What is WannaCry Ransomware and how to avoid it?

The days of kidnapping people for ransom are gone. The cyber world has become so sophisticated that hackers are using software programs to lay siege to computers worldwide and disrupt the operations of numerous companies, taking hostage the very ethos of ethical business conduct and the functioning of the economy. Under pressure to free their infrastructure, companies are coerced into paying ransom money to resume their operations and avoid the huge losses staring them in the face.

Tens of thousands of computers in 150 countries worldwide, especially in Russia, Taiwan and Ukraine, have been affected by ransomware called “WannaCry”. If you have been hearing the buzz recently but don’t know what it is, or want to know how to protect yourself, then continue reading.

What is WannaCry?

WannaCry is a malicious computer program, a type of ransomware, which locks up the files on your computer. The files are encrypted so that they can no longer be accessed. The primary target has been the Windows operating system from Microsoft. Once active, the ransomware displays a pop-up window showing detailed instructions for paying $300 as a ransom amount.

The pop-up displays a countdown clock that counts down to a deadline of 3 days, after which the ransom doubles to $600. Another countdown clock ticks away to the deadline (7 days) when the victim will lose the data forever. Payment must be made in Bitcoins. A few files can be decrypted for free using a button on the pop-up window. Moreover, after you make the payment, you will have to confirm whether the payment was successful.

The most common pop-up lock screen looks like this.

[Image: WannaCry lock screen]

The pop-up window also provides links to contact the hackers and to learn about Bitcoins. The Bitcoin address is clearly mentioned, and victims have to buy Bitcoins if they don’t have enough. The pop-up message also mocks people who don’t pay by saying that a free event will be organized for such “poor” users.

The origins

Researchers at Kaspersky Lab and Symantec have said that an earlier version of WCry (the official name of WannaCry) had some code that appeared in programmes that were used by Lazarus Group. Many researchers from different companies have identified this as a hacking operation run by North Korea.

How does it spread?

The ransomware was sent to victims through emails that contained attachments, apparently containing invoices, job offers or other legitimate-looking files. The malware exploits a security loophole in the Windows XP OS. Though Microsoft shortly sent out a fix for the security flaw, this old variant of ransomware has affected nearly 0.2 million victims. The National Security Agency (NSA) in the US had tried to exploit the loophole in Windows XP, which was later leaked and fell into the wrong hands.

The infection was deployed through a worm that spreads by itself on a network of computers.

Can you be affected?

Yes, if you are using the Windows operating system. If your organization is using Windows operating systems, then you are at high risk of being affected by WannaCry.

How to avoid it?

Here are a few steps to be taken to protect yourself from the malware.

For the individual users and small businesses:

  1. Install the up-to-date antivirus solution, Microsoft Security Essentials. Microsoft has added detection and protection against the ransomware.
  2. Your antivirus software must be up to date. Try scanning your computer for any suspicious programs. Auto scans can help too.
  3. Refrain from clicking on suspicious links. Also, don’t download and open attachments or emails from unknown sources. This is a very common mistake and in spite of repeated warnings, people still make this mistake. Please note this as rule #1 while browsing or using email.
  4. Install a pop-up blocker for your web browser.
  5. If you are using Internet Explorer, then turn on SmartScreen. This helps to flag phishing and malware websites that have been reported.
  6. Keep regular backups of your important files in portable hard disks or use online storage providers like Dropbox, Google Drive, iCloud etc. This does not prevent a malware attack, but at least you’ll still have your files in the worst-case scenario.

For the larger organizations:

  1. Apply the up-to-date Microsoft security patch that has been released specifically for the particular exploit that was used by the malware.
  2. Scan all the outgoing and incoming mails and check if the attachments are infected.
  3. The important data needs to always be backed up through multiple channels.
  4. Update the anti-virus programs frequently and conduct regular scans.
  5. Run penetration tests against the network security more than once annually.
  6. Train employees to identify scams and malicious emails / links.

The ‘Kill Switch’

A prominent cyber security researcher has discovered a ‘kill switch’ built into the malicious software that helps the hackers to stop their operations. The researcher goes by the name of @MalwareTechBlog on Twitter, and he said that the domain of the kill switch had not been registered. After he registered the domain in his name for $10.69, he could shut down the attack and prevent it from spreading.

The way it works is like this. The malware checks for a particular domain to see if it is active. If it receives a response from the domain, then it kills itself and stops spreading. If the response is not received, that means the kill switch is off and it continues to spread.

This is probably the first time a kill switch has been used in malware. Security experts around the world are still debating the reason for having this kill switch.

Registering the domain to turn on the kill switch is only a temporary solution, as the group behind this malware has already changed the domain and released another version of the malware. For now, the current strain of the malware that had the earlier kill switch has been turned off and will not cause any more damage.
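
As an added example (not part of the original article), the kill-switch lookup described above also gives defenders a detection signal: a machine that queries the kill-switch domain is likely running the malware. The Python code below scans a constructed DNS log for such lookups and separates hosts whose lookup was answered from hosts whose lookup failed. The domain names, the log format and the use of a successful DNS answer as a stand-in for "a response from the domain" are assumptions.

```python
from collections import defaultdict

# Placeholder names: the article does not give the real kill-switch domains.
# Two entries model the original strain and a later version with a new domain.
KILL_SWITCH_DOMAINS = {"killswitch-v1.example", "killswitch-v2.example"}

# Constructed DNS query log, format assumed: "<time> <client-ip> <name> <rcode>"
SAMPLE_LOG = """\
2000-01-01T09:01:12Z 10.0.4.17 killswitch-v1.example. NOERROR
2000-01-01T09:01:15Z 10.0.4.22 www.example.org. NOERROR
2000-01-01T09:02:40Z 10.0.7.3 KILLSWITCH-V2.example. NXDOMAIN
2000-01-01T09:03:02Z 10.0.4.17 killswitch-v1.example. NOERROR
2000-01-01T09:03:30Z 10.0.7.3 killswitch-v2.example. SERVFAIL
malformed line without enough fields
2000-01-01T09:04:00Z 10.0.9.9 notkillswitch-v1.example. NOERROR
"""


def triage(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: status} for each client that looked up a kill-switch domain.

    "halted": every lookup was answered, so the sample should have stopped itself.
    "spreading-risk": at least one lookup failed, so the sample may still spread.
    Both kinds of host still need to be isolated and cleaned.
    """
    answered = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, qname, rcode = fields
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if name in domains:  # exact match, so look-alike names are ignored
            answered[client].append(rcode.upper() == "NOERROR")
    return {c: "halted" if all(r) else "spreading-risk" for c, r in answered.items()}


if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(client, status)
```

Hosts reported as "spreading-risk" are the ones to isolate first, because for them the kill switch is effectively off.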

What can victims do?

Being a victim of this ransomware attack is really disappointing and frustrating. However, a few steps have to be taken by the victims now.

  1. A cyber security firm called ‘Check Point’ has warned people against paying the ransom money, since the payment carries no guarantee of hackers decrypting the files for us. So whatever the consequence, DO NOT pay the ransom.
  2. Individuals must contact their local IT support services.
  3. Restore the data from backups if available. The ransomware gives an option of restoring a few files for free.
  4. Businesses must reach out to law enforcement agencies and ask for due assistance.

Cyber-attacks are getting increasingly sophisticated and hackers are always looking to derail businesses with their malicious attacks. A few simple and careful steps can help you avoid such attacks in future. Moreover, a tinge of suspicion always helps when it comes to cyber security. Carelessness on your part or on the part of anyone in your organization can lead to catastrophe. The rule of thumb is to always be careful and vigilant!
