Cyber criminals released a new piece of ransomware called WannaCry (or Wcry) May 12, causing disruptions at hospitals, banks, telecommunications services, train stations and other critical organizations. By itself this would not be newsworthy, as new malware is created every day. What makes Wcry notable is its method, speed of infection and the breadth of operating systems that are vulnerable to it.

The criminals created Wcry based off of the U.S. National Security Agency's EnternalBlue exploit, which was stolen and leaked in April by the hacker group, The Shadow Brokers. EternalBlue exposed a vulnerability in Microsoft's implementation of the Server Message Block protocol. The exploit exists in Windows versions XP, Vista, 7 and 8, and Windows Server versions 2003, 2008 and 2012.

Most malware begins as a nefarious email attachment or software download, which then infects the local machine and attached storage. It generally remains contained to that local computer. Wcry goes one step further by including "worm" functionality. This feature enables the malware to spread automatically from computer to computer without additional human interaction. The worm infects vulnerable computers that are on the same local area network as the infected host. As Wcry is also ransomware, once an infection occurs, a victim's computer denies access and displays a message that demands Bitcoin payments equivalent to $300 to $500, to be paid by May 19, at which point the files will be un-recoverable.

As of May 15, the malware was temporarily stopped after a 22-year-old British security researcher found and hard coded the malware's "kill switch." This action dramatically slowed the infection rate of the malware, but unfortunately has no effect on existing infections.

Intelligence officials say that the Wcry malware has a fingerprint similar to code previously released by North Korea, according to The New York Times. While this is not conclusive evidence, it fits with other points of information. Because of the kill switch and manual verification of ransom payment, officials speculate that the goal of this attack is cyber havoc and not financial gain. Also note that we may quickly see variants of this malware, which could render the kill switch ineffective and not trigger antivirus signatures that identify malware.

Protecting your business from WannaCry ransomware
In a previous blog, I gave some best practices that a business can take to safeguard its data and avoid ransomware. However, should the Wcry infection occur, a business can limit additional damage and protect itself. These steps and general Wcry information have been adapted from SANS Technology Institute:
 

• Confirm that the Microsoft Windows patch MS17-010 is installed on all machines in your environment.
   
• If patching is not an option, ensure that your machines can access the kill switch website.
   
• A registry entry, which is a database that stores low-level settings for the Windows operating system, can prevent infections. Consider how it can apply to your organization's computers.
   
• Be mindful that future versions of the malware could remove the kill switches or change the registry entry, which will render these protection methods ineffective.
   
• Segment your network with a firewall blocking port 445 and RDP, also block port 445 at the perimeter
   
• Disable SMBv1
   
• Detect affected systems:
  • Systems that are infected by WannaCry will try to connect to a specific domain.
     
  • Encrypted files will have the "wncry" extension.
     
  • Systems will scan internally for port 445.
     
  • Ransom message will be displayed.
     
  • Most major anti-malware software has signatures for WannaCry.
     
• Clean infected systems:
  • Anti-malware vendors are offering removal tools, which will remove malware, but not recover encrypted files.
     
  • WannaCry will install a backdoor that could be used to compromise the system further.
     
  • Note that not all files with the .wncry extension are encrypted. Some may still be readable.
     
• Should you pay the ransom?
  • There is no public report from victims who paid the ransom.
     
  • Approximately 100 victims have paid so far.
     
  • The unlock code is transmitted in a manual process that requires the victim to contact the cyber criminals for an unlock code (normally this is automatic)
     
  • Due to legal and public attention, the individuals behind this malware may disappear and not release additional unlock codes.
     

To avoid becoming a malware victim, prevention is key. But even the most vigilant computer user or company can perform actions that usher in ransomware. If an infection from Wcry — or other malware — occurs, act immediately to protect your business.