WanaCrypt0r aka “WannaCry”: What you need to know and the actions to take

by GOsafeonline | 14 May 2017

Background 
On 12th May 2017, there was a widespread global infection by a ransomware known as "WannaCry", aka WanaCrypt0r. This ransomware has the capability to spread over the network by scanning for vulnerable systems and infecting them. It then encrypts files on the system and extorts a ransom payment in bitcoin for the decryption of the files.

Since the initial news of the infections, Singapore has seen a number of victims struck by the ransomware.


Why is “WannaCry” dangerous?
What makes "WannaCry" dangerous is that the attackers are leveraging a Windows exploit called EternalBlue, developed by the NSA and reportedly leaked and dumped by the Shadow Brokers hacking group over a month ago. Since then, the ransomware has spread rapidly across the world, affecting thousands of systems in over 100 countries.

The exploit can penetrate machines running unpatched versions of Windows through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server.

Once a single computer in your organisation is hit by the "WannaCry" ransomware, the worm looks for other vulnerable computers within your network and infects them as well.
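On the network, the scanning described above appears as one host opening connections to many different machines on the SMB port (TCP 445) within a short time. The following is an added example, not part of the original advisory, that flags such hosts in connection records; the log format, the 60-second window and the threshold of 10 peers are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # TCP port of the Windows SMB service

def parse_line(line):
    """Parse 'ISO-time src dst dport' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_smb_scanners(lines, max_peers=10, window=timedelta(seconds=60)):
    """Map each source to its peak count of distinct SMB destinations seen
    inside one sliding window, keeping only sources above max_peers."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still in the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(filter(None, map(parse_line, lines))):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n > max_peers}

def sample_log():
    """Constructed connection records, not real traffic."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    def rec(offset, src, dst, port):
        return f"{(t0 + offset).isoformat()} {src} {dst} {port}"
    lines = ["malformed entry"]
    for i in range(40):
        s = timedelta(seconds=i)
        lines.append(rec(s, "10.0.0.23", f"10.0.0.{100 + i}", 445))  # SMB fan-out
        lines.append(rec(s, "10.0.0.5", "10.0.0.2", 445))  # one file server
        lines.append(rec(s, "10.0.0.7", f"10.0.1.{i}", 443))  # many peers, HTTPS
    for i in range(12):  # backup host: 12 SMB servers spread over two hours
        lines.append(rec(timedelta(minutes=10 * i), "10.0.0.9", f"10.0.0.{50 + i}", 445))
    return lines

if __name__ == "__main__":
    for src, n in find_smb_scanners(sample_log()).items():
        print(f"{src}: {n} distinct SMB peers within 60 s - isolate and investigate")
```

A host flagged this way is a candidate for the network disconnection step described under "What if I’m infected?".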


Recommendations
Prevention is always better than seeking a cure. For the “WannaCry” ransomware, this principle is strongly recommended.

For this ransomware, Microsoft released a patch for the vulnerability in March (MS17-010). Apply it now if you have not done so.

As with all other ransomware infections, you should always be suspicious of uninvited documents sent through email. Do not click on links inside these documents unless you have verified the source.

Always make backups of your important files and documents. This will save you when you need to restore them.

Do ensure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.


What if I’m infected?
What if it is too late and my system is infected with “WannaCry”? What should I do?

Firstly, don’t panic. There is no known way to recover files encrypted by “WannaCry”, but you should follow these steps:

Remove the network connection from your computer. This can be done by removing your network cable or shutting down the wireless function on your computer. By doing so, you prevent the spread of this ransomware.

Start rebuilding your affected computer, be it a laptop or a workstation.

After you have rebuilt the infected workstation, patch it with the recommended patch and restore your system from the backup you have made.

If you need further assistance, you can contact SingCERT for advice. 


References
Massive ransomware attack hits 99 countries: http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
SingCERT Advisory on Ransomware dated 6 May 2016: https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware
Microsoft Security Bulletin (MS17-010-Critical) dated 14 March 2017: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
WannaCry Ransomware That's Hitting World Right Now Uses NSA Windows Exploit dated 12 May 2017: http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html