Everything you need to know about the ransomware sweeping the globe
This story originally appeared on Fortune.com.
A massive cyberattack has been spreading across the globe since Friday, hitting hundreds of thousands of computers and crippling major government and corporate operations. The malware is known as WannaCry, and here’s what you need to know.
Isn’t the Attack Over?
Absolutely not. There were widespread reports on Saturday that a security researcher had discovered a “kill switch” that stopped the ransomware from spreading, but that’s only partly true. The kill switch certainly slowed WannaCry down, but it only stopped some of the ways the malware could spread. And Kaspersky Lab security researchers confirmed within hours that new versions of the malware had been detected which were not stopped by the kill switch. The ransomware spread to thousands more computers on Monday morning, as companies continued to cope with the fallout of the initial attack, the Associated Press reported.
What Does WannaCry Do?
WannaCry is ransomware, a growing category of extremely heinous malware. Once it has activated on a machine, it encrypts the files on that machine so they are inaccessible. Then it instructs the owner to pay a ransom in Bitcoin in exchange for unlocking the files.
Who Is It Targeting?
Broadly speaking, WannaCry exploits vulnerabilities in older Windows operating systems, including Windows XP. Microsoft issued a patch for those systems on Friday, but that didn’t stop it from hitting more than 200,000 machines in 150 countries. That has included dozens of large institutions and companies, including the U.K.’s National Health Service, China’s National Petroleum Corporation, and Renault factories in France.
How Can I Protect Myself?
If any of your personal or corporate systems run an older version of Windows (XP, 8, or Server 2003 specifically), you or your admins should immediately install Microsoft’s new security update. You should also, as always, remain extremely careful about opening any email attachments, from known or strange sources. But the truly scary thing about WannaCry is that it can reportedly spread over local networks without user interaction. Some authorities—including the government of Indonesia—are suggesting disconnecting unprotected machines from the Internet.
Is There a Fix If My Computer Is Infected?
Short answer: No. Security firms are getting better at decrypting files from ransomware attacks, but there are as yet no reputable decryptors (tools for removing ransomware) for WannaCry—though that could change at any time. And don’t get tricked twice. Hackers could even use the promise of a WannaCrypt fix as bait for further infections, so be extremely skeptical. Also, according to McAfee researchers, WannaCry deletes so-called ‘Volume Shadow’ backups that can sometimes be used to restore files.
That said, there is one unsavory option here: pay the ransom. WannaCry demands $300 in Bitcoin to unlock files on a machine, and hackers running ransomware have historically proven remarkably trustworthy in fulfilling their end of that bargain. (Whether paying is the ethical move is a big, thorny debate.)
Where Did It Come From?
WannaCry is believed to have been created with the (unintentional) assistance of the U.S. National Security Agency. An NSA exploit known as EternalBlue, part of an April release by a hacking group called the Shadow Brokers, is at its core.
Why Would Someone Do This?
To make money, though that doesn’t seem to be working out so well. While global financial damages from the attack could easily climb into the hundreds of millions, the (publicly viewable) Bitcoin addresses collecting ransom for the attackers are almost comically light: at this writing, they contain barely over $34,000 worth of Bitcoin.