WannaCry: Enter the Ransomworm

The first wave may have been beaten, but the second WannaCry will be much worse.

If it is not yet in the Oxford Dictionary, surely this is the year for Ransomware. We have - and will continue to - yell it from the rooftops. Those rooftops specifically include this blog and our Facebook page. If you are just joining us, we defined Ransomware in this way in our first blog post on the topic in May, 2016:

Aptly named, ransomware is malicious software (malware) that is designed to hold your computer ransom. It does this by encrypting your files and denying you access to them until you pay the ransom.

Now, we have been graced with WannaCry (WannaCrypt, Win32/WannaCrypt, WannaCrypt0r, etc.) with a little help from our friends at the National Security Agency (NSA), Microsoft, and a Worm. It has been the case in Information Technology Security for many years, and it is still true: the bad guys seem to be one step ahead of the good guys. We also have a new term: Ransomworm.

As we now know, WannaCry exploits a Microsoft vulnerability that was previously uncovered by the NSA. That NSA information was recently leaked. After the leak, some enterprising individuals began writing a ransomware program to exploit it for money by holding infected computers for ransom. The attack launched on Friday, May 12th and initially took hold in Europe and Asia. Over the weekend, a security specialist in the UK discovered a kill switch in the program. He enabled the kill switch by registering the Internet domain that the program's code checks for. Once the malicious program began reaching the newly registered domain, the first version of the ransomware began shutting itself down.

Yay! But the attackers will fix - and most likely already have fixed - that kill switch in later versions.

The images above and below are from Intel's MalwareTech Botnet Tracker for the WCRYPT botnet. Here is a link to it (click the link and then let it run and populate on your screen):

All of this being said, this ransomware is similar to other strains, but it also includes a Worm program that seeks out other targets on the network, specifically Windows file shares that use the SMB (Server Message Block) protocol. Ransomware is typically delivered to your computer via poisoned e-mail attachments, drive-by downloads (from infected websites), network service attacks, or lateral movement through your network (automated file copies to shared folders).

WannaCry is unusual in that it uses a Worm (a program) to exploit the NSA-leaked Microsoft vulnerability to spread itself to other network computers that host unpatched "file shares". This is something to be taken very seriously, because one WannaCry infection could easily multiply within your network.

What to do:

• Scrutinize links and files contained in emails.
• Only download software from trusted sources.
• Always have a current, full backup of your computer.
• Run a Windows Update to get the latest software updates.
• Make sure any anti-virus product is up-to-date and scan your computer for any malicious programs. You will also want to verify that you have real-time protection.
• If you do get a Ransomware infection, we do not recommend paying the ransom, for two reasons: you will be encouraging more computer ransom behavior, and there is no guarantee that the criminals will give you access to your files!
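The list above tells you what to do; the script below, an added example that is not part of the WinTech post, is one way to check a Windows machine for the conditions the worm component relies on. It goes a little beyond the post by naming the protocol version involved: WannaCry's spreader targets SMBv1 over TCP port 445. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity PowerShell modules, run from an elevated prompt.

```powershell
# Added audit script (not from the WinTech post). Assumes Windows 8.1 / Server 2012 R2
# or later with the SmbShare and NetSecurity modules, run as Administrator.
# Reports: SMBv1 enabled, inbound TCP 445 allowed, stale patch level, exposed shares.
# With -DisableSmb1 it also turns the SMBv1 server protocol off.
[CmdletBinding()]
param([switch]$DisableSmb1)

$findings = @()

# 1. Is the SMBv1 server protocol still enabled? (WannaCry's spreader targets SMBv1.)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
    if ($DisableSmb1) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += "  -> SMBv1 server protocol disabled (reboot to be safe)"
    }
}

# 2. Is the SMB1Protocol optional feature (client and server binaries) installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "Windows feature SMB1Protocol is installed (remove with Disable-WindowsOptionalFeature)"
}

# 3. Do enabled inbound firewall rules allow TCP 445, the port the worm scans for?
$allow445 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($rule in $allow445) {
    $findings += "Inbound TCP 445 allowed by rule '$($rule.DisplayName)' (profile: $($rule.Profile))"
}

# 4. When was the last hotfix installed? An old date suggests Windows Update has not run.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Last hotfix $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString()); run Windows Update"
}

# 5. Which shares does this host expose? Administrative shares (ending in $) are listed too.
Get-SmbShare | Select-Object Name, Path, ScopeName | Format-Table -AutoSize

if ($findings.Count -eq 0) { "No SMB exposure findings on $env:COMPUTERNAME" }
else { "Findings on ${env:COMPUTERNAME}:"; $findings | ForEach-Object { " - $_" } }
```

Run it without the switch first to see the report, then with `-DisableSmb1` once you have confirmed no legacy device on your network still needs SMBv1.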

And, of course, call WinTech for all of your IT Security needs at 540-722-2122!

Would you like more tech news more often? Follow us on Facebook!
