WannaCryptor - What to do if you’ve been attacked by ransomware

WannaCryptor, dubbed WannaCry in the media and specifically detected by ESET as Win32/Filecoder.WannaCryptor.D, has been one of the biggest cybersecurity stories of 2017. Leveraging the leaked US National Security Agency (NSA) exploit, EternalBlue, the malware spread across the globe at a scale and speed not seen for many years, unprecedented for a piece of ransomware. 

Mass-spreading worms, which were common in the mid-2000s, had pretty much gone the way of the dodo and it seems that some of the hard-learned IT security lessons from that time may have been lost with them. The big risk with this particular attack has been with machines that have not been patched against the vulnerabilities fixed in the MS17-010 update, and WannaCryptor definitely found plenty such machines. 

According to Nick FitzGerald, Senior Research Fellow at ESET, “the most dangerous of all was not the WannaCryptor ransomware itself, but the EternalBlue exploit, which abused a vulnerability in unpatched Windows systems, allowing the infection to spread to other unpatched computers. While the WannaCryptor ransomware remains the most visible, the exploit can still be and is being used in the wild by any other malware and malicious actors – not just ransomware.”

Among many other things, the MS17-010 update fixed the remote code execution vulnerability that the NSA “Eternal Blue” tool used. Organisations that had failed to install the Windows update were most vulnerable to contracting the WannaCryptor ransomware, as once it gains initial access to a network (such as through unwary users opening suspicious email attachments) it will find its way to all other machines on the network with the EternalBlue vulnerability still unpatched.

Is my system patched against EternalBlue?

Beyond the WannaCryptor ransomware case, it’s extremely important to verify whether your computer is patched against EternalBlue, considering the possibility of other malware popping up to exploit the EternalBlue vulnerability in the future. 

The recent ransomware attacks should instill renewed determination for more urgent collective action by both individuals and businesses. 

If you haven’t taken advantage of the MS17-010 update for supported versions of Windows (Vista, 7, 8.1 and later, and Server versions later than 2003) since it was made available on May 12th, now would be a good time to do so. If you’re running one of the older, unsupported Windows versions (Windows XP, 8.0, Server 2003) and do not have a custom support contract with Microsoft, it is strongly recommended that you again consider your upgrade options. If you cannot replace or upgrade such systems, or just to keep them safe in the meantime, seriously consider taking advantage of Microsoft’s unusual release of a security update fixing the MS17-010 vulnerabilities for those OSes.

Finally, if you are unsure whether the appropriate updates have been applied to your system, ESET has released a tool, free for anyone to use, that can conduct the check for you. Read about its use and find a download link for it in ESET’s Knowledgebase article.

How to combat ransomware once you’ve been hit:

Should you, or someone in your office, be hit with ransomware, there are a few things you can do to reduce the damage: 

  1. Isolation 
    In general, if ransomware has been executed, isolate the victim machine from the network as quickly as possible. Pull network cables from the machine or from their wall socket, or pull patch cables from the switches or routers connecting that machine to the rest of the network. If the machine is on a Wi-Fi connection, disable the wireless interface in that machine (via the keyboard shortcut for airplane mode on a laptop, or WindowsX then “Turn wireless off”, etc.) or shutdown all access points within range of the machine. 

    Next, take pictures of any screen messages displayed by the ransomware. Make sure these are clear and the text readable, as these will be helpful later in diagnosing what has hit you.

    Better yet, hibernate the machine, but only after disabling any Wi-Fi connections. If hibernation has not been previously enabled, then usually we would recommend turning the machine off. However, in the WannaCryptor case, at least for some OSes, it turns out that the decryption keys could be re-generated by capturing data in memory; data that is lost through a power cycle or reboot. This was not discovered until several days after the outbreak, and is due to a shortcoming in the Windows Crypto API which means it may be usable in future ransomware incidents. It worked at least under Windows XP, but there were mixed reports of this recovery operation working on other 32bit Windows OSes, at least under laboratory test conditions. This strengthens the suggestion that hibernation, rather than powering-off, is probably the better general approach.

    Eventually you will need to turn the machine back on, without reconnecting to the network and allowing the malware to spread again. This approach won’t help with any damage that has already been done, but the worm functionality of WannaCryptor means that it can spread very rapidly to any other machines on the local (home, office, or corporate) network if they do not have the MS17-010 patch installed.

    By not doing all this, all files on local drives and networks that the affected machine’s user currently has write access to, will be encrypted. Thus, “pulling the network plug” on the “patient zero” machine is a good start to limiting the damage. In general, this step is not expected to cause any further harm, even for more “usual” ransomware that does not have worm-like spreading functionality.

    Next, you have to decide whether to isolate any other PCs, as a precaution. Any that you suspect the malware has spread to, or otherwise been executed on, should definitely be isolated from the rest of the network. 

  2. Analysis and recovery
    Once you’re sure an outbreak has been arrested and contained, carefully analyse what happened and work out what data was affected, whether you can recover it from backup, and what the ransomware was. The photos from the first step will be useful here. So too will be any copies of ransom note files and the usually distinctive file extension added to the encrypted files that you might find on network shares that any affected users had write access to.

    If most encrypted files can be recovered from backups, save copies of the encrypted files somewhere safe “just in case” (generic decryptors for specific ransomware variants sometimes become available long after an attack, when master keys are released or leaked), restore affected files from backup, clean-up the affected machine(s) and get back to work.

    You may want to check with your endpoint security provider’s customer support team before starting any of this work, as they will have experience handling such situations and will be able to provide useful guidance specific to the ransomware used in your attack. Finally check that all your systems are updated and have automatic security updates enabled. Unless you live somewhere devoid of natural disasters, and where disk drives never randomly fail, we recommend you have good, working and tested backup and restore systems in place! 

ESET has created educational tools for both individual users and businesses on how to protect against WannaCryptor and other similar ransomware threats.