WannaCrypt attacks

July 30, 2017

The ransom is $300, and you have three days to pay before it doubles to $600; if you have not paid within a week, the ransomware threatens to delete the files altogether. The ransom window is titled "Wana Decrypt0r": WannaCry, Wcry and WannaCrypt all refer to the same piece of malware and are merely different renderings of the same name.

The malware spreads via SMB, the Server Message Block protocol that Windows machines use to share files over a network. Once a machine is infected it scans for other reachable hosts on TCP port 445 and propagates to every one that is still vulnerable, which is what turned a single infection into a worm that swept whole networks.
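One way to spot that propagation pattern from the host side, as an added example that is not part of the original post: a PowerShell function that reads Windows Firewall log lines (pfirewall.log, W3C format) and flags any source that opens connections to many distinct hosts on TCP 445 within a short window, which is the fan-out of a scanning SMB worm rather than a user opening a share. The log lines below are constructed for the example, not real traffic, and the threshold and window are assumed values to tune for your environment.

```powershell
# Added example (not from the original post): detect SMB-worm fan-out in Windows Firewall logs.
# pfirewall.log field order (from its "#Fields:" header):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Threshold     = 10,   # distinct hosts contacted on 445 from one source (assumed value; tune per site)
        [int] $WindowSeconds = 60
    )

    # Keep only outbound TCP connections to port 445; Windows logs these with path SEND.
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }        # "#Fields:" header, comments, blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'SEND') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }

    foreach ($group in ($events | Group-Object -Property Src)) {
        $evs = @($group.Group | Sort-Object -Property Time)
        # Sliding window anchored at each event: how many distinct targets within WindowSeconds?
        for ($i = 0; $i -lt $evs.Count; $i++) {
            $end  = $evs[$i].Time.AddSeconds($WindowSeconds)
            $dsts = @($evs | Where-Object { $_.Time -ge $evs[$i].Time -and $_.Time -le $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($dsts.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    WindowStart     = $evs[$i].Time
                    DistinctTargets = $dsts.Count
                    Targets         = ($dsts -join ', ')
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample (not real traffic): 10.0.0.5 sweeps six neighbours on 445 in three seconds
# (worm-like); 10.0.0.7 talks to one file server on 445 and to a web server on 443 (normal use).
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.20 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.21 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.22 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.23 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.24 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.25 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:05 ALLOW TCP 10.0.0.7 10.0.0.20 50001 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:07 ALLOW TCP 10.0.0.7 10.0.0.20 50002 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:09 ALLOW TCP 10.0.0.7 203.0.113.10 50003 443 0 - 0 0 0 - - - SEND
'@

# Expected: one row for 10.0.0.5 with DistinctTargets 6; 10.0.0.7 is not reported.
Find-SmbFanOut -Lines ($sampleLog -split "`r?`n") -Threshold 5 -WindowSeconds 60 | Format-Table -AutoSize

# Against a real log (logging of successful connections must be enabled on the firewall profile first):
# Find-SmbFanOut -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Windows Firewall only writes ALLOW lines when "Log successful connections" is turned on for the profile, so on a default install this log shows drops only; the same parse-and-count logic applies unchanged to a perimeter firewall or NetFlow export that carries source, destination and destination port.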

It can do this wherever the target machine has not received Microsoft's critical MS17-010 security update, issued on 14 March 2017, which fixes vulnerabilities in SMBv1 (Microsoft's bulletin mentions only SMBv1, but Kaspersky and Symantec have both stated that WannaCry also targets SMBv2). Windows 10 was covered by the same March update and the worm's exploit did not target Windows 10 hosts, so Windows 10 machines are not at risk from this propagation vector. Once it is on a machine, the ransomware encrypts everything it can reach, including files on connected drives and network shares.
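An added example (not the original post's content) of how a Windows administrator can check a host against the points above from PowerShell: whether one of the MS17-010 packages is in the hotfix list, whether the SMBv1 server is still enabled, and, with -Remediate, the two mitigations Microsoft recommended for machines that could not be patched immediately: disabling SMBv1 (Microsoft KB2696547 documents the registry method for Windows 7) and blocking inbound TCP 445 from non-domain networks. The KB numbers are the ones listed in the MS17-010 bulletin; the script assumes an elevated session, uses the Smb* cmdlets where they exist (Windows 8 / Server 2012 and later) and the registry elsewhere, and the firewall rule name is made up here.

```powershell
<#
  Added example (not from the original post): audit and optionally harden a Windows host
  against the SMBv1 vector WannaCry used. Run from an elevated PowerShell session.
    .\Test-Ms17010Exposure.ps1              # report only
    .\Test-Ms17010Exposure.ps1 -Remediate   # also disable SMBv1 and block inbound TCP 445 on Public/Private
#>
param([switch] $Remediate)

# KB numbers from Microsoft Security Bulletin MS17-010 (March 2017), per platform.
# On Windows 7 and later, later monthly rollups / cumulative updates supersede these and carry the
# fix without keeping the old KB in the hotfix list, so "not found" means "check update history",
# not "definitely unpatched".
$Ms17010Kbs = @(
    'KB4012598',                            # XP, Server 2003, Vista, Server 2008, Windows 8 (custom support)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 cumulative updates
)

$found = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
if ($found.Count -gt 0) {
    "MS17-010 present: $($found.HotFixID -join ', ')"
} else {
    "No MS17-010 KB in the hotfix list; confirm via Windows Update history (a later rollup may supersede it)."
}

# SMBv1 server state. Patched or not, turning SMBv1 off removes this attack surface entirely.
$smbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
$lanman     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smbCmdlets) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol   # Windows 8 / Server 2012 and later
} else {
    # Windows 7 / Server 2008 R2: SMBv1 is on unless LanmanServer\Parameters\SMB1 is 0 (Microsoft KB2696547)
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
}
"SMBv1 server enabled: $smb1Enabled"

# Inbound 445 block rule (name is an assumption for this example; no spaces so netsh quoting is a non-issue).
$ruleName   = 'Block-Inbound-SMB-445'
$ruleExists = [bool](netsh advfirewall firewall show rule name=$ruleName | Select-String -SimpleMatch 'Rule Name:')
"Inbound 445 block rule present: $ruleExists"

if ($Remediate) {
    if ($smb1Enabled) {
        if ($smbCmdlets) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0   # takes effect after a reboot
        }
        "SMBv1 server disabled."
    }
    if (-not $ruleExists) {
        # Domain profile is deliberately left alone so AD and internal file shares keep working;
        # Public/Private cover the laptop-on-hotel-wifi case where 445 must never be reachable.
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=445 profile=public,private | Out-Null
        "Inbound TCP 445 blocked on Public and Private profiles."
    }
}
```

Treat the hotfix check as a hint rather than proof: Get-HotFix reports what Windows Installer recorded, and a cumulative update that contains the fix will show its own KB instead. The SMBv1 state is the reliable signal, and disabling it is the mitigation that still protects a host for which no patch is available.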

In March, Microsoft released a security update, Microsoft Security Bulletin MS17-010, that addresses the vulnerability these attacks exploit.

Microsoft Security Bulletin MS17-010 – This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.  The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

Note – Microsoft has taken the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the recent attack.

Useful download links for the out-of-support platforms covered by the March update

Windows Server 2003 SP2 x64

Windows Server 2003 SP2 x86

Windows XP SP2 x64

Windows XP SP3 x86

Windows XP Embedded SP3 x86

Windows 8 x86, Windows 8 x64