Latest news and announcements
The WannaCry worm encrypts computers around the world
2017-05-15
On Friday, 12 May 2017, an unidentified party unleashed a new computer worm on the Internet. The worm spreads through a vulnerability in the SMB protocol, which Windows uses for file sharing. An exploit for this vulnerability first appeared in the cyber-weapons stolen from the NSA and published by the group using the pseudonym Shadow Brokers, who are probably linked to the Russian intelligence services. Microsoft patched the vulnerability in March 2017, but thousands of computers whose owners have not applied the patch remain exposed. It was only a matter of time before somebody released a worm using it.
When the worm infects a vulnerable machine, it drops a ransomware program that encrypts the user's data files and displays a message demanding a ransom of $300, paid in bitcoin. If it is not paid within 3 days, the ransom doubles to $600; if it is not paid within 7 days, the ransomware starts deleting the encrypted files.
There are reports of more than 140,000 infected computers in nearly 100 countries around the world. At least 37 hospitals in the UK were forced to close and cancel surgical procedures because their computers could no longer control the necessary equipment (e.g., CT scanners). The Spanish telecommunications company Telefonica was hit very hard, and the international courier service FedEx was also hit. There are reports of shut-down automobile factories (Renault in France and Nissan in the UK). ATMs in China have been infected. Of all countries, Russia is hit the hardest, with about 57% of the known infections there; we have information about infected computers of the Russian Ministry of the Interior. For now we have no data about infected computers in Bulgaria, but this is likely to change.
The worm enters a vulnerable machine through SMB port 445 (TCP) if that port is reachable from the Internet. Normally this port is used only for file sharing on a LAN and is blocked from the Internet by a firewall, but in many cases it is not. Even where it is, one PC (e.g., a laptop) infected outside the company is enough: when it is connected to the company LAN, it will infect every vulnerable machine inside.
What we need to know in order to protect our machines
If you are a user: nothing special. This worm does not spread via e-mail or links in instant messengers, so the usual advice not to open e-mail attachments and not to click on suspicious links does not help here. If your machine is infected, do not pay the ransom. The ransomware has no reliable mechanism that its authors could use to verify that you have paid, so you will probably not receive a decryption program. Simply restore the encrypted files from backups, if you have any.
If you are a system administrator: make sure that all your machines are patched and up to date. In particular, make sure that the updates described in Microsoft's security bulletin MS17-010 have been applied:
https://technet.microsoft.com/en-us/library/security/ms17-010
The worm's exploit does not work against Windows 10, but MS17-010 covers Windows 10 as well, so install it there too. Windows XP, Windows Server 2003 and Windows Vista are no longer supported by Microsoft, but given the urgency of the situation the company has released a special patch for XP and Server 2003 (and for Windows 8); Vista received the fix in March, shortly before its support ended:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Make sure that port 445 is not exposed to traffic coming from the Internet. Do everything in your power to get rid of unsupported versions of Windows (XP, Server 2003, Vista). Do not pay the ransom, because you most likely will not receive a decryption program anyway. Make regular backups of the data on your computers, and in situations like this restore from them.
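The three administrator checks above (MS17-010 installed, SMBv1 switched off, TCP 445 not reachable from untrusted networks) can be turned into a per-host report. The script below is an added example for this notice, not code from Microsoft or from the original article. It assumes an elevated PowerShell session; the KB numbers are the MS17-010 update identifiers for the common platforms as listed in the bulletin and must be verified against the bulletin for the exact OS build being checked, and the firewall rule name and the report-only/-Remediate behaviour are this example's own choices.

```powershell
# Added example (not from the original notice): report-only WannaCry exposure
# check for one Windows host. Run in an elevated PowerShell session.
# Pass -Remediate to also disable SMBv1 and add a TCP 445 block rule.
param([switch]$Remediate)

# MS17-010 updates for common platforms; verify against the bulletin for your
# exact OS build (assumption). On Windows 10 later cumulative updates supersede
# these, so "not found" there means "check the build", not "unpatched".
$ms17010 = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012598',                           # XP / Vista / 8 / Server 2003
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is one of the MS17-010 updates installed?
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Host "[OK]   MS17-010 present: $($found.HotFixID -join ', ')"
} else {
    Write-Host "[WARN] no MS17-010 KB found; confirm the build is at or past the March 2017 update level"
}

# 2. Is the SMBv1 server still enabled? Get-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later; older systems use the LanmanServer
#    SMB1 registry value (absent or non-zero = enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
}
if ($smb1) {
    Write-Host "[WARN] SMBv1 server is enabled"
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Registry change takes effect after a reboot on Windows 7 / 2008 R2.
            Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0
        }
        Write-Host "       SMBv1 disabled"
    }
} else {
    Write-Host "[OK]   SMBv1 server is disabled"
}

# 3. Block inbound TCP 445 on the Public profile. This covers the roaming
#    laptop case from the text while leaving LAN file sharing (Domain/Private
#    profiles) untouched. Rule name is this example's own (assumption).
$ruleName = 'Block inbound SMB (TCP 445) on Public networks'
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
} else {
    # Windows 7 / 2008 R2 lack the NetSecurity module; fall back to netsh.
    $rule = netsh advfirewall firewall show rule name="$ruleName" | Select-String 'Rule Name'
}
if ($rule) {
    Write-Host "[OK]   firewall rule '$ruleName' exists"
} else {
    Write-Host "[WARN] no Public-profile block rule for TCP 445"
    if ($Remediate) {
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Profile Public -Action Block | Out-Null
        } else {
            netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
                protocol=TCP localport=445 profile=public | Out-Null
        }
        Write-Host "       rule added"
    }
}
```

Run it first without -Remediate and read the report; a host that shows "[OK]" on all three lines still needs the perimeter firewall checked from the outside, because a host-level rule does nothing for a machine whose NAT or border router forwards port 445. Disabling SMBv1 breaks access from clients that only speak SMBv1 (old printers, NAS boxes, Windows XP), so inventory those before running with -Remediate.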