We all know -- or, well, we should all know -- how to block malware attacks.
You don't install unknown applications. You don't open dodgy email attachments. And you don't download files from strange websites. But then there's WannaCrypt, aka WannaCry. It may get its first foothold the old-fashioned way, but once it is on your network it uses SMBv1, the out-of-date version of Windows' Server Message Block (SMB) file-sharing protocol, to spread like wildfire from machine to machine with no user involvement at all.
The protocol is what Windows uses to share files and printers over a network. Its SMBv1 dialect, which Microsoft called the Common Internet File System (CIFS), has been in use since the 1990s on Windows, and it is also implemented on Linux, Unix, and macOS.
On modern networks SMB runs directly over TCP port 445. Before that it ran on top of NetBIOS over TCP/IP (ports 137 to 139). Microsoft introduced "direct hosting" of SMB over port 445 with Windows 2000, and the SMBv1 server code has shipped with every Windows release since. That SMBv1 implementation is where the flaw WannaCrypt uses hides. Microsoft patched it in March 2017 as security bulletin MS17-010, two months before the outbreak.
There are many ways to exploit the SMBv1 hole -- and they're still being used. Rapid7, makers of the penetration-testing framework Metasploit, reports over a million internet-facing devices with port 445 open. Of those, more than 800,000 run Windows. Anyone who leaves port 445 exposed to the internet is, in all likelihood, also still running SMBv1 and not patching regularly.
WannaCrypt is more dangerous than earlier ransomware because once a single Windows PC on a network is infected, every other Windows PC reachable over SMB is open to attack. SMB is used on many operating systems -- such as the Linux-powered network-attached storage (NAS) boxes on many small-business networks -- but WannaCrypt can only attack Windows systems, because it exploits a remote code execution (RCE) vulnerability in Windows' own SMBv1 implementation, the one fixed by MS17-010. A NAS can't be infected, but any share an infected PC has mounted can still have its files encrypted by that PC.
The mechanism WannaCrypt uses to spread is built from a pair of National Security Agency (NSA) tools, EternalBlue and DoublePulsar, which were leaked by a group calling itself the Shadow Brokers. EternalBlue lets a remote attacker execute arbitrary code on an unpatched Windows system by sending crafted SMBv1 packets to port 445. DoublePulsar is a kernel-mode backdoor that EternalBlue installs on the compromised computer. Between them they give the worm a way in and a way to plant the ransomware payload on every vulnerable Windows host on your network.
Before it does anything else, WannaCrypt tries to connect to a hard-coded web domain that, at first, nobody had registered (the now-famous "kill switch"). Unlike other ransomware programs, if it can reach that domain it stops and does no more harm. If it can't, then the "fun" begins.
On the infected system it installs a service called mssecsvc2.0. That service is the worm: it scans your local network, and random internet addresses as well, for other Windows PCs with port 445 open and tries to infect every one it finds. It also extracts the actual ransomware from a password-protected .zip archive embedded in the program. That painful package includes a program that encrypts every file it can find and then renames each one by appending ".WNCRY" to the file name. For example, a file named "dog.jpg" is encrypted and renamed "dog.jpg.WNCRY."
That done, it deletes your Volume Shadow Copies. So, forget about recovering your files from Windows' built-in local snapshots; that won't work. If you don't have a backup that was offline or otherwise out of the malware's reach, you're screwed. There is no way to recover the encrypted files. In theory, you could pay the $300 Bitcoin ransom -- and some people have paid -- but there's no record of anyone getting their files back.
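The behaviours just described -- the mssecsvc2.0 service, the ".WNCRY" rename, and the shadow-copy deletion -- are exactly what an incident responder looks for on a suspect host. Here is an added example in Python, not code from this article or from any vendor, that runs those checks over a handful of constructed host events of the kind an EDR or Sysmon export would give you (service names, file paths, process command lines). The event layout is an assumption made for the demo; the indicators themselves come from the description above, and the vssadmin/wmic command lines are the standard Windows commands for deleting shadow copies.

```python
"""Added example: host triage for the WannaCrypt indicators described above.
Event dicts mimic an EDR/Sysmon export; that format is an assumption."""
import re

WANNACRY_SERVICE = "mssecsvc2.0"   # the worm's service name
ENCRYPTED_SUFFIX = ".WNCRY"        # appended to every encrypted file

# vssadmin and wmic are the standard tools for wiping Volume Shadow Copies;
# matching on them catches the "forget your local backups" step whatever
# extra flags the sample passed.
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)


def original_name(path):
    """'dog.jpg.WNCRY' -> 'dog.jpg'; None if the file is not a WannaCrypt output."""
    if path.upper().endswith(ENCRYPTED_SUFFIX):
        return path[:-len(ENCRYPTED_SUFFIX)]
    return None


def triage(events):
    """Return a list of (indicator, detail) hits found in the event stream."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "service" and ev.get("name", "").lower() == WANNACRY_SERVICE:
            hits.append(("service", ev["name"]))
        elif kind == "file":
            orig = original_name(ev.get("path", ""))
            if orig is not None:
                hits.append(("encrypted-file", orig))
        elif kind == "process" and SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
            hits.append(("shadow-copy-deletion", ev["cmdline"]))
    return hits


def verdict(hits):
    """'infected' if the worm service or encrypted files are present,
    'suspicious' if only shadow copies were wiped, otherwise 'clean'."""
    kinds = {indicator for indicator, _ in hits}
    if kinds & {"service", "encrypted-file"}:
        return "infected"
    if "shadow-copy-deletion" in kinds:
        return "suspicious"
    return "clean"


SAMPLE_EVENTS = [   # constructed for this example, not a real capture
    {"type": "service", "name": "mssecsvc2.0"},
    {"type": "service", "name": "Spooler"},
    {"type": "file", "path": r"C:\Users\alice\Pictures\dog.jpg.WNCRY"},
    {"type": "file", "path": r"C:\Users\alice\Pictures\cat.jpg"},
    {"type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for indicator, detail in found:
        print(f"{indicator:22} {detail}")
    print("verdict:", verdict(found))
```

The shadow-copy deletion is deliberately weighted lower than the other two indicators: plenty of ransomware families run the same vssadmin command, so on its own it tells you a host is in trouble, not which family is responsible.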
So, what can you do? In short order:
Stop using Windows on the desktop, use Linux instead.
If you insist on using Windows, upgrade to Windows 10, install the March 2017 MS17-010 update, and disable SMBv1.
Block port 445 at your network firewall, and never expose it to the internet.
Although we now know in great detail how WannaCrypt works, there is no cure once it strikes. Prevention is all you have.
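The port-445 numbers quoted earlier and the last two pieces of advice above both come down to one question: does a given host still answer SMBv1 on port 445? Here is an added example in Python (not code from this article, Rapid7, or Microsoft) that shows what an SMBv1 client actually sends first over port 445 and how to read the answer. It builds the SMB1 NEGOTIATE request, offering only the "NT LM 0.12" CIFS dialect, and classifies the server's reply: a host that still speaks SMBv1 answers with an SMB1 header and a dialect index, while a host with SMBv1 disabled normally drops the connection. The `probe_smb1` function and the constructed replies are my own; use the live probe only against hosts you are authorised to test.

```python
"""Added example: the SMB1 NEGOTIATE exchange over TCP 445, used to check
whether a host still accepts SMBv1 (the protocol version WannaCrypt abuses).
Not code from the article; the packet layout follows MS-CIFS (SMB_Header
and SMB_COM_NEGOTIATE)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER = "<4sBIBHH8sHHHHH"   # the fixed 32-byte SMB1 header, little-endian


def netbios_frame(smb):
    """NetBIOS Session Service framing used on port 445: type 0x00 + 3-byte length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects=("NT LM 0.12",)):
    """SMB1 NEGOTIATE request offering the given dialects. Offering only
    'NT LM 0.12' (the CIFS dialect) asks the server, in effect, 'do you
    still speak SMBv1?'"""
    header = struct.pack(
        SMB1_HEADER,
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,            # NT status
        0x18,         # Flags: case-insensitive, canonicalised paths
        0xC853,       # Flags2: Unicode | NT status | extended security | long names
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures
        0,            # Reserved
        0xFFFF,       # TID: no tree connected yet
        0xFEFF,       # PIDLow
        0, 0,         # UID, MID
    )
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # WordCount 0 (no parameter words), then ByteCount and the dialect list
    return netbios_frame(header + struct.pack("<BH", 0, len(body)) + body)


def classify_negotiate_reply(data):
    """Classify the server's raw reply (NetBIOS framing included)."""
    smb = data[4:]
    if smb.startswith(SMB2_MAGIC):
        return "smb2"           # server moved to SMB2+ (only if an SMB2 dialect was offered)
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "none"           # empty or reset: the usual sign that SMBv1 is disabled
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return "smb1-refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # 0xFFFF = no dialect accepted
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Live check (needs network). A closed port also yields 'none', so
    pair this with a plain port scan if you need to tell the two apart."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(4096)
    except OSError:
        reply = b""             # RST, timeout or refused connection
    return classify_negotiate_reply(reply)


def constructed_reply(kind):
    """Constructed (not captured) server replies so the classifier runs offline."""
    if kind == "smb2":
        return netbios_frame(SMB2_MAGIC + b"\x00" * 60)
    dialect_index = 0 if kind == "smb1" else 0xFFFF
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98,
                         0xC853, 0, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    if dialect_index == 0xFFFF:
        params = struct.pack("<BH", 1, dialect_index)                 # WordCount 1
    else:
        params = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32  # WordCount 17
    return netbios_frame(header + params + struct.pack("<H", 0))       # ByteCount 0


if __name__ == "__main__":
    print("request:", build_smb1_negotiate().hex())
    for kind in ("smb1", "smb1-refused", "smb2"):
        print(f"{kind:13} -> {classify_negotiate_reply(constructed_reply(kind))}")
    # probe_smb1("10.0.0.5") runs the live check against a host you own.
```

A result of "smb1" from a host reachable from the internet is the situation the Rapid7 figures describe; the fix is the same as the advice above: patch, disable SMBv1, and keep port 445 behind the firewall.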