FAQ: Are you in danger from the WannaCrypt ransomware?

The worm called WannaCrypt (aka WannaCry, WannaCrypt0r, WanaCry, and WCry) dominated tech headlines through the weekend. According to Europol, quoted in the New York Times, WannaCrypt infected 200,000 computers in more than 150 countries, tied the UK health service in knots, knocked out the Spanish phone company, troubled train travelers in Germany, and took big swipes out of FedEx, Renault, a reported 29,000 Chinese institutions, and networks all over Russia—including the Russian Interior Ministry.
I first saw reports of the new ransomware on Friday morning, although it looks like the worm started spreading on Thursday night (per Costin Raiu). By Friday evening, a security researcher who goes by the handle MalwareTech (and who wants to remain anonymous) became an “accidental hero” by activating a sinkhole that killed WannaCrypt.
Microsoft posted a description of the inner workings of WannaCrypt on Friday, the day it appeared. Amanda Rousseau at Endgame posted a more detailed technical analysis on Sunday. There’s an active GitHub Factsheet, and SANS Internet Storm Center has an excellent PowerPoint presentation suitable for management.
I’m going to cut through the jargon and answer the questions that normal people have about the WannaCrypt ransomware, and what comes next.
Can I get infected by WannaCrypt?
Mostly no, for now. MalwareTech's sinkhole stops the original sample: before it spreads or encrypts anything, it tries to reach one odd web domain, and if that connection succeeds it quits. The check fails, and the malware runs anyway, on machines that can't reach the domain directly, in particular on networks that block it or that only allow web access through a proxy (the malware ignores proxy settings). For most people, though, the original WannaCrypt has been out of commission since late Friday.
So I don’t need to worry about it right now?
Wrong. Very wrong. This is one of those rare times when the Windows sky is falling. We already have reports from Matt Suiche of a new WannaCrypt variant that’s been sinkholed with 10,000 infections logged. The clones are coming, and many of them won’t be easy to stop. You have to get your Windows PC patched NOW.
How do I patch my Windows computer?
If you’re using Windows 7, 8.1, or 10, you can run Windows Update and install all “important” patches. If you don’t feel comfortable installing all patches, or if Microsoft has blocked Windows Update on your computer because it’s running Windows 7 or 8.1 on a Kaby Lake (or Ryzen) processor, I have instructions on AskWoody that will help you figure out if your system’s already patched and, if not, how to minimally patch your system. The patch you're looking for is the one from security bulletin MS17-010, released in March. ProTip: Installing all important patches, if you can, is much easier.
If you’re using Windows XP, 8, or Vista, special instructions apply. (See the AskWoody site.)
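To see where a machine stands, here is a PowerShell script added to this FAQ as an illustration (it is not taken from AskWoody or from Microsoft). It looks for the MS17-010 hotfix IDs, reports the version of srv.sys (the SMBv1 server driver the fix replaces), shows whether the SMBv1 server is turned on, and stages the command to turn it off in dry-run mode. The KB list is my reading of the MS17-010 bulletin; confirm it against the bulletin for your exact build. Run it from an elevated PowerShell window.

```powershell
# Added example (not from AskWoody or Microsoft): is this PC patched for MS17-010,
# and is SMBv1 still on? Run from an elevated PowerShell. Changes are dry-run.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning 'Not elevated: the SMBv1 change below will fail.' }

# 1. Hotfix IDs from the MS17-010 bulletin (my reading of it; confirm against
#    the bulletin for your build). A LATER rollup that supersedes these does not
#    list them, so "not found" alone does not prove you are unpatched.
$ms17010 = @(
    'KB4012598',              # Windows XP, Vista, 8, Server 2003 (out-of-band)
    'KB4012212', 'KB4012215', # Windows 7 SP1 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012606',              # Windows 10 1507
    'KB4013198',              # Windows 10 1511
    'KB4013429'               # Windows 10 1607 / Server 2016
)
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    'MS17-010 hotfix installed: ' + (($found | ForEach-Object { $_.HotFixID }) -join ', ')
} else {
    'No MS17-010 hotfix ID found: unpatched, or superseded by a later rollup (see srv.sys).'
}

# 2. Independent check: MS17-010 replaces srv.sys, the SMBv1 server driver.
#    Compare this version and date with the file table in the bulletin for your OS.
$srvPath = "$env:SystemRoot\System32\drivers\srv.sys"
if (Test-Path $srvPath) {
    $srv = Get-Item $srvPath
    'srv.sys ' + $srv.VersionInfo.FileVersion + ' dated ' + $srv.LastWriteTime.ToString('yyyy-MM-dd')
} else {
    'srv.sys not present: the SMBv1 server is not installed on this machine.'
}

# 3. Is the SMBv1 server enabled? Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; Windows 7 has only the registry switch Microsoft
#    documents for disabling SMBv1 (LanmanServer\Parameters\SMB1 = 0).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $v) -or ($v -ne 0)    # no value at all means SMBv1 is on
}
"SMBv1 server enabled: $smb1On"

# 4. Turn it off (dry run: remove -WhatIf to apply; Windows 7 needs a reboot).
#    Keep SMBv1 only if an old NAS, printer or XP share truly depends on it.
if ($smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord -Force -WhatIf
    }
}
```

A later cumulative update that supersedes the March patch will not show up under its own KB number, so a "not found" from the first check is not proof you're unpatched; the srv.sys version is the tie-breaker. On Windows 8.1 and 10 you can also remove the SMBv1 client and server together with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. Don't switch SMBv1 off blindly if an old NAS, printer, or XP box still needs it; patch instead.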
I installed the WinXP patch. Do I need to update Microsoft Security Essentials?
There’s no MSE patch available, according to Michael Horowitz at Computerworld.
Can I install the WinXP patch on pirated software?
You’re caught between a rock and a very hard place: You can install the patch and hope it doesn’t brick your machine, or you can wait and see if a future piece of malware bricks your machine. My recommendation is to back up everything, install the patch, and be ready to install a genuine copy of Win7 if the PC goes belly-up.
Do I need to patch other computers?
It looks like macOS, iOS, ChromeOS, Android, and Linux of all flavors got a free pass on this one. The hole is in Windows' implementation of SMBv1, so only Windows machines can be infected, and that includes Windows running in a virtual machine on a Mac or Linux box.
How does the infection work?
WannaCrypt and its cohorts spread by scanning for other Windows computers that accept connections on TCP port 445 and still run an unpatched copy of SMBv1, the old version of the Windows file-sharing protocol. The worm scans the local network and also random addresses on the public internet. Any machine it reaches on port 445 that hasn't had the MS17-010 fix installed (or had SMBv1 turned off) gets exploited and infected automatically; nobody has to click on anything.
That explains how the infection spreads on a network. It doesn’t explain how the first computer on a local network gets infected.
So how does the first computer on a local network get infected?
Nobody knows. There are lots of possibilities, but as of this writing we don’t have an example of a smoking gun. Malware legend Vess Bontchev deduces that the first computer infected on a local network probably had port 445 open to the internet.
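The two answers above come down to one question for a home or office network: which machines answer on TCP port 445, and can anything outside the local network reach them? The following PowerShell script is an added example, not something from the article or its sources. It sweeps a /24 for hosts accepting connections on 445, then stages a Windows Firewall rule that blocks inbound 445 from addresses outside the local subnet. The 192.168.1.0/24 range and the 300 ms timeout are assumptions; adjust them, and only scan networks you are responsible for.

```powershell
# Added example (not from the article): find LAN hosts listening on TCP 445 and
# stage a firewall rule so 445 is reachable only from the local subnet.
# Assumptions: the LAN is 192.168.1.0/24 and 300 ms is long enough for a LAN
# host to answer. Scan only networks you are responsible for.
$subnet    = '192.168.1'
$timeoutMs = 300

function Test-Port445 {
    param([string]$Ip)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect: a dead address costs $timeoutMs instead of the
        # ~20 s a blocking connect (or Test-NetConnection) burns per host.
        $async = $client.BeginConnect($Ip, 445, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($async)     # throws if the host actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Sweep the /24. Sequential on purpose: simple, and worst case about 76 s.
$listening = foreach ($n in 1..254) {
    $ip = "$subnet.$n"
    if (Test-Port445 -Ip $ip) { $ip }
}
'Hosts accepting connections on TCP 445 (verify MS17-010 / SMBv1 on each):'
$listening | ForEach-Object { "  $_" }

# Block inbound 445 from anything outside the local subnet. 'Internet' is one of
# the firewall's built-in address keywords (addresses outside your local network).
# New-NetFirewallRule exists on Windows 8 / Server 2012 and later; remove -WhatIf
# to create the rule for real.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block SMB (TCP 445) from outside local subnet' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress Internet -Action Block -Profile Any -WhatIf
} else {
    # Windows 7 has no NetSecurity module, and netsh cannot express "not the
    # local subnet", so block 445 on the Public profile, where file sharing
    # should not be happening anyway. Shown here rather than run:
    'netsh advfirewall firewall add rule name="Block SMB (TCP 445) on public networks" dir=in action=block protocol=TCP localport=445 profile=public'
}
```

A host that answers on 445 isn't necessarily vulnerable (it may be patched, or have SMBv1 off), but it is the list of machines you must verify. A forwarded port 445 on your router, or a PC plugged straight into the modem, is exactly the exposure Bontchev describes; check the router's port-forwarding page, or port-scan your public address from outside, to rule it out.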
Can I get infected by opening an email attachment?
No—as far as we know, anyway. Nobody’s found an infected email, and a lot of people have looked. Kevin Beaumont (@GossiTheDog) has a video showing how WannaCrypt replicates worm-style over a network, with no email required. It takes two minutes.
Can I get infected by surfing to a bad website or viewing compromised ads online?
No.
What’s a sinkhole?
WannaCrypt has an off switch. Before the infection routine runs, it tries to connect to a web domain with a long, random-looking name that nobody had registered when the worm was released. If the connection succeeds, WannaCrypt quits without doing anything. By registering that domain and pointing it at a server he controls (that's the sinkhole), MalwareTech made the check succeed everywhere the domain is reachable, and so defused the original WannaCrypt. The sinkhole also logs every infected machine that phones in, which is where the infection counts come from. There's lots of speculation as to the reason for the off switch, but nobody knows what the author was thinking.
Why the worry about copycats?
WannaCrypt's code is widely available. Anybody with a hex editor can change the off-switch domain to one that doesn't exist, or remove the check entirely, and the sinkhole no longer helps. Making a clone is easy, although getting it started might not be.
Why didn’t WannaCrypt infect Windows XP computers?
The EternalBlue exploit code built into WannaCrypt doesn't work reliably against WinXP: rather than infecting an XP machine, it tends to crash it with a blue screen. An XP machine can still be encrypted if the ransomware is run on it by hand, and a rewritten variant may well fix the exploit, so XP still needs the patch.
Why didn’t WannaCrypt infect Windows 10 computers?
Because the exploit code built into WannaCrypt doesn't target Win10. The underlying SMBv1 bug existed on Win10 as well, which is why the MS17-010 fix covers Win10 too.
Where did WannaCrypt come from?
Nobody knows who put it together, but the code is largely copy-and-pasted from the Shadow Brokers leaked code—specifically the part called EternalBlue, which I’ve discussed. It seems likely (and Microsoft just confirmed) that the Shadow Brokers code was stolen from the U.S. National Security Agency.
So the NSA is to blame?
It’s not that simple.
So Microsoft is to blame?
It’s not that simple, either.
So WannaCrypt is based on the CIA code that was leaked by Wikileaks?
No. The CIA and the NSA are two entirely different organizations. Shadow Brokers is not Wikileaks. The leaked code is completely different, according to Grant Gross of the IDG News Service.
Can antivirus software stop WannaCrypt?
All of the AV vendors have pushed detections for the known WannaCrypt samples, and many have added behavior-based protections aimed at the way it encrypts files. Even if your AV vendor says it covers WannaCrypt, you still have to get Windows patched: antivirus recognizes the payloads it has seen, not the SMBv1 hole that the next variant will come in through. No exceptions.
If I get infected, what happens?

You get a big dialog box that tells you that your files have been encrypted. If you see this dialog, yep, your DOC, DOCX, XLS, XLSX, JPG, and more than a hundred additional file types have all been encrypted. To date, nobody has been able to crack the encryption.
If my computer gets infected, will all of the drives get hit?
Yes. Even your file history drive, according to poster @b on AskWoody.
So I should pay the ransom?
No. The idiot(s) who wrote WannaCrypt are handling all the decryption activity—the order fulfillment—by hand, according to @hackerfantastic. Even if you pay them, and thus encourage them and others to do it again, there’s a very good chance you won’t receive a response.
They made a killing off this, right?
As of Monday morning, the three hard-coded bitcoin wallets have accumulated about $60,000. You can see the latest results for yourself: wallet 1, wallet 2 and wallet 3. No bitcoins have been pulled out of the wallets, as of this moment, so the author(s) hasn’t spent any of it.
We were lucky it was “just” ransomware, yes?
No. We don’t have the slightest idea if WannaCrypt installed backdoors, or if there is some other unforeseen consequence to all of this, according to Dan Goodin at Ars Technica.
Is this a good reason to get Windows 10?
No. This particular piece of malware didn't infect Windows 10, but that's because the exploit code it borrowed from the NSA leak doesn't target Windows 10. Someone considerably more adept than the WannaCrypt author(s) could build an exploit for the same SMBv1 flaw on Win10. The only general solution is to get MS17-010 installed on every version of Windows, and to turn off SMBv1 wherever nothing needs it, using the techniques discussed earlier.
Surprisingly, WannaCrypt didn't reliably infect WinXP computers either (its exploit tends to crash them instead), although the underlying NSA code can.
Is this a good reason to turn on Automatic Updates?
No. It’s a good reason to apply updates periodically. Microsoft released the SMBv1-correcting patch (MS17-010) 60 days before WannaCrypt appeared. If you applied patches at any point during those 60 days, you were covered.
Is the stockpiling of vulnerabilities by governments a problem?
Brad Smith, Microsoft’s head lawyer, thinks so. According to Smith:
We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage… We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits… We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.
You should read the rest of his call to arms. He’s right.
Questions—and answers—continue on the AskWoody Lounge. Apologies if you have trouble getting through—the site’s been overwhelmed with WannaCrypt traffic.