“The files on this computer have been encrypted. You have 96 hours to submit payment, otherwise your files will be permanently destroyed.”
This kind of pop-up message means only one thing. You’re running Microsoft Windows on your desktop PC or laptop and you’ve been hit with ransomware.
At the time of writing, countries all over the world were facing the largest security threat in the history of the Internet: the WannaCry ransomware, which left everything from businesses and governments to academic institutions, hospitals and ordinary people affected.
This malware spread like a worm and was transmitted through a phishing email containing a compressed, encrypted file. Because the file was encrypted, security systems did not identify the ransomware, called Wanna Decryptor, until after it had been downloaded. Wanna Decryptor, a next-gen version of the WannaCry ransomware, gained access to a device once the malware-laden file was downloaded: it then encrypted data, locked down the system and demanded a ransom.
Ransomware does not typically spread this quickly. But thanks to a stolen NSA cyber-weapon called EternalBlue, which was made public last month by a hacking group known as the “Shadow Brokers,” the malware spread rapidly by exploiting a security flaw in Microsoft Windows servers.
But first, what is this “ransomware”? Ransomware stops you from using your PC: it holds your PC or your files for “ransom”.
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can target any PC user, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
Ransomware can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
- Visiting unsafe, suspicious, or fake websites.
- Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
- Clicking on malicious or bad links in emails, in Facebook, Twitter and other social media posts, or in instant messenger chats such as Skype.
The ransomware was slowed last week after a security analyst discovered a kill switch in its code, but it has since been updated without the kill switch, allowing it to spread further. WannaCry has now reached more than 150 countries and 200,000 computers, shutting down hospitals, universities, warehouses and banks.
Though it might seem to be an issue only for businesses, institutions and governments, individuals are at risk too, as WannaCry targets a flaw in older versions of the Windows operating system that have not been patched.
These OSes are affected
The attack exploits a vulnerability in older Windows operating systems, namely:
- Windows 8
- Windows XP
- Windows Server 2003
If you’re using a more recent version of Windows — and you’ve stayed up-to-date on your system updates — you should not be vulnerable to the current iteration of the WannaCry ransomware:
- Windows 10
- Windows 8.1
- Windows 7
- Windows Vista
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
But the reverse applies, too: If you haven’t been keeping those newer versions of Windows updated, you’ll be just as vulnerable until and unless you do.
If you’re using MacOS, ChromeOS or Linux — or mobile operating systems like iOS and Android — you don’t have to worry about this particular threat.
Update Windows immediately
If you’re using one of the newer versions of Windows listed above (10/8.1/7, etc.) and you’ve kept your PC up-to-date with automatic updates, you should’ve received the fix back in March.
In the wake of WannaCry, Microsoft issued rare patches on the older versions of Windows it no longer formally supports to protect against this malware. Here’s where you can download these security updates:
- Windows 8 x86
- Windows 8 x64
- Windows XP SP2 x64
- Windows XP SP3 x86
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x64
- Windows Server 2003 SP2 x86
The full download page for all Windows versions is available here.
Turn Windows Update on if it’s disabled
It’s not uncommon for people to disable Microsoft’s automatic updates, especially because earlier iterations had a tendency to auto-install even if you were in the middle of work. Microsoft has largely fixed that issue with the current version of Windows 10 (the recent Creators Update). If you have disabled automatic updates, head back into Control Panel in Windows, turn them back on and leave them on.
Install a dedicated ransomware blocker
Don’t assume that your current antivirus utility — if you’re using one at all — offers protection against ransomware, especially if it’s an outdated version. Many of the big suites didn’t add ransomware blocking until recently.
Not sure if you’re protected? Dive into your utility’s settings and see if there’s any mention of ransomware. Or, do some web searching for the specific version of your product and see if it’s listed among the features.
If it’s not, or you’re pretty sure you don’t have any kind of safeguard beyond your patched version of Windows, install a dedicated anti-ransomware utility. Two free options: Cybereason Ransomfree and Malwarebytes Anti-Ransomware (currently in beta).
What people need to do
Simply put: make sure your Microsoft Windows server is up to date. Microsoft issued a patch in mid-March to fix the hole in Windows 7 and other supported versions of Windows: Vista, Server 2008, Server 2008 R2, 8.1, Server 2012, RT 8.1, 10, Server 2012 R2, and Server 2016. But those who did not apply the software update were—and still are—left exposed to the hack.
In light of the attack, Microsoft rolled out patches to protect older versions of Windows that “no longer receive mainstream support” from the company like Windows XP, Windows 8, and Windows Server 2003. Those running on Windows 10 are fine, as their software is not vulnerable to this particular cyberattack. Devices that are potentially susceptible are Windows 7 and Windows Server 2008, and earlier operating systems.
Microsoft recommends users upgrade to Windows 10 and install the security update MS17-010. With the 1.243.297.0 update, Windows Defender Antivirus detects the malware as Ransom:Win32/WannaCrypt. The company also recommends Device Guard for businesses and Office 365 Advanced Threat Protection for blocking emails carrying malware.
The U.S. Computer Emergency Readiness Team (US-CERT) issued advice on how users can best protect themselves from the recent WannaCry ransomware threat. In addition to being “particularly wary of compressed or ZIP file attachments,” US-CERT recommends using caution when clicking directly on links in email, even if the sender is someone you know. They suggest trying to independently verify web addresses.
What happens if you don’t take protective measures?
Even if you don’t actively download the file from a phishing email, your device could be at risk—the ransomware also spreads through file-sharing systems on networks. Microsoft explains that the worm-like functionality of the ransomware infects “unpatched Windows machines in the local network” and “executes massive scanning on Internet IP addresses to find and infect other vulnerable computers.”
Infected devices will find their desktop background image replaced with a message, calling for the user to follow instructions until they reach the ransom screen. Here, there are two timers—one showing the amount of time left until files will be deleted and a second displaying the time until the ransom will increase from $300.
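To turn the two defences the article describes (the MS17-010 update, and the network file-sharing path the worm uses, which in MS17-010 is the SMBv1 protocol) into a check an administrator can run, here is an added PowerShell audit script. It is not code from the original article or from Microsoft; it assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, and the `$Ms17010Kbs` list is a placeholder you must fill from the MS17-010 bulletin for your exact OS build, since the KB number differs per build.

```powershell
# Added example (not from the original article or from Microsoft).
# Audits one Windows host for the defences the article describes:
#   1. the MS17-010 security update (checked by hotfix KB id),
#   2. the SMBv1 file-sharing protocol, which is where MS17-010's flaw lives,
#   3. a Windows Defender signature of at least 1.243.297.0, the version the
#      article cites as detecting Ransom:Win32/WannaCrypt.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration and Get-MpComputerStatus are absent on
# Windows 7 / XP). $Ms17010Kbs is a PLACEHOLDER: fill it from the MS17-010
# bulletin for your OS build; the KB number is not given in the article.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')
$MinDefenderSignature = [version]'1.243.297.0'

function Test-Ms17010Installed {
    # True when any listed MS17-010 KB id appears among the installed hotfixes.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Disabled {
    # Turning SMBv1 off removes the protocol the worm component exploits.
    $cfg = Get-SmbServerConfiguration
    return (-not $cfg.EnableSMB1Protocol)
}

function Test-DefenderSignatureCurrent {
    # Returns $false if Defender is absent or its signatures predate 1.243.297.0.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return ([version]$status.AntivirusSignatureVersion -ge $MinDefenderSignature)
    } catch { return $false }
}

function Get-WannaCryExposureReport {
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Ms17010Installed   = Test-Ms17010Installed
        Smb1Disabled       = Test-Smb1Disabled
        DefenderSigCurrent = Test-DefenderSignatureCurrent
    }
}

$report = Get-WannaCryExposureReport
$report | Format-List
if (-not ($report.Ms17010Installed -and $report.Smb1Disabled)) {
    Write-Warning 'Host still exposed to the SMB flaw WannaCry uses: install MS17-010 and disable SMBv1.'
}
```

To remediate the SMBv1 finding on a supported host, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` disables the protocol; installing MS17-010 still requires the update itself.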
At this point, people have two choices: pay up and hope their device is restored, or part ways with the contents of their computer.
General, good-sense advice: remotely back up your files on a regular basis. This way you’ll never have to give in to a ransomware request if and when your device is compromised. And, of course, always stay up-to-date with your computer’s software.
Details for enterprises and IT professionals
The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing, which in fact may be the techniques used to gain access to the network).
The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Because the files are encrypted, it is practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key, which only the attackers have access to.
The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, un-connected backup or storage facility.