A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

Everything you need to know about the 'WannaCrypt' ransomware attack

Science

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

On Monday, at least 45,000 computers across the globe continued to be held hostage by malware called WannaCrypt (also known as WannaCryptor and WannaCry). This ransomware attack, which demands users shell out $300 to $600 worth of Bitcoins to regain access to their systems, spread across Asia after rocking Europe this weekend. In all, 150 countries have reported compromised computer systems. Businesses in China had systems hijacked, Russia's interior ministry had 1,000 computers affected and at least one South Korean movie theater had issues playing trailers. Kaspersky Lab, a Russian cybersecurity firm, alleges WannaCrypt ransomware may be tied to hackers from North Korea.

Ransomware is not a new invention. The first piece of malware that demanded payment was written in 1989. But the latest iterations have become increasingly sophisticated. While governments and corporations scramble to perform damage control, here's what we know about the origins of this cyber attack, who might be to blame and what you can do to protect yourself.

How did this happen?

  • The tools behind the attack originated within the NSA. EternalBlue and DoublePulsar, two tools the NSA used to infiltrate computer networks, were stolen from the agency and leaked online in April as part of a massive data dump by the Shadow Brokers hacker group.
  • WannaCrypt exploits a very specific hole in Windows called Server Message Block connections. SMB networks are used in homes and businesses to transfer data between trusted computers. WannaCrypt hijacks this connection using EternalBlue, which allows the malware to spread across businesses in seconds. The DoublePulsar portion of the code then installs a backdoor into affected computer systems, allowing for remote control of the personal computers.

Who was affected?

  • Computers in 150 countries have been affected. Kaspersky Lab says that the majority of affected systems were in Russia. It appears the developers hoped their malware would go international, as the ransom message had been translated into dozens of languages. You can see how many computers have been infected here.
  • FedEx, French automaker Renault and Spanish telecommunications firm Telefonica are among those attacked.
  • Hospital computer systems across Europe were crippled for several hours. The British National Health Service was one of the earlier targets and also among the hardest hit. On Friday, it reported 16 computer networks were shut down. The hospitals were forced to turn away all non-emergency patients. NHS has mostly recovered — by Monday, only two hospitals were still closed to new patients.
  • Is the threat still out there?

    • New infections stopped Friday when a malware researcher in the UK discovered a web domain in the code. The domain is believed to be a defense against sandboxing, the act of isolating software to research it. By checking if this website — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — exists, the program would have closed itself to prevent being examined by cybersecurity personnel. Seconds after the researcher registered the domain, the malware stopped propagating. But this is only a temporary fix, as the software can be modified to check a different domain.
    • Microsoft patched this hole in March for modern versions of Windows. But the vulnerability still existed for legacy versions of Windows, like Windows 8 and Windows XP. Even though Microsoft no longer provides updates for Windows XP, it is still widely used in Europe and Asia.
      Reports say new variants of WannaCrypt have appeared that do not have this kill switch. However, a glitch in the installer means that the variant propagates, but doesn't install the part of the malware that locks the computer.

    How to protect yourself.

    • If you have a recent backup, restore from it: Ransomware is worthless to a hacker if a user has a backup. You may lose some data, but it's a lot better than losing access to all of your files. Make sure the backup is not connected to your main computer, so it doesn't become infected. So either use an external hard drive or a cloud-based system to backup your valuable files.
    • Because WannaCrypt exploits a quirk of the Windows operating system, Macintosh and Linux systems are safe.
    • Microsoft released a patch for the Windows XP and Windows 8 vulnerability on Friday. The patch was automatically applied for Windows 7 systems in March, but Windows XP users must download the patch to secure their system.
    • Always practice net safety. Don't open attachments from people you don't know, and don't visit potentially compromised websites. Some web browsers will alert you if a site appears to be suspicious.
    • Keep your computer up to date. Several security holes are fixed before they can be exploited. No matter what operating system you use, keep on top of when updates are released and install as soon as you can.

    The bottom line: This should be 'a wake-up call'

    In a blog post, Microsoft admonished governments around the world for keeping software vulnerabilities to themselves, instead of reporting them to the developers.

    "The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," said Microsoft President and Chief Legal Officer Brad Smith. "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Recently in Science