WannaCry

Old Windows PCs can stop WannaCry ransomware with new Microsoft patch

Life
The Wanna Decryptor ransomware's ransom note. (Image: IDGNS)

15 May 2017

Users of old Windows systems can download a patch to protect them from last week’s massive ransomware attack.

In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8 – all of them operating systems for which it no longer provides mainstream support.

Users can download and find more information about the patches in Microsoft’s blog post about Friday’s attack from the WannaCry ransomware.

The ransomware, which has spread globally, has been infecting computers by exploiting a Windows vulnerability involving the Server Message Block protocol, a file-sharing feature.

Computers infected with WannaCry will have their data encrypted, and display a ransom note demanding $300 or $600 in bitcoin to free the files.

Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits – but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack.

The ransomware was initially found spreading through attachments in e-mail phishing campaigns. In certain cases, the scam e-mails pretended to represent a bank alert about a money transfer, according to Cisco’s Talos security group.

Users can protect themselves by being careful about such e-mails, Microsoft said. The company’s free antivirus software Windows Defender, along with other third party security products from those including Kaspersky Lab and Avast, will also detect and remove the threat.

Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the Internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.

Businesses can prevent this by disabling the Server Message Block protocol in vulnerable PCs. They can also use a firewall to block unrecognised Internet traffic from accessing the networking ports the Server Message Block uses.

Fortunately, Friday’s ransomware attack may have been contained. A security researcher who goes by the name MalwareTech has activated a sort of kill-switch in WannaCry that stops it from spreading.

As a result, over 100,000 new infections were prevented, according to UK’s National Cyber Security Centre. But experts also warn that WannaCry’s developers may be working on other versions that won’t be easy to disable.

“It’s very important everyone understands that all they (the hackers) need to do is change some code and start again. Patch your systems now!” MalwareTech tweeted.

Unfortunately, the kill-switch’s activation will provide no relief to existing victims. The ransomware will persist on systems already infected.

Friday’s ransomware attack appears to have spread mainly in Europe and Asia, with Russia among those nations hardest hit, according to security researchers.

Irish security firm Integrity360 has recommended that affected users not pay the ransom to unlock their systems. “Analysis of the malware, and its payment method, show it is either not created with decryption in mind, or the payment & decryption process is simply poorly written,” said the company ni a blog post. “Unlike other ransomware there is no automated association of payment to a unique host ID to allow the decryption keys to be provided automatically on payment.

“One piece of analysis also indicated decryption would potentially be a manual process, interacting with the attackers via the Tor network, which would be impossible for all 200,000 infected hosts.”

IDG News Service

Read More:


Back to Top ↑

TechCentral.ie