In May 2017, thousands of computers across industries and countries were infected by the WannaCry ransomware. Estimates suggest that over 200,000 computers across 150 countries fell to it. Because the malware propagated on its own, the more it spread, the faster it spread.
What is WannaCry ransomware?
This ransomware attacks Windows systems and encrypts the files on the hard drive. Once the files are encrypted, it locks the user out of the computer and demands that the user pay a ransom in Bitcoin to decrypt the files and regain access.
Essentially, the malware exploits a vulnerability in the Microsoft operating system that lets it take control of the computer through its Server Message Block (SMB) service. It first enters the host computer as a dropper. According to CSO, a dropper is a self-contained program that extracts the other application components embedded within itself. WannaCry’s dropper therefore carries its own encryption routines and encryption keys, so it can encrypt and decrypt the files on its own. As soon as it has control over the files on the system, it displays a ransom notice demanding US$300 to $600 in Bitcoin.
Many, including Microsoft, hold the American National Security Agency (NSA) responsible for the spread of WannaCry. The NSA discovered a defect in Microsoft’s operating system, but instead of reporting it to Microsoft, the agency used it to attack enemy computers. Later, a hacker group, the Shadow Brokers, stole and leaked the exploit, which allowed the WannaCry ransomware to proliferate rapidly.
What to do if your computer is infected?
If you have saved backups (and if you haven’t, you should), you can wipe and rebuild the system. First disconnect the infected machine from all other computers and from the network so the ransomware cannot spread to other systems. Then rebuild the system from scratch: reinstall the operating system and restore your data from the stored backups. Before you reconnect the system to the network, install every update that contains the security fix for the vulnerability the ransomware uses.
If you don’t have a backup and your system is infected, there isn’t much you can do. If the information on your system is important, you will have to pay the ransom to regain access to your system. However, there is no guarantee that you will receive the decryption key from the hackers even after paying.
What to do if your computer isn’t infected?
If your computer hasn’t been infected, you are lucky: you still have time to prepare and protect your system from the malware. Here are a few steps you can take:
Install Microsoft’s fix for the vulnerability promptly and keep your system updated.
You can also disable Server Message Block version 1 (SMB1), since that is the service through which the ransomware enters your system. You can also block ports 139 and 445 at the firewall, as they are used by SMB1.
Segment your network to limit how far the ransomware can reach across your systems and applications.
Set up access controls for all your applications, or at least the crucial ones, so the ransomware cannot reach every file on the system.
Above all, keep a backup, and make it a habit to back up your systems regularly. You can also back up your files to the cloud, for example to Google Drive, Microsoft OneDrive, or Dropbox.
If you use an external hard drive for backups, make sure it isn’t continuously connected to your system, because it too can be encrypted by the ransomware. To keep the drive and your files safe, plug it in only when you need to use it.
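The SMB1 and firewall steps above, as an added PowerShell example that is not part of the original article. It uses standard cmdlets available on Windows 8.1 / Server 2012 R2 and later; the firewall rule name is an assumed label, and the script does not name a specific update because the article does not identify one. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): apply and verify the
# SMB1 hardening described above on a Windows host. Requires an elevated
# (Administrator) PowerShell session.

# Assumed rule name; any unique label works.
$RuleName = "Block SMB1 ports (WannaCry hardening)"

# Report whether the SMB1 server component is currently enabled.
function Get-Smb1State {
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

# Turn SMB1 off at the server level and remove the optional feature.
# Removing the feature needs a reboot to take full effect.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Block inbound TCP 139/445. Caveat: this also stops legitimate file and
# printer sharing to this machine, so apply it to workstations and to
# servers that do not need to serve SMB; on file servers rely on the
# SMB1 disable and the vendor update instead of this rule.
function Block-SmbPorts {
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

# Show the most recently installed updates so you can confirm the
# security fix from Microsoft is present before reconnecting to the network.
function Show-RecentUpdates {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
}

# Summarise the hardening state after the changes.
function Test-Hardening {
    [pscustomobject]@{
        Smb1Enabled  = Get-Smb1State
        PortsBlocked = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

Disable-Smb1
Block-SmbPorts
Show-RecentUpdates
Test-Hardening    # expect Smb1Enabled = False, PortsBlocked = True
```

On Windows 7, `Set-SmbServerConfiguration` is not available; there the SMB1 server is disabled through the LanmanServer registry parameters that Microsoft documents, and the firewall rule can be created from the Windows Firewall console instead. Re-run `Test-Hardening` after the reboot to confirm the state persisted.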