The weekend of 12-14 May 2017 saw a mass outbreak of malicious software that encrypted data files and held them to ransom. Within three days the spread of the malware, dubbed “WannaCry” (also reported as “WannaCrypt” or “Wcry”), had been halted, but the damage was done: businesses, public services and government departments across the world were taken down, unable to operate properly until they had completed costly, time-consuming recovery efforts.

This kind of malicious software, known as “ransomware”, is not new; we’ve written about it before. WannaCry is, however, the largest ransomware outbreak to date, affecting users in more than 150 countries. So what was it about this specific outbreak that made it so widespread, so damaging, and so well-reported? How did this malware operate, and are businesses still at risk?

History of WannaCry

The United States National Security Agency (NSA) maintained a catalogue of hacking tools and unreported software vulnerabilities for use in its own operations, including weaknesses in the security of Microsoft Windows. Rather than reporting these to Microsoft so they could be fixed, the NSA kept them for its own use. From August 2016, however, a group calling itself the Shadow Brokers began publishing material stolen from the agency, and in April 2017 it released the Windows exploits that WannaCry would shortly reuse, putting this highly damaging information into the hands of anyone who wanted it.

The NSA appears to have warned Microsoft of the specific vulnerabilities early in 2017, before the leak became public. Microsoft fixed them on 14 March 2017 in security bulletin MS17-010, released through its regular monthly update programme. The flaws lay in Windows’ implementation of the SMBv1 file-sharing protocol, and the leaked exploit for them was codenamed EternalBlue. Computer users and system administrators therefore had roughly two months to ensure their machines were patched before WannaCry appeared on 12 May.

Three days after WannaCry appeared, hundreds of thousands of computers had been infected, including those of businesses such as FedEx and Renault, universities in China, Germany’s federal railway operator Deutsche Bahn and Russia’s Interior Ministry. Britain’s National Health Service was particularly badly affected, with operations rescheduled and patients turned away from emergency departments.

So is it over?

Security researchers stopped WannaCry from spreading any further within hours, but they did so thanks to a quirk in the malware’s own code and the sloppiness of its authors. Before infecting a machine, the worm tried to connect to a particular, unregistered internet domain and quietly exited if the connection succeeded, probably a crude attempt to detect analysis sandboxes, which answer every request. A researcher simply registered the domain, and from then on every new copy of the worm that could reach the internet shut itself down. This “kill switch” halted the outbreak but did nothing for machines already encrypted, and it did not protect machines whose only route to the internet was through a proxy the worm could not use.

However, the SMBv1 vulnerability that WannaCry exploited is still present on every unpatched Windows computer, and attackers have been releasing modified versions of WannaCry (and other malware built on the same exploit) with the kill-switch domain changed or removed entirely. In the two days following the “cure”, several new variants were identified. The initial outbreak is past, but the underlying weakness is still there.

The best way to ensure that WannaCry and its descendants do not infect a computer network is to ensure that all Windows machines are fully patched with security updates. The vulnerability is so severe that Microsoft released a patch (KB4012598) for versions it no longer supports, namely Windows XP, Windows Server 2003 and Windows 8. Where SMBv1 is not needed, which is almost everywhere today, it should be disabled as well, and TCP port 445 should be blocked at the network perimeter and between workstations.

In addition to security patching of Windows itself, most major antivirus and internet security companies now include protection against WannaCry and similar malware in their software. Symantec Endpoint Protection, the internet security package Adams Consulting Group recommends for clients, was already blocking the exploit before WannaCry was released, and computers protected by this software were shielded from the outbreak. Antivirus is a second line of defence, though, not a substitute for the patch: a signature can only catch what it has been written to recognise.

However, malware is always mutating and being redesigned to take advantage of new holes in computer security. The best solution is always to keep antivirus up to date, patch your operating systems, and keep a working backup of all critical business files that is stored offline or otherwise out of reach of the machines it protects; ransomware will happily encrypt a backup drive that is left plugged in.

Deconstructing malware

Malware such as WannaCry operates in three distinct phases: infection, propagation and payload. An effective security approach will address all three.

The first thing malware has to do is get onto a vulnerable computer. How the first WannaCry victims were infected is still unclear. Early reports blamed spam emails with malicious attachments, but no convincing lure has been found, and the worm’s own scanning of internet-facing machines with TCP port 445 open is the more likely entry point. Other ransomware families are routinely delivered by email attachments or by compromised websites, where simply visiting the site with an unpatched browser can be enough to infect a computer, and running any unknown software will always put a computer at risk despite the best antivirus software. Prevention of an infection therefore requires a combination of user behaviour (treating all incoming emails with caution, particularly those from senders you don’t know), up-to-date software, and up-to-date antivirus.

Following the initial infection, WannaCry used the SMBv1 vulnerability to spread to other computers without any user action. It scanned the local network, and random internet addresses, for machines with TCP port 445 open, sent the EternalBlue exploit to each one, installed the DoublePulsar kernel backdoor through it, and used that to load a copy of itself, which then repeated the process. This is what distinguishes a worm from an ordinary virus, which needs a user to run an infected file on each new machine. Once a worm is loose inside a network the spread can still be contained: isolate the infected machines, block port 445 between network segments, and make sure every remaining machine is patched so that it cannot be infected by its neighbours.
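The two observable signs of this behaviour, a workstation fanning out to many internal hosts on TCP port 445 and a lookup of the kill-switch domain the original sample checked before spreading, can be picked out of ordinary logs. The PowerShell below is an added example, not code from the original post or from any vendor: it runs over constructed log samples that assume Windows Firewall’s default pfirewall.log field order for the connection lines and a simple “date time client name type” layout for the DNS lines. The threshold and the sample addresses are made up for the demonstration; the domain is the one reported for the original sample.

```powershell
# Added example: triage constructed log lines for signs of WannaCry-style
# propagation. Not part of the original post; the log samples are made up.

# Domain the original WannaCry sample queried before infecting a host. A lookup
# from a client means the dropper executed there, whether or not it spread.
$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# One workstation talking to this many distinct hosts on TCP/445 is a sweep,
# not normal file sharing. Assumed value; tune to your environment.
$FanOutThreshold = 5

# Constructed sample in the pfirewall.log field order:
# date time action protocol src-ip dst-ip src-port dst-port ...
# 10.0.0.5 sweeps the subnet; 10.0.0.9 makes one ordinary file-server connection.
$FirewallRaw = @'
2017-05-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.10 49831 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.11 49832 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:02 DROP  TCP 10.0.0.5 10.0.0.12 49833 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.5 10.0.0.13 49834 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 DROP  TCP 10.0.0.5 10.0.0.14 49835 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.5 10.0.0.15 49836 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:05 ALLOW TCP 10.0.0.9 10.0.0.2 51002 445 0 - 0 0 0 - - - SEND
'@
$FirewallLog = $FirewallRaw -split "`r?`n"

# Constructed DNS query log: date time client name type
$DnsRaw = @'
2017-05-12 10:00:58 10.0.0.7 www.example.com A
2017-05-12 10:00:59 10.0.0.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12 10:01:00 10.0.0.9 fileserver.corp.local A
'@
$DnsLog = $DnsRaw -split "`r?`n"

# Keep only TCP connections to port 445, dropped or allowed: a worm's probes
# to hosts that refuse the connection are just as telling as the successes.
$SmbConnections = foreach ($line in $FirewallLog) {
    if ($line -notmatch '^\d{4}-\d{2}-\d{2}\s') { continue }   # skip headers/blank lines
    $f = $line -split '\s+'
    if ($f[3] -eq 'TCP' -and $f[7] -eq '445') {
        [pscustomobject]@{ Src = $f[4]; Dst = $f[5]; Action = $f[2] }
    }
}

# Count distinct destinations per source; a sweep stands out by its fan-out.
$Sweepers = $SmbConnections | Group-Object -Property Src | ForEach-Object {
    $targets = @($_.Group.Dst | Sort-Object -Unique).Count
    if ($targets -ge $FanOutThreshold) {
        [pscustomobject]@{ Source = $_.Name; DistinctTargets = $targets }
    }
}

# Any client that resolved the kill-switch domain ran the dropper.
$KillSwitchLookups = foreach ($line in $DnsLog) {
    $f = $line -split '\s+'
    if ($f.Count -ge 4 -and $f[3] -ieq $KillSwitchDomain) {
        [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Client = $f[2] }
    }
}

if ($Sweepers) {
    Write-Output 'Possible worm propagation (many TCP/445 targets from one host):'
    $Sweepers | Format-Table -AutoSize
}
if ($KillSwitchLookups) {
    Write-Output 'Kill-switch domain lookups (host executed the WannaCry dropper):'
    $KillSwitchLookups | Format-Table -AutoSize
}
```

On the sample above the script reports 10.0.0.5 with six distinct targets and the same host as the source of the kill-switch lookup; 10.0.0.9, with a single file-server connection, stays below the threshold. To run it against real data, replace the two here-strings with Get-Content over the firewall log and your DNS server’s query log, and remember that a proxy-only network will show the lookup at the proxy, not at the infected client.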

Once installed on a computer, the malware executes its payload, the action for which it was designed. Sometimes that action will be invisible to the user, for example turning the infected computer into a factory for spam email. In other instances the payload is intended to generate money for the attackers, whether through scaring users with popup windows to convince them to buy and download “cleaning” software (which will often further increase the damage) or, as in the case of WannaCry, encrypting files and displaying a ransom message. WannaCry encrypted the user’s documents with a key only the attackers could recover, renamed them with a .WNCRY extension, and demanded $300 in bitcoin, rising to $600 after three days. Dealing with malware once it has begun executing its payload will typically involve an expensive, time-consuming cleanup job to isolate and remove it and restore corrupted files. In the case of ransomware like WannaCry, recovery means restoration from backup. We do not recommend paying the ransom: the attackers had no reliable way to match a payment to a particular victim, and payment does not guarantee a working decryption key.

Take action to keep your business safe.

Whilst the WannaCry outbreak appears to be over, the threat from the NSA-revealed Windows bug is not diminished. The next versions of this malware will not be so easily stopped. The best defence is to ensure that all workstations are up to date with antivirus software and system patches.

Most Windows workstations will be set to receive and install patches automatically, and a machine that has installed the March 2017 update cannot be infected over the network by this exploit; it can still be infected by running the malware directly, which is where antivirus and user caution come in. Computers running Windows XP, Windows Server 2003 or Windows 8, however, need the patch applied manually; it can be downloaded direct from Microsoft. Alternatively, contact Adams Consulting Group or your preferred IT services consultancy to review and update the workstations in your network.
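The checks and changes recommended above, as an added PowerShell example (not from the original post, and not a Microsoft script): it looks for the MS17-010 update on the local machine, reports and disables SMBv1, and blocks inbound TCP 445 on the host firewall. The KB numbers are the ones Microsoft published with the bulletin; the function names are my own, and the script assumes an elevated session on Windows 7 or later, with the SMB and NetSecurity cmdlets available on Windows 8 and newer.

```powershell
# Added example: check a workstation for the MS17-010 fix and close the SMBv1
# attack surface WannaCry used. Not part of the original post. Run in an
# elevated PowerShell session; some steps need a reboot to take effect.

# Security updates published with MS17-010 (14 March 2017) plus the
# out-of-band KB for Windows XP, Server 2003 and Windows 8 (KB4012598).
# Caveat: on Windows 10 later cumulative updates supersede these, so a
# missing KB number there does not by itself prove the host is vulnerable.
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Output "MS17-010 fix present: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found; check Windows Update history before assuming the host is patched.'
    return $false
}

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: the registry value is the switch (KB2696547);
    # an absent value means SMB1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Remove the optional component where it exists (Windows 8.1/10); this is
    # what actually retires the SMB1 driver rather than just the server setting.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Registry switch covers Windows 7 / 2008 R2 and is harmless elsewhere.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
}

function Block-InboundSmb {
    # Workstations have no business accepting SMB from other workstations;
    # blocking 445 stops a compromised peer reaching this host even if a
    # patch was missed. Skip on file servers, which must keep 445 open.
    $name = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patched = Test-Ms17010Installed
if (Get-Smb1Status) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
    Write-Output 'SMBv1 disabled (reboot to complete).'
} else {
    Write-Output 'SMBv1 already disabled.'
}
Block-InboundSmb
if (-not $patched) {
    Write-Warning 'Install the MS17-010 update before returning this host to the network.'
}
```

Test the SMBv1 change on a few machines first: very old network devices (NAS boxes, multifunction printers, remaining XP hosts) may still depend on SMBv1, and they will lose access to shares on a host where it has been turned off. The firewall rule is deliberately limited to inbound traffic, so the workstation can still reach file servers; apply it through Group Policy rather than per machine once it has been tested.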