Photo: Troy Hunt

How to avoid WannaCry Ransomware attack

Bradley Wint
By - Founder/Executive Editor
May 14, 2017 10:38pm AST

By now you may have heard about the WannaCry/WannaCrypt ransomware attacks plaguing Windows users across Europe. Ransomware rarely makes front-page news, but this week’s attack hit a number of vital institutions across Europe, including hospitals, car manufacturers, airlines, telecom giants and even energy companies.

This quickly turned into a huge problem for many, but how did it spread so fast? Unlike the usual ransomware campaigns, which rely on phishing emails and fraudulent links to trick a user into running the payload, WannaCry exploited a vulnerability in several versions of Microsoft Windows and spread from machine to machine on its own.

How it works

WannaCry (also reported as WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor) spreads using two leaked NSA tools: EternalBlue, an exploit for a vulnerability in Microsoft’s implementation of version 1 of the Server Message Block (SMB) file-sharing protocol, and DoublePulsar, the backdoor that EternalBlue installs and that is then used to load the ransomware itself. SMB listens on TCP port 445 and was enabled by default, SMBv1 included, on every Windows release at the time, which is what made it such an effective channel for a mass attack.

The worm scans for hosts with port 445 reachable and an unpatched SMBv1 server, fires EternalBlue at them, and uses the resulting DoublePulsar backdoor to deliver the WannaCry payload. Notably, Microsoft fixed the underlying vulnerability in security bulletin MS17-010 on March 14th, exactly two months ago, so every machine that was infected had missed a patch that had been available for two months.

However, systems running Windows XP, Windows Server 2003 and Windows 8 (not 8.1) initially did not receive this patch, because Microsoft no longer supports them. Microsoft issued an out-of-band patch for these systems a few days ago to help curb the rapid spread of WannaCry.

While many may have an issue with Windows 10 and its forced updates, this is one time we can say it definitely paid off.

Once WannaCry has been loaded through the backdoor, it drops and runs a program called tasksche.exe, which walks every fixed disk, removable drive and mapped network drive it can reach and encrypts the files it finds. Each file gets its own AES-128 key, those keys are protected with a 2048-bit RSA key pair generated on the victim’s machine, and the private half of that pair is itself encrypted with an RSA public key the attackers embedded in the program, so only they can unlock it. At the same time, WannaCry tries to spread itself to as many other vulnerable machines and networks as it can.

Besides scanning the internet for new targets, it also spreads across the local LAN, and since it does so over SMB, a perimeter firewall offers no protection once a single machine inside is infected. What limits the spread at that point is a host firewall that blocks inbound TCP port 445 on workstations, and network segmentation that keeps SMB traffic from crossing between segments.

The first versions of WannaCry contained a “killswitch”: a hard-coded, seemingly random domain name that the program tries to connect to over HTTP before doing anything else. If the connection succeeds, the program simply exits; if it cannot reach the domain, it goes on to run its encryption routine.

Once the encryption stage is reached, the program tells the user that their data is encrypted and that they must fork over $300 within 3 days to decrypt it. Should they fail to do so, the figure doubles to $600, and if a week passes without payment the program threatens to delete the data for good.

Victims pay into one of three Bitcoin wallets hard-coded into the program to have their files released. In total, the hackers have already received about $33,000 from users hit by the ransomware.

It should be noted that paying for decryption does not remove the DoublePulsar backdoor or close the SMB hole it came through, so the same exploit could be used against the machine again in a different form. Patching and removing the backdoor are separate tasks from any payment.

The killswitch

The killswitch turned out to be an unregistered domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that appears in plain text within the code. Presumably it was left unregistered deliberately, so that the connection check would always fail and the encryption routine would always run.

My guess is the hackers assumed that even if security experts figured out that a domain name was being used as the killswitch, they would be unable to determine which one in time to prevent a mass spread.

The discovery was partly luck: MalwareTech spotted the domain while analysing a sample and registered it as a sinkhole, and because the program exits whenever the domain can be reached, that alone significantly slowed further spread, something that appears to have been the result of a bug rather than a design goal. It gave security companies and Microsoft a head start to analyse the situation and issue the relevant warnings and patches. The check does not help machines that can only reach the internet through an authenticating proxy, though: the connection fails there regardless of registration and the payload runs anyway.
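Two log hunts follow directly from the behaviour described here and in the LAN-spread paragraph above: any host that looked up the killswitch domain has executed the sample, whether or not the domain was reachable from its network, and any host opening TCP port 445 to many distinct neighbours in a short window is sweeping the way the worm does. The script below is an added example, not code from the original article; the log lines are constructed, and the comma-separated “timestamp,client,query” and “timestamp,src,dst,dport” layouts are invented for the example rather than any product’s real export format, so adapt the parsing to your own DNS server, Sysmon or firewall logs.

```powershell
# Added example (not from the original article). Hunts over constructed
# DNS-query and connection logs in an invented CSV layout.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed DNS query log: timestamp,client,query. The sample looks this
# domain up as soon as it starts, so a client listed here has run WannaCry.
$DnsLines = @'
2017-05-12T10:01:03Z,10.0.1.15,update.microsoft.com
2017-05-12T10:01:09Z,10.0.1.22,iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:10Z,10.0.1.22,www.bing.com
2017-05-12T10:02:41Z,10.0.3.8,IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:03:00Z,10.0.1.15,login.live.com
'@ -split "`r?`n" | Where-Object { $_ }

# Constructed connection log: timestamp,src,dst,dport. One ordinary
# workstation talking to a single file server, and one host sweeping
# TCP/445 across the /24 the way the worm does.
$FlowLines = @(
    1..4  | ForEach-Object { "2017-05-12T10:00:{0:D2}Z,10.0.1.15,10.0.1.5,445" -f $_ }
    1..40 | ForEach-Object { "2017-05-12T10:01:{0:D2}Z,10.0.1.22,10.0.1.{1},445" -f @($_, $_) }
)

function Find-KillSwitchLookups {
    # Returns the distinct clients that queried the killswitch domain.
    param([string[]]$Lines, [string]$Domain = $KillSwitchDomain)
    $Lines | ForEach-Object {
        $f = $_ -split ','
        # DNS names are case-insensitive and may be logged with a trailing dot
        if ($f.Count -ge 3 -and $f[2].Trim().TrimEnd('.') -ieq $Domain) { $f[1] }
    } | Sort-Object -Unique
}

function Find-Smb445Sweeps {
    # Flags sources that reached TCP/445 on at least $MinTargets distinct
    # hosts. Real clients talk to a handful of file servers; the worm walks
    # whole subnets.
    param([string[]]$Lines, [int]$MinTargets = 10)
    $Lines | ForEach-Object {
        $f = $_ -split ','
        if ($f.Count -ge 4 -and $f[3] -eq '445') {
            [pscustomobject]@{ Src = $f[1]; Dst = $f[2] }
        }
    } | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique).Count
        if ($targets -ge $MinTargets) {
            [pscustomobject]@{ Host = $_.Name; DistinctTargets = $targets }
        }
    }
}

Find-KillSwitchLookups -Lines $DnsLines |
    ForEach-Object { "Killswitch lookup from $_ : this host has run the sample" }
Find-Smb445Sweeps -Lines $FlowLines | Format-Table -AutoSize
```

A hit on the first hunt is an infection indicator, not evidence that the killswitch protected the host; isolate the machine and check for the backdoor and tasksche.exe. The second hunt’s threshold is a starting point: tune it against a baseline of how many SMB servers your workstations legitimately talk to.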

How to avoid it

The long and short of it is that whether you’re a home user or you manage servers, keep your systems up to date: make sure MS17-010 (or a later cumulative update) is installed, disable SMBv1 wherever nothing still needs it, and keep TCP port 445 from being reachable from the internet. If you’re still running Windows XP, Server 2003 or Windows 8, install the emergency patch now and start planning a move to something Microsoft supports, so you are not caught out like this again.
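Concretely, here is how those checks look on a single host. This is an added example, not code from the original article or from Microsoft, written as a PowerShell script to be run from an elevated prompt. The script name, the -Remediate switch, the firewall rule name and the way the KB numbers are grouped are this example’s own choices, and the KB list should be verified against the MS17-010 bulletin for your exact build before you rely on it.

```powershell
<#
  Added example (not from the original article or from Microsoft). Audits a
  Windows host for the two things WannaCry needs, an SMBv1 server missing
  MS17-010 and a reachable TCP/445, and remediates when -Remediate is given.
  Run from an elevated prompt; save as e.g. Check-Ms17010.ps1 (name is this
  example's own choice).
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # report only unless this switch is present
)

# KB numbers published for MS17-010 (March 2017 security-only and monthly
# rollups) plus the May 2017 out-of-band update for XP/2003/8. Verify against
# the bulletin for your build before trusting the list.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Server 2003, Windows 8, Vista, 2008
    'KB4012212', 'KB4012215',             # Windows 7, Server 2008 R2
    'KB4012213', 'KB4012216',             # Windows 8.1, Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507, 1511, 1607
)
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block inbound SMB 445'      # example's own rule name

function Test-Ms17010Installed {
    # Later cumulative updates supersede these KBs and Get-HotFix then no
    # longer lists them, so $false means "check update history", not
    # "confirmed vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1ServerEnabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # Older systems: the LanmanServer SMB1 value, where absent means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord -Force
        Write-Warning 'SMB1 registry value set; a reboot is needed for it to take effect.'
    }
}

function Block-InboundSmb {
    # Block unsolicited inbound SMB on the Public profile. A workstation that
    # serves no shares can extend this to Private and Domain; a file server
    # needs a rule scoped to its clients instead.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Public | Out-Null
        }
    } else {
        # Windows 7 / 2008 R2 have no NetSecurity module; fall back to netsh.
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
            protocol=TCP localport=445 profile=public | Out-Null
    }
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1ServerEnabled
Write-Host ("MS17-010 KB listed by Get-HotFix : {0}" -f $patched)
Write-Host ("SMBv1 server enabled             : {0}" -f $smb1On)
if ($smb1On -and -not $patched) {
    Write-Warning 'Exposed to EternalBlue: SMBv1 is on and no MS17-010 update is listed.'
}
if ($Remediate) {
    if ($smb1On) { Disable-Smb1Server }
    Block-InboundSmb
    Write-Host 'Remediation applied; now install MS17-010 (or a later cumulative update) and reboot.'
}
```

Run it without arguments to audit and with -Remediate to apply the changes. Disabling SMBv1 will break very old clients, network printers and NAS boxes that only speak SMBv1, so test on a representative machine before rolling it out, and remember that the firewall rule and the SMBv1 setting are mitigations: only the MS17-010 update actually removes the vulnerability.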

Unfortunately for many large institutions, a simple upgrade is not always an option, because third-party software needed to carry out various tasks on the job may not be compatible with newer versions of Windows, so perhaps there needs to be a more collaborative effort between Microsoft and those developers. In the meantime, machines that cannot be upgraded should at least have SMBv1 turned off and be isolated from the rest of the network.

Microsoft has addressed the WannaCry issue directly, so if you have fallen prey to this attack (even on an older system), check out their blog post for details on how to clean your system.

Here’s a video I found demonstrating the program in action.
