[SingCERT] WanaCrypt0r aka WannaCry: What You Need to Know and Actions to Take

Published on Sunday, 14 May 2017 18:19

Background
On 12th May 2017, there was a global wide-spread infection of a ransomware known as "WannaCry" aka. WanaCrypt0r. This ransomware has the capability to spread over the network by scanning for vulnerable systems, and infecting them. It then encrypts files on the system, and extorts a ransom payment in bitcoin for the decryption of files

Since the initial news of the infections, Singapore has seen a number of victims struck by the ransomware.

Why “WannaCry” Is Dangerous
What makes WannaCry dangerous is that the attackers are leveraging a Windows exploit code-named EternalBlue, which was reportedly leaked and dumped by the Shadow Brokers hacking group over a month ago. The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB (Server Message Block) Server.

The WannaCry ransomware has since spread rapidly across the world, affecting thousands of systems in over 100 countries. Once a single computer in an organisation is infected with the WannaCry ransomware, the worm looks for other vulnerable computers within the network and infects them as well.

Recommendations
Prevention is always better than cure. For the WannaCry ransomware, this principle is strongly recommended.

Microsoft has released a patch for the SMB vulnerability (MS17-010) in March 2017. You should install this patch immediately if you have not done so.

Like all other ransomware infection, you should always be suspicious of unsolicited documents sent through email. Do not click on links inside these documents unless you have verified the source.

Always make backups of your important files and documents. This will save you when you have to restore your files and documents.

Do ensure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.

What If I’m Infected?
Firstly, don’t panic. Although there is currently no known way to recover files encrypted by “WannaCry”, you should follow these steps:

Disconnect your computer from the network. This can be done by removing your network cable or shutting down the wireless function on your computer. By doing so you are preventing the spread of the WannaCry ransomware.

Start rebuilding your affected computer. This can be done by performing a clean installation of your Windows operating system.

After you have rebuilt the infected computer, patch it with the recommended patch and restore your system from any backup you have made.

If you need further assistance, you can contact SingCERT for advice.

References
Massive ransomware attack hits 99 countries http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
SingCERT Advisory on Ransomware dated 6 May 2016 https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware
Microsoft Security Bulletin (MS17-010-Critical) dated 14 March 2017 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
WannaCry Ransomware That's Hitting World Right Now Uses NSA Windows Exploit dated 12 May 2017  http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html