Twinstate Ransomware Alert: WannaCrypt, WCry & WannaCry

Since Friday, you may have seen news alerts about ransomware known as WannaCrypt, WCry and WannaCry, which began encrypting victims’ computer files in the UK, causing some businesses to temporarily close down.

This particular form of malware exploits vulnerabilities in Microsoft Windows, specifically older, unsupported versions (Windows XP/Server 2003, for example) that might be ineligible for a patch provided to fix the flaw earlier this year. Microsoft has now made additional updates available to safeguard systems; however, it is incumbent on end users to apply these patches to realize the benefits and reduce their risk.

As a precaution and part of an appropriate process, your systems should be regularly patched. Now is a perfect time to make certain this is happening. Here are some useful links to assist you in learning more about this malware and also about patching to guard against it.

  1. https://www.dhs.gov/news/2017/05/12/dhs-statement-ongoing-ransomware-attacks
  2. https://www.us-cert.gov/security-publications/Ransomware
  3. https://krebsonsecurity.com/2017/05/microsoft-issues-wanacrypt-patch-for-windows-8-xp/
  4. https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Once the malware was released, variants were caught by security researchers, who acted quickly to study the malware offline in their sandbox environments in order to dissect it properly and find ways to stop it without causing further damage. WannaCry’s creators deployed an anti-sandbox technique with the goal of slowing down researchers’ dissection of the malware and encouraging further spread of the ransomware. It was through these efforts that researchers were able to buy the previously nonexistent domain the malware was using as an anti-sandbox check, from which the malware was sent, and create a “kill switch” in hopes of shutting down the spread of the malware. However, this only succeeded in shutting down that one variant of the ransomware and slowing the infection rate, leaving those with unpatched Windows XP and Server 2003, along with Windows systems running SMB services that have not been patched with MS17-010, vulnerable to attacks.

Bottom line: if you have not updated Windows since March, you’re vulnerable. Since the incident, Microsoft has put out updates to patch the vulnerabilities, which will significantly decrease the number of attacks. However, it is up to you, the end user, to install them. While other variants will most likely be developed, these patches and updates will help protect your information from being encrypted.

Another critical countermeasure against the malware, especially if you’re unable to install Microsoft’s latest updates, would be to essentially “block traffic.” Cutting off access at your firewall will greatly increase your chances of not getting hit. To do this, TCP port 445 must be blocked appropriately.
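Once the block is in place, it is worth confirming from the far side of the firewall that TCP port 445 is no longer reachable on your own machines. The script below is an added example, not part of the original alert; the function names and the host list are assumptions to replace with your own inventory.

```python
import socket

SMB_PORT = 445  # TCP port the alert says to block


def check_port(host, port=SMB_PORT, timeout=2.0):
    """Classify one TCP connect attempt against a host you administer.

    'open'     - handshake completed: the port is reachable, block not effective
    'closed'   - connection refused: nothing listening, or firewall rejects
    'filtered' - no answer or unreachable: typical of a firewall drop rule
    'error'    - the host name could not be resolved
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "error"
    except OSError:  # includes timeouts and host/network unreachable
        return "filtered"
    finally:
        sock.close()


def audit(hosts, port=SMB_PORT, timeout=2.0):
    """Check every host; return (per-host results, sorted hosts still exposed)."""
    results = {h: check_port(h, port, timeout) for h in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Constructed sample inventory; replace with the machines you are responsible for.
    my_hosts = ["127.0.0.1"]
    results, exposed = audit(my_hosts)
    for host, state in results.items():
        print(f"{host}: tcp/{SMB_PORT} {state}")
    if exposed:
        print("Still reachable on 445, patch or block these first:", ", ".join(exposed))
```

Run it from the network segment you want to keep out (for example, outside the perimeter firewall); a result of `open` there means the rule is not doing its job for that host.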

At this time, these are the best solutions for those still working within obsolete environments. Those who are still working with outdated equipment should consider investing in a newer system to ensure more frequent updates. 

If you find that you have been attacked or that your systems are vulnerable, contact Twinstate Technologies immediately for professional assistance in ensuring that your systems are properly updated and that all necessary processes are followed.

To learn more about protecting yourself and your business, register for our free webinar on May 23rd. “How to Combat Ransomware” will be led by Twinstate’s Alex Insley, UDS Technical Manager, and Michael DePalma, Datto expert. Reserve your seat here.

As the week unfolds, we will be posting additional information. For questions about WannaCrypt, WCry and WannaCry, as well as special Twinstate promotions that can help guard against these attacks, contact us today.