"WannaCry" Ransomware - Global Epedemic

WannaCry Ransomware

By now you will have read or at least heard about the global epidemic of ransomware attacks on computer systems. The attack is typically delivered as an attachment that you are urged or convinced to open and execute to see its contents. These can take the form of Word or Excel macros, or be made to look like some kind of invoice, shipping notice or bank statement. All these confidence schemes rely on your belief that the attachment is valid and that you need to follow whatever prompts stand between you and its contents. In some cases the attachment seems to be a photo or video but is actually an executable file that, on newer systems, will prompt you for permission to run (which should immediately trigger your suspicions). Do not execute or run attachments or their payloads unless you are absolutely certain of their contents and why you are receiving them. You cannot simply trust the sender, since the sender address can be faked or spoofed, and infected systems will send the infection on to everyone in the infected machine's contact list, so it appears to come from a valid and trusted source.

The vast majority of machines infected with the WannaCry Trojan were running older operating systems with well-known, exploitable security holes that were either unpatched or not fully patched before Microsoft ended support for those products. Newer operating systems are not invincible: even Windows versions as recent as Windows 10 contain exploitable code that Trojans attempt to use to install the data-encrypting ransomware. Ensuring that you have all the recent Microsoft updates and security patches applied is critical.

The first step is always to get a user to start installing the downloader, which then fetches the encrypting software and begins encrypting your files in the background. It will not stop there. It will attempt to encrypt any writable media it can reach, including thumb drives, USB backup drives, network shares and cloud file systems. Your only hope of recovery from this kind of attack is a backup of your data that is not online or accessible to the infected computer at the time of infection. Keeping your backups offline, or on discs that are not constantly connected to the computer or network, is very important. Equally important is versioning, where more than one set of recent backups is kept so that you can restore from the most recent clean, unencrypted backup of your data.

Once infected (in this case, encrypted), your machine's normal processes will continue to run in the background, but you will be unable to access any of the data. So if your machine gets encrypted overnight after you opened the attachment earlier that day, your backup process will store the encrypted data to your backup device or backup service, overwriting the good copy if only one is kept. This is why it is important to have more than one recent backup.

Incremental backups (more than one day’s worth of backed up data) or offline backups (keep a copy disconnected from your machine or network) are important for a recovery without paying the ransom.
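The versioning argument above, as an added example that is not part of the original article or of any backup product: a Python sketch (assumed design) that keeps several snapshots and uses a byte-entropy check to choose the most recent snapshot that does not look mass-encrypted, so a backup taken after overnight encryption does not become the only copy.

```python
import math
from collections import Counter
from random import Random

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
ENCRYPTED_FRACTION = 0.8  # flag a snapshot when this share of its files looks encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_looks_encrypted(files: dict) -> bool:
    """True when most files in a snapshot have near-random content."""
    if not files:
        return False
    suspicious = sum(1 for blob in files.values() if shannon_entropy(blob) > ENTROPY_THRESHOLD)
    return suspicious / len(files) >= ENCRYPTED_FRACTION

class VersionedBackup:
    """Keeps the last `keep` snapshots instead of overwriting a single copy."""
    def __init__(self, keep: int = 3):
        self.keep = keep
        self.snapshots = []  # oldest first

    def add_snapshot(self, files: dict) -> None:
        self.snapshots.append(dict(files))
        self.snapshots = self.snapshots[-self.keep:]  # drop the oldest beyond `keep`

    def latest_clean(self):
        """Most recent snapshot that does not look mass-encrypted, or None."""
        for snap in reversed(self.snapshots):
            if not snapshot_looks_encrypted(snap):
                return snap
        return None

# Constructed sample data: a clean working set, then the same file names after encryption.
_rng = Random(2017)
CLEAN = {f"doc{i}.txt": (f"Quarterly report {i}: sales rose modestly. " * 40).encode() for i in range(5)}
ENCRYPTED = {name: _rng.randbytes(4096) for name in CLEAN}  # random bytes stand in for ciphertext

def demo(keep: int = 3):
    store = VersionedBackup(keep=keep)
    store.add_snapshot(CLEAN)      # Monday's backup, before the attachment was opened
    store.add_snapshot(ENCRYPTED)  # Tuesday's backup, after overnight encryption
    return store.latest_clean()

if __name__ == "__main__":
    recovered = demo()
    print("recoverable from:", sorted(recovered) if recovered else None)
```

With `keep=1` the same run returns `None`: the single slot now holds only encrypted data, which is exactly the failure the article warns about.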

If you have been a victim of ransomware, you should report it to police. Police cannot recover your data but can document the attack and help build the file of victims if suspects are identified. Paying a ransom is discouraged but regardless of how you choose to deal with the situation, police should be notified.

Ironically, the publicity around this event, and around the attacks that will follow it, will also cause an increase in phishing attacks that purport to offer easy and safe protection from ransomware. Consult a trusted source of computer expertise rather than relying on click-bait ads and social media promises of protection or easy fixes.

Back up your data, or risk it being held hostage or simply lost to inevitable causes such as hardware failure, loss or theft, and to more profitable causes like ransomware. The patch for Microsoft computers can be found here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx