How to avoid WannaCry Ransomware attack

Photo: Troy Hunt

By now you may have heard about the WannaCry/WannaCrypt ransomware attacks plaguing Windows users across Europe. Ransomware is usually not a huge problem, but this week’s attack affected a number of vital institutions across Europe including hospitals, car manufacturers, airlines, telecom giants, and even energy companies.

This quickly turned into a huge problem for many, but how did it spread so quickly? Unlike common phishing techniques that redirect users to phishing sites via fraudulent links or emails, the WannaCry ransomware program took advantage of an exploit in various versions of Microsoft Windows.

How it works

WannaCry/WannaCrypt/WanaCrypt0r 2.0/Wanna Decryptor actually uses a leaked NSA hacking tool called DoublePulsar (part of the EternalBlue exploit), which exploits a vulnerability in Microsoft’s file sharing protocol Server Message Block (SMB). SMB is enabled by default on all Windows machines, making it an easy protocol for mass attacks.

The hackers search for servers running unpatched versions of SMBv1 and use the DoublePulsar injection tool to open up a backdoor to deliver the WannaCry program. Oddly enough, Microsoft issued a fix (MS17-010) for this on March 14th, exactly two months ago.

However, systems running Windows XP, Windows 2003, and Windows 8 (not 8.1) initially did not benefit from this patch as they are no longer supported by Microsoft, but a patch was issued for these systems a few days ago to help curb the fast spread of WannaCry.

While many may have an issue with Windows 10 and its forced updates, this is one time we can say it definitely paid off.

Once the WannaCry script gets through the backdoor, it runs a program called tasksche.exe and scans the system for as many connected hard drives, removable disc drives, and network drives as it can find, in an effort to encrypt as many files as possible with a 2048-bit RSA encryption key. WannaCry also attempts to automatically spread itself to as many vulnerable networks and machines as possible.

Besides targeting new networks, it also tries to spread itself across LANs, and given that it’s using SMB to do so, firewalls are pretty much useless as it already has its foot inside the door.

The first versions of WannaCry contained a “killswitch”, which was basically a randomly typed domain that the program searches for. If the domain resolves, the program would simply exit, but if it could not find the domain, it would then execute its encryption directives.

Once the program reached the encryption stage, it would let users know that their data is encrypted, and that they would have to fork over $300 within 3 days to decrypt it. Should they fail to do so, the figure would double to $600. From then on, they would have just one more week to pay up or face the risk of their data being deleted.

Users would have to pay via one of at least 3 Bitcoin wallets to have their files released. In total, the hackers have already received about $33,000 in funds from users attacked by the ransomware.

It should be noted that payment for decryption will not result in the removal of the DoublePulsar backdoor, meaning that the same exploit could be taken advantage of in a different form in the future.

The killswitch

It was discovered that the killswitch was just an unregistered domain name that was typed at random in plain text within the code. The domain was intentionally not registered so that the script would be unable to resolve it and would therefore execute the encryption routine.

My guess is the hackers assumed that even if security experts figured out that a domain name was being used as the killswitch, they would be unable to determine what it was quickly enough to prevent a mass spread.

The coincidental discovery of this domain appears to have been the result of a bug in the program, allowing MalwareTech to register it, significantly slowing further spread of the script. That gave security companies and Microsoft a good head start to analyze the situation and issue the relevant warnings and patches.
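As an added example (not code from the original post), here is a small Python detector for the two behaviours described above: an infected host looking up the killswitch domain, and a host fanning out to many SMB (port 445) peers as it tries to spread across the LAN. The log line formats, IP addresses and the killswitch domain are all constructed placeholders for this example; the real domain is not reproduced here.

```python
import re
from collections import defaultdict

# Placeholder only: the real WannaCry killswitch domain is not reproduced here.
KILLSWITCH_DOMAIN = "wannacry-killswitch.example"
SMB_PORT = 445
FANOUT_THRESHOLD = 5   # distinct SMB destinations from one host in the sample window

# Constructed log formats for this example; adapt the regexes to your own DNS/firewall logs.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns src=(?P<src>[\d.]+) qname=(?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def analyze(lines):
    """Return (hosts that looked up the killswitch, hosts fanning out over SMB)."""
    killswitch_hosts = set()
    smb_targets = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            # A lookup of the killswitch means the worm ran on this host; even if the
            # domain resolved and the payload exited, the backdoor may still be present.
            if m["qname"].rstrip(".").lower() == KILLSWITCH_DOMAIN:
                killswitch_hosts.add(m["src"])
            continue
        m = FW_RE.match(line)
        if m and int(m["dport"]) == SMB_PORT:
            smb_targets[m["src"]].add(m["dst"])
    fanout_hosts = {h for h, dsts in smb_targets.items() if len(dsts) >= FANOUT_THRESHOLD}
    return killswitch_hosts, fanout_hosts


# Constructed sample: 10.0.0.5 behaves like an infected host, 10.0.0.7 like a normal client.
SAMPLE_LOG = [
    "2017-05-12T10:00:01 dns src=10.0.0.7 qname=update.example.",
    "2017-05-12T10:00:02 fw src=10.0.0.7 dst=10.0.0.20 dport=445",
    "2017-05-12T10:00:03 dns src=10.0.0.5 qname=WANNACRY-KILLSWITCH.EXAMPLE.",
    "2017-05-12T10:00:04 fw src=10.0.0.5 dst=10.0.0.21 dport=445",
    "2017-05-12T10:00:04 fw src=10.0.0.5 dst=10.0.0.22 dport=445",
    "2017-05-12T10:00:05 fw src=10.0.0.5 dst=10.0.0.23 dport=445",
    "2017-05-12T10:00:05 fw src=10.0.0.5 dst=10.0.0.24 dport=445",
    "2017-05-12T10:00:06 fw src=10.0.0.5 dst=10.0.0.25 dport=445",
    "2017-05-12T10:00:06 fw src=10.0.0.5 dst=10.0.0.26 dport=445",
    "2017-05-12T10:00:07 fw src=10.0.0.5 dst=10.0.0.30 dport=80",
    "2017-05-12T10:00:08 unrelated line that matches neither format",
]

if __name__ == "__main__":
    ks, fan = analyze(SAMPLE_LOG)
    print("queried killswitch (infected, backdoor may remain):", sorted(ks))
    print("SMB fan-out (possible worm propagation):", sorted(fan))
```

A host that appears in the first set should be treated as compromised even though the encryption never ran, which is the point made above about the backdoor surviving.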

How to avoid it

The long and short is that whether you’re a home user or manage servers, you should always keep your systems up to date. If you’re still running older versions of Windows (XP, 2003, or 8), it’s time to consider switching to something that Microsoft supports to avoid problems like this.

Unfortunately for many large institutions, a simple upgrade may not always be the answer, as third-party software needed to carry out various tasks on the job may not be compatible with newer versions of Windows, so maybe there needs to be a more collaborative effort between MS and these developers.

Microsoft has addressed the WannaCry issue directly, so if you have fallen prey to this attack (even on older systems), check out this blog post for more details on how to clean your system.

Here’s a video I found demonstrating the program in action.
