What you should know and do if attacked.
Countless news reports have documented the outbreak of ransomware WCry, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, which is spreading globally.
The ransomware locks all the data in a victim’s computer system, and has been demanding payments starting from US$300 in bitcoins to restore access. Further demands include paying the ransom within a defined time period, failing which the demands increase or the data is completely destroyed.
How is it spreading?
Like many ransomware attacks, this often starts with email attachments that are inadvertently opened. Initial assessments suggest that once a recipient’s computer is infected, the ransomware spreads through a remote code execution vulnerability in Microsoft Windows computers: MS17-010. The encryption is carried out with RSA-2048, which makes decryption of the data extremely difficult or near impossible.
The vulnerability MS17-010 is also known as ETERNALBLUE, for which a patch is available.
We advise that users should take precautionary measures by:
- Patching their systems with updates from Microsoft
- Ensuring they have the latest anti-virus software
- Backing up data regularly
Additional communications / reminders to your organization’s users would help with prevention.
- Practice safe online behavior and do not open emails from unknown sources
- Be wary of unsolicited emails that demand immediate action
- Avoid clicking on links or downloading email attachments sent from unknown users or which seem suspicious
- Update your anti-virus software and maintain up-to-date backups of files, and regularly verify that the backups can be restored
- Report all incidents to your IT helpdesk immediately
In addition, administrators should monitor their networks, systems, media, and logs for any malicious software, possible exfiltration of data, abnormal behaviour or unauthorized network connections.
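One way to act on the network monitoring advice above, as an added example that is not part of the original advisory: MS17-010 is a flaw in the Windows SMBv1 service, so a workstation that suddenly opens SMB (TCP 445) connections to many different hosts is worth investigating. The flow-record format, window, threshold and sample data below are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # SMB over TCP, the service MS17-010 affects
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed: distinct SMB peers per window before alerting

# Constructed sample flow records: "timestamp source destination dest_port"
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.0.23 10.0.0.1 445
2024-01-01T09:00:02 10.0.0.23 10.0.0.2 445
2024-01-01T09:00:03 10.0.0.23 10.0.0.3 445
2024-01-01T09:00:04 10.0.0.23 10.0.0.4 445
2024-01-01T09:00:05 10.0.0.23 10.0.0.5 445
2024-01-01T09:00:06 10.0.0.23 10.0.0.6 445
2024-01-01T09:00:02 10.0.0.50 10.0.0.5 445
2024-01-01T09:00:30 10.0.0.50 10.0.0.5 445
2024-01-01T09:00:10 10.0.0.50 192.0.2.10 443
2024-01-01T09:00:00 10.0.0.77 10.0.0.5 445
2024-01-01T09:05:00 10.0.0.77 10.0.0.6 445
2024-01-01T09:10:00 10.0.0.77 10.0.0.7 445
"""

def smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source: peak count of distinct SMB peers inside one window}
    for every source whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        if int(port) == SMB_PORT:
            events[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = peak = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for host, peers in smb_fanout(SAMPLE_FLOWS.splitlines()).items():
        print(f"ALERT {host}: {peers} distinct SMB peers within {WINDOW}")
```

Servers that legitimately talk SMB to many clients (file servers, domain controllers, backup hosts) need an allow-list or a higher threshold before this is used for alerting.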
After proper testing, Windows machines in your environment should be patched with the update released by Microsoft in March 2017, as part of MS17-010 / CVE-2017-0147.