WannaCry ransomware: How it works and how to protect yourself

Wanna ransomware – also known as WannaCry, WanaCrypt, WanaCrypt0r and other names: what is it? How does Sophos block it? And what can you do to stay protected?

Wanna is a widespread ransomware attack affecting IT organizations across the globe. It’s encrypting people’s files, changing the files’ extensions, and demanding ransom payment to unlock the files. This ransomware spreads rapidly like a worm by leveraging a Windows vulnerability in the Server Message Block or SMB service, which is used by Windows computers to share files and printers across local networks.

Details are still a bit murky, but the attack appears to have been based off of code leaked from a cyberweapon developed by the U.S. National Security Agency. The attack itself is massive, prompting Microsoft to issue a patch for Windows XP, an operating system it doesn’t even support anymore. And it was found to contain a kill-switch — a URL that the code looks for when it initially runs. If that URL is live, the attack stops working. Thankfully, a malware researcher took the liberty of registering the URL, effectively neutralizing the attack; however, expect to see a series of additional attacks based on this one but that ignore the kill-switch.

Customers using our Sophos Intercept X and Sophos EXP products are protected against this threat and threats like it. In the case of Intercept X, for example, our CryptoGuard anti-ransomware technology notices that files are being rapidly encrypted and recognizes it as attack-like behavior. It then stops the encryption and rolls affected files back to their safe states. This is done using proprietary shadow-copy technology to make just-in-time copies of files once the encryption process begins. Intercept X then calls upon our Sophos Clean product to remove the offending code from users’ machines and does a deep scan-and-fix to restore registry files back to normal as well.

The entire process doesn’t rely on anti-virus signatures or updates: Intercept X simply recognizes malicious techniques to thwart attacks. It says, “Hey, this machine’s files are being rapidly encrypted, which isn’t a normal behavior. Time to step in and stop this from happening.”

So how can you stay protected? As mentioned, this ransomware variant contains a kill-switch by way of a URL lookup. If applicable, make sure to white-list the following domains in your environment in order to neutralize the attack.

Other steps to take include making sure your Windows computers are up to date, as Microsoft issued a patch to fix this flaw back in March. Back your systems up regularly, keeping a recent backup copy off site. And encrypt that offsite backup just in case it falls into the wrong hands.

Be cautious about unsolicited attachments. We see an overwhelming number of attacks arrive via email, so think twice about opening files that are sent to you even if they appear to be from someone you know. And finally, make sure your anti-virus is up to date and consider next-generation endpoint protection.

If you’re a business interested in protecting your users from ransomware, we recommend our Intercept X product, which includes CryptoGuard ransomware protection, exploit prevention, root-cause analysis, and Sophos Clean, all managed from anywhere through our award-winning Sophos Central Admin console. If you’re a home user looking to protect your personal computers, check out the beta of Sophos Home Premium – which includes ransomware prevention – at home.sophos.com.

To learn more about this attack and others, and to try Sophos protection for yourself, visit Sophos.com today.
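
The behavioural idea described above, flagging a process that rapidly rewrites files with encrypted-looking content and changes their extensions, can be expressed as a sliding-window check over file-write events. This is an added example, not Sophos code and not how CryptoGuard is implemented; the event format, the thresholds, the `.locked` extension and the sample events are assumptions constructed for illustration.

```python
import math
import ntpath
from collections import Counter, defaultdict, deque

ENTROPY_MIN = 7.5   # bits/byte; ciphertext sits close to 8.0 (assumed threshold)
WINDOW_SECS = 10.0  # sliding window length (assumed)
MAX_FILES = 5       # suspicious rewrites tolerated per window (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, ~8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_encryptors(events):
    """events: time-ordered (ts, pid, old_path, new_path, sample_bytes) tuples.
    Returns {pid: ts_of_first_alert} for processes exceeding the rewrite rate."""
    recent = defaultdict(deque)  # pid -> timestamps of suspicious writes in window
    alerts = {}
    for ts, pid, old, new, sample in events:
        renamed = ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()
        if not (renamed and shannon_entropy(sample) >= ENTROPY_MIN):
            continue  # ordinary save: same extension or low-entropy content
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECS:
            q.popleft()  # drop events that fell out of the window
        if len(q) > MAX_FILES and pid not in alerts:
            alerts[pid] = ts
    return alerts

def sample_events():
    """Constructed sample data, not captured from a real incident."""
    cipher = bytes(range(256)) * 4           # uniform bytes: entropy exactly 8.0
    text = b"Quarterly report draft. " * 40  # plain text: low entropy
    ev = [(0.5 * i, 4242, f"C:\\docs\\f{i}.docx", f"C:\\docs\\f{i}.docx.locked", cipher)
          for i in range(8)]                 # pid 4242: 8 rewrites in 3.5 seconds
    ev += [(1.0, 2020, "C:\\docs\\notes.txt", "C:\\docs\\notes.txt", text),  # editor save
           (2.0, 1010, "C:\\docs\\a.docx", "C:\\docs\\a.zip", cipher),       # archiver,
           (40.0, 1010, "C:\\docs\\b.docx", "C:\\docs\\b.zip", cipher)]      # slow rate
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(find_encryptors(sample_events()))
```

The archiver (pid 1010) also produces high-entropy output under a new extension, which is why the check keys on rate within the window instead of on entropy alone.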

4 Replies to “WannaCry ransomware: How it works and how to protect yourself”

  1. This is one of the best reasons to use Sophos Home which uses their Business Class anti-malware software for FREE
