Massive Global Ransomware Attack Underway, Patch Available
UPDATE on Sunday at 1:40PM PST: New variants of WannaCrypt are now emerging. We have posted an updated blog post that includes instructions on how to protect yourself.
UPDATE on Saturday 9am PST: The attack was accidentally stopped yesterday when a malware researcher registered a domain that appeared in the ransomware source code. They later discovered that the author had built the domain into the ransomware to defeat analysis techniques, but registering that domain had the effect of stopping world-wide distribution of the ransomware once the domain was registered. You can read the researcher’s full description of how the WannaCrypt ransomware was stopped on their blog.
Note: This attack has stopped, but there is nothing preventing the ransomware author restarting the attack with the ‘stop’ mechanism removed. So it is still critically important that you update your Windows systems now and let your friends and family know they should do the same.
End of update. Original post is below:
This is a Wordfence public service security announcement for all users of computers running any version of Windows.
We have confirmed that a serious virulent ransomware threat known as WannaCrypt/WannaCry has affected Windows computers on shared networks in at least 74 countries worldwide, with 57,000 reported individual cases being affected. And according to the analysis team at Kaspersky Lab, that number is growing fast.
Once one computer on a network is affected, the malware infection easily spreads to other Windows computers on the same network, shutting down entire government agencies and national infrastructure companies. Hospitals across the UK were being forced to divert patients and ambulance routes as of Friday afternoon, and several utility companies across Europe reported infection across their computer networks according to BBC News.
What Is Ransomware?
Ransomware is a kind of malicious script or software that installs itself on your computer without your knowledge. Once it’s installed and running, it will lock down your system and won’t allow you to access any files or programs on that computer. Usually, as in this current WannaCry exploit, it will alert you to the lockdown with an impossible-to-ignore pop-up screen which informs you that your computer is being held for ransom. To unlock your system and regain access to the computer being held hostage, the lock screen informs you that you must purchase an unlock tool or decryption key from the hacker.
Where Did This Threat Originate?
In this case, Microsoft has been aware of the vulnerability since March 2017, when it published a Security Bulletin covering the potential risk. According to the Spanish newspaper El Mundo, early indicators seem to point to the attack originating in China, but more information is needed.
How Can You Tell If Your Computer Is Infected?
The most obvious way to tell if your computer has been affected is if you are seeing a ransomware pop-up screen when you start up your computer. But because we don’t know how long the malware sits on your computer or network, not seeing this pop-up isn’t necessarily an indication that you haven’t been infected. The bottom line: if your Windows computer has connected to a shared network, such as those found in schools, public places, cafes and businesses, and you don’t have complete control over every computer on that network and haven’t been keeping Windows up-to-date, your computer may be infected.
How to Protect Yourself From the Vulnerability
According to Microsoft a fix for this vulnerability was released on March 14th for all affected versions of Windows. If you are running Windows and have automatic updates enabled you should be okay. If you don’t and haven’t updated recently you should update to the most recently released version immediately. It is important to note that unsupported versions of Windows, like XP, did not receive this security update. Those systems should either be isolated or shut down.
Please pass this along to your friends and family. Those that are less technical may not have updates auto-enabled, and may need a helping hand updating their operating system.