WannaCry: New and Unique Cyberattack

Since last week the Internet and news in general were abuzz with a new type of malware called “WannaCry” or “WannaCrypt”. This malware has around more than 2 million infections around the globe and is considered to be the largest ransomware campaign ever. So what is about this attack that makes it different and so dangerous from other previous cyber-attacks?

What is WannaCry?

WannaCry is a combination of two type of malware capabilities. First capability is of a ransomware where the important files (like documents, email, videos, media) are locked (or encrypted) and cannot be accessed by their rightful owner or user. The second is the worm like capability, where the malware moves from one infected computer and spread to another computer on its own by finding flaws in the computer operating systems. Till date this attack is only affecting Windows based computers.

The Root of the Attack

As per the news reports, all Windows PC (new and old) had a flaw in their operating system component and this flaw had been reportedly known to US NSA (National Security Agency) which uses certain tools to exploit this (and similar) flaws for their global surveillance programs. Few weeks back one such tool (named EternalBlue) was stolen from NSA by a group of hackers and they made this tool public on the Internet. The same was then used by some other hacker group to develop the WannaCry malware. 

How it Works

There are more than one way to launch this malware. The malware can be sent as an attachment or a website link to an unsuspecting user in a spam email, or users browsing to an infected website and downloading the infected files. Once the user’s PC is infected and the malware is activated, it starts to encrypt user’s files. The file extensions (like zip, docx, xlsx, eml, jpg, mp4) are changed so that the user cannot access the files. A screen opens on the user’s computer stating that the files are encrypted and a payment of bitcoins (Internet based currency) worth of 3,000 USD is to be paid online to release the files. The malware also gives the users 3 days to pay after which the amount is doubled, thus pressurizing users to pay urgently. Malware claims that the files will be released after the ransom has been paid but experts warn the users that this promise of release might be honored and the users might still lose their files after paying the ransom.

How to be Protected

There is no way to restore the files once they are encrypted. Therefore, the most important defense against these attacks is prevention and for the users to be vigilant and avoid opening spam emails and browsing malicious websites (like free software downloads). Further, all computers should be patched with the latest security updates and the antivirus definitions needs to be updated frequently. Microsoft and other vendors have released patches for closing this flaw. The users are also advised to back up their important files so that the files can be restored in case of infection.

What’s Next

Although now the spread of this malware is getting slow, security researchers expect a second and more lethal wave of this attack, as the hackers will also be evolving their attack strategy. The risk of these infections are further elevated as many organizations are not implementing the good security practices related to security patching, antivirus updates and users’ awareness. Organizations should devise processes to ensure that all users are informed about these attacks and how to be protected. In addition, processes should be implemented to ensure that the computers are up-to-date with the latest security patches and any security incident is timely reported, identified and managed.