Note: This article was first published on 15th May 2017.
Wana Decrypt0r (also known as WannaCrypt or WCry) was originally derived from an exploit created by the U.S. National Security Agency (NSA). Codenamed EternalBlue, the exploit was designed as a weapons-grade cyber weapon targeting Microsoft’s vulnerable implementation of the Server Message Block (SMB) protocol. It was especially effective against computers running Microsoft Windows XP through Windows Server 2012. Windows 10 is not vulnerable to the exploit.
As with all things on the Internet, the flaw was leaked to the public in mid-April 2017 by a hacker group called The Shadow Brokers. Microsoft had actually patched the vulnerability a month before the leak, but that wasn’t enough, because the patch did not reach users and their operating systems in a timely manner. Microsoft also initially did not release security patches for OSes that were no longer supported (this was rectified a day after WCry had started propagating).
In essence, WCry holds the victim’s computer to ransom (hence the term ransomware) until the ransom fee is paid to regain access. Ransomware comes in many variants, with nastier ones that do not hesitate to wipe an entire hard drive if the ransom isn’t paid. Ideally, the ransom should never be entertained, but the scale of the attack left little room for negotiation – especially for workstations in time-sensitive environments (such as hospitals).
Currently, about 150 countries are affected by WCry – more than 200,000 computers have already been infected, according to Reuters’ estimates. Cybersecurity firms such as Cyence also believe that the attack will induce economic losses of up to US$4 billion. A Twitter bot has been set up to track the total number of payments made to the WCry makers – as of writing, 131 payments have been made, totaling US$37,736.09.
Known WCry attacks in Singapore are limited to shopping malls – Tiong Bahru Plaza and Orchard Central. Other countries are not as fortunate – the first instances of WCry occurred in UK hospitals on the evening of 12th May 2017. So far, it has also affected Russian banks, French car manufacturer Renault, and Spain’s telco, Telefonica.
Stopping the WCry ransomware is a morbid game of cat-and-mouse between cybersecurity experts and malicious coders. In the case of WCry, a researcher at MalwareTech found that the code apparently contacts a particular hardcoded domain to see if it exists. If the malware can’t connect to this domain, the ransomware executes; if it makes a successful connection, the malware exits without starting the encryption. So it seems that a “kill-switch” was embedded in the code, perhaps as a sandbox test, as the researcher hypothesized. MalwareTech therefore registered this domain name to stop the malware from spreading and executing further.
This, however, does not alter the ransomware itself, nor does it change the fact that you can still be affected should the domain go down or come under attack (DDoS). Refer to our further notes below on how to stay safe and tools to help disinfect affected systems.
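As an added example (not code from the original article), the following Python triage scans DNS resolver logs for lookups of the kill-switch domain, which identify hosts that already ran the sample whether or not the kill-switch stopped encryption. The domain name is not reproduced here, so the placeholder `killswitch.example` stands in for it, and the log format and sample lines are constructed.

```python
"""Flag hosts that queried the WCry kill-switch domain (added example, not
from the original article). The check runs before encryption, so any host that
looked the domain up has already executed the sample: a successful lookup means
it probably exited, a failed one (domain down, sinkhole unreachable) means
encryption would proceed. Both need cleanup and patching, so both are reported.
"""
import re
from collections import defaultdict

# Placeholder for the hardcoded domain the article mentions (not reproduced here).
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample resolver log, one "<timestamp> <client> <qname> <rcode>" per line.
SAMPLE_DNS_LOG = """\
2017-05-12T18:01:07Z 10.0.4.21 www.example.com NOERROR
2017-05-12T18:01:09Z 10.0.4.21 killswitch.example NOERROR
2017-05-12T18:02:44Z 10.0.7.88 KILLSWITCH.EXAMPLE. NXDOMAIN
2017-05-12T18:02:45Z 10.0.7.88 killswitch.example SERVFAIL
2017-05-12T18:03:10Z 10.0.9.5 mail.example.com NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


def triage_dns_log(log_text, kill_switch=KILL_SWITCH_DOMAIN):
    """Return {client: verdict} for each client that queried the kill-switch domain.

    "kill-switch-resolved": a lookup returned NOERROR, so the sample most likely
        reached the domain and exited (still infected, lower urgency).
    "kill-switch-unresolved": every lookup failed, so the payload would run;
        treat as active encryption in progress.
    """
    rcodes_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        # Normalise case and trailing dot so "KILLSWITCH.EXAMPLE." still matches.
        if m["qname"].lower().rstrip(".") != kill_switch:
            continue
        rcodes_by_client[m["client"]].add(m["rcode"].upper())
    return {
        client: "kill-switch-resolved" if "NOERROR" in rcodes else "kill-switch-unresolved"
        for client, rcodes in rcodes_by_client.items()
    }


if __name__ == "__main__":
    for client, verdict in sorted(triage_dns_log(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {verdict}")
```

Hosts in the "unresolved" bucket are the ones to isolate first, since a failed kill-switch check is exactly the condition under which encryption proceeds.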
However, a new variant is on the loose. Confirmed by Kaspersky Labs, WCry 2.0 is a variant without a kill-switch, but it is currently corrupted and therefore not active. The bad news: the new variant was likely developed by an attacker unaffiliated with the original WCry authors, and it’s only a matter of time before another infectious wave begins.
A list of Windows OS security patches has been put together by Imgur user ibuiltamurderbot, who allegedly works in the IT and cybersecurity research industry. You can choose the relevant patch for your operating system.
The Cyber Security Agency of Singapore (CSA) put up an advisory on Singapore Computer Emergency Response Team (SingCERT)’s website with the following recommendations:
Other recommendations include: