What Is WannaCry/WanaCryptor?
WannaCry is ransomware that uses worm functionality to spread to multiple computers across a network. It exploits vulnerabilities in the Windows SMBv1 server to compromise systems quickly and remotely, encrypt their files, and spread to further hosts. Systems that are fully updated and have the MS17-010 patch installed are not vulnerable to WannaCry. Patches addressing the vulnerabilities identified in Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) are available for all versions of Windows from XP onward.
What Do I Do If My Computer Is Infected?
- Isolate the infected computer from the network to prevent the malware from easily compromising additional devices.
- Do not connect to or power on unpatched systems in compromised networks.
- The 2Secure team does not advise negotiating with or paying a ransom to criminal actors. Be aware that paying the ransom does not guarantee decryption or removal of the malware from your computer. CERT Australia and other open source reporting agencies have found that even after the ransom is paid in full, a backdoor still remains.
- Restore from backups. Encrypted files currently cannot be decrypted without the corresponding private key.
- A cyber incident can be reported to the 2Secure team 24/7 at email@example.com or 646-755-3933.
Note: Continuing to use an infected system is highly risky, since WannaCry will keep encrypting files and attempting to spread across the network.
Note: If backups are not available, still consider preserving the encrypted data before wiping the computer, in case a decryption method is found in the future.
What If My System Is Not Eligible For The Current Patch?
There are several workarounds that can help protect systems from infection, including the following:
- Disable SMBv1 on every computer connected to the infected network.
- Block port 445 (Samba).
- Review network traffic to confirm that there is no unexpected SMBv1 traffic. The following links provide information and tools for detecting SMBv1 network traffic related to Microsoft’s MS17-010 patch:
- Vulnerable embedded systems that cannot be patched should be isolated in order to prevent further network exploitation.
Note: Information on how to disable SMBv1 can be found here:
Most modern devices will operate correctly without SMBv1, but some older devices may experience communication or file/device access disruptions.
Note: This may cause disruptions in systems that require port 445.
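The following script is an added example (not part of the 2Secure advisory) that carries out the workarounds above on a single Windows host from an elevated PowerShell: it first audits SMBv1 state and lists any clients still connecting over SMBv1 (the older devices the note warns about), and only with -Remediate does it disable SMBv1, turn on SMB1 access auditing, and block inbound TCP 445 in the host firewall. It assumes Windows 8.1/Server 2012 R2 or later with the built-in SmbShare, Dism and NetSecurity modules; the rule name is my own choice.

```powershell
<#
  Added example, not from the original page. Run in an elevated PowerShell.
  Default mode only audits; pass -Remediate to disable SMBv1 and block TCP 445.
#>
param([switch]$Remediate)

# 1. Current SMBv1 server state.
$cfg = Get-SmbServerConfiguration
Write-Host "SMBv1 server protocol enabled : $($cfg.EnableSMB1Protocol)"

# 2. Clients currently connected over SMBv1 (dialect 1.x). These are the
#    hosts that may lose access when SMBv1 is disabled; check them first.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { "$($_.Dialect)" -like '1.*' }
if ($legacy) {
    Write-Warning "Active SMBv1 sessions found; review these hosts before disabling SMBv1:"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    Write-Host "No active SMBv1 sessions."
}

# 3. Is the SMB1 optional feature still installed? (Client SKUs; on Server
#    editions use Get-WindowsFeature FS-SMB1 instead.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol feature state     : $($feature.State)" }

if (-not $Remediate) { return }

# 4. Disable the SMBv1 server and log any further SMB1 access attempts
#    (Event ID 3000 in Microsoft-Windows-SMBServer/Audit; Windows 10 / Server 2016+).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction SilentlyContinue

# 5. Remove the SMB1 binaries where the optional feature is present.
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 6. Block inbound TCP 445 with the host firewall (idempotent). As the note
#    above says, this also stops legitimate file sharing to this host.
$ruleName = 'Block inbound SMB (TCP 445) - WannaCry mitigation'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
Write-Host "Remediation applied; reboot to complete feature removal."
```

Run it without -Remediate on a few representative hosts first so the SMBv1 session list tells you which legacy devices need attention before the protocol is switched off.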
How Do I Decrypt My Files?
There is currently no method for decrypting encrypted files without having the private key.
If I Think A Device Is Vulnerable And Would Like To Get Help, Who Do I Contact?
Contact firstname.lastname@example.org or 646-755-3933.
What Else Can I Do To Prevent This Kind Of Attack In The Future?
- Update and patch systems as soon as possible after patches are released.
- The CVEs for the vulnerabilities exploited by WannaCry are: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.
- Segregate networks based on functionality and the need to access resources.
- Keep offline data backups up-to-date.
- Additional information about ransomware is available from the following references:
- https://www.justice.gov/criminal-ccips/file/872766/download
- https://www.justice.gov/criminal-ccips/file/872771/download
- https://www.2secure.biz/response-to-wannacry-ransomware-attack-update-1/
- https://www.2secure.biz/samas-ransomware-deletes-veeam-backups-and-maybe-yours-too/