Wanna Cry? Active Ransomware Outbreak

According to numerous reports, there is an ongoing, fast and widespread ransomware attack against Microsoft Windows machines, with reports of tens of thousands of infections in as many as 74 countries. The software can run in as many as 27 different languages, matching the operating system language settings.

The malware is variously known as WannaCry, WCry, Wanna Decryptor, or Wanna Decrypt0r, and was discovered the morning of May 12, 2017. It works by encrypting your data and demanding a ransom of .1781 bitcoins, the equivalent of roughly $300.

Initial reports indicate that the first infection can come in multiple ways, possibly including e-mail attachments, Remote Desktop Protocol (RDP) compromise, and exploitation of a critical Windows SMB vulnerability. Once a machine is infected, it tries to spread further via SMB file sharing, using any SMB shares that are not password protected.

It was believed that a fully patched machine would not be exploitable, though there is some debate as to that. Microsoft released additional patches on Friday, May 12th, which everyone should apply to their Windows systems as soon as possible.

Steps you can take now include:

  • Make sure your Windows operating systems are updated and current as of the latest patch released May 12th, 2017.
  • Make sure you have anti-virus (AV) and/or anti-malware software running and scanning your machine, and that it is updated to the latest AV definitions.
  • Make sure all your SMB network shares are password protected.  Consider disabling them during this outbreak.
  • Don't open e-mail attachments if you are not expecting them or sure of the sender. 
  • Consider disabling MS Office macros in files transmitted via e-mail.
  • Consider using Office Viewer or some other previewing software to view MS Office attachments sent via e-mail, rather than using the full Office Suite.
  • Make sure you back up your data often, so you can recover from any loss, including ransomware attacks.
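
One way to check a single machine against the patching, anti-virus and SMB share items above, as an added example that is not part of the original advisory. It assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt; the variable names, the one-day definition-age threshold and the list of account names treated as loose are choices made for this example.

```powershell
# Added example: audit one Windows machine against the checklist above.
$patchDate = [datetime]'2017-05-12'   # patch release date given in the advisory
$maxSigAge = 1                        # assumed threshold, in days
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Patching (heuristic): was any update installed on or after the patch date?
#    This does not prove that one specific fix is present.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt $patchDate) {
    $findings.Add("PATCH: no update installed on or after $($patchDate.ToString('yyyy-MM-dd'))")
}

# 2. Anti-virus: Get-MpComputerStatus reports on Windows Defender only.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('AV: Defender real-time protection is off')
    }
    if ($mp.AntivirusSignatureAge -gt $maxSigAge) {
        $findings.Add("AV: Defender definitions are $($mp.AntivirusSignatureAge) days old")
    }
} catch {
    $findings.Add('AV: Defender status unavailable; check the installed AV product by hand')
}

# 3. SMB shares: list user-created shares whose permissions allow Everyone,
#    Guest or anonymous logon, so they can be reviewed or disabled.
$loose = 'Everyone', 'Guest', 'ANONYMOUS LOGON'
try {
    foreach ($share in (Get-SmbShare -ErrorAction Stop | Where-Object { -not $_.Special })) {
        $hits = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($_.AccountName -split '\\')[-1] -in $loose
        }
        foreach ($h in $hits) {
            $findings.Add("SMB: share '$($share.Name)' allows $($h.AccountName) ($($h.AccessRight))")
        }
    }
} catch {
    $findings.Add('SMB: could not enumerate shares; run elevated on Windows 8 or later')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A share that lists Everyone is not necessarily open without a password, since that depends on whether guest access is enabled, so treat SMB findings as shares to review or disable rather than as confirmed exposures.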

So far, we don't know of any presence of this ransomware on campus.

Written by Eric Rostetter, Senior System Administrator