This is another Wordfence public service announcement (PSA). It describes new WannaCry ransomware variants that have emerged in the past few hours and how to protect yourself against the WannaCry ransomware, also known as the WannaCrypt ransomware. We occasionally send out alerts that are outside the WordPress space when we feel that they are in the interests of our WordPress publishers and the broader global community. This is, unfortunately, one of those alerts.
On Friday we alerted you to a global ransomware campaign a few hours after it started. That campaign has now infected over 10,000 organizations and 200,000 individuals in 150 countries. This includes the UK National Health System which saw ambulances divert from affected hospitals.
On Friday a researcher accidentally stopped the ransomware from spreading by registering a domain that served as a kill switch for the ransomware.
A few hours ago new variants of the WannaCry ransomware started emerging. One of the variants was also stopped today by registering a kill switch domain, the same way the ransomware was stopped on Friday. A second variant is not encrypting infected machines due to an error in programming, but it is spreading.
We expect new variants to emerge all week that continue to exploit the vulnerability in SMB that WannaCry has been using. It is critical that Windows users protect themselves immediately against this threat.
WannaCry Ransomware: How to protect yourself
- If you use Windows, install the patch that Microsoft has released to block the specific exploit that the WannaCry ransomware is using. You can find instructions on this page in the Microsoft Knowledge Base. You can also directly download the patches for your OS from the Microsoft Update Catalog.
- If you are using an unsupported version of Windows like Windows XP, Windows 2008 or Server 2003, you can get the patches for your unsupported OS from the Update Catalog. We do recommend that you update to a supported version of Windows as soon as possible.
- Update your antivirus software definitions. Most AV vendors have now added detection capability to block WannaCry.
- If you don’t have antivirus software enabled on your Windows machine, we recommend you enable Windows Defender, which is free.
- Back up regularly and make sure you have offline backups. That way, if you are infected with ransomware, it can’t encrypt your backups.
- For further reading, Microsoft has released customer guidance for the WannaCry attacks and Troy Hunt has done an excellent detailed writeup on the WannaCry ransomware.
Get the word out
The second wave of attacks appears to have just started within the past few hours. This is going to be a rough week for Windows users. We recommend you get the word out by sharing this post to help keep friends and family secure.
Additional resources:
- A fact sheet: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
- A detailed description of the worm and the exploit it uses to spread: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
- Deep technical analysis: https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
- Info on new variants detected today (also linked to in the post, above): https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
- Coverage analysis on VirusTotal. A spreadsheet showing which signatures/files are being detected by antivirus vendors, when they were first submitted to VirusTotal and the names each AV vendor is using for each component: https://docs.google.com/spreadsheets/u/1/d/1XNCCiiwpIfW8y0mzTUdLLVzoW6x64hkHJ29hcQW5deQ/pubhtml#
- NoMoreCry: A tool created by the Spanish cyber security center (CCN-CERT) to prevent infection by this ransomware. We don’t recommend you use this tool at this time. Instead, patch your system and use an antivirus product or firewall rules. This is merely for academic interest: https://www.ccn-cert.cni.es/en/updated-security/ccn-cert-statements/4485-nomorecry-tool-ccn-cert-s-tool-to-prevent-the-execution-of-the-ransomware-wannacry.html
- A live feed of WannaCry infections on a map: https://intel.malwaretech.com/WannaCrypt.html
- Microsoft Customer Guidance: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- A tweet by Tal Be’ery describing the root cause of the vulnerability with links: https://twitter.com/TalBeerySec/status/863741929401585664
Thank you to Wordfence for staying on top of this and publishing this article.