Author: Aaron White, Date: 15th May 2017
In case you have been living in a cave the past three days…
Wanna Cry is ransomware that spreads like wildfire by leveraging a Windows SMB exploit to remotely access and infect computers running unpatched or unsupported versions of Windows. It infects the targeted computer, then moves on to others on the network and to any it can find on the open internet.
237,000 computers across 99 countries have been infected thus far.
The news has reported that a 22-year-old security researcher has stopped the Wanna Cry ransomware plague.
That’s only partially true.
He found a “kill switch” in the code of Wanna Cry that will keep one strain of Wanna Cry from infecting computers.
Here’s the problem…
Now there are multiple strains of Wanna Cry cropping up across the globe.
Some have a different “kill switch” URL, and, if reports can be believed, at least one strain has no “kill switch” at all. This “no kill switch” variant is believed to have been created by parties unrelated to the criminals who developed the original Wanna Cry code.
Whatever the final number of Wanna Cry strains ends up being, the truth is that we aren’t even close to being done with Wanna Cry. And the criminals in control of this cyber-WMD aren’t done with causing us pain.
Yes, the infection rate has slowed, but according to industry experts that lull is likely only the calm before the second wave of the storm.
Where did Wanna Cry come from?
There is no public information on the criminals behind Wanna Cry, but the SMB exploit they are utilizing is believed to be part of a hacking toolset that the NSA allegedly created and lost control of when a group of hackers called “The Shadow Brokers” stole it and dumped it onto the dark web.
Currently, the predominant strains of Wanna Cry are being thwarted before they infect computers by utilizing the method discovered by 22-year-old MalwareTech.
He discovered that by registering a domain name that was buried in the ransomware’s code, he was able to create a “sinkhole” that didn’t allow the virus to infect the computer.
The problem is that if the connection to this “sinkhole” domain is lost, Wanna Cry will move into “infect” mode.
As we have stated above, there are now several strains of Wanna Cry out there with a “kill switch” domain name in their code. Each unique domain name must be registered so that a “sinkhole” is created for that strain.
Even with these domain name “sinkholes,” we aren’t out of the woods.
MalwareTech, the security researcher who found the first “kill switch” buried in Wanna Cry code, has stated that “WannaCrypt (or Wanna Cry) ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant.”
There are some scenarios that will allow your unpatched computer to be infected – even with the kill switch in place. Here they are:
- If Wanna Cry comes to you via an email, a malicious torrent, or other vectors (instead of SMB protocol).
- If your ISP or antivirus or firewall revokes access to the “sinkhole.”
- If your system requires a proxy to access the internet – common in corporate networks.
- If someone uses a DDoS attack to make the sinkhole domain inaccessible.
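The scenarios above all come down to one question: can a host on your network reach the sinkhole the way the worm checks for it? The following self-check is an added example (not the post's or eSOZO's code). It assumes placeholder kill-switch domains, which you would replace with the domains reported for each strain, and it disables proxies on purpose because the proxy-only scenario is exactly the case where a browser can reach the domain but the kill switch still fails.

```python
"""Network self-check for the kill-switch / sinkhole mechanism described above.
Added illustration, not eSOZO's code. KILL_SWITCH_DOMAINS are constructed
placeholders: substitute the real domains reported for each strain."""
import socket
import urllib.error
import urllib.request

# Placeholder domains (constructed); one per strain you are tracking.
KILL_SWITCH_DOMAINS = ["strain1-killswitch.invalid", "strain2-killswitch.invalid"]


def direct_http_probe(domain, timeout=3.0):
    """Plain HTTP GET with proxies disabled. The kill-switch check is a direct
    connection, so a proxy-only network fails this probe even though a browser
    on the same host can reach the domain. Returns a reason string."""
    try:
        socket.gethostbyname(domain)
    except OSError:
        return "dns_blocked"            # ISP/AV/DNS filter swallowed the name
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{domain}/", timeout=timeout):
            return "reachable"           # sinkhole answered -> kill switch works
    except (urllib.error.URLError, OSError):
        return "connect_blocked"         # egress needs proxy, firewall, or sinkhole down


def kill_switch_outcome(reason):
    """The kill switch only helps when the sinkhole actually answers."""
    return "worm exits" if reason == "reachable" else "worm proceeds"


def assess_network(domains=KILL_SWITCH_DOMAINS, probe=direct_http_probe):
    """Per-domain verdict. Any 'worm proceeds' entry means hosts on this
    network must rely on patching, not on the sinkhole."""
    return {d: kill_switch_outcome(probe(d)) for d in domains}


def protected_by_sinkhole(domains=KILL_SWITCH_DOMAINS, probe=direct_http_probe):
    """True only if every tracked strain's domain answers from here."""
    return all(v == "worm exits" for v in assess_network(domains, probe).values())


if __name__ == "__main__":
    for domain, verdict in assess_network().items():
        print(f"{domain}: {verdict}")
```

Run it from a representative workstation on each network segment; a "dns_blocked" result points at name filtering, while "connect_blocked" points at egress filtering or a required proxy.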
What to do…
The cyber-security experts of eSOZO Computer and Network Services advise you to:
- Patch your computers
- Run a decent anti-virus
- Make sure your backups are current and secure
Because of the high-profile nature of this ransomware attack, there will be copycats that make Wanna Cry even more virulent and destructive.
Wanna Cry 2.0 is inevitable.
It’s important that you act proactively for your company now and get the eSOZO Computer and Network Services cyber-security team on your side.
We have the resources to help you stay running and safe.