WannaCry Ransomware

Posted on Thursday, 18 May 2017
Reading time:
2 minutes

How does it spread? 

The ransomware spreads through phishing mails and other network defence vulnerabilities that might exist within a targeted organisation. The ransomware exploited vulnerability in the Server Message Block (SMB) protocol of Windows Operating Systems. According to the American Whitehouse it infected more than 300 000 computers worldwide in more than 150 countries. Microsoft has released a security patch in March 2017 to resolve this vulnerability but the majority of the organisations that were targeted by the WannaCry Ransomware had not applied this update. 

What does it do?

Once executed on a system, the ransomware starts encrypting computer data without user consent. The ransomware exploits the SMB vulnerability which enables it to infect other computer systems on the network. Once it has encrypted the computer data the payload displays a message informing the user that all the computer data has been encrypted and then demands the user to make a payment in order to receive a decryption key for the data to be decrypted. It is impossible to decrypt the files without the decryption key. And there is no guarantee that once you pay the required amount you will get the decryption key.

What can I do to prevent being infected? 

The WannaCry ransomware spreads through exploiting the SMB vulnerability. Microsoft released a security patch to resolve this vulnerability in March 2017. This security patch is documented in the MS17-010 security bulletin. There are security patches for all supported Windows Operating Systems including Windows Vista, 7, 8, 8.1 and 10. 

Your organisation needs to ensure that this security patch is applied across all Windows systems within your organisation. You have to ensure that Windows Updates are set to download automatically to ensure that these security updates are installed once they are released by Microsoft. 

It is also important for users not to open email attachments from unknown sources. If you see a suspicious email in your inbox, it is better not to open it but rather consult a cybersecurity expert to analyse the email for you. Make sure your antivirus is always up to date and Windows Firewall is enabled. 

Your organisation needs to educate all its employees about security awareness and how to react to security threats. This will help users become aware of the steps to take to prevent ransomware from infecting your organisation. 

Your organisation needs to backup data regularly so that in the event of being hit by ransomware, you have a backup copy which can be restored once the ransomware has been mitigated. 

Written by
Danny Myburgh 
Managing Director
Cyanre