Massive Global Ransomware Attack Underway, Patch Available
UPDATE on Sunday at 1:40PM PST: New variants of WannaCrypt are now emerging. We have posted an updated blog post that includes instructions on how to protect yourself.
UPDATE on Saturday 9am PST: The attack was accidentally stopped yesterday when a malware researcher registered a domain that appeared in the ransomware source code. They later discovered that the author had built the domain into the ransomware to defeat analysis techniques, but registering it had the effect of stopping worldwide distribution of the ransomware. You can read the researcher’s full description of how the WannaCrypt ransomware was stopped on their blog.
Note: This attack has stopped, but there is nothing preventing the ransomware author from restarting the attack with the ‘stop’ mechanism removed. So it is still critically important that you update your Windows systems now and let your friends and family know they should do the same.
End of update. Original post is below:
This is a Wordfence public service security announcement for all users of computers running any version of Windows.
We have confirmed that a serious, virulent ransomware threat known as WannaCrypt/WannaCry has affected Windows computers on shared networks in at least 74 countries worldwide, with 57,000 individual cases reported. According to the analysis team at Kaspersky Lab, that number is growing fast.
Once one computer on a network is affected, the malware infection easily spreads to other Windows computers on the same network, shutting down entire government agencies and national infrastructure companies. Hospitals across the UK were being forced to divert patients and ambulance routes as of Friday afternoon, and several utility companies across Europe reported infection across their computer networks according to BBC News.
What Is Ransomware?
Ransomware is a kind of malicious script or software that installs itself on your computer without your knowledge. Once it’s installed and running, it will lock down your system and won’t allow you to access any files or programs on that computer. Usually, as in this current WannaCry exploit, it will alert you to the lockdown with an impossible-to-ignore pop-up screen which informs you that your computer is being held for ransom. To unlock your system and regain access to the computer being held hostage, the lock screen informs you that you must purchase an unlock tool or decryption key from the hacker.
Where Did This Threat Originate?
In this case, Microsoft has been aware of the vulnerability since March 2017, when it published a Security Bulletin covering the potential risk. According to the Spanish newspaper El Mundo, early indicators seem to point to the attack originating in China, but more information is needed.
How Can You Tell If Your Computer Is Infected?
The most obvious way to tell if your computer has been affected is if you are seeing a ransomware pop-up screen when you start up your computer. But because we don’t know how long the malware sits on your computer or network, not seeing this pop-up isn’t necessarily an indication that you haven’t been infected. The bottom line: if your Windows computer has connected to a shared network, such as those found in schools, public places, cafes and businesses, and you don’t have complete control over every computer on that network and haven’t been keeping Windows up-to-date, your computer may be infected.
How to Protect Yourself From the Vulnerability
According to Microsoft, a fix for this vulnerability was released on March 14th for all affected versions of Windows. If you are running Windows and have automatic updates enabled, you should be okay. If you don’t, and haven’t updated recently, you should update to the most recently released version immediately. It is important to note that unsupported versions of Windows, like XP, did not receive this security update. Those systems should either be isolated or shut down.
Please pass this along to your friends and family. Those that are less technical may not have updates auto-enabled, and may need a helping hand updating their operating system.
Am smart enough not to use Microsoft!
Because attacks only target Windows/Microsoft machines riiiiiiight? :\
Blimey, that did not take too long for the ignorant comment to show up...
You do realise, there is nothing in itself inherently more secure about Mac or Linux and both have their issues, but hey we don't need to get into this do we, as you are so smart.
Well done and thank you for your show of concern for others.
Hopefully, most folks have updated back in March or April and will have negated the issue, I am expecting more calls about this in the next day or so...
I just hope the large companies and organisations that have been affected, such as hospitals in the UK, manage to get themselves back up asap as it has been affecting patients and some treatment.
Best wishes to all...
Please be aware that vulnerabilities affect every platform. Whatever platform you are using can still be infected and spread it to Windows Systems, depending on the distribution method.
Most importantly, vulnerabilities for your platform - like all platforms - have, can and will exist; the only reason you don't hear much about it is due to Windows being a larger target for execution success and profit gain.
