Ransomware is the fastest growing form of cyberattack. It’s easy for hackers to deploy, there are myriad ways to become infected, and it forces victims to pay perpetrators in Bitcoin, prepaid credit cards, and other untraceable, electronic forms of money.

Ransomware saves attackers all the hassle of stealing credit card numbers and personal info–why do the hard work when you can just encrypt files and force victims to pay you for the decryption key?

Of all the recent ransomware attacks WannaCry (also known as WannaCrypt) has been one of the most devastating. It affected several hundred thousand machines and crippled banks, law enforcement agencies, and other infrastructure.

Much of WannaCry’s threat has been resolved, but it’s only a matter of time before it–or a similar bit of malicious code–strikes again.

TechRepublic’s cheat sheet about WannaCry is a quick introduction to this new malware attack, as well as a “living” guide that will be updated periodically as WannaCry evolves and ways to defeat it change.


Executive summary

  • What is WannaCry? WannaCry is a form of ransomware that exploits a flaw in Windows’ Server Message Block (SMB) protocol. Once it infects a system WannaCry encrypts files on the affected machine and forces the machine’s owner to pay the attacker in Bitcoins for the decryption key.
  • Who does WannaCry affect? WannaCry targets Windows systems, particularly those lacking a security update from March 2017. It has affected machines around the world, with particular success in Russia, China, and India, knocking out banks, public transit systems, hospitals, and universities. WannaCry’s attack vector has been closed, but those with unpatched Windows computers are still vulnerable.
  • Why does WannaCry matter? WannaCry is only the latest in an escalating ransomware trend, and it largely affected systems that were lacking a critical Windows security update. Its large-scale success further highlights the need for better security practices.
  • When is WannaCry happening? The WannaCry outbreak started on May 12, 2017, and by the 15th it had largely been stopped due to the discovery of a killswitch and Microsoft’s emergency patching efforts. While we may be in a WannaCry lull, its methods have already been found in new strains of malware, meaning it and things like it will continue to be an issue.
  • How do I avoid becoming a WannaCry victim? Make sure that all your systems are patched and up to date, and be sure to educate users about the threats posed by ransomware. It’s also essential to train users on security best practices, as well as ensuring proper access control and BYOD policies to prevent infection spread.


What is WannaCry?

WannaCry is a form of ransomware, which is a subset of malware that encrypts files on computers and demands payment for the decryption key. What makes WannaCry particularly malicious is how it infects Windows machines: through a flaw in the SMB protocol.

SMB is designed to handle packet transmission between machines on local area networks (LANs). A flaw in some versions of Windows’ SMB implementation let an infected machine send malicious packets to every other reachable machine on the LAN, making a single compromised machine the patient zero for a massive outbreak.

The transmitted packet itself contains DoublePulsar, an NSA-built backdoor implant tool that opens the machine up to installation of the WannaCry payload.

Once WannaCry makes it to a computer it starts to encrypt files. It then makes its ransom demand while continuing to scan for other vulnerable machines on its network that it can spread itself to.
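The scanning behaviour described above has a network signature defenders can look for: one host opening SMB (TCP/445) to many distinct peers in a short window. The following is an added example written for this article, not code from the original, that applies that heuristic to constructed flow records; the window and threshold values are assumptions to tune per network.

```python
"""Flag hosts that reach out to many distinct peers on TCP/445 within a short
window: the fan-out pattern of a WannaCry-style worm scanning its LAN.
Added example written for this article; the flow records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.7 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.9 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:05 10.0.0.21 10.0.0.2 445
2017-05-12T10:00:07 10.0.0.21 10.0.0.3 445
2017-05-12T10:00:08 10.0.0.5 10.0.0.14 80
2017-05-12T10:30:00 10.0.0.5 10.0.0.13 445
"""

def parse_flows(text):
    """Parse one record per line into (timestamp, src, dst, port), oldest first."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)

def smb_fanout_hosts(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak number of distinct TCP/445 peers contacted within any
    `window`} for every source that reaches `threshold`. A workstation has no
    reason to open SMB to many different hosts in a minute; the few management
    hosts that legitimately do belong on an allowlist, not in this result."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            per_src[src].append((ts, dst))  # already in time order
    flagged = {}
    for src, events in per_src.items():
        peak = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout_hosts(parse_flows(SAMPLE_FLOWS)))  # {'10.0.0.5': 6}
```

The 10:30 record from the same host falls outside the window and does not count, and the 10.0.0.21 host only touched two peers, so only the scanner is reported.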

Infected users are told they have to pay a Bitcoin ransom, which often increases after several days. The eventual threat of permanent encryption is also leveraged, and many people break down and pay the ransom to avoid loss of important data.


Who does WannaCry affect?

WannaCry only targets Windows systems, particularly those vulnerable to EternalBlue, the SMB exploit developed by the NSA. It was able to spread despite Microsoft releasing a security update for the vulnerability in March 2017. The update patched systems still supported by Microsoft (Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Vista).

Despite the fact that Windows XP was not included in the original patch (it has since received its own fix), it actually accounted for less than 2% of the total affected machines. 98% were Windows 7 machines without the March 2017 security update.

Because WannaCry only needs one infected machine on a LAN to start spreading it was incredibly effective at taking down large business and government networks. The British National Health System was a major victim, as were the Russian Ministry of Internal Affairs, Nissan, a major German railway company, several telecom companies, and universities around the world.


Patching and the efforts of security researchers resulted in the closing of WannaCry’s attack vector, but new versions have already been found in the wild that lack the vulnerabilities that made the initial version easy to stop.

If you haven’t installed the necessary patches or eliminated unsupported machines from your network, you’re still vulnerable to the original version.


Why does WannaCry matter?

Ransomware attacks are becoming more and more common, and WannaCry matters because it has finally brought widespread public attention to the issue. Of particular interest is how the attack worked: by exploiting an issue that had already been resolved in a patch.

The tools that allowed for the development of WannaCry are believed to have been developed by the NSA and were leaked to the internet on April 14, 2017. Microsoft may or may not have been aware of the compromise of these tools when it released a security patch on March 14, 2017, which if applied would have eliminated the vulnerability that caused many of the infections.

WannaCry’s rapid spread over the course of a few days reveals a common problem: Lots of organizations are lax about security updates.


When is WannaCry happening?

WannaCry was first detected on May 12, 2017, and by May 15, 2017, it had largely stopped spreading. Awareness of the existence of security patches helped, but the real interruption came just hours into the initial outbreak when a security researcher accidentally discovered a built-in killswitch.

The WannaCry payload checks for the presence of a domain before executing its encryption process, and when the researcher, who goes by the name MalwareTech, found that the domain was available he purchased it. Almost immediately it started registering hundreds of hits per minute, and when affected machines saw that the domain was answering, WannaCry stopped its attack.

The killswitch discovery slowed the spread of WannaCry, and patching the SMB hole further minimized its spread, but it is far from dead. Variants have already emerged that lack the killswitch, but they still rely on the SMB flaw to be effective.
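Because the payload looks the domain up before encrypting, a query for it in resolver logs means the code has already run on that host. The following is an added example written for this article, not code from the original, that turns constructed DNS logs into a victim list; the domain names are labelled placeholders, not the real killswitch domains.

```python
"""List hosts whose DNS queries hit a WannaCry-style killswitch domain. The
payload looks the domain up before encrypting, so a query is evidence that
the code already ran on that host: sinkhole hits identify victims, they do
not prevent infection. Added example for this article; the domain names and
log lines are constructed placeholders, not the real killswitch domains."""

# Placeholder names (".invalid" is reserved) standing in for the real domains.
KILLSWITCH_DOMAINS = {"killswitch-a.example.invalid", "killswitch-b.example.invalid"}

# Constructed resolver log: "timestamp client qname rcode"
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:10 10.0.0.5 killswitch-a.example.invalid NOERROR
2017-05-12T11:02:11 10.0.0.5 killswitch-a.example.invalid NOERROR
2017-05-12T11:05:40 10.0.0.9 killswitch-a.example.invalid NXDOMAIN
2017-05-12T11:06:02 10.0.0.12 updates.example.com NOERROR
2017-05-12T11:07:15 10.0.0.9 killswitch-b.example.invalid NXDOMAIN
"""

def parse_dns_log(text):
    """Parse one query per line into (timestamp, client, qname, rcode)."""
    return [tuple(line.split()) for line in text.splitlines()]

def killswitch_hits(records, domains=KILLSWITCH_DOMAINS):
    """Return {client: {"first_seen": ts, "queries": n, "unanswered": m}} for
    every client that queried a killswitch domain. `unanswered` counts lookups
    that did not return NOERROR: on the original WannaCry a failed lookup means
    the killswitch did NOT fire and encryption went ahead, so a resolver or
    proxy that blocks the domain makes the outcome worse, not better."""
    hits = {}
    for ts, client, qname, rcode in records:
        if qname.lower().rstrip(".") not in domains:
            continue
        entry = hits.setdefault(client, {"first_seen": ts, "queries": 0, "unanswered": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO strings sort by time
        entry["queries"] += 1
        if rcode != "NOERROR":
            entry["unanswered"] += 1
    return hits

def triage(hits):
    """Split hits into hosts whose check succeeded (payload should have halted,
    but still clean up) and hosts where it failed (treat as actively encrypting)."""
    halted = sorted(c for c, e in hits.items() if e["unanswered"] == 0)
    active = sorted(c for c, e in hits.items() if e["unanswered"] > 0)
    return halted, active

if __name__ == "__main__":
    print(triage(killswitch_hits(parse_dns_log(SAMPLE_DNS_LOG))))
    # (['10.0.0.5'], ['10.0.0.9'])
```

Variants that drop the killswitch never query the domain at all, so an empty result from this check is not evidence that a network is clean.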

It’s likely that attacks similar to WannaCry will continue as cybercriminals adapt to greater installation of SMB flaw patches–it’s just a matter of someone else finding a hole. And there’s always a hole.


How do I avoid becoming a WannaCry victim?

Individuals and businesses wanting to avoid WannaCry and other forms of ransomware need to do several things. First, and most importantly, is to pay attention to Microsoft security bulletins and immediately install relevant patches. Also be sure to schedule regular updates for PCs and servers that you administer.

It’s also important to get rid of older versions of operating systems, specifically Windows XP. While Microsoft has taken the relatively rare step of patching XP against WannaCry attacks, it’s still not scheduled to receive future security updates.

Windows XP may have only been a small percentage of machines affected by WannaCry, but all it takes is a future exploit that goes unpatched to turn XP machines into an army of infection spreaders. If Windows XP does receive future security updates, it will likely be after the fact, as was the case with WannaCry.

Lastly, it’s essential to train users on proper security behavior. Make sure that everyone knows what suspicious email attachments, phishing attempts, and questionable websites look like.

It only takes one infected machine to spread WannaCry to every other vulnerable computer on a LAN. Users can’t be vigilant if they don’t know what to look for, and it’s better to have paranoid people flagging emails than letting ransomware onto your network.
