defend yourself from being hacked

Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.