Prevention and Removal of WannaCry Ransomware Attack


[Image: the WannaCrypt ransom message screen]

A brief look at the WannaCry ransomware, the ways it gets onto computers, and the steps to take to keep systems safe.

  1. What does WannaCry Ransomware do to a computer?
  2. Possible ways of infection by WannaCry Ransomware.
  3. Prevent the spread of WannaCry Ransomware.
  4. What should we do?
  5. Remove WannaCry Ransomware from infected systems.

1. WHAT DOES WANNACRY RANSOMWARE DO TO A COMPUTER

WannaCry is ransomware: malware that encrypts the files on a computer and demands payment, in a hard-to-trace crypto-currency, before they can be used again. It targets Microsoft Windows and, unlike most ransomware, spreads on its own as a worm, so one infected machine can take down a whole network.

In May 2017 it hit more than 200,000 computers in over 150 countries. Individual PCs, industrial companies, hospitals (including the UK's NHS), schools, railways, banks, a mobile network operator and government organisations were affected.

Once it runs, it takes control of your computer and locks you out of your data until you pay. It encrypts the files on the disk and tells you that they cannot be recovered without the attackers' decryption service.

The ransom note says the files can be recovered as long as you pay within 3 days, that the price doubles after 3 days, and that after 7 days the files are lost for good; a countdown timer on screen shows how much time is left. These deadlines are pressure tactics written into the malware's own note, not a guarantee of anything (see the note on paying below).

Payment is accepted only in the crypto-currency Bitcoin.

2. POSSIBLE WAYS OF INFECTION BY WANNACRY RANSOMWARE

WannaCry gets onto computers in two ways, and the first is what made it so damaging:

  • Over the network, with no user action at all. Once it is running on one machine, the worm component scans for other Windows hosts on TCP port 445 (SMB), both on the local network and on random Internet addresses, and exploits a critical SMBv1 vulnerability (fixed by Microsoft in security bulletin MS17-010; the public exploit is known as EternalBlue) on every host that has not been patched. One infected laptop brought into an office can infect every unpatched machine it can reach.
  • Through the usual malware channels on the first machine: running an authentic-looking program that carries the ransomware, opening a malicious email attachment, visiting a malicious website, or copying files that include the ransomware executable from an infected system. Microsoft noted common phishing tactics with malicious attachments in some of the observed attacks.

Unpatched and out-of-date systems are the common factor: the worm has no way into a machine that has the MS17-010 update installed.

Using a non-admin Windows account or a browser in private/incognito mode does not help against the worm: the SMB exploit runs in the kernel of the target machine, before any user account or browser is involved.

The outbreak started on 12 May 2017 and spread like wildfire across the globe within hours. A security researcher slowed it the same day by registering a domain name the malware looks up before it runs (its "kill switch"): once that domain resolved, the original sample stopped spreading, although later variants used different kill-switch domains or none. The ransom demand is around $300 in Bitcoin, rising to $600 after three days.

Inside enterprise networks the worm moved from machine to machine over SMB using the MS17-010 vulnerability, and servers that exposed SMB (port 445) directly to the Internet were the entry point for many organisations. Internet-exposed RDP (Remote Desktop Protocol) is a frequent way in for ransomware in general and should be closed off too, but WannaCry's own propagation used SMB.

Antivirus is not a reliable shield here. At the moment of the outbreak most antivirus products had no signature for the new sample, so scans could miss it; vendors added detections within hours (Windows Defender detects it as Ransom:Win32/WannaCrypt). Even with a current signature, antivirus catches the dropped executable, not the SMB exploit itself, so patching remains the real fix.

Paying the ransom does not guarantee recovery of your files: all victims are told to pay to the same handful of Bitcoin addresses hard-coded into the malware, so the attackers have no reliable way of telling who paid, and even a successful decryption does not mean the infection was removed.

WannaCry was unable to infect computer systems that were up to date and followed safe computing practice.
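As an added example (not code from the original article), here is a PowerShell function that looks for the propagation pattern described above in Windows Firewall log lines: one source opening port-445 connections to many distinct destinations within a short window. The sample log lines are constructed for the demonstration, and the threshold of ten distinct targets in sixty seconds is an assumption to tune for your own network.

```powershell
# Added example, not code from the original article: flag hosts that behave
# like the WannaCry worm, i.e. one source opening TCP/445 connections to many
# distinct destinations within a short window. Input is in the Windows
# Firewall log format (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log);
# the lines below are constructed for the demo, not captured from an incident.

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Port = 445,
        [int]$MinDistinctTargets = 10,   # assumed threshold; tune for your network
        [int]$WindowSeconds = 60
    )
    # Parse only TCP records to the port of interest; skip comments and headers.
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne "$Port") { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $peak = 0
        # Sliding window: for each connection, count the distinct destinations
        # reached within the next $WindowSeconds. A normal client talks to one
        # or two file servers; the worm talks to dozens of hosts.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end      = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $inWindow = $sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end }
            $distinct = @($inWindow | Select-Object -ExpandProperty Dst -Unique).Count
            if ($distinct -gt $peak) { $peak = $distinct }
        }
        if ($peak -ge $MinDistinctTargets) {
            [pscustomobject]@{
                Source          = $group.Name
                DistinctTargets = $peak
                FirstSeen       = $sorted[0].Time
                Verdict         = "worm-like SMB scanning on TCP/$Port"
            }
        }
    }
}

# --- constructed sample input (not real traffic) --------------------------
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    # 10.0.0.5 sweeps twelve neighbours on port 445 within a few seconds.
    1..12 | ForEach-Object {
        '2017-05-12 11:02:{0:00} ALLOW TCP 10.0.0.5 10.0.0.{1} {2} 445 0 - 0 0 0 - - - SEND' -f $_, (100 + $_), (49200 + $_)
    }
    # 10.0.0.9 is an ordinary client of one file server, plus some HTTPS.
    '2017-05-12 11:02:05 ALLOW TCP 10.0.0.9 10.0.0.50 50001 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 11:03:10 ALLOW TCP 10.0.0.9 10.0.0.50 50002 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 11:02:07 ALLOW TCP 10.0.0.9 93.184.216.34 50003 443 0 - 0 0 0 - - - SEND'
)

Find-SmbScanners -Lines $sampleLog | Format-Table -AutoSize
```

Windows Firewall logging is off by default; on Windows 8 / Server 2012 and later, `Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True` turns it on and the file lands in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log. On the sample data only 10.0.0.5 is reported; 10.0.0.9, which talks to a single file server, is not. The same logic works on a perimeter firewall's logs once the fields are mapped, and there it is worth running against outbound traffic too, since the worm also scans random Internet addresses.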

3. PREVENT THE SPREAD OF WANNACRY RANSOMWARE

  • Keep Windows up to date: run Windows Update and make sure the March 2017 security update (MS17-010) is installed. This is the single step that stops the worm.
  • Disable SMBv1 and block TCP port 445 from untrusted networks, at the perimeter firewall and, on workstations, in Windows Firewall. The worm needs SMBv1 on port 445 to get in.
  • Install an antivirus product, keep it up to date and run a scan. If you have none, the free versions from reputable vendors (Symantec/Norton, McAfee, AVG etc.) are better than nothing.
  • Do not click links or open attachments in emails from people you do not know or trust.
  • Make sure the SmartScreen Filter is enabled in your browser to help identify phishing and malware websites, and that the pop-up blocker is on.
  • Be careful with downloads from the Internet; SmartScreen helps to an extent.
  • Back up your most important files regularly, to a place the infected machine cannot write to.

4. WHAT SHOULD WE DO – WANNACRY RANSOMWARE?

Though the original WannaCry outbreak has been curtailed, new variants can appear at any time, and the vulnerability it uses is still present on any machine that was never patched.
So,

  • Continue to back up your files regularly.
  • Keep your software up to date and apply all security patches without fail.
  • Upgrade Windows to a supported version; the out-of-support versions (XP, Server 2003) only got a patch because this attack was exceptional.
  • Enable Windows Update and reboot after updates: a patch that is downloaded but waiting for a reboot is not protecting you yet.
  • Be cautious with emails and take security warnings seriously.
  • Don't keep your only backup on the same computer or on the same network: the worm spreads to other machines on the network and the encryptor also reaches mapped network drives. Cloud services like Dropbox, Google Drive and OneDrive are convenient, but a sync folder counts as "the same computer" while the client is running: the ransomware encrypts the local copy and the client uploads it. They still help because they keep previous versions of files, so check that version history is turned on and long enough to cover the days until you notice.

Patches:
Microsoft released the security update for the MS17-010 vulnerability on 14 March 2017, two months before the outbreak; any machine that installed it was immune to the worm.
On 12 May 2017, the day the attack started, Microsoft also released out-of-band security updates for Windows XP, Windows 8 and Windows Server 2003 (KB4012598), platforms that were already out of support.
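To turn the checklists in sections 3 and 4 into something you can run on a machine, here is an added example (not code from the article or from Microsoft) that audits a Windows host for the patch, for SMBv1 and for port 445, and with -Apply applies the two mitigations. The list of MS17-010 package IDs, the firewall rule name and the script file name are assumptions; the rest uses standard cmdlets available on Windows 8 / Server 2012 and later, with a registry fallback for Windows 7.

```powershell
# Added example, not code from the original article or from Microsoft: audit a
# Windows host for WannaCry exposure (MS17-010 patch state, SMBv1, port 445)
# and optionally harden it. Run from an elevated PowerShell. Without -Apply it
# only reports; with -Apply it disables SMBv1 and blocks inbound TCP/445.
param([switch]$Apply)

# Assumed list of MS17-010 package IDs from the March/May 2017 bulletin
# (KB4012598 = XP/2003/8; the others cover Win7/2008R2, 8.1, 2012, 2012R2 and
# the Windows 10 builds of the time). Later cumulative updates supersede these
# on Windows 10 / Server 2016, so a missing ID there is not proof the host is
# unpatched; verify against the bulletin for your OS.
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

function Test-Ms17010Installed {
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{ Patched = [bool]$found; HotFixes = @($found.HotFixID) }
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets;
    # Windows 7 / 2008 R2 only have the registry value (absent = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On 8.1/10 the SMB1 optional feature (client and server) can be removed entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                                       -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Blocks inbound TCP/445 on all profiles. Do NOT run this on a file server
    # or domain controller; there, restrict 445 to the subnets that need it.
    $name = 'Block inbound SMB (TCP 445) - WannaCry mitigation'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1State
$os    = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    Ms17010Patched = $patch.Patched
    HotFixes       = ($patch.HotFixes -join ',')
    Smb1Enabled    = $smb1
    LastBoot       = $os.LastBootUpTime     # a patch is not active until the reboot after it
} | Format-List

if ($Apply) {
    if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled (reboot required on Windows 7).' }
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        Block-InboundSmb; Write-Host 'Inbound TCP/445 blocked.'
    }
    if (-not $patch.Patched) { Write-Warning 'MS17-010 not found: run Windows Update now, then reboot.' }
}
```

Save it as, say, Check-WannaCry.ps1 (assumed name) and run it once for a report, then with -Apply to harden. On Windows 10 and Server 2016 the hotfix check can report a false negative because cumulative updates replace the original package, so treat Ms17010Patched = False there as "go and check Windows Update", not as proof. Blocking inbound 445 is right for workstations; on file servers and domain controllers restrict it to the subnets that need it instead.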

5. REMOVE WANNACRY RANSOMWARE FROM INFECTED SYSTEMS

The safest way to get rid of the infection is to wipe the machine: clean the hard drive and reinstall a fresh copy of Windows (or reset it to factory settings), then patch it fully before it goes back on the network. All files on it are lost unless you have a backup.

System Restore might get the system itself working again, but your files, if encrypted, stay encrypted. Data encrypted by WannaCry cannot be decrypted without the key. The one partial exception: on a machine that has not been rebooted since the infection, the key material may still be sitting in the memory of the ransomware process, and a tool released a week after the outbreak (wanakiwi, based on Adrien Guinet's wannakey research) could sometimes recover it on Windows XP and Windows 7. If you want to try that, do not reboot or power off the machine first.

Be careful with programs on the web that claim to remove WannaCry; some of them are themselves malicious. Use only tools from reputable antivirus vendors such as Symantec/Norton, McAfee, Malwarebytes or AVG.

Note: antivirus vendors added detections for this malware within hours of the outbreak, so keeping the antivirus updated provides additional protection against the known samples.
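Before deciding between wiping a machine and trying to recover files, you need a picture of what is on it. The following is an added example (not code from the article) for that triage: it checks for the widely published indicators of the May 2017 sample, inventories the encrypted files for restore planning, and with -Contain stops the host from spreading further. The service name, file names and extension are the published indicators for the original sample and may not match later variants; the firewall rule name and the default scan root are assumptions.

```powershell
# Added example, not code from the original article: triage a host suspected
# of WannaCry infection and, with -Contain, stop it spreading further. The
# indicators are the widely published ones for the May 2017 sample (service
# 'mssecsvc2.0', worm/dropper copies mssecsvc.exe and tasksche.exe in %windir%,
# encrypted files carrying a .WNCRY extension); variants differ, so "no
# indicators found" means exactly that, not "host is clean". Run elevated.
param(
    [string[]]$ScanRoots = @("$env:SystemDrive\Users"),   # assumed default
    [switch]$Contain
)

function Get-WannaCryIndicators {
    $svc   = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
    $procs = Get-Process -Name 'mssecsvc','tasksche','@WanaDecryptor@' -ErrorAction SilentlyContinue
    $files = Get-ChildItem -Path "$env:windir\mssecsvc.exe","$env:windir\tasksche.exe" `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceFound = [bool]$svc
        Processes    = @($procs | ForEach-Object { "$($_.Name) (PID $($_.Id))" })
        DropperFiles = @($files | ForEach-Object FullName)
    }
}

function Get-EncryptedFiles {
    # Inventory for restore planning: which folders were hit and how badly.
    param([string[]]$Roots)
    Get-ChildItem -Path $Roots -Recurse -Force -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue |
        Group-Object -Property DirectoryName |
        Select-Object @{ n = 'Folder'; e = { $_.Name } }, Count |
        Sort-Object -Property Count -Descending
}

function Invoke-Containment {
    # Order matters: cut the network path first so the worm cannot reach other
    # hosts while we stop it, then stop the service and the processes.
    $name = 'IR: block outbound SMB (TCP 445)'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
                            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
    Stop-Service -Name 'mssecsvc2.0' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'mssecsvc2.0' -StartupType Disabled -ErrorAction SilentlyContinue
    Stop-Process -Name 'mssecsvc','tasksche','@WanaDecryptor@' -Force -ErrorAction SilentlyContinue
}

$ioc = Get-WannaCryIndicators
$ioc | Format-List

$hits  = @(Get-EncryptedFiles -Roots $ScanRoots)
$total = 0
foreach ($h in $hits) { $total += $h.Count }
"Encrypted (.WNCRY) files under $($ScanRoots -join ', '): $total"
$hits | Select-Object -First 10 | Format-Table -AutoSize

if ($Contain) {
    if ($ioc.ServiceFound -or $ioc.Processes.Count -gt 0) {
        Invoke-Containment
        'Containment applied. Do not reboot if you intend to try key recovery from memory.'
    } else {
        'No running indicators found; nothing to stop. Still isolate the host from the network.'
    }
}
```

Run it without -Contain first so the output can be saved as the record of what was found. If key recovery from memory is going to be attempted, capture a memory image before -Contain, because killing the process discards the key material that recovery depends on. Whatever the result, the machine should still be rebuilt and patched before it returns to the network; the inventory is there to tell you which folders to restore from backup.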

Microsoft’s Customer Guidance for WannaCry Ransomware Attacks

Excerpts from an email from Microsoft:

  • If you are using Windows Vista, 7, 8.1 & 10: In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Security Update enabled are protected against attacks on this vulnerability.
    For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
  • Activate Windows Defender: For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider whether they are protected.
  • If using an older version of Windows: Customers running versions of Windows that no longer receive mainstream support may not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we have released a Security Update for platforms in custom support only. Windows XP, Windows 8 and Windows Server 2003 Security Updates are broadly available for download now (see links below).
  • Additional Steps to consider: This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks). Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources.

Further resources: 

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
Download localized versions of the security update for Windows XP, Windows 8 or Windows Server:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Read general information on ransomware:
https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
Download the MS17-010 Security Update:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Fernz

By day, a blogger, web developer & system builder.
By night, works as a Technical Support Specialist & Coach for a Leading MNC.
Heston, as he is known, loves reading, surfing the Web and learning new stuff. He is married to Linus and has two lovely kids, Russell and Rochelle.
