WannaCry Ransomware

A few weeks ago, WannaCry ransomware made a lot of headlines around the world. People were waking up to a scary-looking red and white screen that informed them that their files were encrypted and that, if they wanted them back, they had to send $300 in Bitcoin to a specified address.

I discussed Bitcoin a few columns ago. One of the attributes of Bitcoin that makes it desirable to use in a situation like this is that it is very difficult to track transactions. Typically the end user will have several Bitcoin wallets, and as money is put into the publicized wallet it is transferred out to anonymous wallets to make it more difficult to track.

So, what is ransomware and why is this happening? Ransomware is a type of malware. Malware is any program that is intended to do something to your computer that you don’t want: steal data, delete files, interrupt communications, etc. Ransomware is malware designed to hold your files hostage until money is paid. Usually the files remain on your computer, but they are encrypted. The encryption used can be extremely powerful, so that even state agencies are unable to retrieve your files.

Why are people doing this? Money. Plain and simple. This is no different than someone taking a person hostage and demanding a ransom. They don’t care about you or your files. They just want to extract some money from you. Why $300? Well, it’s enough money to be of value, but small enough that the vast majority of people and organizations affected will simply pay. It costs ten times that amount to hire a computer professional to recover data from your hard drive (assuming that’s even possible), so you just pay.

How do you protect yourself? There are two things you need to do: keep your computer updated with the latest security patches, and back up your files. The technique that WannaCry is using to spread to computers was discovered by the National Security Agency (NSA) in the USA and stolen by a hacker organization known as The Shadow Brokers. The hackers then released the exploit. The exploit was known about and patched by Microsoft months ago, but older operating systems like Windows XP and Windows Server 2003 no longer receive security patches and as such were vulnerable. Also at risk were people who turned off automatic updates and weren’t diligent about installing patches.

This is part of the reason why WannaCry has had less impact in North America, where computers are more likely to be newer and more up to date, than in the more heavily impacted countries such as Russia, Ukraine, and India, among others. North America was also saved somewhat because a British anti-malware researcher spotted and activated a built-in URL “kill switch” that slowed the spread considerably.

This is another example where a backup would save you. Once you’ve eliminated the malware from your computer, which is straightforward, you simply restore your files and carry on. Without a backup, however, you have two choices: pay or forfeit your files.

In some cases of ransomware the files themselves are not entirely encrypted, but instead the file system is encrypted. In these cases it may be possible to recover the files using data recovery software such as the EaseUS Data Recovery software I’ve discussed in previous columns. I wouldn’t want to bet on it though. A backup is better.

It is good practice to plan for malware exactly the same way you would plan for any computer outage, as the results will be essentially the same: your computer has limited operation and your files are gone. If you followed along on my story about my dead hard drive in a previous column, the results with WannaCry would have been exactly the same, with the addition of removing WannaCry and the DoublePulsar backdoor that it installs at the same time. There is a lengthy but clear process on Bleeping Computer (https://tinyurl.com/kcs7c2e) that will let you remove the malware, but it may be worth hiring an expert.

Finally, one last comment. WannaCry will encrypt Dropbox files too, but Dropbox does versioning, so you can go backwards and restore encrypted files to previous unencrypted versions. This is laborious though, so a backup restore is better.

P.S. If you have any specific questions for the Answer Guy, send them to info@clarismedia.com. Chances are good that if you want to know, others do too.