NSA-Derived Ransomware Is So Serious, Microsoft Is Patching Windows XP

The WannaCrypt ransomware that struck on Friday is so risky, Microsoft has taken the highly unusual step of pushing security updates for operating systems well outside its support window. Unless you feel like paying out a hefty chunk of Bitcoin ransom, we recommend updating your OS, now.
By Joel Hruska

Last week, we discussed the appearance of a new type of ransomware and the havoc it has wreaked across the internet. WannaCrypt (also known as Wanna, Wannacry, or Wcry) uses NSA-derived exploits and has hit tens of thousands of systems worldwide. Infections have spread across the globe and included institutions in Spain, the UK, China, Russia, and the United States. The response from governments around the world has been equally dramatic, and we're seeing broad cooperation between governmental organizations and private business in a bid to bring the attack under control as quickly as possible. While Microsoft had previously released patches for the NSA exploits that WannaCrypt targets, it's taken the rare step of releasing patches for operating systems not currently in mainstream or extended support.

Microsoft's general support policy is to provide patches and feature updates for operating systems in mainstream support, while operating systems in extended support are limited to bug fixes. Once your OS of choice falls out of extended support, you'll need to pay Microsoft for a custom support program in which you continue to receive fixes (we have no idea what that costs, but you can bet it ain't cheap). Over the weekend, Redmond announced that it would break with this policy due to the severity of the WannaCrypt threat. The company writes:
We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

The company goes on to note that it released an update in March that should protect against this vulnerability automatically (Microsoft Security Bulletin MS17-010). It has also pushed an update to Windows Defender that will detect the malware as Ransom:Win32/WannaCrypt. If you use Windows Defender, scan your system immediately to determine whether or not you may have been infected.

WannaCrypt's message screen

As our own Ryan Whitwam detailed on Friday, the WannaCrypt bug spreads via the Server Message Block (SMB) protocol that Windows machines typically use to communicate over a network. Infected machines attempt to spread the infection to other devices on the same network. Any single infected system can therefore spread the malware across a network; the New York Times has released a time-lapse graphic of how rapidly the infections spread across the world.

This particular attack has been stopped by providence. Researchers looking at the WannaCrypt code realized that the developers had coded a kill-switch domain that would shut the worm off, but then forgotten to register the domain name. White hats registered the domain and presto--the bug is no longer spreading as of this writing. At the same time, however, it's important to get your OS patched up. There will be copycats, and next time the developers may not be so nice as to leave a backdoor any white hat can activate. If you want a blow-by-blow account of the attack, how it spread, and technical analysis of its particulars, there's an excellent one available here.
