We’ve covered ransomware, such as the Cryptolocker virus, on this blog before, and even taken a look at the new marketplace that makes it a snap to make a quick buck on the misery of others. But while Cryptolocker is a vexing beast that has left its mark on the internet, its impact is limited to those who pick it up: it can’t encrypt anything the infected user doesn’t have write access to, so it’s rarely able to break out of a single network.
Yet it was perhaps only a matter of time before someone figured out how to bolt the ransomware payload onto a new delivery method, and now, thanks to an exploit against unpatched versions of Windows, it has actually happened. The new beast is named WannaCry, also known as WannaCrypt or Wcry, and it exploded onto the scene in a big way.
DO THE WORM
The recent outbreak of WannaCry was first identified on Friday, when it brought hospitals in the UK to their knees. From there it was reported in countries such as Spain and Portugal, and by the time the weekend ended it was estimated to have affected systems in around 150 countries worldwide, including Canada. It became clear that this wasn’t another isolated case of the Crypto virus.
Like the Cryptolocker virus, WannaCry is believed to be picked up through an email phishing scam; it then quickly works through the system’s files, encrypting documents with 2048-bit RSA encryption, and prompts the user to pay a ransom (in this case $300) to get their files back. For Cryptolocker to infect that many systems over such a wide area, the user who opened the phishing email would have needed quite privileged access, since a standard crypto can only encrypt files that user has write access to. What makes WannaCry different is its ability to act like a worm.
A worm is a pretty insidious clump of code. It exploits unpatched holes in an operating system’s security and uses them to move from system to system without any user action. This lets it effectively “worm” its way through entire networks unchecked, self-propagating and spreading as far as it can reach.
THE FALL AND REBIRTH OF WANNACRY
In a bizarre turn of events, it was discovered that the virus was set to call out to a seemingly random, typed-in domain, and if it could actually reach that domain, the virus wouldn’t execute. To stop the outbreak, a tech blog registered the domain, activating what was believed to be a kill switch. Once the switch was triggered, propagation of the virus stopped. Infected machines are still infected and their files didn’t magically decrypt themselves, but no new systems could catch the worm.
Yet, as with Cryptolocker, it’s certain that copycats will arise to take its place almost immediately. In fact, new variants are already appearing in the wild. Thus far they all contain the same kill switch as the original (or are broken right out of the gate), which limits their success. Since the virus is still under analysis, the purpose of the kill switch is unknown, so it’s possible it will be edited out of future versions of the virus.
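The kill-switch behaviour described above also gives defenders a detection hook: the worm looks up that domain before it does anything else, so any host that queried it has run the worm’s check, and the DNS response tells you whether the switch would have held. The script below is an added example written for this post, not code from the original article or from any WannaCry analysis. The kill-switch domain is not named in the post, so KILLSWITCH_DOMAIN is a placeholder, and the resolver log lines are constructed in a simplified “timestamp client qname rcode” layout rather than any particular DNS server’s real format.

```python
"""Triage hosts that queried the kill-switch domain, from resolver logs.

Added example (not from the original post). Assumptions:
  * KILLSWITCH_DOMAIN is a placeholder; substitute the domain from your own
    threat intel.
  * SAMPLE_LOG is a constructed log in a simplified
    "timestamp client qname rcode" format, not a real resolver's output.
"""
import re

KILLSWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real domain

# Constructed sample resolver log. 10.0.1.22 first fails the lookup (domain not
# yet registered, worm proceeds) and later resolves it (after the sinkhole was
# registered); 10.0.2.8 queries in mixed case, which the parser normalizes.
SAMPLE_LOG = """\
2017-05-12T09:01:12Z 10.0.1.15 update.microsoft.com NOERROR
2017-05-12T09:02:40Z 10.0.1.22 killswitch-domain.example NXDOMAIN
2017-05-12T09:03:05Z 10.0.1.22 mail.corp.example NOERROR
2017-05-12T14:15:31Z 10.0.1.37 killswitch-domain.example NOERROR
2017-05-12T14:16:02Z 10.0.1.22 killswitch-domain.example NOERROR
2017-05-12T14:20:44Z 10.0.2.8 KILLSWITCH-DOMAIN.EXAMPLE. NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    # Normalize the name: drop a trailing dot and ignore case.
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "rcode": rcode.upper()}


def classify_killswitch_queries(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client: {"verdict", "first_seen", "queries"}} for every client
    that looked up the kill-switch domain.

    Any query at all means the worm's pre-flight check ran on that host, so the
    host needs attention regardless of verdict. The response code decides how
    urgent that is:
      * NOERROR  -> domain resolved, propagation should have been suppressed
      * anything else (NXDOMAIN, SERVFAIL, ...) -> lookup failed, worm proceeds
    A host is graded by its worst observed response.
    """
    domain = domain.lower()
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        entry = hosts.setdefault(rec["client"], {"verdict": "suppressed",
                                                 "first_seen": rec["ts"],
                                                 "queries": 0})
        entry["queries"] += 1
        # ISO-8601 timestamps sort lexicographically, so min() is the earliest.
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        if rec["rcode"] != "NOERROR":
            entry["verdict"] = "likely_active"
    return hosts


def summarize(hosts):
    """Return (likely_active_count, suppressed_count) for a triage headline."""
    active = sum(1 for h in hosts.values() if h["verdict"] == "likely_active")
    return active, len(hosts) - active


if __name__ == "__main__":
    results = classify_killswitch_queries(SAMPLE_LOG)
    for client in sorted(results, key=lambda c: results[c]["first_seen"]):
        h = results[client]
        print(f"{client:12} {h['verdict']:14} first seen {h['first_seen']} "
              f"({h['queries']} queries)")
    print("likely active / suppressed:", summarize(results))
```

Hosts graded “likely_active” are the ones to isolate first; hosts graded “suppressed” still ran the worm’s check and should be triaged too, since the post is clear that an already-infected machine stays infected even after the switch was thrown. If a variant drops the kill switch, this lookup never happens, so the check complements rather than replaces patching.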
PREVENTING A CASE OF THE WORMS
Sounds scary enough, right? So how do you keep yourself and your business from coming down with a case of the worms? It’s easy: update your operating systems. WannaCrypt takes advantage of an exploitable weakness in Windows, but one that has been patched since March. Anyone with Windows automatic updates turned on, or who updates regularly, will already have been inoculated against the virus. Since the fix went out back in March, protection even extends to the recently deep-sixed Windows Vista.
If you’re on an antiquated OS that Microsoft has dropped support for, such as Windows XP or Server 2003, you’re not entirely left to the dogs: Microsoft released a patch in response to the outbreak, which can be downloaded here. With that said, if you are on one of these aging OSes, this should be a wake-up call to upgrade to something currently under support. Otherwise, your business could be the next one hit by a virus such as this.