If your computer’s running on Microsoft Windows, you need to take these steps—right away.
Here’s why: in case you haven’t heard, hackers exploited a vulnerability in older Microsoft Windows servers to execute a large-scale global cyberattack on Friday using ransomware — a malicious software that holds your computer hostage for ransom — and a hacking tool stolen from the U.S. National Security Agency (NSA). The massive attack left victims locked out of their PCs with a promise of restored access if $300 was paid in digital currency Bitcoin—and a threat of destroyed files if the ransom is not met.
Thus far, at least 200,000 computers have been infected in more than 150 countries, leaving everything from businesses and governments to academic institutions, hospitals and ordinary people affected.
How it works
The malware, which “spreads like a worm,” is transmitted through a phishing email containing a compressed, encrypted file. Since the file is encrypted, security systems do not identify the ransomware, called Wanna Decryptor, until after it is downloaded. Wanna Decryptor, a next-gen version of the WannaCry ransomware, gains access to a given device once the malware-filled file is downloaded: it then encrypts data, locks down the system and demands ransom.
Ransomware does not typically work this quickly. But thanks to a stolen NSA cyber-weapon called EternalBlue, which was made public last month by a hacking group known as the “Shadow Brokers,” the malware spread rapidly by exploiting a security flaw in Microsoft Windows servers.
What users need to do
Simply put: make sure your Microsoft Windows server is up to date. Microsoft issued a patch in mid-March to fix the hole in Windows 7 and other supported versions of Windows: Vista, Server 2008, Server 2008 R2, 8.1, Server 2012, RT 8.1, 10, Server 2012 R2, and Server 2016. But those who did not apply the software update were—and still are—left exposed to the hack.
In light of the attack, Microsoft rolled out patches to protect older versions of Windows that “no longer receive mainstream support” from the company like Windows XP, Windows 8, and Windows Server 2003. Those running on Windows 10 are fine, as their software is not vulnerable to this particular cyberattack. Devices that are potentially susceptible are Windows 7 and Windows Server 2008, and earlier operating systems.
Microsoft recommends users upgrade to Windows 10 and install the security update MS17-010. With the 1.243.297.0 update, Windows Defender Antivirus detects the malware as Ransom:Win32/WannaCrypt. The company also recommends Device Guard for businesses and Office 365 Advanced Threat Protection for blocking emails carrying malware.
The U.S. Computers Emergency Readiness Team (CERT) issued advice on how users can best protect themselves from the recent WannaCry ransomware threat. In addition to being “particularly wary of compressed or ZIP file attachments,” CERT recommends using caution when clicking directly on links in email even if the sender is someone you know. They suggest trying to independently verify web addresses.
What happens if you don’t take protective measures?
Even if you don’t actively download the file from a phishing email, your device could be at risk—the ransomware also spreads through file-sharing systems on networks. Microsoft explains that the worm-like functionalities of the ransomware infects “unpatched Windows machines in the local network” and “executes massive scanning on Internet IP addresses to find and infect other vulnerable computers.”
Infected devices will find the desktop background image replaced with a message, calling for the user to follow instructions until they reach the ransom screen. Here, there are two timers—one showing the amount of time left until files will be deleted and a second displaying time until the ransom will increase from $300.
At this point, people have two choices: pay up and hope their device is restored, or part ways with the contents of their computer. The U.S. government recommends not paying ransoms, as shelling out money does not certify the data will be recovered and succumbing to cybercriminals may encourage future attacks. But that’s easier said than done, when it’s your own files that have been hijacked.
Wasn’t the ransomware stopped?
On Friday evening, the outbreak was slowed by the unintentional finding of a “kill switch” located in the code of the malicious software. The discovery was made by a U.K.-based cybersecurity researcher who only identifies themselves as MalwareTech.
While this stopped the malware from spreading, the masterminds behind the attack can easily modify the code to get the ball rolling again. Since Friday, two new variations of the malware have been detected. As such, it maintains imperative for people to protect their computers.
How common is ransomware?
More common than you’d think. NPR reports that 40 percent of spam emails last year contained ransomware attachments. And the ransomware-related extortion industry is growing. In 2015, ransomware victims reported $24 million in total annual costs (e.g. ransom, tech support, security software), Reuters reported last year. In just the first three months of 2016, the reported expenses were already at $209 million.
General, good-sense advice: remotely back up your files on a regular basis. This way you’ll never have to give in to a ransomware request if and when your device is compromised. And, of course, always stay up-to-date with your computer’s software.