Cross-posted from Carpe Datum Law.
Recently, a widespread global ransomware attack has struck hospitals, communications companies, other businesses, and government offices around the world, seizing control of affected computers until the victims pay a ransom. This ransomware campaign has affected a wide range of organizations, with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered on the morning of May 12, 2017, by an independent security researcher and has spread rapidly since.
The risk posed by this ransomware is that it enumerates any and all of your “user data” files, such as Word, Excel, PDF, and PowerPoint documents, loose email, pictures, movies, music, and other similar files. Once it finds those files, it encrypts them on your computer, making it impossible to recover the underlying user data without the decryption key. The ransomware is also persistent: if you create new files on the computer while it is infected, the ransomware discovers and encrypts those as well. To get the decryption key, you must pay a ransom in Bitcoin, which gives the threat actors some minor level of anonymity. In this case, the attackers are demanding roughly $300 USD. Threat actors are known to choose amounts they believe the victim will be able to pay, in order to increase their “return on investment.”
The ransomware spreads by exploiting a vulnerability in Microsoft Windows. The working theory right now is that it was based on the “EternalBlue” exploit, which was developed by the U.S. National Security Agency and leaked by the Shadow Brokers on April 14, 2017. Although Microsoft patched this particular vulnerability in March 2017, many Windows users had still not installed the security patch, and all Windows versions preceding Windows 10 are subject to infection.
The spread of the malware was stemmed on Saturday, when a “kill switch” was activated by a researcher who registered a previously unregistered domain to which the malware was making requests. However, multiple sources have reported that a new version of the malware has been deployed with the kill switch removed. At this time, global malware analysts have not observed any evidence to substantiate those claims.
You should remain diligent and do the following:
- Be aware and have a security-minded approach when using any computer. Never click on unsolicited links or open unsolicited attachments in emails, especially from sources you do not already know or trust.
- Ensure that your antivirus and anti-malware are up-to-date.
- Apply Security Updates! Enable automatic updates and reboot weekly. Systems that are receiving automatic updates should already be protected against this malware. If you aren’t sure, visit https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
- Back up your data! The principal risk posed by ransomware is losing your data. If you perform regular backups, a ransomware infection becomes a recovery exercise rather than a loss. Make sure you use a backup system that is robust enough to have versioning, so that unencrypted versions of your files are available to restore. Make sure your backup system isn’t replacing your unencrypted backups with the encrypted ones!
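The versioning point in the last item above, as an added example that is not part of the original post: a minimal append-only backup store that keeps every prior version of a file, flags the case where a readable document is suddenly replaced by high-entropy (encrypted-looking) content, and restores the newest version that still looks readable. The file names, the entropy threshold, and the constructed sample data are assumptions for illustration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or random data, roughly 4-5 for text."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def looks_encrypted(data: bytes, min_size: int = 256, threshold: float = 7.5) -> bool:
    """Heuristic (assumed threshold): a document that becomes high-entropy was likely encrypted."""
    return len(data) >= min_size and shannon_entropy(data) > threshold


def backup_version(src: Path, store: Path) -> dict:
    """Append a new version of src to the store; earlier versions are never overwritten."""
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()[:16]
    slot = store / src.name                      # one directory of versions per file
    slot.mkdir(parents=True, exist_ok=True)
    existing = sorted(slot.iterdir())            # v0001.<hash>, v0002.<hash>, ...
    # The failure the text warns about: a readable version followed by ciphertext.
    suspicious = bool(existing) and looks_encrypted(data) \
        and not looks_encrypted(existing[-1].read_bytes())
    (slot / f"v{len(existing) + 1:04d}.{digest}").write_bytes(data)
    return {"suspicious": suspicious, "versions": len(existing) + 1}


def restore_latest_clean(name: str, store: Path):
    """Return the newest version that does not look encrypted, or None if all do."""
    for version in sorted((store / name).iterdir(), reverse=True):
        data = version.read_bytes()
        if not looks_encrypted(data):
            return data
    return None


def demo_scenario() -> dict:
    """Constructed scenario: a report is backed up, then overwritten by 'ciphertext'."""
    with tempfile.TemporaryDirectory() as tmp:
        doc, store = Path(tmp) / "report.docx", Path(tmp) / "store"
        clean = b"Quarterly report: revenue and headcount by region. " * 20
        doc.write_bytes(clean)
        first = backup_version(doc, store)
        doc.write_bytes(bytes(i % 256 for i in range(4096)))  # uniform bytes, entropy 8.0
        second = backup_version(doc, store)
        return {"first": first, "second": second,
                "restored_ok": restore_latest_clean("report.docx", store) == clean}
```

The entropy check is only a heuristic (already-compressed files such as ZIP or JPEG also score high), so in practice it should trigger an alert and a retention hold rather than block the backup outright.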
If your organization is the victim of a ransomware attack, please contact law enforcement immediately.
- Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center.