By Trevor Dierdorff
In case you have been living in a cave the last two weeks…
WannaCry is the latest ransomware attack that has kept IT professionals hopping. It spreads by leveraging a Microsoft Windows Server Message Block (SMB) exploit to remotely access and infect computers running unpatched or unsupported versions of Windows. It infects the targeted computer, then moves on to others on the network and to any it can find on the open internet. The ransomware took control of computers around the world and forced owners to pay hundreds of dollars in Bitcoin to get their files back. It exploited a Microsoft Windows vulnerability that Microsoft patched in March this year. Those who were not diligent in updating their software remained vulnerable.
Hundreds of thousands of computers have been hit so far in more than 150 countries, creating havoc and work stoppages in hospitals, banks, colleges and even gas stations.
A 22-year-old British security researcher who goes by the name MalwareTech has stopped the WannaCry ransomware plague.
He found a URL “kill switch” in the code of WannaCry that keeps the first strain of WannaCry from infecting computers.
Here’s the problem: Now there are multiple new strains of WannaCry cropping up around the world.
Some have a different URL “kill switch,” and potentially at least one strain has no “kill switch” at all. This “no kill switch” variant is not believed to have been created by the criminals who developed the first WannaCry code.
Whatever the final number of WannaCry strains, the truth is that we aren’t even close to being done with WannaCry. And the criminals in control of this cyber-WMD aren’t done with causing us pain.
Yes, the infection rate has slowed, but that lull is likely only the calm before the second wave of the storm, according to industry experts.
Where did WannaCry come from?
There is no public information on the criminals behind WannaCry, but the SMB exploit they are utilizing is believed to be part of a hacking toolset that the National Security Agency allegedly created and lost control of when a group of hackers called “The Shadow Brokers” stole it and dumped it onto the Dark Web in April 2017.
Currently, the predominant strains of WannaCry are being thwarted before they infect computers by utilizing the method discovered by MalwareTech.
He discovered that by registering a domain name that was buried in the ransomware’s code, he was able to create a “sinkhole”: when the worm finds that domain reachable, it stops and does not infect the computer.
The problem is that if the connection to this “sinkhole” domain is lost, WannaCry will move into “infect” mode.
As stated above, there are now several strains of WannaCry out there with a “kill switch” domain name in their code. Each unique domain name must be registered so that a “sinkhole” is created for that strain.
Even with these domain name “sinkholes,” we aren’t out of the woods.
MalwareTech stated that “WannaCrypt (or WannaCry) ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant.”
There are some scenarios that will allow your unpatched computer to be infected — even with the kill switch in place. Here they are:
- If WannaCry comes to you via an email, a malicious torrent or other vectors (instead of SMB protocol).
- If your internet service provider or antivirus or firewall revokes access to the “sinkhole.”
- If your system requires a proxy to access the internet — common in corporate networks.
- If someone uses a DDoS (distributed denial of service) attack to make the sinkhole domain inaccessible.
What to do…
The cyber-security experts at Amnet, a Colorado Springs-based IT support firm, advise you to:
- patch your computers;
- replace systems running Windows XP or Vista;
- run a decent (not free) anti-virus; and
- make sure your backups are image-based backups with frequent snapshots that are current and secure.
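The common thread in the sinkhole scenarios above and in the patching advice is that the kill switch is a fail-open safeguard: the worm halts only when its own direct connection to the registered domain succeeds, so a proxy-only network, a blocked path or a downed sinkhole all leave an unpatched machine in “infect” mode. The following script is an added example, not part of the column or of any Amnet tool; it models a constructed host inventory and reports which machines are protected by the patch, which are merely shielded by the sinkhole for now, and which are exposed. The field names, the three internet-path values and the sample hosts are all assumptions made for the illustration, and the model covers only the SMB worm path: a copy that arrives by email or torrent is not stopped by the kill switch at all, so an unpatched host that opens it is exposed regardless of its network path.

```python
"""Added example (not from the column): model which hosts on a network stay
exposed to the WannaCry SMB worm even while the kill-switch domain is sinkholed.

Assumptions (all constructed for illustration):
- the worm's kill switch is a direct, non-proxied connection to a domain; if the
  connection succeeds the worm stops, otherwise it proceeds (fail-open);
- the March SMB patch closes the remote-infection path on a supported OS;
- XP and Vista are unsupported and are treated as needing replacement, not patching.
"""
from __future__ import annotations

from dataclasses import dataclass

UNSUPPORTED_OS = {"Windows XP", "Windows Vista"}   # per the column's advice to replace these


@dataclass
class Host:
    name: str
    os: str
    smb_patched: bool      # March 2017 SMB patch installed?
    internet_path: str     # "direct", "proxy" (corporate proxy) or "blocked" (ISP/AV/firewall)
    sinkhole_up: bool      # registered kill-switch domain currently reachable (not under DDoS)?


def kill_switch_engages(host: Host) -> bool:
    """The worm halts only when its own direct connection to the sinkhole succeeds.
    A proxy-only network, blocked egress and a downed sinkhole all look the same
    to it (connection failed), so it goes into infect mode."""
    return host.internet_path == "direct" and host.sinkhole_up


def classify(host: Host) -> tuple[str, str]:
    """Return (status, reason) for one host.
    Statuses: 'safe' (patched, supported), 'replace' (unsupported OS),
    'sinkhole-only' (unpatched but currently shielded), 'exposed'."""
    if host.os in UNSUPPORTED_OS:
        # Even if the sinkhole currently shields it, the fix is replacement.
        shield = " (currently shielded by sinkhole)" if kill_switch_engages(host) else ""
        return "replace", f"unsupported OS {host.os}{shield}"
    if host.smb_patched:
        return "safe", "SMB patch installed"
    if kill_switch_engages(host):
        return "sinkhole-only", "unpatched; protected only while the sinkhole stays reachable"
    return "exposed", (f"unpatched and kill switch cannot engage "
                       f"(path={host.internet_path}, sinkhole_up={host.sinkhole_up})")


def assess(hosts: list[Host]) -> dict[str, list[str]]:
    """Group host names by status so the exposed ones can be patched first."""
    report: dict[str, list[str]] = {"safe": [], "replace": [], "sinkhole-only": [], "exposed": []}
    for h in hosts:
        status, _ = classify(h)
        report[status].append(h.name)
    return report


# Constructed sample inventory covering each scenario from the column.
SAMPLE_HOSTS = [
    Host("ws-01", "Windows 10", True, "direct", True),    # patched: safe regardless of sinkhole
    Host("ws-02", "Windows 7", False, "direct", True),    # unpatched, sinkhole reachable: shielded for now
    Host("ws-03", "Windows 7", False, "proxy", True),     # corporate proxy: worm's direct connect fails
    Host("ws-04", "Windows 7", False, "blocked", True),   # ISP/firewall revoked access to the sinkhole
    Host("ws-05", "Windows 7", False, "direct", False),   # sinkhole down (e.g. DDoS): kill switch cannot engage
    Host("ws-06", "Windows XP", False, "direct", True),   # unsupported: replace, don't rely on the sinkhole
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        status, reason = classify(h)
        print(f"{h.name}: {status} ({reason})")
    print(assess(SAMPLE_HOSTS))
```

Run it as-is to see the sample report; to use it on a real network, replace SAMPLE_HOSTS with your own inventory. The point the output makes is that only the first host is safe on its own merits; the shielded host becomes exposed the moment any of the four listed scenarios occurs, which is why patching, not the sinkhole, is the fix.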
Because of the high-profile nature of this ransomware attack, there will be copycats that make WannaCry even more virulent and destructive.
WannaCry 2.0 is inevitable.
Does it make you mad, or do you just wanna cry?
Trevor Dierdorff is CEO of Amnet, a Colorado Springs-based IT support company. He can be reached at firstname.lastname@example.org.