Wanna Cry? Active Ransomware Outbreak (Updated)

According to reports, there is an ongoing, fast-moving and widespread ransomware attack against Microsoft Windows machines, with as many as 200,000 infections in as many as 150 countries (according to Europol on Sunday, 14 May 2017). The software can run in as many as 27 different languages, matching the operating system language settings.

This malware is variously known as WannaCry, WCry, Wanna Decryptor, or Wanna Decrypt0r and was discovered on the morning of May 12th, 2017. It works by encrypting your data and requesting a ransom of 0.1781 bitcoins, or roughly $300.

Initial reports indicate it spreads in multiple ways, including as e-mail attachments, via Remote Desktop Protocol (RDP) compromise, and through the exploitation of a critical Windows SMB vulnerability. Once a machine is infected, it tries to spread further via SMB file sharing, using any SMB shares that are not password protected.

It was believed that a fully patched machine would not be exploitable, though there is some debate as to that. Microsoft released additional patches on Friday, May 12th that everyone should apply to their Windows systems as soon as possible.

Steps you can take now include:

  • Make sure your Windows operating systems are updated and current as of the latest patch released May 12th, 2017.
  • Make sure you have anti-virus (AV) and/or anti-malware software running and scanning your machine, and that it is updated to the latest AV definitions.
  • Make sure all your SMB network shares are password protected. Consider disabling them during this outbreak.
  • Don't open e-mail attachments if you are not expecting them or are not sure of the sender.
  • Consider disabling MS Office macros in files transmitted via e-mail.
  • Consider using Office Viewer or some other previewing software to view MS Office attachments sent via e-mail, rather than using the full Office Suite.
  • Make sure you back up your data often, so you can recover from any loss, including loss of your data from ransomware attacks.
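
One way to check the SMB share item above on a single machine, as an added example that is not part of the original article: a read-only PowerShell audit that lists shares whose permissions allow access without a password. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 and an elevated prompt; the helper name Resolve-Sid is made up for this example.

```powershell
# Added example (not from the original article): read-only audit of local SMB
# shares. Run from an elevated prompt; nothing is changed on the machine.

# Well-known SIDs are matched instead of names, because account names are localized.
$openSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-32-546' = 'Guests group'
}

# Resolve-Sid is a helper written for this example.
function Resolve-Sid([string]$AccountName) {
    try {
        $nt = New-Object System.Security.Principal.NTAccount($AccountName)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # entry no longer resolves to an account
    }
}

# The built-in Guest account always has relative ID 501.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$guestEnabled = [bool]($guest -and $guest.Enabled)

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $sid = Resolve-Sid $ace.AccountName
        if (-not $sid) { continue }
        $isGuestUser = $sid -like 'S-1-5-21-*-501'
        if (-not ($openSids.ContainsKey($sid) -or $isGuestUser)) { continue }

        # An Anonymous Logon grant needs no credentials; Everyone and Guest
        # grants are reachable without a password while Guest is enabled.
        $open = ($sid -eq 'S-1-5-7') -or $guestEnabled
        $risk = if ($open) { 'Reachable without a password' } else { 'Broad grant, review' }

        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $ace.AccountName
            Right   = "$($ace.AccessRight)"
            Risk    = $risk
        }
    }
}

"Guest account enabled: $guestEnabled"
if ($findings) { $findings | Format-Table -AutoSize } else { 'No Everyone, Guest or Anonymous grants found.' }
```

Shares reported as reachable without a password are the ones to restrict to named accounts or to disable during the outbreak.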

So far, we don't know of any presence of this ransomware on campus.

To learn more about ransomware, please consider reading this CNS IT Support Blog article published on 8 August, 2016: https://sites.cns.utexas.edu/oit-blog/blog/ransomware

Written by Eric Rostetter, Senior System Administrator