WannaCry, also known as “WanaCrypt0r”, “WeCry”, “WanaCrypt” or “WeCrypt0r”, uses an exploit that was publicly released by the group calling itself the Shadow Brokers.

Our analysis indicates the worm spreads through a remote code execution flaw in the SMBv1 protocol in Microsoft Windows (the exploit released under the name EternalBlue). The exploit was published on the internet in the Shadow Brokers dump on 14 April 2017; Microsoft had patched the underlying vulnerability a month earlier, on 14 March 2017, in security bulletin MS17-010.

[Screenshot: WannaCry ransom screen]

We support the findings of Google security researcher Neel Mehta, who pointed out in a tweet that code used in WannaCry bears similarities to code used by the Lazarus Group. This group consists of a cadre of cybercriminals believed to be responsible for the 2014 Sony Pictures hack and the 2016 theft of $81 million from Bangladesh's central bank.

Although it is true that the killswitch domain has been registered and is halting the original sample, our intelligence cell has already seen a version without the killswitch starting to spread. We strongly recommend that anyone running older versions of Windows (XP, 7, Server 2008) install the MS17-010 patch, disable SMBv1, and block inbound TCP port 445 at the network perimeter; the worm needs no user interaction, only a reachable, unpatched SMB service. In fact, all operating systems should be kept updated and patched, preferably automatically or as regularly as possible.
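The following PowerShell is an added example, not code from the original post: it audits one Windows host for the MS17-010 fix and for SMBv1 exposure, then disables SMBv1 and, if the patch is missing, blocks inbound TCP 445 on the host firewall. The KB list is taken from the March 2017 bulletin and the May 2017 out-of-band release and should be checked against Microsoft's MS17-010 page for your exact build; the function names (`Test-Ms17010Installed`, `Get-Smb1Enabled`, `Disable-Smb1`, `Block-InboundSmb`) are ours.

```powershell
# Added example, not code from the original post: audit a single Windows host
# for the MS17-010 fix and SMBv1 exposure, then remediate. Run in an elevated
# PowerShell session. The Smb* and NetFirewall* cmdlets exist on Windows 8 /
# Server 2012 and later, so older hosts fall back to the registry and netsh.

# KB numbers that shipped the MS17-010 fix for common builds (March 2017
# bulletin plus the May 2017 out-of-band release for unsupported systems).
# Verify against Microsoft's MS17-010 page for the build you audit. On
# Windows 10 later cumulative updates supersede these, so absence is only a hint.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Vista / 8 / Server 2003 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$Smb1RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    if ($hits.Count -gt 0) {
        Write-Host "MS17-010 present: $($hits -join ', ')"
        return $true
    }
    Write-Host 'No MS17-010 KB found (may be superseded on Windows 10; check the build)'
    return $false
}

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: an absent or non-zero SMB1 value means SMBv1 is on
    $v = Get-ItemProperty -Path $Smb1RegKey -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $Smb1RegKey -Name SMB1 -Type DWord -Value 0 -Force
        Write-Host 'SMBv1 disabled in the registry; reboot required'
    }
}

function Block-InboundSmb {
    # Host firewall: drop inbound TCP 445 on the Public and Private profiles only.
    # Blocking it on the Domain profile breaks file/print sharing and Group Policy.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
            -Profile Public, Private | Out-Null
    } else {
        netsh advfirewall firewall add rule name="Block inbound SMB (WannaCry mitigation)" `
            dir=in action=block protocol=TCP localport=445 profile=public,private | Out-Null
    }
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1Enabled
Write-Host "SMBv1 enabled: $smb1On"
if ($smb1On)       { Disable-Smb1 }
if (-not $patched) { Block-InboundSmb; Write-Host 'Inbound 445 blocked until MS17-010 is applied' }
```

The host firewall rule is a stop-gap for machines you cannot patch immediately; it does nothing for lateral movement inside a domain where 445 must stay open, which is why the perimeter block and the patch itself are the real fix.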

If you have been affected, we recommend against paying the “ransom”. These criminal gangs rarely decrypt files or release ransomed content, instead trying to extract more money from you. In this case, there is so much international attention on the surprisingly small number of target bitcoin wallets (three hardcoded addresses) that anyone trying to withdraw the money will most likely be noticed. We also note that the malware has no reliable way to tie a payment to a particular victim, so remote decryption is not necessarily possible even after payment.

Our cell tells us that criminals are now able to pay a “monthly subscription” for exploits from the same source (the Shadow Brokers announced such a scheme after WannaCry), meaning that attacks like this are likely to become more common. This ransomware attack shows how vulnerable data is, and why we need to protect it. We are here to help you prepare for the next attack; contact us today for a personalized service.

There are a number of defences anyone can adopt, such as keeping operating systems and patches up to date, but there are also some less well-known techniques we can apply to defend you.

At cyber shadow, we are always here to help. We recommend the following to mitigate your exposure to malware and ransomware:

  • Keep your PC up to date via Windows Update. WannaCry's exploit does not work against a patched Windows 10; the overwhelming majority of reported infections were unpatched Windows 7 and Server 2008 systems, with older systems such as XP also exposed.
  • Ensure you have an active firewall and antimalware solution in place. Windows Firewall and Windows Defender are a baseline; a good third-party antimalware solution adds coverage. Patches for the vulnerability WannaCry exploits are already available, and Microsoft has released out-of-band fixes even for the unsupported Windows XP, Windows 8 and Server 2003.
  • Don't rely on anti-malware and virus scanners to save you. Antivirus vendors are only now getting to grips with ransomware, and their protection isn't guaranteed; a signature for today's sample does not cover tomorrow's variant.
  • Ensure that Adobe Flash is turned off, or browse with a browser, such as Google Chrome, that disables it by default.
  • Turn off Office macros if they're enabled, or at minimum block macros in documents that came from the internet or email.
  • Don't open questionable links, on a webpage or especially in an email. The most common way you'll encounter ransomware is by clicking a bad link or opening a malicious attachment; WannaCry is the exception, spreading from machine to machine over SMB without anyone clicking anything.
  • Likewise, avoid untrusted areas of the internet. A malicious advert on a legitimate site can still deliver malware if you're not careful, but the risks increase if you're browsing where you shouldn't.
  • Keep offline backups of important data, and test that you can restore from them; a backup that is mounted as a network share when the ransomware runs will be encrypted along with everything else.
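For the macro bullet above, this is an added example of our own (not code from the original post) that enforces the Office macro settings through the per-user Office policy registry keys and then reads them back. It assumes Office 2016 / Office 365 (version key `16.0`; use `15.0` for Office 2013); the function names `Set-OfficeMacroPolicy` and `Get-OfficeMacroPolicy` are ours. In an estate you would push the same values with Group Policy rather than run this per machine.

```powershell
# Added example, not code from the original post: set and verify Office macro
# policy for the current user. Assumes Office 2016/365 (registry version 16.0).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 4 = disable all macros without notification (strictest),
        # 3 = allow only digitally signed macros, 2 = disable with notification
        # (the weak default that lets a user click "Enable Content").
        [int]$VbaWarnings = 4
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $VbaWarnings
        # Office 2016+: refuse to run macros in files carrying Mark-of-the-Web,
        # i.e. downloads and email attachments, regardless of the setting above.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $(if ($p) { $p.VBAWarnings } else { 'not set (user default applies)' })
            BlockInternetMacros = $(if ($p) { $p.blockcontentexecutionfrominternet } else { 'not set' })
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Values under `HKCU:\Software\Policies` take precedence over the user-editable Trust Center settings, so a user cannot simply re-enable macros from the Office UI; if a department genuinely needs macros, set `VBAWarnings` to 3 and sign the approved ones rather than falling back to 2.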

Contact us for tailored and specific services for your personal circumstances.