How to avoid WannaCry Ransomware attack

Bradley Wint
May 14, 2017 10:38pm AST
Photo: Troy Hunt

By now you may have heard about the WannaCry/WannaCrypt ransomware attacks plaguing Windows users across Europe. Ransomware is usually not a huge problem, but this week’s attack affected a number of vital institutions across Europe including hospitals, car manufacturers, airlines, telecom giants, and even energy companies.

This quickly turned into a huge problem for many, but how did it spread so quickly? Unlike common phishing techniques that redirect users to phishing sites via fraudulent links or emails, the WannaCry ransomware program took advantage of an exploit in various versions of Microsoft Windows.

How it works

WannaCry/WannaCrypt/WanaCrypt0r 2.0/Wanna Decryptor actually uses a leaked NSA hacking tool called DoublePulsar (part of the EternalBlue exploit), which exploits a vulnerability in Microsoft’s file sharing protocol Server Message Block (SMB). SMB is enabled by default on all Windows machines, making it an easy protocol for mass attacks.

The hackers search for servers running unpatched versions of SMBv1 and use the DoublePulsar injection tool to open up a backdoor to deliver the WannaCry program. Oddly enough, Microsoft issued a fix (MS17-010) for this on March 14th, exactly two months ago.

However, systems running Windows XP, Windows 2003, and Windows 8 (not 8.1) initially did not benefit from this patch as they are no longer supported by Microsoft, but a patch was issued for these systems a few days ago to help curb the fast spread of WannaCry.

While many may have an issue with Windows 10 and its forced updates, this is one time we can say it definitely paid off.


Once the WannaCry script gets through the backdoor, it runs a program called tasksche.exe and scans the system for as many connected hard drives, removable disc drives, and network drives as it can find, in an effort to encrypt as many files as possible with a 2048-bit RSA encryption key. WannaCry also attempts to automatically spread itself to as many vulnerable networks and machines as possible.

Besides targeting new networks, it also tries to spread itself across LANs, and given that it’s using SMB to do so, firewalls are pretty much useless as it already has its foot inside the door.

The first versions of WannaCry contained a “killswitch”, which was basically a randomly typed domain that the program searches for. If the domain resolves, the program would simply exit, but if it could not find the domain, it would then execute its encryption directives.

Once the program reached the encryption stage, it would let users know that their data is encrypted, and that they would have to fork over $300 within 3 days to decrypt it. Should they fail to do so, the figure would double to $600. From then, they would have just one more week to pay up or face the risk of their data being deleted.

Users would have to pay via one of at least 3 Bitcoin wallets to have their files released. In total, the hackers have already received about $33,000 in funds from users attacked by the ransomware.

It should be noted that payment for decryption will not result in the removal of the DoublePulsar backdoor, meaning that the same exploit could be taken advantage of in a different form in the future.

The killswitch

It was discovered that the killswitch was just an unregistered domain name that was randomly typed in plain text within the code. The domain was intentionally not registered so that the script would be unable to resolve it and would therefore execute the encryption routine.

My guess is the hackers assumed that even if security experts figured out that a domain name was being used as the killswitch, they would be unable to determine what it was quickly enough to prevent a mass spread.

The coincidental discovery of this domain appears to have been the result of a bug in the program, allowing MalwareTech to register it, significantly slowing further spread of the script. That gave security companies and Microsoft a good head start to analyze the situation and issue the relevant warnings and patches.

How to avoid it

The long and short is that whether you’re a home user or manage servers, you should always keep your systems up to date. If you’re still running older versions of Windows (XP, 2003, or 8), it’s time to consider switching to something that Microsoft supports to avoid problems like this.

Unfortunately for many large institutions, a simple upgrade may not always be the answer, as 3rd party software needed to carry out various tasks on the job may not be compatible with newer versions of Windows, so maybe there needs to be a more collaborative effort between MS and these developers.
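As an added example (not from the original post or from Microsoft), here is a PowerShell check an administrator could run on a Windows host for the two preconditions described above: the MS17-010 fix missing and SMBv1 still enabled. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later for the SMB cmdlets; the KB numbers are the ones I associate with the MS17-010 bulletin and its out-of-band release for older systems, and should be verified against Microsoft's bulletin for your OS build.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated.
# KB numbers below are an assumption from the MS17-010 bulletin; verify for your build.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012606','KB4013198','KB4013429',
                'KB4012598')   # KB4012598: out-of-band fix for XP/2003/8

# 1. Is an MS17-010 update installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present:" ($installed.HotFixID -join ', ')
} else {
    # On Windows 10 the fix ships inside a cumulative update whose KB may not be
    # listed above, so also compare the OS build against the bulletin.
    Write-Warning "No MS17-010 KB found in the hotfix list; check the OS build."
}

# 2. Is the SMBv1 server still enabled? (Get-SmbServerConfiguration needs Win8/2012+;
#    on Windows 7 read HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, value SMB1.)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED. Disable it unless a legacy device needs it:"
    Write-Host '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Host "SMBv1 server is disabled."
}

# 3. The worm spreads over SMB once inside a LAN, so the host firewall matters too.
#    Check for an explicit inbound block on TCP 445 for the Public profile.
$rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB 445' -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Host "No explicit TCP 445 block rule found. To add one for the Public profile:"
    Write-Host "  New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block"
}
```

The script only reports and prints the remediation commands; it does not change configuration itself.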

Microsoft has addressed the WannaCry issue directly, so if you have fallen prey to this attack (even on older systems), check out this blog post for more details on how to clean your system.

Here’s a video I found demonstrating the program in action.
