Several large organizations reported an infection simultaneously. Among them were several British hospitals that had to suspend their operations. According to data released by third parties, WannaCry has infected more than 200,000 computers. The sheer number of infections is a big part of the reason it has drawn so much attention.
The largest number of attacks occurred in Russia, but Ukraine, India, and Taiwan have suffered much damage from WannaCry as well. In just the first day of the attack, we found WannaCry in 74 countries.
Generally, WannaCry comes in two parts. First, it’s an exploit whose purposes are infection and propagation. The second part is an encryptor that is downloaded to a computer after it has been infected.
The first part is the main difference between WannaCry and the majority of encryptors. To infect a computer with a common encryptor, a user has to make a mistake, for example by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an e-mail message. A system can be infected with WannaCry without the user doing anything.
ORIGIN & PROPAGATION
The creators of WannaCry have taken advantage of the Windows exploit known as EternalBlue, which relies on a vulnerability that Microsoft patched in security update MS17-010, dated March 14 of this year. By using the exploit, the malefactors could gain remote access to computers and install the encryptor.
If you have the update installed, then this vulnerability no longer exists for you, and attempts to hack the computer remotely through the vulnerability will fail.
After hacking a computer successfully, WannaCry attempts to spread itself over the local network onto other computers, in the manner of a computer worm. The encryptor scans other computers for the same vulnerability that can be exploited with the help of EternalBlue, and when WannaCry finds a vulnerable machine, it attacks the machine and encrypts files on it.
Therefore, by infecting one computer, WannaCry can infect an entire local area network and encrypt all of the computers on the network. That’s why large companies suffered the most from the WannaCry attack — the more computers on the network, the greater the damage.
Unfortunately, there is currently no way to decrypt files that have been encrypted by WannaCry (however, our researchers are on it). For now, prevention is the only hope.
Here are several pieces of advice on how to prevent infection and minimize damage.
- Install software updates. This case desperately calls for all Windows users to install the MS17-010 system security update. Microsoft even released it for systems that are no longer officially supported, such as Windows XP or Windows 2003. Seriously, install it right now; it’s very important.
- Create file backups on a regular basis and store the copies on storage devices that are not constantly connected to the computer. If you have a recent backup copy, then an encryptor infection is not a catastrophe; you can spend a few hours reinstalling the operating system and apps, then restore your files and move on.
- Use a reliable antivirus.