WannaCry FAQs: supplied by Kaspersky Lab

Details
Published: Monday, 15 May 2017 13:40

What is WannaCry?
WannaCry comes in two parts. First of all, it’s an exploit which purposes are infection and propagation. And the second part is an encryptor that is downloaded to the computer after it has been infected.

This is the main difference between WannaCry and the majority of other encryptors. In order to infect a computer with a common encryptor, a user has to make a mistake, for example, by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an email message. A system can be infected with WannaCry without doing anything.

What are you seeing in terms of expansion?
We are still observing an increase in the number of infections, which indicates the attack is still ongoing. Compared to yesterday, the number of infections appears to be now about 3 times bigger; this was calculated taking into account new detection methods for the network attacks and several new samples we received in the meantime. Therefore, we estimate about 120-130,000 infections total. A similar number is also offered by malwaretech's sinkhole project.

Can we say with a confidence that the attacks are now under control?
Wherever there are unpatched computers, there is a risk of infection.  Historically, we know that people and organisations don’t necessarily update their systems, even where there is a known exploit for a vulnerability.

Have you already started to see new variations of WannaCry?
Several new variants have emerged during Sunday and last night, of which only one appears to have gone some very limited traction. The other variants appear to have been manually patched by unknown entities and have not been created by the original Wannacry authors. For the new variant that appeared on Sunday morning (all times refered to are GMT), we have seen a very limited number of attacks which included three customers, in Russia and Brasil. We continue to monitor the developments and watch for the emerge of any new variants.

We see in the media, comments that the “worst attacks are about to come”.  What are your thoughts?
No one can say with certainty that ‘the worst is yet to come’.  However, it’s likely that there are still significant numbers of unpatched systems, providing further opportunities for this malware to spread.  It’s also possible that other malware might be created to take advantage of the same exploit.

Where does responsibility lie for these attacks?
The key factor in the spread of WannaCry is the use of the EternalBlue exploit, i.e. that organisations and individuals haven’t updated their systems.  However, as mentioned above, malware can spread in other ways too – most notably by tricking people into installing code.  So patching systems is vital – it reduces your exposure to attack.  But it’s also essential to ensure that systems are protected using Internet security software.  On top of this, education of staff is also vital.  Finally, good network management will also help to reduce the scope of any attack, i.e. don’t assign admin rights to computers automatically, segment different parts of the network and restrict access to data to those who need it.

Are there victims who have installed the patch for Microsoft Windows? If yes, how is then possible that attacks were successful?
While the remote attack of systems using the ‘EternalBlue’ exploit is the most significant factor involved in the spread of WannaCry, this doesn’t mean it can’t spread without this.  But this would require victims to run the infected code.  We know that cybercriminals routinely use social engineering – tricking people into clicking on links and attachments – to spread malware, so it’s entirely feasible for WannaCry to spread this way.

Why is Russia worst affected?
There are a large amount of PCs running out of date or unofficial versions of Windows in Russia.

Do you have any data showing whether people are paying the ransom, and if they are getting access back?
We do observe multiple ransom payments in Bitcoins for the three known wallets we are monitoring, accounting for about 70 people who paid in total.

Based on the current Bitcoin exchange rate the attackers made about $20,000 during the first 24 hours. Taking into account our experience in observing BTC ransomware payments, we estimate that the peak will be reached in 24-48 hours from the beginning of the attack, as people need to research ways of acquiring Bitcoins for the payment. We would also want to clarify we do not recommend to pay the ransom, as this only encourages the criminals to continue their activities.


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Cyber Response Guide
The Business Continuity Business Case

Additional Resources

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.