WanaCryptor, Ransomware, Updates, and Windows XP
Author: Adam Baldwin
You may have heard recently of new ransomware called “WannaCry” or “WanaCryptor” or some variant of that name. On Friday, May 12th, the ransomware appeared seemingly out of nowhere and began ravaging computer systems across Europe and Asia. The virus had spread so quickly that within a few hours, it had infected more computers than all other ransomware had infected all week. Victims of the virus included banking institutions, telecom companies, universities, the National Health Service in the UK, and even the Russian Interior Ministry. So what is this ransomware? What is the current status of it? And what can we do to stop the spread?
This is a good opportunity to quickly review what exactly “ransomware” is. Put simply, “ransomware” is software that holds your data for ransom. It does this by searching for specific types of files (usually your pictures, videos, and other documents) and then encrypting them using a unique encryption key. Once the encryption process is complete (depending on how many files there are and how fast the computer is, it could take mere minutes or up to several hours), the virus puts a ransom message on the screen and removes itself from the computer. The encryption process occurs silently in the background; often the user has no idea that the infection has occurred until after all of their data has been encrypted. Only once the ransom message appears does the user become aware of what has happened, and when they try to access one or more of their files, the files will not open properly.
What exactly is encryption, anyway? Encryption is a security tool. When you encrypt a file, you’re basically using a secret code to scramble the contents of the file so that no one can access its contents without knowing the code. When a file is encrypted, its contents appear to be random. A Word document, for instance, doesn’t just contain the information you typed in it; it also includes stuff called “metadata,” or data about the data. This metadata contains everything from information about the file type to stuff like text formatting. Because everything within the file is encrypted, if you try to open it without decrypting it first, Word won’t even know what kind of file it is. It will not be able to open the file because the file appears to the program as random data.
As we said before, this is a security feature. If your files happened to fall into the wrong hands, whoever has access to them cannot read their contents without breaking the encryption, which is extremely difficult if not impossible to do without the decryption key. So encryption is good for keeping prying eyes away from your data. Unfortunately, it has also turned into a powerful money-making tool for malicious program writers. They turn encryption against you by secretly encrypting your data using their own key and then telling you that if you want the key, you’ll have to pay up or else!
WanaCryptor is somewhat unique in that it uses an alleged CIA exploit tool that was leaked to the public last month. Before then, the virus was not being widely distributed, but it has now made its presence known. The exploit being used affects all versions of Windows from XP to 10, including server versions. The virus includes a worm executable which scans the Internet for computers with a certain port open. Microsoft actually released a patch in March to address the vulnerability, but had not included Windows XP or Windows 8, since those operating systems are no longer actively supported. However, after the huge spread of the virus, Microsoft has released emergency patches for those operating systems as well. It is believed that a large portion of the machines that have been infected recently have been running Windows XP.
If you’re still running Windows XP, it might be finally time to move on. Despite the growing pains of migrating to a new operating system on a new computer, computer security is more important than ever, and one of the key ways of protecting an Internet-connected computer (or other device, for that matter) is to keep it up-to-date. Windows XP is now 15 years old, which is ancient in the world of operating systems. Only in rare, critical instances like this will Microsoft release a new security patch. And by the time they do, it may already be too late. Even if you’re using a newer version of Windows, it is absolutely CRITICAL that all of the recent patches have been installed to ensure the operating system is up to date and safe from the security flaw that allowed WanaCryptor to run rampant across Europe.
Here’s what the WanaCryptor ransom message looks like:
If you ever see a message on your screen stating that your files have been encrypted, your immediate action should be to shut the computer down! The longer the computer runs, the more time the virus has to do what it wants to do, whether it’s encrypting more of your data or deleting restore copies of the data that has already been encrypted. It’s not that common for the ransom message to appear before the virus has finished its task, but it does happen sometimes. Sometimes we are able to catch the virus early enough to be able to retrieve data even if the virus has deleted it, or we’re able to find a decryptor available to decrypt the data, but this is not always the case. Regardless, your best shot at saving your data is to shut down the computer as soon as you see the message!
Additionally, during and after the encryption process you’ll often find that your newly-encrypted data files have new names. Sometimes the virus will randomize the filenames, or it may just change the file extension. WanaCryptor does the latter: you’ll still see your files, but they will have the .WNCRY extension, as shown below:
This is another important indication that your data is in jeopardy. If you go into your documents folder and start seeing weird file names, weird extensions, or files that no longer open properly, you may be seeing the effects of a ransomware virus in the encryption process before the ransom message has had a chance to appear. Again, the best course of action is to shut the computer off, which will prevent the virus from being allowed to continue its actions. Bring it in to us and we can assess the damage without powering the computer on, and will do everything in our power to save any data we can.
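The two signs described above (files whose contents have turned into random-looking data that the program no longer recognizes, and files carrying the .WNCRY extension) can be checked for mechanically. The script below is an added example written for this post, not code from the author; it walks a folder, flags files by the WanaCryptor extension, by a file header that no longer matches what the extension promises, and by contents that look random (high byte entropy). The small table of file headers, the 7.5 bits-per-byte threshold, and the constructed sample files are all assumptions made for the demonstration. It is the kind of check a technician would run over a copy of a drive from a clean machine, consistent with the advice above to power the infected computer off rather than keep using it.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative "magic" header bytes for a few common document types
# (assumption: a small table for the demo, not an exhaustive list).
MAGIC = {
    ".docx": b"PK\x03\x04",      # modern Office files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Extension the post says WanaCryptor leaves on encrypted files.
RANSOM_EXTENSIONS = {".wncry"}

# Bits of entropy per byte above which contents look encrypted (assumed threshold;
# plain documents score well below this, encrypted data approaches 8.0).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path, sample_size: int = 4096) -> list:
    """Return the reasons this file looks like it was touched by ransomware (empty if none)."""
    reasons = []
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        reasons.append("ransomware extension")
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    expected = MAGIC.get(suffix)
    if expected is not None and not head.startswith(expected):
        reasons.append("header does not match extension")
    # Skip tiny files: entropy estimates on a handful of bytes are meaningless.
    if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        reasons.append("contents look random (high entropy)")
    return reasons


def scan_tree(root: Path) -> dict:
    """Walk `root` and map each suspicious file (relative path) to its list of reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reasons = inspect_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for encrypted data: a SHA-256 hash chain (constructed, not real ciphertext)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_tree() -> Path:
    """Create constructed sample files in a temp folder: one healthy PDF, one file renamed
    the way WanaCryptor does, and one .docx whose contents were overwritten."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"Quarterly numbers\n" * 40)
    (root / "budget.xlsx.WNCRY").write_bytes(pseudo_random_bytes(4096, b"budget"))
    (root / "thesis.docx").write_bytes(pseudo_random_bytes(4096, b"thesis"))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in sorted(scan_tree(sample_root).items()):
        print(f"{rel_path}: {', '.join(why)}")
```

The header check is the programmatic version of "Word won't even know what kind of file it is": a .docx that no longer begins with the ZIP signature cannot be a valid Word file. The entropy check catches encrypted files regardless of what they were renamed to, which matters for ransomware families that randomize names instead of appending an extension.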
Ransomware is an extremely lucrative business for the people who write it, generating about $1 billion in 2016. Mission-critical outlets like hospitals often have no option other than to pay the ransom and get their data back, as time is of the essence. It’s important to note that, if the data really is critical, sometimes paying the ransom is the best or only option. However, paying the ransom doesn’t always guarantee that you’ll get your data back. There have been instances where sloppy ransomware developers shipped decryptors that did not work properly, meaning not only did you not get your data back after paying, but the decryptor actually destroyed the encrypted data and eliminated any chance of recovery. That’s why it’s important to take the computer to people who are familiar with ransomware and let them assess the situation. We have been able to recover all encrypted data in about 50% of the infections we’ve seen, and we can advise you of the best possible solution moving forward.
WanaCryptor has seen a big drop-off from its initial outbreak, thanks to the inadvertent discovery of a “kill switch.” How the kill switch was found and how it works is not important; the takeaway here is that the virus has been temporarily slowed down. The nature of how the virus spreads means that the most important thing right now is to ensure your computer has the necessary patch to fix the vulnerability, because even though this particular variant of the virus has a kill switch, it would be very easy for malware writers to create a new version of the virus with a different switch, or no switch at all. These people don’t usually wait too long to create new versions once their virus gets defeated. This recent event has been a harsh reminder of the importance of keeping computers up-to-date and the importance of backing up critical data.