Thanks for the information! Appreciated
A very sad day in hospital. So many operations, many critical, needed to be cancelled. Scary to see malware causing real harm.
Now, my computer is up to date, and I absolutely run WordFence on my blogs (Can't wait until I can afford to go premium!) If someone is creating scripts and developing websites using Windows XP, are potential visitors to their site vulnerable? This person does proudly use XP on a daily basis to update his website along with database. Is this contagious?
A user of XP has an operating system that is vulnerable to attack. Creating a site on Windows XP shouldn't be a problem, as the likelihood of the ransomware being uploaded is minimal and your web host is probably not running a Windows server.
No, the origin of the website does not directly threaten the visitors.
If, however, the ransomware somehow ended up on your website for users to access because of your affected PC, then they might be.
Thanks Dan. This prompted me to ensure all our work computers have the required patch - looks like we were onto it as they are! Poor buggers that weren't, but there's no excuses really.
Thanks for being vigilant in informing the public now that the media haven't.
This ransomware would make people WannaCry...
Are we sure it is not Microsoft's way of getting everyone off of Windows XP?
Yes - they have now released a patch to fix XP machines.
Thanks for sharing !!! ;-)
Thank you for presenting this in a non-hype manner. I feel better about my software protection knowing that I'm backed up and updated.
You're welcome. Credit goes to a new team member, Andie, who wrote this post. You'll be hearing more from her.
I've always wondered, for small users, if they have a system backup, can they say "no we won't pay", then trash their entire system and reinstall everything from backup? Or does the ransomware lock up their backup versions too? Thanks
Thanks Dan, for this important info.
Question, who does it target? Only shared networks?
Can it get to a personal computer working on windows 10?
If we have backups in the cloud, does it lock that down too?
Thanks for everything, Mary
Thanks for your warning and hints. People should also visit the website nomoreransom.org. It is an initiative of the Dutch national police together with Europol EC3, Kaspersky, Intel Security and others. If ever they succeed in "decrypting" a certain type of ransomware, they publish keys and tools to solve your problem without paying. Unfortunately WannaCry is not yet decrypted, some others are. Good luck.
Thanks Wim. I've verified this site is legitimate. Press release: https://www.europol.europa.eu/newsroom/news/no-more-ransom-law-enforcement-and-it-security-companies-join-forces-to-fight-ransomware.
Site link: https://www.nomoreransom.org/.
If you have been hit by ransomware, this is worth a visit.
The mainframe systems I worked on are architected to assume all resources are protected and can only be accessed if an administrator gives the go ahead. When will Windows as a corporate platform adopt this strategy rather than supporting the continuation of money spinning antivirus?
Microsoft's site that you've linked to is of absolutely execrable quality. I don't usually run windows, I'm on linux, but because some of my customers simply cannot be switched to Linux because they *must* use windows for their accountancy packages, they are of course at risk.
Trying to download any of the patches from the site that you've linked to - the "official" micro$oft estate - leads to nonexistent pages, cryptic, 10 character error messages in the browser, and obviously, none of the "patches" can be downloaded, from a Linux computer at least.
It makes sense to them, right? We should probably try to download those patches from an uninfected windows computer, sure. Oh, wait... we don't have access to one of those because....well, they are windows computers and they have been infected.
Suuuper smart, Micro$oft, what can I say. Super smart.
Keep up this style of mentality, so you'll help me convince my customers to move to Linux :)
Windows OS is itself a vulnerability. Since the beginning.
Sad day indeed. However it does seem that spread of this could be easily solved with education and backup solutions. Sadly both seem to be lacking.
Thanks for the updates though.
Love Wordfence. That gives me a nice cosy glow.
Thanks for the informative post. Another reason to stick to Macs.
I believe Microsoft have now released a patch for Windows XP machines
Hello, I have seen in the news that Microsoft released a patch for Windows XP, but I can't find it. Do you have any information about this? It is not on the link provided in this post.
Thank you very much for taking the time to inform every one.
Hi, according to the Microsoft TechNet blog, they "are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP..."