A ransomware called WannaCry (also called called WCrypt or WanaCrypt0r) began infecting computers last week. It has been reported that the number of affected computers, is well past hundreds of thousands in over a 100 countries. Affected parties include police, hospitals, companies, and more.
What is a ransomware and how does it impact your computer?
A ransomware is a dangerous malware, which impacts computers in a very different way than viruses generally do. Fact: Many people think virus and malware are different. A virus is actually a class of malware.
This specific ransomware targets files stored on your computer such as Text Document, Pictures, etc. The list of files targeted by WannaCry is actually very long, to a total of 176 file types, as follows.
source: Symantec, Technet
A ransomware encrypts these files, i.e., you cannot open them without the decryption key (like a password). To unlock the files, you will need to transfer some amount (in this case around $300) to the ransomware creator. It is done using bitcoin (an anonymous money transferring service). Then the bad guys will send you the decryption key via email.
Now, this is not a big deal for regular users. But if you are a company which has critical information which cannot be recovered (or has no backup), then you are doomed, and left with no choice but to cough up the money. The files which are held for ransom are the hostage, hence the term ransomware.
Usually, there is a time-limit before which you have to send the money, otherwise the ransomware will delete the files which it encrypted. Check the first screenshot for reference.
Why is ransomware the most dangerous kind of malware?
Each ransomware has a unique encryption method (an algorithm), which it uses to encrypt the files. So it is impossible for your antivirus to decrypt it, and the same goes for most anti-ransomware software. You need a very specific decryption tool which will be released by security researchers, when they crack the algorithm.
But the danger does not stop here. Normally, when an antivirus detects a ransomware, it will delete the ransomware script files, and this potentially destroys the data along with it. But in this case, the WannaCry ransomware does offer you to re-download it, and tells you to disable your antivirus, for the decryptor to be executed, so people can pay the ransom. WE DO NOT RECOMMEND THIS.
How does WannaCry impact systems?
WannaCRy does not use the regular methods such as requiring the user to clicking a link or or downloading a file to infect computers, though such ways are still possible. It can infect your PC without you doing anything. How is that possible? Well, there is a vulnerability in Windows (from XP to 10), which is called EternalBlue. This exploit was actually created by the US security agency, NSA to spy on users. No wonder it is infamous.
This exploit has been patched in Windows 10 and some others, earlier this year, in the MS17-010 security patch. If this update is already on your computer, WannaCry cannot infect your PC (unless you clicked a malicious link in your email). WannaCry is also a worm or trojan, because once it affects a PC, it will spread from that system to others which are vulnerable to EternalBlue.
source: Kaspersky
WannaCry was stopped briefly, but could still impact computers worldwide.
A 22 year old British security expert called MalwareTech discovered that the ransomware's code, checked whether a particular website existed, before it executed the script to infect the computer. This website with the absurd long URL did not exist, and caused the malware to run. Malwaretech bought the domain and found that the ransomware failed to run when the check for the site which now existed, was true. This appears to be a fail-safe or a kill-switch, but it is unclear why the gibberish URL was put in the code.
How to remove the WannaCry ransomware?
No method exists a the moment, i.e., there is no way to decrypt files that have been encrypted by WannaCry. Your only line of defense is your antivirus and OS updates.
How to prevent the WannaCry ransomware from infecting your computer?
If you have an antivirus solution installed, it is likely that it has already been updated to counter the threat before it impacts your PC. KAspersky, Symantec (Norton), Avast, etc have reported that they have updated their products to keep their users safe from the WannaCry ransomware.
The first thing you need to do, is to check if your computer has the MS17-010 update installed. This security patch was issued by Microsoft, and is available for Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10. It is good to see Microsoft take moral responsibility, to actually update operating systems which are well past their EOL support date.
Tips to prevent data loss from ransomware attacks:
1. Take regular backups of your important files and store them on a cloud drive, or on an external storage device which is not always connected to the computer.
2. Always keep your antivirus, web browser and operating system up to date.
3. Use a secondary malware scanner and removal tool like Malwarebytes Anti-Malware, and run a scan every week or so.
4. If you are really concerned about security use one of the following methods to add an extra layer of protection.
a. A sandboxing software like Sandboxie, Shade Sandbox for isolating your browser from the rest of the OS.
b. A Virtual environment such as VMware Player.
c. A time machine application like Rollback RX.