A few days ago, WanaCrypt0r 2.0, a piece of malicious software, hit companies and internet users around the world, leading to PCs and data being locked up and held for ransom.
The ransomware uses a vulnerability first revealed to the public as part of a leaked set of NSA tools in order to infect Windows PCs and encrypt their contents, before demanding payments for the key to decrypt files.
How does ransomware work?
When a computer is infected, the ransomware typically contacts a central server controlled by the hackers for the information it needs to activate. It then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure.
Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
The creators of this piece of ransomware are still unknown. However, WanaCrypt0r 2.0 is their second attempt at cyber-extortion, with an earlier version, named WeCry, being discovered back in February this year. WeCry asked users for 0.1 bitcoin (currently worth about Ksh 17,000) to unlock files and programs, while WanaCrypt0r 2.0 is asking for about Ksh 30,000 worth of the cryptocurrency to unlock the contents of the computers.
Once a user unknowingly installs this particular piece of ransomware on their own PC, it tries to spread to other computers on the same network using a known vulnerability in the Windows operating system, jumping from PC to PC. This weakness was first revealed to the world as part of a huge leak of NSA hacking tools and known weaknesses by an anonymous group calling itself “Shadow Brokers” in April.
Shortly before the Shadow Brokers released their files, Microsoft issued a patch for affected versions of Windows, ensuring that the vulnerability couldn’t be used to spread malware between fully updated versions of its operating system. Organizations were caught flat-footed because they had been slow to install security updates and patches.
Some badly designed ransomware, however, has itself been hacked by security researchers, allowing recovery of data. Such situations are rare and tend not to apply in the case of wide-scale professional hits like the WanaCrypt attack.
Most ransomware has a short shelf life: once anti-virus vendors cotton on to a new version of the malware, they are able to prevent infections from originating and spreading, which leads developers to attempt “Big Bang” introductions like the one currently underway.
Bitcoin, the payment medium through which the hackers are demanding payment, is difficult to trace, but not impossible, and the sheer scale of the attack means that law enforcement in multiple countries will be looking to see if they can follow the money trail and net those involved.
To protect yourself from attacks like this, make sure you have the latest security update from Microsoft. It is also important to download software and other content from the internet only from trusted sources.