Questions and answers about the WanaCrypt0r ransomware

The WanaCrypt0r ransomware has spread aggressively around the world. Below our specialists answer some questions about the ransomware.

What is WanaCrypt0r?

WanaCrypt0r is a ransomware program that started to spread aggressively on Friday, 12 May 2017.

It infects the user's computer and encrypts the files, making them inaccessible. The ransomware program then demands a ransom of around EUR 300 in exchange for the decryption key. Ransomware has been around for years and is a serious information security problem for computer users.

WanaCrypt0r is a different type of ransomware program because it is also a worm. It spreads independently to other computers by exploiting a software vulnerability in the operating system. Once WanaCrypt0r has infected one computer, it looks for other vulnerable computers in the local network and the internet to infect. This means that one infected workstation in an organisation can infect all vulnerable workstations within the organisation's network.

By scanning the internet, WanaCrypt0r can also spread to other networks, e.g. through a vulnerable server, and infect other workstations in that network. This worm-like functionality is why WanaCrypt0r could spread so rapidly and, according to the most recent information, infect more than 200,000 workstations around the world.

The original spreading mechanism and the origin of the aggressive campaign remain unconfirmed.

Ransomware typically spreads via email attachments but, despite the exceptional attention WanaCrypt0r has received, researchers have not been able to pinpoint any emails used to spread the malware.

More than 150 countries have reported cases of WanaCrypt0r infections. In Finland, the attack has had limited effect and, according to FICORA, the number of infected computers is around 100. Regularly updated operating systems have probably protected Finland against the attack, as the updates were available before the malware started to exploit the vulnerability.

How does it work?

Ransomware programs work almost identically regardless of version: they read the user's files, encrypt them with a passphrase and overwrite the original data with the encrypted version.

Ransomware looks for certain types of files and mainly encrypts files that seem to have been created by the user based on their file extension. Such files include pictures, documents, text files and other media content. Current ransomware programs also delete volume shadow copies in Windows.

The ransomware program encrypts all files to which the user has write access. This means that network drives and connected mass storage devices may also be encrypted.

The malware does not encrypt all files on the computer because it needs to leave the operating system in working condition. Once the files are encrypted, or during the encryption, the ransomware program sends the encryption key to a command-and-control server controlled by criminals and deletes the key from the local computer. After sending the encryption key, the ransomware displays a message to the user explaining how to pay the ransom to receive the key to decrypt the files.

Image: Message posted by WanaCrypt0r

Some ransomware can be decrypted using decryption software designed by information security companies. However, such so-called keyless decryption is only possible if there is a vulnerability or a weakness in the ransomware itself.

Unfortunately, there is no such software for the current professional ransomware programs. However, some older versions of ransomware that are currently active may be decrypted. For more information about ransomware and decryption tools for some ransomware, visit https://www.nomoreransom.org/fi/

How can I protect against it?

If your computer has been infected, there is nothing you can do. The only way to regain access to your files is to restore them from backups. To protect yourself against ransomware, follow the general instructions for protecting against other malware:

Always install the most recent updates for your software and operating system.

Use robust antivirus software.

Do not open suspicious email attachments.

Do not run unknown programs on your computer.

To protect against WanaCrypt0r:

Check that you have installed the most recent updates for the operating system of your computer. Restart your computer to install the updates. WanaCrypt0r exploits the MS17-010 vulnerability. Read more about the vulnerability here.

Block traffic on port 445 (SMB) at the organisation firewall. WanaCrypt0r spreads by exploiting a vulnerability in the SMB protocol. The SMB protocol uses port 445, so blocking the port prevents the vulnerability from being exploited from outside the organisation.

Disable SMB version 1. SMB1 contains several known vulnerabilities. Read more here.
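The three WanaCrypt0r mitigations above (patch, block 445, disable SMB1) can be audited on a single Windows host with the following PowerShell script. It is an added example, not part of the NCSC-FI article, and assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer (where the Smb* and Net* cmdlets exist); the MS17-010 hotfix KB numbers differ per Windows version and are left as a placeholder you fill in from the MS17-010 bulletin.

```powershell
# Added example (not from the article): audit a Windows host for the three
# WanaCrypt0r mitigations and optionally apply the last two (-Remediate).
# ASSUMPTION: MS17-010 KB numbers vary per OS; supply yours from the bulletin.
param(
    [string[]]$Ms17010Kbs = @('KB<fill-in-from-MS17-010-bulletin>'),
    [switch]$Remediate
)

$findings = @()

# 1. Is any of the MS17-010 hotfixes installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
if (-not ($Ms17010Kbs | Where-Object { $installed -contains $_ })) {
    $findings += 'MS17-010 hotfix not found: install updates and restart'
}

# 2. Is TCP 445 listening without an inbound block rule on the host firewall?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if ($listening -and -not $blockRule) {
    $findings += 'TCP 445 is listening and no inbound block rule exists'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

# 3. Is SMB1 still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMB1 is enabled on the server side'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings: patched, port 445 not exposed, SMB1 disabled' }
```

The host-level 445 block complements, but does not replace, the organisation firewall rule the article recommends; do not apply it on file servers or domain controllers that must serve SMB to clients.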

What can I do if my computer is infected?

Remove the infected computer from the network immediately. If the ransomware has already demanded ransom, it is probably impossible to restore your files unless you have a backup. The safest way is to wipe and reinstall the computer before restoring data from backups.

However, do not delete the encrypted files as the police, for example, may be able to obtain the decryption keys or the developers of the ransomware may release them later for some reason. It is also recommended to report the case to the police. Spreading ransomware is a crime.

Should I pay the ransom?

No. There is no guarantee that paying the ransom will get your data back. Paying the ransom supports the developers of ransomware and facilitates the development of malware which means more and more sophisticated and professional ransomware in the future. It is always unethical to support criminals.

It is likely that the developer of WanaCrypt0r cannot even deliver the decryption keys to users who pay the ransom, because there are so many infected computers. The malware does not provide any unique code or identifier for the victims which the developer could use to automatically match a decryption key to a workstation.

The information security specialists researching WanaCrypt0r have concluded that the decryption keys would have to be delivered manually to each victim, which would mean an enormous amount of work for the criminals. Furthermore, communicating with the victims increases the risk of getting caught. Therefore, it is very likely that the developer of the malware will never get back to you.

Key words: Information security, Cyber security, Cybercrime, Ransomware, Information security now!

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)
