Malicious software called ‘ransomware’ has forced British hospitals to turn away patients and affected Spanish companies such as Telefonica as part of a global outbreak that has affected tens of thousands of computers. What is WannaCry – also known as WanaCrypt0r 2.0 and WCry?
How does it work?
WannaCry is a form of “ransomware” that locks up the files on your computer by encrypting them, so that you can no longer access them.
How does it spread?
Ransomware is a program that gets into your computer, typically after you click on or download the wrong thing, and then holds something you need to ransom.
In the case of WannaCry, the program encrypts your files and demands payment in bitcoin in order to regain access.
Security experts warn there is no guarantee that access will be granted after payment. Some ransomware that encrypts files ups the stakes after a few days, demanding more money and threatening to delete files altogether.
There are different variants of what happens. Other forms of ransomware run programs that lock your computer entirely, showing only a message demanding payment before you can log in again. Others create pop-ups that are difficult or impossible to close, rendering the machine difficult or impossible to use.
Where has it spread?
British-based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with initial evidence of infections in at least two dozen nations according to experts from three security firms.
The broad-based ransomware attack has appeared in at least eight Asian nations, a dozen countries in Europe, Turkey, the United Arab Emirates and Argentina, and appears to be sweeping around the globe, researchers said.
What is so special about WannaCry?
WannaCry is not just a ransomware program, it’s also a worm. This means that once it gets into your computer it looks for other computers on the network and tries to spread itself as far and wide as possible.
Ransomware has a habit of mutating: it changes over time to find different ways of accessing computers or of getting around patches (operating system updates that often include security fixes). Many security firms are already aware of earlier forms of WannaCry, and most are examining this one right now to see how it might be stopped.
Several cyber security firms said WannaCry exploits a vulnerability in Microsoft Windows that Microsoft patched in March. People don’t always install updates and patches on their computers, so vulnerabilities can remain open a lot longer and make it easier for attackers to get in.
It exploited a vulnerability in the Windows operating system using an exploit believed to have been developed by the National Security Agency, which became public last month. The exploit was among a large number of hacking tools and other files that a group known as the Shadow Brokers released on the Internet. Shadow Brokers said that they obtained it from a secret NSA server.
The exploit is known as EternalBlue, and the backdoor it installs on the compromised system is known as DoublePulsar.
The identity of Shadow Brokers is unknown though many security experts believe the group that surfaced in 2016 is linked to the Russian government. The NSA and Microsoft did not immediately respond to requests for comment.
What are the preventive measures that can be taken?
While cybersecurity experts are scrambling to come up with a decryption tool, there are currently no known ways of recovering the affected files. The Indian Computer Emergency Response Team (CERT-In) has put up a red alert advisory asking all system administrators and users to apply the security patches released by Microsoft to fix the vulnerability. Users are also advised to back up critical data, preferably to an air-gapped system or an external hard drive that is not connected to the local network.
Users are advised to be wary of clicking links in unsolicited or unexpected emails. Be very careful and verify the source before enabling macros in Microsoft Outlook. If a link has to be followed, a safer option is to close the browser window or email program showing the message and navigate to the web site directly from a fresh browser window. Keeping antivirus software up to date and enabling a firewall are both highly recommended.
With inputs from Reuters