SingCERT Advisory WanaCrypt0r aka WannaCry: What You Need to Know and Actions to Take

 


Background

On 12th May 2017, there was a widespread global infection of a ransomware known as "WannaCry" (a.k.a. WanaCrypt0r). This ransomware scans for vulnerable systems on the network and infects them. When a system is infected, the ransomware encrypts files found on the system and demands a ransom payment in bitcoin for their decryption.


Why is “WannaCry” dangerous?

What makes WannaCry dangerous is that the attackers are leveraging a Windows exploit called EternalBlue, which was developed by the NSA and reportedly leaked and dumped by the Shadow Brokers hacking group over a month ago. Since then, the ransomware has spread rapidly across the world, affecting thousands of systems in over 100 countries.

 

By exploiting flaws in Microsoft Windows SMB Server, this ransomware is capable of penetrating machines running unpatched versions of Windows. Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers within the same network and infects them as well.
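
The spreading behaviour described above leaves a recognisable trace in connection logs: one internal host contacting many other internal hosts on the SMB port (TCP 445). The following is an added example, not part of the SingCERT advisory, of how a defender could flag that pattern; the log format, addresses, internal range and threshold are all constructed assumptions, and the whole log is treated as a single time window.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445                       # SMB over TCP
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range
THRESHOLD = 5                        # assumed: distinct SMB peers before alerting

# Constructed sample log, format assumed: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-12T09:00:02 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-12T09:00:03 10.0.0.23 10.0.0.1 445 DENY
2017-05-12T09:00:03 10.0.0.23 10.0.0.2 445 DENY
2017-05-12T09:00:03 10.0.0.23 10.0.0.3 445 ALLOW
2017-05-12T09:00:04 10.0.0.23 10.0.0.4 445 DENY
2017-05-12T09:00:04 10.0.0.23 10.0.0.5 445 ALLOW
2017-05-12T09:00:04 10.0.0.23 10.0.0.6 445 DENY
2017-05-12T09:00:05 10.0.0.40 203.0.113.10 443 ALLOW
truncated line
"""

def parse(line):
    """Return (src, dst, port), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None

def smb_fanout(log_text, threshold=THRESHOLD):
    """Return {source: distinct internal SMB peers} for sources at or above threshold.

    Denied connections are counted too: a blocked attempt is still an attempt.
    """
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port == SMB_PORT and src in INTERNAL and dst in INTERNAL and src != dst:
            peers[src].add(dst)
    return {str(s): len(d) for s, d in peers.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, count in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {host} contacted {count} internal hosts on TCP/445")
```

A host flagged this way is a candidate for the isolation step described later in this advisory; file servers and management systems that legitimately talk SMB to many machines would need to be excluded from the check.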

 

Recommendations

Microsoft released a patch for the vulnerability in March (MS17-010). It is recommended that you patch your system if you have not done so.

 

As with all other ransomware infections, you should always be suspicious of unsolicited documents that are sent through email. Do not click on links inside these documents unless you have verified the source.

 

Always make backups of your important files and documents so that you can restore them when needed.


Ensure that you run an active anti-virus security suite on your system and, most importantly, always browse the Internet safely.

 

What if I’m infected?

What if it is too late and my system is already infected with “WannaCry”? What should I do?

 

First of all, don’t panic. There is not yet any known way to recover files encrypted by “WannaCry”, but you should follow these steps:

 

Remove the network connection from your computer. This can be done by removing your network cable or shutting down the wireless function on your computer. By doing so, you prevent this ransomware from spreading.

 

Start rebuilding your infected computer. After you have rebuilt your computer, apply the recommended patch, and restore from backups.

 

If you need further assistance, you can contact SingCERT for advice. 

 

 

References
Massive ransomware attack hits 99 countries http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
SingCERT Advisory on Ransomware dated 6 May 2016 https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware
Microsoft Security Bulletin (MS17-010-Critical) dated 14 March 2017 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
WannaCry Ransomware That's Hitting World Right Now Uses NSA Windows Exploit dated 12 May 2017 http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html