(UPDATE: the new decryption tool should work on any Windows version from XP to 7, provided you don't restart your PC.)
WannaCry - also called Wana Cryptor 2.0 - has impacted over 100 countries. This ransomware is not the first of its kind, but its modus operandi differs from its predecessors: it uses tools from the NSA leaks to exploit vulnerabilities in the Windows operating system.
These vulnerabilities were patched in March 2017, but many organizations did not apply the security updates. As a consequence, important government agencies and companies such as the British NHS and Telefonica were infected.
The ransomware is available in 28 languages. It encrypts your files, changes their extension to ".WNCRY", and adds a "WANACRY!" string at the beginning of file names.
Ransom notes are dropped in the form of a text file, and the cryptovirus demands $300 worth of bitcoins.
Most countries have laws that make it a crime to pay a ransom.
The Vectors of Infection
WannaCry uses an exploit from the Equation Group, a group strongly suspected of being tied to the NSA. ShadowBrokers, a hacker group, had stolen the Equation Group's exploits and other hacking tools and released them publicly.
The exploit, known as ETERNALBLUE, targets a vulnerability in Windows SMB (Server Message Block).
The Targets of the Infection
WannaCry did not specifically target the NHS, other hospitals or government agencies. It indiscriminately hit any device that didn't have the patch installed.
WannaCry spread so fast because every Windows computer or server on a network that still had the MS17-010 vulnerability could be infected without any user interaction.
Indeed, thanks to its worm-like features, an infected PC scans its local network and randomly chooses IP addresses to spread to.
If you or your organization still used Windows XP, you were virtually defenseless, as Microsoft had not released any patch for it before the attack. Windows XP is an End-Of-Life operating system, and it should not be used in production.
The Kill Switch that Slowed Down the Infection
MalwareTech, a young security researcher, analyzed the DNS queries made by WannaCry, and he discovered that the malware made a request to a specific domain: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
If the domain was live, and a response was received, the malware would exit and stop spreading.
MalwareTech registered this domain and thus stopped the spread of a variant of WannaCry. However, this only stopped the worm features, which in this malware's architecture are independent from the file-encryption mechanism. Basically, you can still be infected if you encounter WannaCry on an already infected medium (a USB flash drive, or an infected email).
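Because the kill-switch check is a plain DNS lookup, resolver logs are a cheap place to spot hosts that are already executing the malware: a query for that domain means the worm code ran on the client, whether or not the lookup succeeded. The following script is an added example, not code from the article or from MalwareTech; the log line format ("timestamp client-ip record-type name") and the sample lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Kill-switch domain named in the article (written with brackets there to defang it).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample of DNS resolver log lines; the four-field layout is an assumption:
# "<timestamp> <client ip> <record type> <queried name>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:04Z 10.0.0.15 A update.example.net
2017-05-12T10:01:09Z 10.0.0.42 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:02:11Z 10.0.0.15 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:03:00Z 10.0.0.77 A mail.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing dot; canonicalize before comparing."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, rtype, qname = m.groups()
    return {"ts": ts, "client": client, "rtype": rtype, "qname": normalize_name(qname)}


def find_kill_switch_queries(log_text):
    """Map each client that queried the kill-switch domain to its hit count and first sighting."""
    hits = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != KILL_SWITCH_DOMAIN:
            continue
        hits[rec["client"]] += 1
        first_seen.setdefault(rec["client"], rec["ts"])
    return {c: {"count": n, "first_seen": first_seen[c]} for c, n in hits.items()}


if __name__ == "__main__":
    for client, info in sorted(find_kill_switch_queries(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {info['count']} kill-switch lookup(s), first at {info['first_seen']}")
```

Each flagged client should be treated as a host on which the malware executed, and isolated; the kill-switch only prevents that host from scanning further, it does not undo or prevent encryption.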
WannaCrypt - Bad code doesn’t pay (much)
— CommitStrip (@CommitStrip) 17 May 2017
A Decryption Tool
Fortunately, a potential WannaCry decryption tool has been published for Windows XP.
WannaKey may allow you to recover the prime numbers of the RSA private key used by WannaCry.
It searches for them in the memory of the wcry.exe process. This is why you must NOT have restarted your infected computer for this to work.
A new decryption tool, WannaKiwi was created by French security researchers. It is based upon WannaKey, but it makes the process of prime number search compatible with any Windows version between XP and Windows 7, not just Windows XP.
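The recovery idea behind both tools is simple once stated: the RSA public modulus n is known, so any window of process memory that, read as an integer, divides n exactly is one of the two secret primes, and the private exponent follows from p, q and e. The script below is an added illustration of that search, not the code of WannaKey or WannaKiwi; it assumes little-endian storage of the prime, uses deliberately small 256-bit primes so it runs in a moment, and builds its own fake "process memory" around the prime.

```python
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic); enough for demo-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit forced on, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def modinv(a, m):
    """Modular inverse via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def scan_memory_for_factor(memory, modulus, prime_bytes):
    """Slide a window over `memory`; return (offset, p) for the first window that divides the modulus.

    Windows are decoded little-endian (an assumption about the key layout) and must have the
    top bit set, since a full-size RSA prime always does; that filter skips most random data cheaply.
    """
    for off in range(len(memory) - prime_bytes + 1):
        cand = int.from_bytes(memory[off:off + prime_bytes], "little")
        if cand.bit_length() != prime_bytes * 8:
            continue
        if modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1); with p, q and e known the private key is fully recovered."""
    return modinv(e, (p - 1) * (q - 1))


def build_demo(bits=256, seed=1234):
    """Construct a small RSA key and a fake memory image with p buried among random bytes."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    prime_bytes = bits // 8
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    before = filler(1500)
    memory = before + p.to_bytes(prime_bytes, "little") + filler(1500)
    return {"p": p, "q": q, "n": p * q, "e": e, "prime_bytes": prime_bytes,
            "memory": memory, "offset": len(before)}


if __name__ == "__main__":
    demo = build_demo()
    off, p = scan_memory_for_factor(demo["memory"], demo["n"], demo["prime_bytes"])
    q = demo["n"] // p
    d = rebuild_private_exponent(p, q, demo["e"])
    print(f"prime found at offset {off}; private exponent has {d.bit_length()} bits")
```

On a real machine the scan would walk the live memory of wcry.exe with 128-byte windows (a 2048-bit modulus has 1024-bit primes), which is exactly why the process must not have been killed by a reboot.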
What Can Be Done
It all boils down to this:
- Always keep your software up-to-date
- Back up your data
This cryptovirus outbreak reiterates the importance of having backups, and not just RAID (disk replication). RAID is not a backup: cryptomalware encrypts your files on every connected device, and if it is on one of your disks, the encrypted files are replicated throughout your array.
This is why it's important to have multiple copies of your data: the 3-2-1 backup principle.
This means 3 total copies of your data, 2 of which are local but on different devices, and at least 1 copy offsite (cloud or someone else's computer). You can achieve this by having your data on your main computer, a local backup on an external hard drive, and an offsite backup with a cloud backup provider (CrashPlan, SpiderOak, Backblaze), or on a friend's computer (you can do it with CrashPlan too, and it's free).
Have you been infected? What is your backup plan? Tell us in the comments!