WannaCry ransomware – how to defend and recover

A new type of ransomware known as WannaCry is infecting hundreds of thousands of computers in homes and businesses across the globe. This malware targets a recently disclosed vulnerability in numerous editions of the Windows operating system. Although Microsoft patched this vulnerability in March 2017, any Windows servers and devices without automatic updates enabled remain unpatched and vulnerable.

How does WannaCry ransomware work?

Like most types of ransomware, WannaCry can be introduced via a malicious file attached to an email or a downloadable link. For individual home users, it is likely that this infection would require some initial action from the user – clicking the link or opening the file. In organizations with multiple users and servers connected to the network, the infection can spread further without user interaction, using the vulnerability in server software.

Once on the computer, WannaCry encrypts the victim’s files in common locations for documents, including My Documents, Desktop, and any removable drives. The application tells the victim they have three days to pay $300 to decrypt the files. After three days, the ransom goes up to $600, and the application threatens to delete the files permanently after seven days.

Should I pay the ransom?

Paying the ransom is almost never recommended, because there is never a guarantee that the criminals will actually honor the deal and decrypt the files, or that they will not leave other malicious software on the system and potentially attack again. In the case of WannaCry, paying the ransom makes even less sense due to a bug in the ransomware program itself. It was discovered shortly after the attacks began that the first and most widely spread version of WannaCry failed to generate a unique Bitcoin wallet for each encrypted device, and instead defaulted to one of three hard-coded Bitcoin addresses. Without unique Bitcoin addresses, the attackers cannot identify the individual victims who have paid, and therefore cannot provide them with the promised decryption keys.

How do I protect against WannaCry?

Home users should practice the same precautions as with any phishing or ransomware risks:

  1. Avoid downloading files or applications from untrusted sources, or opening email attachments you were not expecting to receive.
  2. Keep your antivirus and applications (including the operating system) up to date with the latest updates and patches. The antivirus can catch many known malware files before they get installed and do damage, and patched applications are less vulnerable to being hacked.
  3. Create regular file backups and/or system restore backups. This will help you recover quickly if you do fall victim to ransomware.
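Step 3 deserves one practical caveat that follows from the article's own description of WannaCry: the malware also encrypts removable drives, so a backup that sits on a USB disk plugged into the infected machine can be encrypted along with the originals. The script below is an added example (it is not code from the original article or from any vendor tool) showing one way to make backups you can trust when you need them: each backup run is copied into its own timestamped folder and recorded in a SHA-256 manifest, and a verify step recomputes the digests so that a backup set that has been encrypted, altered, or partly lost is reported instead of silently restored. Folder layout, file names, and the `run_demo` helper are assumptions of this example.

```python
"""
Versioned file backup with an integrity manifest (added example, not from the
original article). Assumed layout: backup_tree() copies a source folder into
backup_root/<timestamp>/data/ and writes manifest.json with SHA-256 digests;
verify_backup() recomputes the digests so that a backup set that was itself
encrypted or tampered with is detected rather than trusted during recovery.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(source_dir, backup_root, stamp=None):
    """Copy source_dir into backup_root/<stamp>/data/ and record every file's
    digest in a manifest. A new stamp per run keeps earlier sets untouched, so a
    later run that copies already-encrypted files cannot overwrite a good set.
    Returns the path of the new backup set."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = os.path.join(backup_root, stamp)
    data_dir = os.path.join(dest, "data")
    shutil.copytree(source_dir, data_dir)
    manifest = {}
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    with open(os.path.join(dest, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return dest


def verify_backup(backup_set):
    """Return (ok, problems). ok is True only if every file in the manifest is
    present with its recorded digest and no unexpected files have appeared."""
    with open(os.path.join(backup_set, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    data_dir = os.path.join(backup_set, "data")
    problems = []
    seen = set()
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                problems.append(f"unexpected file: {rel}")
            elif sha256_file(full) != expected:
                problems.append(f"digest mismatch: {rel}")
    for rel in sorted(manifest):
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return (not problems), problems


def run_demo():
    """Constructed demonstration: back up a small folder, confirm it verifies,
    then overwrite one copied file (standing in for encryption of the backup
    media) and confirm verification now reports the damaged file."""
    src = tempfile.mkdtemp(prefix="docs_")
    root = tempfile.mkdtemp(prefix="backups_")
    os.makedirs(os.path.join(src, "reports"))
    with open(os.path.join(src, "reports", "q1.txt"), "w") as f:
        f.write("quarterly report (constructed sample)")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("meeting notes (constructed sample)")
    backup_set = backup_tree(src, root, stamp="20170515T120000Z")
    ok_before, _ = verify_backup(backup_set)
    with open(os.path.join(backup_set, "data", "reports", "q1.txt"), "w") as f:
        f.write("garbage standing in for ciphertext")
    ok_after, problems_after = verify_backup(backup_set)
    shutil.rmtree(src)
    shutil.rmtree(root)
    return ok_before, ok_after, problems_after


if __name__ == "__main__":
    print(run_demo())  # (True, False, ['digest mismatch: reports/q1.txt'])
```

Run `verify_backup` on a set before restoring from it, and keep at least one backup set on media that is disconnected between runs, since a drive that stays attached is within reach of the malware described above.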

What do I do if my files have been encrypted with WannaCry?

Unfortunately, there are no tools available to reverse the encryption done by WannaCry without access to the encryption key held by the criminals. If you have a recent backup of your files or a System Restore point, that is the best option for getting your files back. Paying the ransom should be considered a last resort, and one that comes with no guarantees.

For more information about ransomware and how to protect against it, read Understanding Ransomware.
