What is WannaCry and what happened?
- The NSA found a flaw in the Windows operating system and had been exploiting it for some time to take control of remote computers. The NSA packaged the exploit into a handy tool called EternalBlue to make this easy.
- The tool was stolen by a hacker group known as The Shadow Brokers and published online.
- The NSA let Microsoft know about the vulnerability, and Microsoft released a patch for newer versions of Windows but not for Windows XP, which is out of support (custom support only).
- Virus writers re-used some old ransomware code and added the EternalBlue code, turning it into a ‘worm’. A worm is a virus that scans the local network to find more computers to infect.
- The virus starts by infecting vulnerable machines, meaning those without the update or those running Windows XP. Initial infections would have been by email, but where there is one vulnerable machine there tend to be more. The EternalBlue exploit is then used to infect the other local machines, causing the virus to spread very rapidly.
- Luckily for us, the virus writers made a terrible miscalculation. They included a piece of code believed to be designed to check whether the virus was running in a sandbox environment (a fake environment used for testing). It did this by checking whether it could contact a domain that wasn’t registered. A sandbox would produce a fake response even though the domain wasn’t registered, so if the unregistered domain responded, the virus assumed it was being tested and shut down immediately to make it harder to analyse. This worked well – until someone registered the domain. From that point on, every new infection checked the previously unregistered domain, received a response and shut down, immediately halting the spread of the infection.
- Microsoft released a patch for Windows XP.
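The sandbox check described above has a useful side effect for defenders: once the domain is registered, every infected machine that performs the check sends a DNS query for it, so the resolver logs reveal which hosts were infected and still need patching. As an added example (not code from the original article), here is a small Python script that parses DNS query logs and reports those hosts; the domain name is a placeholder, the log-line format is an assumption, and the log lines are constructed.

```python
import re

# Placeholder only: the real kill-switch domain is not given in the article.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

# Constructed sample resolver log lines. The format
# "<date> <time> client <ip>#<port>: query: <name> IN <type>" is an assumption.
SAMPLE_DNS_LOG = """\
2017-05-12 14:02:11 client 10.1.4.23#51233: query: www.example.com IN A
2017-05-12 14:02:13 client 10.1.4.57#49901: query: killswitch-placeholder.invalid IN A
2017-05-12 14:02:14 client 10.1.4.57#49902: query: KILLSWITCH-PLACEHOLDER.INVALID. IN A
2017-05-12 14:03:40 client 10.1.7.8#60123: query: killswitch-placeholder.invalid IN A
2017-05-12 14:05:02 client 10.1.4.23#51240: query: updates.example.net IN A
this line is not a query record and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def hosts_querying(log_text, domain):
    """Return {client_ip: {"count": n, "first_seen": ts}} for every client
    that looked up `domain`. Matching is case-insensitive and ignores a
    trailing dot, since resolvers log fully qualified names either way."""
    wanted = domain.lower().rstrip(".")
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m.group("name").lower().rstrip(".") != wanted:
            continue
        entry = hits.setdefault(m.group("ip"), {"count": 0, "first_seen": m.group("ts")})
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    # Hosts that hit the kill switch were infected but stopped; patch them first.
    for ip, info in sorted(hosts_querying(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN).items()):
        print(f"{ip}: {info['count']} lookup(s), first seen {info['first_seen']}")
```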
The virus writers behind this attack, and others around the world (who will now have a copy of the EternalBlue code), will correct this mistake and try again. Anti-virus vendors will attempt to write definitions to catch the new variants, but this is not always successful.
What you should do next
- All Windows systems should be patched immediately using Windows Update. Windows 10 doesn’t have this specific vulnerability but should be kept updated as normal. If concerned, ensure your IT support company uses monitoring tools to manage this.
- Move away from Windows XP where possible. Windows XP is no longer covered by general support. You can run many Windows XP applications in ‘compatibility mode’ on newer operating systems.
- Some anti-virus programs, like our Managed Anti-Virus product, would protect your systems from this attack. Consider installing or upgrading your anti-virus protection.
- Educate staff about phishing emails.