How to prevent global threat ransomware ‘Wanna Cry’ from making you cry

On May 12, a ransomware attack swept the globe, infecting some 230,000 computers across more than 150 countries. The cryptoworm, called “Wanna Cry,” targeted Windows systems, and the real kicker is that any tears shed because of it could easily have been prevented.

Wanna Cry used two previously known tools from the April 14 Shadow Brokers dump: the EternalBlue exploit and the DoublePulsar backdoor. Both are attributed to the National Security Agency. EternalBlue targets a flaw in Microsoft’s SMBv1 implementation (CVE-2017-0144), and Microsoft had already fixed that flaw in security bulletin MS17-010 on March 14, a month before the dump.

Despite the advance warning and the available fix, several organizations were crippled by the attack, including 16 medical centers in the UK and a Spanish airline. The three hardest-hit countries were Russia, Ukraine and India, according to Kaspersky Lab.

The worm spread by exploiting the SMBv1 remote code execution flaw over TCP port 445, scanning both the local network and random internet addresses for other unpatched hosts, so one infected machine could compromise every vulnerable system it could reach without anyone clicking anything. It encrypted files, appending the .WNCRY extension (an earlier, pre-worm sample used .WCRY), and demanded $300 in bitcoin to decrypt them. If the ransom wasn’t paid in three days the amount doubled to $600, and after a week the note threatened that the files would be deleted entirely. As of this article’s writing, over $72,000 has been paid in ransom.

Previously patched by Microsoft

It’s unconfirmed exactly how the attack started; many researchers suggested a spear-phishing attack, although once inside a network the worm needed no user interaction to spread. A clue to the attackers’ intent may be in the ransom notes, which were localized into the language of each target, revealing a degree of preparation most attacks don’t have.

The attack came on the heels of an executive order signed by President Trump the previous day, Thursday, May 11, calling for sweeping modernization of IT systems at executive branch agencies across the nation.

In response, Microsoft took the unusual step of releasing a patch for Windows XP (along with Windows Server 2003 and Windows 8), operating systems it had already cut technical support for. Overall, as worrisome as the attack was, it could have been worse, especially had it managed to hit highly critical systems such as nuclear power plants or dams.

Part of what prevented the attack from causing more damage was a built-in kill switch that may have been a bug in the ransomware’s code. It was found by 22-year-old researcher Marcus Hutchins (MalwareTech): before doing anything else, the worm tried to reach an unregistered web domain and, if the request succeeded, exited without encrypting or spreading, likely an attempt to detect analysis sandboxes. Hutchins registered the domain as routine sinkholing, which was enough to halt new infections on any machine that could reach it. The switch did nothing for machines already encrypted, did not help on networks whose proxies blocked the worm’s request, and later variants swapped in new domains, but it severely slowed the assault and gave organizations time to patch.

If your department is up to date with Microsoft’s security patches, specifically MS17-010 from March 2017, there isn’t anything you have to worry about where Wanna Cry is concerned, at least. Disabling SMBv1, which no modern Windows workload needs, and blocking TCP port 445 at the network edge also closes the door to the next exploit of the same protocol. However, organizations still running antiquated systems may be reluctant to apply the patch or update their legacy systems because of the disruption such a move may cause. But, on the other hand, not updating could hit such organizations hard later and unexpectedly.
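The check an administrator actually wants after reading the above is whether a given host has the MS17-010 fix and whether SMBv1 is still switched on. The following PowerShell script is an added example for this article, not code from the original piece or from Microsoft; it assumes an elevated session, uses the KB numbers Microsoft published for MS17-010, and treats an absent registry value on Windows 7 as "SMBv1 enabled" (the platform default).

```powershell
# Added example (not from the original article): audit a Windows host for the
# MS17-010 fix and for SMBv1, the protocol EternalBlue targets. Run in an
# elevated PowerShell session; pass -Disable to turn SMBv1 off.
param([switch]$Disable)

# KB numbers MS17-010 shipped under in March 2017 (security-only and monthly
# rollup per platform), plus KB4012598 (Vista/2008, reused for the May 2017
# out-of-band XP/2003/8 release). Windows 10 cumulative updates supersede
# these, so a missing KB on a regularly updated Windows 10 box is a prompt to
# check the installed cumulative update, not proof of exposure.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4012606',
                'KB4013198', 'KB4013429')

$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: " + ($installed.HotFixID -join ', ')
} else {
    "WARNING: none of the MS17-010 KBs found; verify the current cumulative update"
}

# SMBv1 server-side state. Get-SmbServerConfiguration exists on Windows 8 /
# Server 2012 and later; on Windows 7 / 2008 R2 the switch is a registry value
# under LanmanServer (assumption: a missing value means the default, enabled).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)
}
"SMBv1 server enabled: $smb1"

if ($smb1 -and $Disable) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
    "SMBv1 disabled (reboot required on Windows 7 / Server 2008 R2)"
}

# A host that cannot be patched yet should at least not accept SMB from the
# network while the patch is scheduled; this host-firewall rule blocks inbound
# TCP 445 (Windows 8 / Server 2012 and later):
# New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
#     -Protocol TCP -LocalPort 445 -Action Block
```

Run it once to report (`.\Check-MS17010.ps1`) and again with `-Disable` once file servers that still depend on SMBv1 clients have been identified; disabling the protocol is harmless on modern hosts but will break any legacy device that can only speak SMBv1.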