Updated: 5/30/2017

[Update] A massive ransomware attack affected thousands of schools, hospitals, and other organizations in more than 150 countries. In a recent blog postresearchers at Kryptos Logic argue that approximately 727,000 unique IP addresses were WannaCry victims and “that the real number of affected systems, by assessing the sinkhole data, is in the millions, and we further estimate between 14 to 16 million infections and reinfections have been mitigated avoiding what would have been chaos, since May 12th”. 

The malware targeted computers with the Microsoft Windows operating system and continued to spread to targets in Japan and China.

We’ll briefly explain what a ransomware attack is, why the WannaCry ransomware program has been so successful, and what you can do to protect your company and your personal devices.

What is ransomware?

Ransomware is a type of malware that infects your computer or your system and then encrypts your files until you can pay the “ransom” to decrypt your data. In recent years, these attacks have successfully extorted millions of dollars from individuals and organizations. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), ransomware is now the fifth most common variety of malware.

What is WannaCry and how does it work?

WannaCry, also known as WannaCrypt, Wana Decryptor or WCry, is a ransomware computer worm that primarily targets computers running on Microsoft operating systems. WannaCry works by infecting the target’s computer, encrypts its data, and then displays a screen asking for a ransom to be paid in Bitcoin–a digital payment system.

The attack was temporarily stalled after an independent security researcher known as Malware Tech discovered the program’s kill switch. According to NPR, Malware Tech “registered a domain name that was called out in the code and use it to stop the worm from spreading.” However, new variants of the worm have been discovered, some without the kill switch.

The attackers behind WannaCry are demanding a $300 payment by Bitcoin, but the price doubles if the ransom isn’t paid within 72 hours. If the ransom is unpaid, the files could be permanently locked or deleted. According to CNET, as of Tuesday, attackers have collected about $70,000 in Bitcoin payments.

[Update] We also have new insight on how the WannaCry ransomware exploited Windows devices. According to Kryptos Logic, WannaCry used one of the NSA’s leaked hacking tools called ETERNALBLUE, which primarily exploited the “MS17-010 SMB” vulnerability. A server message block (SMB) protocol, as Barkly explains, is used to provide “shared access to files, printers, serial ports, etc.”

Essentially, WannaCry was designed to successfully infect unpatched Windows 7, Windows Server 2008, or earlier versions of the operating systems and continue spreading the infection to other hosts on the local network vulnerable to MS17-010. However, Kryptos Logic also notes that Windows XP computers were most immune from the attack.

Who is behind the attack?

It’s currently unknown who is behind this unprecedented attack, however, according to NPR, a security researcher claimed this attack has lines of code that are identical to malware used by hackers known as the Lazarus Group,” who have links to North Korea. If this theory held up, this would’ve meant that WannaCry would be the first nation-state powered ransomware, says security researcher Matt Suiche to NPR.

[Update] However, Gizmodo is reporting that security researchers at Flashpoint have performed a linguistic analysis which concluded, “the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore.”

What is known is that WannaCry uses an exploit stolen from the National Security Agency (NSA). According to NPR, the malware was published online in April.

Who was affected by WannaCry ransomware?  

Photo credit: Malwaretech.com

According to the U.S. Department of Homeland Security, “the list of victims” is very small” although the attack is still ongoing. As of Friday, according to Malware Tech, at least 1,600 organizations in the US have been hit.

In Europe, when the attack started on Friday, computers and medical equipment at hospitals in the National Health Service system in the U.K. were compromised. NBC reported that automakers Renault and Nissan had to halt production in their plants as a result of the attack.

As of Sunday, The Verge cited European authorities who said that over 10,000 organizations and 200,000 individuals in over 150 countries have been affected. Moreover, according to Forbes, Russia was hit the hardest, but China, Spain, Ukraine, and India were also highly affected.

How does ransomware infect a target’s computer?

Generally, victims get infected with malware from:

  • A “drive-by” download from an infected website
  • A phishing email with an infected link or attachment
  • Clicking a compromised advertisement
  • Other malware, like a Trojan

Can I become a target of ransomware?

If you own a computer or mobile device you can easily become a target of ransomware at any time. However, Verizon’s DBIR report notes that there was a significant change in ransomware in 2016–attackers turned their attention from infecting individuals to vulnerable organizations. Organizations in the Public Administration sector are at the greatest risk, followed by organizations in Healthcare and Financial Services sectors, respectively.

Can ransomware steal my passwords?

It’s important to note that while all ransomware strains work differently, there have been documented cases of password-stealing malware being used in conjunction with ransomware on a target’s infected system.

In any event, the best way to keep your passwords protected from WannaCry ransomware is to backup your credentials using a cloud-based password manager, like Dashlane. Dashlane users can rest assured that their passwords will remain encrypted, and since your Master Password is never stored anywhere on our servers or on your computer, your passwords cannot be accessed by a ransomware attacker.

Moreover, Dashlane Premium users will never lose access to their passwords due to ransomware. Premium users will be still able to access and change their passwords on other uninfected devices, and once the infected device is fixed, their passwords will be restored automatically.

If you’re not a Dashlane Premium user, we highly recommend upgrading today to avoid this potential risk in the future. You can also protect your entire company from losing their passwords with Dashlane Business, which you can try free for 30 days.

How can I protect myself from WannaCry and other ransomware?

For individual consumers, here’s how to protect yourself:

  • Update your software immediately – Microsoft released a software update to patch this vulnerability in March, so make sure you install the latest software update as soon as possible. Also, always keep your device up-to-date by enabling automatic updates or creating a reminder to check for updates at least once a month.
  • Backup your devices – Backup your files and data in a portable hard drive or to the cloud.
  • Install a robust antivirus and anti-malware program and make sure to use firewalls. If you have the resources, consider installing an anti-spam and anti-phishing software as well.
  • Learn how to identify malicious emails – If you receive an email from a person or company you don’t know, avoid clicking any links or opening any attachments.
  • Enable a pop-up blocker – To avoid drive-by downloads, add and enable a pop-up blocker on your web browsers.

In addition to the tips above, KnowBe4 offers tips on how business owners and other organizations can take extra precautions to protect their company’s data from ransomware:

  • Consider endpoint protection products, like real-time executable blocking or whitelisting.
  • Invest in cybersecurity awareness training – Attackers rely heavily on employees falling for phishing and social engineering scams via email. Teach your staff members how to identify potentially malicious emails, websites, ads, and file extensions.
  • Implement software restriction policies to areas of your network.