The worm called WannaCry (aka WannaCrypt, WannaCry0r, WanaCry, and WCry) dominated tech headlines through the weekend. According to Europol, quoted in the New York Times, WannaCry infected 200,000 computers in more than 150 countries, tied the UK health service in knots, knocked out the Spanish phone company, troubled train travelers in Germany, and took big swipes out of FedEx, Renault, a reported 29,000 Chinese institutions, and networks all over Russia—including the Russian Interior Ministry.
I first saw reports of the new ransomware on Friday morning, although it looks like the worm started spreading on Thursday night (per Costin Raiu). By Friday evening, a security researcher who goes by the handle MalwareTech (and who wants to remain anonymous) became an “accidental hero” by activating a sinkhole that killed WannaCry.
Microsoft posted a description of the inner workings of WannaCry on Friday, the day it appeared. Amanda Rousseau at Endgame posted a more detailed technical analysis on Sunday. There’s an active GitHub Factsheet, and SANS Internet Storm Center has an excellent PowerPoint presentation suitable for management.
I’m going to cut through the jargon and answer the questions that normal people have about the WannaCry ransomware, and what comes next.
Can I get infected by WannaCry?
No. MalwareTech defanged the malware. Although there are a few extraordinary situations where the threat persists (in particular if your network blocks access to one odd website), for most people, WannaCry has been out of commission since late Friday.
So I don’t need to worry about it right now?
Wrong. Very wrong. This is one of those rare times when the Windows sky is falling. We already have reports from Matt Suiche of a new WannaCry variant that’s been sinkholed with 10,000 infections logged. The clones are coming, and many of them won’t be easy to stop. You have to get your Windows PC patched now.
Why didn’t WannaCry infect Windows XP or 10 computers?
Because those responsible for Friday’s attacks used code from several sources, and researchers have determined that the code used didn’t include functions for Windows XP or Windows 10. (Britain’s National Health Service has said its WinXP PCs were not infected by WannaCry, despite initial reports that they were.)
However, that doesn’t mean WinXP and Win10 are safe. If unpatched, both carry the same vulnerability as every other version of Windows, and different exploit code could take advantage of it, which is why Microsoft issued an emergency patch for it.
Even though WannaCry’s exploit code doesn’t target WinXP or Win10, you can expect that other variants will, which is why every Windows PC should be patched immediately.
How do I patch my Windows computer?
If you’re using Windows 7, 8.1, or 10, you can run Windows Update and install all “important” patches. If you don’t feel comfortable installing all patches, or if Microsoft has blocked updating on your computer because it’s running a Kaby Lake processor, I have detailed instructions that will help you figure out if your system’s already patched and, if not, how to minimally patch your system. Tip: Installing all important patches, if you can, is much easier.
If you’re using Windows XP, 8, or Vista, special instructions apply. (See my detailed instructions.)
I installed the WinXP patch. Do I need to update Microsoft Security Essentials?
There’s no MSE patch available, according to Michael Horowitz at Computerworld.
Can I install the WinXP patch on pirated software?
You’re caught between a rock and a very hard place: You can install the patch and hope it doesn’t brick your machine, or you can wait and see if a future piece of malware bricks your machine. My recommendation is to back up everything, install the patch, and be ready to install a genuine copy of Win7 if the PC goes belly-up.
Do I need to patch other computers?
It looks like MacOS, iOS, ChromeOS, Android, and Linux of all flavors got a free pass on this one.
How does the infection work?
WannaCry and its cohorts infect by looking on the network for other computers that are running an old file-sharing protocol called SMBv1 (Server Message Block, version 1). The only way it can spread is if there’s another machine attached to the network with an open port (called port 445) that’s still using the old SMBv1 protocol.
That explains how the infection spreads on a network. It doesn’t explain how the first computer on a local network gets infected.
So how does the first computer on a local network get infected?
Nobody knows. There are lots of possibilities, but as of this writing we don’t have an example of a smoking gun. Malware legend Vess Bontchev deduces that the first computer infected on a local network probably had port 445 open to the internet.
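The two conditions just described (SMBv1 still enabled, and port 445 reachable) are things you can check on your own PC. The script below is an added example, not from this article or from Microsoft; it assumes an elevated PowerShell prompt on Windows 8.1, 10 or Server 2012 R2 and later, and the `$Remediate` flag is my own convention.

```powershell
# Added example: audit one Windows PC for the only spread path the article describes
# (SMBv1 enabled with TCP 445 listening) and, if you choose, turn SMBv1 off.
# Run from an elevated PowerShell prompt on Windows 8.1/10 or Server 2012 R2 and later.
# Windows 7 lacks the Smb* cmdlets; there, rely on the registry check in step 1b.
$Remediate = $false   # set to $true to actually disable SMBv1 (see caveat in step 3)

# 1a. Is the SMBv1 server component enabled? False is what you want.
$cfg = Get-SmbServerConfiguration
"SMBv1 server enabled : $($cfg.EnableSMB1Protocol)"

# 1b. Same answer from the registry; this also works on Windows 7 / Server 2008 R2.
#     A missing 'SMB1' value means the default, which is enabled on those versions.
$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Reg = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
"SMB1 registry value  : $(if ($null -eq $smb1Reg) { 'not set (default = enabled)' } else { $smb1Reg })"

# 2. Is the PC listening on TCP 445, and on which addresses? 0.0.0.0 or :: means every interface,
#    so a router or firewall that forwards 445 would expose it to the internet.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Disable SMBv1. Caveat (mine, not the article's): very old devices such as Windows XP/2003
#    machines, some NAS units and printers speak only SMBv1 and will lose access to this PC.
if ($Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client SKUs ship SMBv1 as an optional feature; removing it finishes after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
    "SMBv1 server enabled after change: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
}
```

Disabling SMBv1 is separate from installing the MS17-010 patch; do both, because an unpatched machine that later re-enables SMBv1 is vulnerable again.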
Can I get infected by opening an email attachment?
No—as far as we know, anyway. Nobody’s found an infected email, and a lot of people have looked. Kevin Beaumont has a video showing how WannaCry replicates worm-style over a network, with no email required. It takes two minutes.
Can I get infected by surfing to a bad website or viewing compromised ads online?
No.
What’s a sinkhole?
WannaCry has an off switch. Before the infection mechanism runs, it tries to connect to a website with a very weird URL. If the website exists, WannaCry won’t run. By registering a website with the correct name, MalwareTech defused the WannaCry infection function. There’s lots of speculation as to the reason for the off switch, but nobody has a clue what the author was thinking.
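Because the off switch is an outbound web request, your own proxy or DNS logs show which machines actually ran WannaCry, and whether the request got through (the caveat above about networks that block the site). The script below is an added example, not from this article; the log format and the `KILLSWITCH-DOMAIN.example` placeholder are constructed, so substitute your proxy's format and the real domain.

```powershell
# Added example: find hosts that tripped the WannaCry off switch in a web-proxy log.
# Any request to the off-switch domain means the worm executed on that host. The host was
# saved only if the request succeeded; a blocked request means the infection routine ran.
$KillSwitchDomain = 'KILLSWITCH-DOMAIN.example'   # placeholder, not the real domain

# Constructed sample log lines (time, client IP, method, URL, result, status). Not real data.
$ProxyLog = @"
2017-05-12T10:01:13Z 10.0.5.21 GET http://KILLSWITCH-DOMAIN.example/ ALLOWED 200
2017-05-12T10:01:40Z 10.0.5.22 GET http://intranet.example/home ALLOWED 200
2017-05-12T10:02:07Z 10.0.7.9  GET http://KILLSWITCH-DOMAIN.example/ BLOCKED 403
2017-05-12T10:02:55Z 10.0.5.21 GET http://KILLSWITCH-DOMAIN.example/ ALLOWED 200
"@

# Parse each non-empty line into an object and keep only requests for the off-switch domain.
$hits = $ProxyLog -split "`r?`n" | Where-Object { $_ -match '\S' } | ForEach-Object {
    $f = $_ -split '\s+'
    [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Url = $f[3]; Result = $f[4] }
} | Where-Object { $_.Url -match [regex]::Escape($KillSwitchDomain) }

# One verdict per host. BLOCKED = the off switch never fired, so treat the host as infected
# and isolate it before it scans the rest of the network on port 445.
$hits | Group-Object Client | ForEach-Object {
    $blocked = $_.Group | Where-Object { $_.Result -eq 'BLOCKED' }
    if ($blocked) { $verdict = 'WannaCry ran; off switch BLOCKED - isolate, assume encrypted' }
    else          { $verdict = 'WannaCry ran; off switch reached - contained, patch now' }
    [pscustomobject]@{ Client = $_.Name; Attempts = $_.Count; Verdict = $verdict }
} | Format-Table -AutoSize
```

With the sample data, 10.0.5.21 is reported as contained and 10.0.7.9 as infected; 10.0.5.22 never appears because it never requested the domain.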
Why the worry about copycats?
WannaCry code is widely available. Anybody with a hex editor can change—or delete—the off switch. Making a clone is easy, although getting it started might not be.
Where did WannaCry come from?
Nobody knows who put it together, but the code is largely copy-and-pasted from the Shadow Brokers leaked code—specifically the part called EternalBlue, which I’ve discussed. It seems likely (and Microsoft just confirmed) that the Shadow Brokers code was stolen from the U.S. National Security Agency.
So the NSA is to blame?
It’s not that simple.
So Microsoft is to blame?
It’s not that simple, either.
So WannaCry is based on the CIA code that was leaked by Wikileaks?
No. The CIA and the NSA are two entirely different organizations. Shadow Brokers is not Wikileaks. The leaked code is completely different, according to Grant Gross of the IDG News Service.
Can antivirus software stop WannaCry?
All of the AV vendors have been working overtime to get WannaCry detectors working, and many have created advanced defense systems. Even if your AV vendor says it covers WannaCry, you still have to get Windows patched. No exceptions.
If I get infected, what happens?
You get a big dialog box that tells you that your files have been encrypted. If you see this dialog, yep, your DOC, DOCX, XLS, XLSX, JPG, and more than a hundred additional file types have all been encrypted. To date, nobody has been able to crack the encryption.
If my computer gets infected, will all of the drives get hit?
Yes. Even your file history drive, according to poster @b on AskWoody.
So I should pay the ransom?
No. The idiot(s) who wrote WannaCry are handling all the decryption activity—the order fulfillment—by hand, according to @hackerfantastic. Even if you pay them, and thus encourage them and others to do it again, there’s a very good chance you won’t receive a response.
They made a killing off this, right?
As of Monday morning, the three hard-coded bitcoin wallets have accumulated about $60,000. You can see the latest results for yourself: wallet 1, wallet 2 and wallet 3. No bitcoins have been pulled out of the wallets, as of this moment, so the author(s) haven’t spent any of it.
We were lucky it was “just” ransomware, yes?
No. We don’t have the slightest idea if WannaCry installed backdoors, or if there is some other unforeseen consequence to all of this, according to Dan Goodin at Ars Technica.
Is this a good reason to get Windows 10?
No. This particular piece of malware didn’t infect Windows 10, but that’s because the underlying NSA code doesn’t infect Windows 10. Someone considerably more adept than the WannaCry author(s) could find a way to infect SMBv1 in Win10. The only general solution is to get SMBv1 patched, on every version of Windows, using the techniques discussed earlier.
Surprisingly, WannaCry didn’t infect WinXP computers either, although the underlying NSA code does.
Is this a good reason to turn on Automatic Updates?
No. It’s a good reason to apply updates periodically. Microsoft released the SMBv1-correcting patch (MS17-010) 60 days before WannaCry appeared. If you applied patches at any point during those 60 days, you were covered.
Is the stockpiling of vulnerabilities by governments a problem?
Brad Smith, Microsoft’s head lawyer, thinks so. According to Smith:
We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. … We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. … We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.
You should read the rest of his call to arms. He’s right.
Questions—and answers—continue on the AskWoody Lounge. Apologies if you have trouble getting through—the site’s been overwhelmed with WannaCry traffic.