Starting on May 12th, a huge ransomware cyberattack dubbed WannaCry spread across the web, encrypting the data files of victims in over 150 countries. The extortion malware has hit thousands of individuals and huge institutions the world over like FedEx or Britain’s National Health Services, Spain’s Telefonica, France’s Renault cars, and even India’s state police.
Encrypted computers display ransom notes for hundreds of dollars worth of bitcoin, with no guarantee of unlocking the files.
How does WannaCry spread?
WannaCry’s incredible speed took the world by surprise, spreading to hundreds of thousands of infected computers in just a few hours. That speed and scope are largely due to a couple of factors:
First, unlike your garden-variety ransomware which spreads via infected email attachments or websites, WannaCry also incorporates elements of a worm. Computer worms don’t spread by infecting files, like viruses, but instead spread via networks, seeking vulnerabilities in other connected computers. So once it infected one computer in a network, it was able to move to infect them all.
WannaCry uses an exploit of Windows allegedly developed by the NSA
Second, WannaCry’s worm uses an exploit allegedly developed by the NSA, and leaked to the public via the hacker organization The Shadow Brokers. The exploit goes after a vulnerability in Windows’ Server Message Block (SMB) protocol, which devices use to communicate on a shared network. Specifically, it looked for any PC with TCP port 445, the port SMB listens on, accessible.
Until it was leaked, this exploit was unknown to the world (a zero-day threat), and Microsoft was only able to release a patch for it in March. But millions have yet to install the patches, and older versions of Windows which Microsoft doesn't support anymore didn’t receive update prompts at all. Microsoft has since made patches available even for the older systems – if you are running Windows 8 or below, you should install these post-haste.
Now that the genie is out of the bottle, we can expect to see new variants of this ransomware.
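The worm behaviour described above, a single host touching many neighbours on TCP port 445 in a short span, is what a network defender can look for in firewall or flow logs. The following is an added example, not code from AVG or from the original post; it assumes a constructed, space-separated log format and a sample log built inline, and flags sources that reach a threshold of distinct SMB targets inside a sliding time window while ignoring a normal client that talks to one file server.

```python
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's):
#   <epoch_seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
def parse_line(line):
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action

def find_smb_scanners(log_text, window=60, threshold=10, port=445):
    """Return {src_ip: max distinct destinations} for sources that contact
    at least `threshold` distinct hosts on `port` within any `window` seconds.
    Denied attempts count too: the probing itself is the worm signal."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

def build_sample_log():
    """Constructed sample traffic: one worm-like host, two benign patterns."""
    t0 = 1494590000
    lines = []
    # 10.0.0.5 probes 12 neighbours on TCP/445 in 12 seconds: worm behaviour
    for i in range(12):
        lines.append(f"{t0 + i} 10.0.0.5 10.0.0.{20 + i} 445 {'DENY' if i % 3 else 'ALLOW'}")
    # 10.0.0.7 talks to the one file server repeatedly: normal SMB use
    for i in range(15):
        lines.append(f"{t0 + i} 10.0.0.7 10.0.0.2 445 ALLOW")
    # 10.0.0.9 reaches 12 hosts, but one per minute: below the rate threshold
    for i in range(12):
        lines.append(f"{t0 + i * 60} 10.0.0.9 10.0.0.{40 + i} 445 ALLOW")
    lines.append(f"{t0} 10.0.0.8 203.0.113.10 443 ALLOW")  # not SMB, ignored
    return "\n".join(lines)

if __name__ == "__main__":
    for host, n in find_smb_scanners(build_sample_log()).items():
        print(f"possible SMB worm activity from {host}: {n} distinct targets in 60s")
```

The threshold and window are starting points; on a real network, tune them against a baseline of normal SMB traffic so that backup servers and domain controllers are not flagged.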
Who has been impacted?
The most affected countries, according to our data, are (in order): Russia, Ukraine, Taiwan, India, Brazil, Thailand, Romania, Philippines, Armenia, and Pakistan. More than half of the attempted attacks we recorded were in Russia.
Big institutions were also hit hard, particularly hospitals and other public services. Many of them rely on outdated systems to operate and simply cannot update them easily.
But many individuals had failed to install the security patches released in March. Older versions of Windows no longer supported by Microsoft didn’t even have security patches to install until the weekend of the attack.
Is my computer at risk of WannaCry?
If you are running a Windows machine, you are potentially vulnerable to this ransomware. Here are some of the steps you should take immediately to stay protected:
Update your Windows operating system with the latest security patches
Microsoft released Windows security updates for this vulnerability when it was leaked by the Shadow Brokers in March. The flaw is severe enough that Microsoft even released security patches for Windows versions it has stopped supporting, like Windows XP and Vista (find them here).
However, millions of users have ignored these updates. Don’t be one of them.
If you haven’t already, install an up-to-date antivirus
The NSA's exploit was quickly repurposed for ill, so relying on Microsoft’s security patches alone is not enough. A new variant is likely in the works. A good antivirus program that includes anti-ransomware capabilities is essential in catching the ever-evolving threat of ransomware.
Start making backups of your PC
If you’re like most people, you’ve probably heard this advice before and ignored it. But with the low price of external hard drives and the ease of doing backups, there's no excuse for not having one. Weekly backups are more than enough for most people, and can save you a world of pain in case you do get infected.
Stay on the lookout for phishing emails and links
While WannaCry’s worm component helped it spread, it relied on the usual phishing emails and bad links to start with. Make sure you check emails and links before clicking them. Don’t know what to look for? We’ve got a handy test just for that.
Does AVG block WannaCry?
Yes. All AVG security products detect WannaCry ransomware. Even AVG AntiVirus Free goes beyond detecting known code signatures, and looks at the actual behavior of the applications installed. So even if it doesn’t know what the next variant will look like, it will know to catch it when it sees it spring into action.
I’ve been infected with WannaCry. What should I do?
The same thing that makes encryption such a powerful tool when used to protect information, also makes it such a problem when it is used for ill. If your computer is infected with the WannaCry ransomware, you should brace yourself for the possibility that you may not be able to recover your data. If you are infected, here are a few recommendations:
Don’t pay the ransom
Whatever happens, we don’t recommend that you pay the ransom. We know that doesn’t sound very sensitive when your personal photos or important work files are at stake. But there’s no guarantee your files will be decrypted, or that the perpetrators won’t just run away with the money.
Never pay ransom: there's no guarantee you will get your files back
Paying up only makes these schemes more attractive. And any contact with the attackers gives them more chances to infect you with more malware.
Disconnect your computer from the internet
Pull the plug out of your Wi-Fi router, pull the ethernet cables out of your computer. Isolate it from the web as soon as possible. Stop the malware from spreading to others, or from receiving more instructions from whoever made it.
Restore from a backup
If you’ve been following best practices and have a backup on an external hard drive, you can use it to recover your data. Make sure that you do a complete wipe of your system and reinstall Windows completely before connecting your backup to your computer. Ideally, don’t even let it connect to the internet while your backup hard drive is connected, just in case.
Restore from Dropbox, Google Drive, or other cloud-based storage
If you’ve been backing up files via an online storage service, it’s possible your local files were encrypted, and then synced to the cloud. So the first thing is to unsync your smartphone, tablet or any other cloud-connected device as soon as you can.
Then, access the service via a browser on an uninfected computer. You should be able to access the version history of your files, and restore them to earlier, unencrypted states.
Use a ransomware decryption tool
We’re hard at work on a decryption tool that might be able to recover your files. When it is ready, you’ll be able to find it here.