WannaCry ransomware

simon rose
Ntwrk_IT
May 15, 2017

WannaCry is a ransomware program that began targeting older versions of Microsoft Windows on 12th May 2017. It was first reported as affecting PCs in the UK’s NHS and quickly spread to other countries and organisations. The BBC has reported that over 200,000 PCs are thought to have been affected in 150 countries; this number is growing and more variants are expected.

WannaCry encrypts the data on an infected PC and demands a $300 ransom to decrypt the files. After 3 days the ransom increases, and after 1 week the data will not be recoverable.

WannaCry attacks PCs running the Windows Operating System (OS) that are not kept up-to-date with recent patches. Microsoft released the patch MS17-010 on 14 March 2017, which would have prevented this attack. Windows XP did not receive this patch because the OS is no longer supported: Windows XP was released in 2001, mainstream support ended in 2009 and extended support ended in 2014. On 13th May 2017, Microsoft released an emergency patch for Windows XP.

A “kill switch” was found, which stopped the spread of the WannaCry ransomware. WannaCry checks for a website, and if it is not found then it will encrypt the PC’s data. Registering this domain stopped the ransomware spreading. Variants of WannaCry have been seen that check a different website, and WannaCry 2.0 has been seen without this website check, so it has no “kill switch”.

WannaCry spreads to other PCs through ports 139 (NetBIOS Session Service) and 445 (Microsoft-DS Active Directory, Windows shares). Organisations should have these ports blocked on their external firewalls. However, if an infected PC connects to an organisation’s network, it will start scanning and trying to infect other unpatched, vulnerable Windows PCs on the network.
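The internal scanning described above leaves a recognisable trace in firewall or flow logs: one source contacting many distinct hosts on ports 139 and 445 within a short time. The following is an added example (not part of the original post) that flags that pattern; the log format, the 60-second window and the threshold of 4 hosts are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # the two ports the article names
# Constructed flow records (not real traffic): "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2017-05-15T09:00:01 10.0.0.23 10.0.0.101 445
2017-05-15T09:00:01 10.0.0.23 10.0.0.102 445
2017-05-15T09:00:02 10.0.0.23 10.0.0.103 139
2017-05-15T09:00:03 10.0.0.23 10.0.0.104 445
2017-05-15T09:00:05 10.0.0.40 10.0.0.5 445
2017-05-15T09:00:09 10.0.0.40 10.0.0.8 443
2017-05-15T09:01:00 10.0.0.77 10.0.0.5 445
2017-05-15T09:11:00 10.0.0.77 10.0.0.6 445
2017-05-15T09:21:00 10.0.0.77 10.0.0.7 445
2017-05-15T09:31:00 10.0.0.77 10.0.0.8 445
truncated line
"""

def parse_flows(text):
    """Yield (time, src, dst, port); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        try:
            when, port = datetime.fromisoformat(parts[0]), int(parts[3])
        except (IndexError, ValueError):
            continue
        yield when, parts[1], parts[2], port

def find_smb_sweeps(text, window=timedelta(seconds=60), threshold=4):
    """Return {src: peak distinct 139/445 destinations in a window} at or above threshold."""
    per_src = defaultdict(list)
    for when, src, dst, port in parse_flows(text):
        if port in SMB_PORTS:
            per_src[src].append((when, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1
            peak = len({dst for _, dst in events[start:end + 1]})
            if peak >= threshold:
                alerts[src] = max(peak, alerts.get(src, 0))
    return alerts

if __name__ == "__main__":
    print(find_smb_sweeps(SAMPLE_FLOWS))  # {'10.0.0.23': 4}
```

Only 10.0.0.23 is flagged: 10.0.0.77 reaches the same number of hosts but spread over half an hour, and 10.0.0.40 talks to a single server, so neither crosses the threshold inside one window.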

To protect against the WannaCry attack:

  • Ensure all Windows PCs and servers have the latest patches applied
  • Install the Microsoft security update MS17-010
  • Ensure antivirus software is kept up-to-date. Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update.
  • Disable SMBv1 with the steps documented in Microsoft Knowledge Base Article 2696547
  • Ensure ports 139 and 445 are blocked on your corporate firewall
  • Where possible, upgrade to the latest version of Windows 10 and avoid running Windows XP and other unsupported OSes

More information from Microsoft can be found at the following links:

  • Microsoft’s response to WannaCry
  • Microsoft details WannaCry ransomware
