Science

WannaCry ransomware: What you need to know

The WannaCry ransomware attack has been widespread but not yet catastrophic. Still, there are a lot of unanswered questions as to the source and how the issue has spread.

Most victims so far have not paid the ransom, officials in Europe say

To prevent ransomware attacks, users should make sure operating system software is up to date, and having updates install automatically in the background is key. (Chris Hondros/Getty Images)

WannaCry is so-called crypto-ransomware that encrypts and makes inaccessible files on a computer until a ransom is paid by an individual or company.

The cybercrime unit of Europol says the current attack has reached at an "unprecedented level."

While ransomware attacks have existed for many years, they've reached "a new level of maturity and menace," according to a report last year by software security giant Symantec.

In the past decade, bitcoin and other cryptocurrencies — anonymous and often comprised of "wallets" that can be used one time only — have helped embolden ransomware actors and gangs.

The impact

WannaCry ransomware had been noted earlier by experts, but it mushroomed on May 12. 

Its presence has been noted in 150 countries. Among the 10,000 organizations affected are Britain's National Health Service, the U.S.-based courier FedEx, automaker Renault in France and Spain's largest telecom operator.

The damage has been widespread and it's conceivable that variants of the ransomware, or new versions that attack the same operating system vulnerabilities, could proliferate in coming days.

"As malware researchers have been identifying various parts of it that could be used to disable the ransomware, the ransomware authors have been pushing new ransomware that fixes those vulnerabilities pretty much in real time," Matt Tait, U.K. cybersecurity expert, told CBC News on Sunday.

How it works

Ransomware attacks encrypt documents such as photos, videos, spreadsheets and presentations.

This attack held users hostage by freezing their computers, popping up a red screen with the words, "Oops, your files have been encrypted!" and demanding money in the form of an online bitcoin payment — $300 at first, possibly rising to $600 before it destroys files.

While phishing schemes that encourage users to open infected attachments often play a part in the spread of ransomware, the jury is still out in this case. It seems worm-like processes in which a tainted computer scans other computers in a network have helped increase the damage.

WannaCry exploited a vulnerability in Microsoft operating systems. Microsoft released a patch in March for more recent versions of Windows, but those who didn't update, or those running versions older versions of Windows no longer actively supported, remained vulnerable.

The company issued a new patch for older Windows versions on May 12 after reports emerged of the far-ranging WannaCry attack, an unusual step. As a result Windows versions from XP onwards now have patches — though they must be applied for the protection to work.

How to respond

Decryption of files from this ransomware attack isn't yet possible. Files on a desktop, in My Documents, or on a removable drive will be difficult if not impossible to recover.

For computers within a network, disabling Server Message Block version 1 has been recommended.

In terms of prevention, users should make sure operating system software is up to date, and having updates install automatically in the background is key. Anti-virus and anti-spyware tools are effective bulwarks if OS software is updated.

Experts warn of another cyberattack

8 years ago
Duration 5:25
Despite a "kill switch" found by a security researcher in Friday's massive cyberattack, Europol is concerned more attacks could happen. Cybersecurity expert Matt Tait explains.

Having backup versions of files offline or on cloud services, depending on one's preference and situation, are advisable.

"If you have a backup then this whole thing is moot," said Matthew Braga, CBC technology writer. "You just wipe your computer, restore your backup and it's fine."

In the past, individuals and organizations have differed over whether to pay the ransom. Some who've paid never had their files released, while others who waited out the process without paying were unaffected.

There's no guarantee hackers will restore files, and those who have been successful in regaining files in past attacks have reported wait times that can be days or weeks.

Europol said most currently victimized have not paid the ransom, and Symantec is among the security companies that advise against paying.

Businesses and governments suspecting a cybesecurity incident in Canada are encouraged to report them to the RCMP's cybercrime unit.

Blame game

WannaCry preyed on a Microsoft vulnerability, but widely used operating systems involve millions and millions of lines of code and are far from impenetrable. As stated, there is an onus on individuals and IT professionals to keep patches, software protection and backup systems up to date, especially for an outdated OS.

"As software gets older, it stops being supported and leaves things open to being exploited," said Braga.

But it's also true that when Microsoft stops supporting a version of software, the program or operating system is quite often still widely used. When Microsoft announced it would stop support for XP in 2014, a large number of U.S. gas and electric utilities were said to be using XP operating systems at workstations, inspiring doomsday scenarios in which power grids or water supplies could be affected.

Ransomware and worm-like tools to exploit vulnerabilities have been in some cases leaked or stolen from U.S. intelligence agencies. It appears a tool identified by the National Security Agency for its own intelligence-gathering purposes and leaked by an online group called Shadow Brokers has been used to help exploit this ransomware.

Brad Smith, president and chief legal officer for Microsoft, said in a public response to WannaCry that governments must accept a greater share of responsibility for cyberattacks and not stockpile such code.

"The governments of the world should treat this attack as a wake-up call," said Smith. "They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world."

Tom Bossert, adviser for U.S. Homeland Security, said Monday afternoon less than $80,000 had been paid in ransom, and that the attack seemed more criminal than political in intent. (Kevin Lamarque/Reuters)

Whether the Shadow Brokers are simply disgruntled insiders with ties to the U.S. intelligence community and/or persons with links to Russia has been debated by experts online.

Russian President Vladimir Putin said early Monday that Russia "had nothing to do with" WannaCry.

Tom Bossert, homeland security adviser to the White House, said Monday afternoon the U.S. hasn't ruled out involvement by a foreign government, but that the recent ransom demands suggest a criminal network.

Ransomware can be purchased cheaply in the dark corners of the web by individual or state actors. As such, Europol said in a statement, a "complex international investigation" will be needed to identify those ultimately responsible for these attacks.

Canada and ransomware

Canadian firms traditionally have been tight-lipped about suffering cyberattacks, and Ottawa has been muted about WannaCry, apart from some basic online advisories.

Lakeridge Health, a hospital in Oshawa, Ont., said it was attacked, but the threat was contained and patient care was not affected.

A study published last year indicated Canadian firms targeted by ransomware attacks were more likely than companies in other countries to pay to unlock files.

Seventy-five per cent paid the ransom when targeted before, or instead of, contacting authorities or cybersecurity firms for assistance, compared with the global average of 40 per cent, according to a study sponsored by cybersecurity firm Malwarebytes and conducted by Osterman Research.

Almost half of the Canadian respondents said the ransomware attacks resulted in lost revenue, while a large majority that didn't pay up (82 per cent) lost files in the process.

Canadians expressed confidence in their ability to stop ransomware, but the data reported didn't support that level of certainty, the study's authors concluded.

With files from The Associated Press and Reuters