LuxSci

The Wanacrypt0r 2.0 Ransomware May Have Stopped Spreading, But Are You Protected Against Future Attacks?

Published: May 14th, 2017


by Josh Lake

The vicious ransomware, Wanacrypt0r 2.0, may have been halted by the quick actions of a security researcher, but it won’t be long before a similar beast comes back with a vengeance. On Friday, the virus tore across the world, affecting more than 75,000 machines in over 74 countries.

It affected a range of businesses and organizations, including Fedex, Vodafone Espana, Santander, Portugal Telecom, Telefonica, and the UK’s healthcare system, the NHS. Once Wanacrypt0r 2.0 penetrated a system, it locked down files and demanded a ransom payment to have them decrypted.

Cryptomalware

The massive attack has seriously affected operations at a range of companies and has also forced some UK hospitals to divert emergency patients to locations that were unaffected. Although the spread of the attack has been stopped, it does not alleviate the problems for organizations that have already been infected.

Microsoft had already released patches for supported versions of their software that closed up the vulnerabilities. Despite this, the scale of the attack shows that many organizations either had not run the patch, or were using unsupported versions of Windows.

Due to the immense scale of the attack, Microsoft made the rare move to release patches that address the vulnerability in unsupported versions such as Windows XP, Windows 8 and Windows Server 2003. Organizations need to run these patches if they want to be protected from future forms of the virus, which could turn out to be even more damaging.

How Does Wanacrypt0r 2.0 Work?

Wanacrypt0r 2.0 (also known as WannaCrypt, Wcry, and a range of other similar names) is a type of ransomware that infiltrates networks, uses a self-replicating payload and then spreads through an SMBv1 exploit known as EternalBlue. This exploit has enabled Wanacrypt0r 2.0 to spread quickly, because it does not require user interaction. It scans IP addresses to find other vulnerable systems which it can infect.
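The scanning behaviour described above is something a defender can look for on the network: one source host opening SMB connections to many distinct destinations in a short window is the signature of a self-propagating worm, not of a user opening file shares. The following PowerShell is an added example written for this page, not code from the article or from MalwareTech; it runs over a constructed, firewall-style log (the "timestamp action protocol source destination port" field layout is an assumption) and flags sources that exceed a distinct-destination threshold on port 445 within a sliding window.

```powershell
# Added example (not from the LuxSci article): flag hosts that behave like a worm sweeping
# the network for SMB, i.e. one source connecting to many distinct destinations on 445 quickly.
# The log format "timestamp action proto src dst dport" is an assumption; adapt the field
# indices to whatever your firewall or NetFlow export actually produces.

# Constructed sample log (not real traffic). Two hosts: one normal, one worm-like.
$sampleLog = @()
$base = Get-Date '2017-05-12T10:00:00Z'
# A normal workstation: talks to two file servers, a few connections each.
foreach ($i in 1..6) {
    $sampleLog += "{0:o} ALLOW TCP 10.0.1.23 10.0.1.{1} 445" -f $base.AddSeconds($i * 30), (40 + ($i % 2))
}
# A worm-like host: a new, sequential destination every second on 445.
foreach ($i in 1..30) {
    $sampleLog += "{0:o} ALLOW TCP 10.0.1.77 10.0.2.{1} 445" -f $base.AddSeconds($i), $i
}

function Find-SmbSweeps {
    param(
        [string[]]$Lines,
        [int]$DistinctTargets = 20,   # distinct destinations on 445 that count as a sweep
        [int]$WindowMinutes = 5       # sliding window length
    )
    # Parse only SMB (445) events; ignore everything else.
    $events = foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -ge 6 -and $f[5] -eq '445') {
            [pscustomobject]@{ Time = [datetime]::Parse($f[0]); Src = $f[3]; Dst = $f[4] }
        }
    }
    $events | Group-Object Src | ForEach-Object {
        $src    = $_.Name
        $sorted = $_.Group | Sort-Object Time
        # Slide the window from each event and count distinct destinations inside it.
        for ($s = 0; $s -lt $sorted.Count; $s++) {
            $start = $sorted[$s].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $targets = $sorted |
                Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                Select-Object -ExpandProperty Dst -Unique
            if (@($targets).Count -ge $DistinctTargets) {
                # Report the first window that crosses the threshold, then move to the next source.
                [pscustomobject]@{ Source = $src; WindowStart = $start; DistinctTargets = @($targets).Count }
                break
            }
        }
    }
}

# On the constructed sample only 10.0.1.77 is reported; 10.0.1.23 stays under the threshold.
Find-SmbSweeps -Lines $sampleLog | Format-Table -AutoSize
```

The threshold and window are the tuning knobs: on a real network, lower them until legitimate file-server and backup traffic stops matching, then alert on anything above. Sequential destination addresses, as in the sample, are an additional hint worth surfacing alongside the count.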

Once Wanacrypt0r 2.0 has breached a system, it locks down the files and demands about $300 worth of Bitcoin in exchange for a key to decrypt them. It is not yet known whether making the payment will actually unlock the files, and investigations into the identity of the perpetrators are ongoing.

Researchers aren’t yet 100% certain of how the attack infiltrates systems, although spearphishing attacks and network vulnerabilities are likely scenarios. Wanacrypt0r 2.0’s means of spreading is highly controversial, because EternalBlue is an exploit that was developed by the NSA and leaked in April by a hacking group known as The Shadow Brokers. This is the largest attack we have seen that uses the NSA tools exposed in the leak.

What Systems Are Affected?

The EternalBlue exploit only affects older versions of Windows, and Microsoft had already released a patch that addressed the vulnerability in supported systems. Because of this, only systems that had yet to run these security updates, or that were using unsupported versions such as Windows XP, Windows 8 and Server 2003, have been affected.

The rapid spread of this attack shows just how many enterprises are running outdated and vulnerable systems. Scans have revealed that 1.3 million Windows systems are yet to be patched. Those that are proactive with their security updates have not seen this ransomware spread through the EternalBlue exploit.

How Was the Spread of WanaCrypt0r 2.0 Stopped?

Fortunately, it didn’t take long for a UK-based researcher to figure out a way to stop the rapid spread of the ransomware. The researcher posted a series of tweets under the name MalwareTech, explaining that he registered an obscure domain name contained in the code. This unexpectedly halted the virus, because it activated a hardcoded killswitch. While this killswitch may have stemmed the spread of the virus, it does not help the systems that have already been infected.

Can WanaCrypt 2.0 Rise Again?

While this version of the attack could be stopped quite quickly and easily, it is trivial for other hackers to rework the code without a killswitch that can halt the attack. If organizations do not run the Microsoft patches, they could easily be struck once again.

What Should You Do If Your Systems Have Been Infected By WanaCrypt0r 2.0?

If your systems fell victim to this attack, you may find that you have been locked out of some of your essential files. To get them back, you can make the $300 Bitcoin payment to the attackers, but there is no guarantee that this will result in the return of your files. In past ransomware attacks, victims have sometimes made the payment and never received the decryption key or heard from the attackers again.

There is also the ethical question of whether it is right to give money to criminals, because it only further encourages these types of attacks. Despite this, it is understandable that many companies are willing to pay significant sums of money for the return of valuable data.

It is also possible that methods to restore the data without making payments will emerge. This has been seen before in less sophisticated attacks, but it is unlikely in more professional attacks such as Wanacrypt0r 2.0. Victims are free to wait it out and see whether any workarounds emerge, however the ransom message says that the payment will double after three days and the data will be permanently deleted after seven.

How to Stay Safe from Future Attacks that Use This Exploit

These attacks serve as yet another reminder of how important it is to run up-to-date software. The exploit that enabled the rapid spread of this ransomware only affects older versions of Windows, so those that operate Windows 10 are safe. Microsoft had already released patches for their supported versions around the time of The Shadow Brokers leak, so those that had already run the updates were also immune. If you use one of these versions and have not yet run the patch, you can download it here. This will prevent hackers from using the EternalBlue exploit to penetrate your systems.

If you are running unsupported versions of Windows, it is recommended that you upgrade as soon as possible. Despite the huge levels of risk that come with unsupported versions, there are still many enterprises that are yet to upgrade due to the associated costs and complexities.

Fortunately, Microsoft has released patches for Windows XP, Windows 8 and Windows Server 2003 which can prevent the EternalBlue exploit from working. While this may be able to prevent attacks such as Wanacrypt0r 2.0, these systems are still vulnerable to a range of other attacks.

If you cannot patch your systems, you need to make sure that outside access to ports 138, 139 and 445 is blocked. The SMBv1 protocol also needs to be disabled to prevent infection from viruses that work similarly to Wanacrypt0r 2.0.
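The two mitigations above, blocking the SMB ports from outside and disabling SMBv1, can both be applied from an elevated PowerShell session. The script below is an added example written for this page, not the article's own or Microsoft's code; it assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare and NetSecurity modules), falls back to the registry and sc.exe method Microsoft documents for older hosts, and uses a clearly labelled placeholder where the patch identifier, which the article does not name, would go.

```powershell
# Added example (not from the LuxSci article): harden a Windows host that cannot be patched,
# following the article's advice: block outside access to ports 138, 139 and 445 and disable SMBv1.
# Assumptions: elevated PowerShell; Windows 8.1 / Server 2012 R2 or later for the cmdlet path.
#Requires -RunAsAdministrator

function Block-SmbFromOutside {
    # Host-firewall inbound block rules for the ports the article names.
    # Scoped to the Public profile so domain file sharing on the internal LAN keeps working;
    # remove -Profile if this host should refuse SMB from everywhere.
    $ports = @(
        @{ Protocol = 'UDP'; Port = 138 },  # NetBIOS datagram service
        @{ Protocol = 'TCP'; Port = 139 },  # NetBIOS session service (SMB over NetBIOS)
        @{ Protocol = 'TCP'; Port = 445 }   # SMB directly over TCP, the EternalBlue path
    )
    foreach ($p in $ports) {
        $name = "Block inbound SMB $($p.Protocol)/$($p.Port)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound `
                -Protocol $p.Protocol -LocalPort $p.Port -Action Block -Profile Public | Out-Null
        }
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server side: stop serving SMBv1 (the dialect the exploit targets).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the SMBv1 component entirely; takes effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    } else {
        # Fallback for older builds (e.g. Windows 7 / Server 2008 R2): registry switch for the
        # server, then re-point the workstation service away from the SMBv1 client driver.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

function Test-SmbHardening {
    # Summarise what still needs attention. Smb1ServerEnabled should read False,
    # BlockRulesPresent 3, and SmbPatchInstalled True once the real patch is applied.
    $smb1  = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    $rules = Get-NetFirewallRule -DisplayName 'Block inbound SMB *' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $smb1
        BlockRulesPresent = @($rules).Count
        # KB-PLACEHOLDER: substitute the identifier of Microsoft's SMBv1 fix for this OS version.
        SmbPatchInstalled = [bool](Get-HotFix -Id 'KB-PLACEHOLDER' -ErrorAction SilentlyContinue)
    }
}

Block-SmbFromOutside
Disable-Smb1
Test-SmbHardening | Format-List
```

The host-firewall rules complement, rather than replace, the perimeter block the article calls for: the article's point is that these ports must not be reachable from outside at all, and the host rules are a second line of defence for a machine that ends up on an untrusted network. Disabling SMBv1 will break clients and devices that only speak that dialect, so run Test-SmbHardening first and inventory what still depends on it before rolling the change out widely.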

To protect your files against ransomware, it is recommended that you keep backups in offline storage. This ensures that you have another copy in case you are locked out, meaning that you will not have to pay the ransom to recover your files.

Another step you can take to boost your security is to make sure that your staff are adequately trained to recognize social engineering. This is because attacks such as these are frequently delivered via phishing. If your staff know how to recognize and avoid phishing attacks, it reduces the chances of your systems becoming infected.

The Wanacrypt0r 2.0 attack has been exceptionally widespread and damaging, but it is also easily preventable. To reduce the chance of succumbing to such a devastating attack, you need to be proactive with your security rather than reactive. While security measures can seem expensive to implement, they can be much cheaper than dealing with the fallout of a massive attack.
