WannaCry Ransomware Explained By An Aussie Security Expert

There’s been so much noise regarding the “WannaCry/” ransomware that it can be difficult to get a straight answer about what it does and how to fix (or avoid) it. Fortunately, Gold Coast-based Microsoft security MVP Troy Hunt has been able to shed some light on the situation for those in the dark.

An expansive blog post by Hunt details the malware’s supposed origins and attack vectors, as well as preventative measures. But first, what the heck does it actually do?

The ransom is $300 and you’ve got 3 days to pay before it doubles to $600. If you don’t pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files.

Hunt goes on to explain that the malware uses the Server Message Block protocol (SMB) to spread and that by disabling this service, you can mitigate WannaCry’s ability to go anyway.

Not that you should need to. If you’re running Windows 10, or keep your operating system reasonably up-to-date, you’ll be fine:

…you had to be almost 2 months behind in your patch cycle in order to get hit with this. Windows 10 machines were not subject to the vulnerability this patch addressed and are therefore not at risk of the malware propagating via this vector.

Microsoft itself also has guidance from the company’s principal security group manager, Phillip Misner. Here’s are the bullet points from that post:

• In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
• For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
• This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

Given how serious the vulnerability is, Microsoft has made an exception regarding patches for unsupported operating systems:

…we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.

So, all in all, you should be OK as long as you update your OS and aren’t running an ancient version of Windows.

Hunt’s post has a lot more info, so if you’re curious about WannaCry, or ransomware in general, be sure to give it a read.

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware [Troy Hunt]