July 10, 2017
On May 12, 2017, a new ransomware program was discovered known as WannaCry, WCry, or Wanna Decryptor. As of May 16, there are over 374,000 unique addresses infected – and growing every minute.
WannaCry attacks by encrypting and holding data for ransom, currently set at 0.1781 bitcoins (approximately $300 USD). According to the FBI Cyber Division, WannaCry is primarily attacking enterprise systems through two known avenues: Remote Desktop Protocol (RDP) and Windows SMB (or CIFS). There are also reports of infections received through phishing emails.
What is ransomware?
Ransomware is a form of malware designed to hold a system’s data (anything you save on your computer or server) for ransom. How does it do this? Most commonly, ransomware encrypts the information on your system and prevents you from accessing it until the ransom is paid.
The attackers then demand payment in order to retrieve the data – often under threat of deleting it forever. (That payment is usually requested via bitcoins, a form of crypto currency which is difficult to track.) After payment is made the attacker will claim to send a key for decrypting the system’s data.
How can I protect my data?
Always be aware of suspicious websites, emails, or messages. When updating Windows systems, allow all security updates. If you use SMB, ensure you receive security updates from Microsoft; if not, you may disable it.
Additional steps to prevent infections:
- Block SMB and RDP from leaving or entering you network
- Update Windows systems
- Don’t open suspicious emails
What should I do if I’m infected?
Paying ransom is unlikely to get your data back. In fact, those who do pay ransom may be specifically targeted again in different campaigns. It is also common, if ransom is paid, for the attackers to ask for more than the original ransom.
What to do if you are infected:
- Remove the infected system from the network immediately
- Turn the system off
- Isolate your backups by taking them offline
Download the full WannaCry Ransomware memo here.