This blog was written by Jerome Bachelet, Mozy Systems Engineer; and Ela Moraru, Mozy Associate Systems Engineer 1
You’ve no doubt heard about the “Wanna” ransomware virus. Known by various names—including WannaCry, WannaBe, and WannaCrypt—this ransomware outbreak has spread globally and rapidly, affecting more than 250,000 computers in more than 150 countries in just a few short days. Individuals and businesses have been infected by the virus in the UK, Spain, US, and Russia.
What’s it do?
The Wanna ransomware infiltrates Windows machines and encrypts files, changing the extensions (for example, .wnry, .wcry, .wncry and .wncrypt) and makes files inaccessible to end users and applications. It impacts all Windows operating systems, from Windows XP to Windows 10, including the Server editions. Wanna uses a worm executable to spread further through local networks and the Internet, infecting any other Windows computers it can reach via the network. The scale of the attack prompted Microsoft to take the highly unusual step of releasing patches for unsupported operating systems, including Windows XP.
The goal of any ransomware is to incapacitate as many files and applications as possible, thus most ransomware is designed to infiltrate IT systems at the end user and then penetrate application servers.
It’s widespread and ongoing—and it’s paralyzing
Wanna is so devastating because it paralyzes any computer it can access and then causes application failures for systems that have a dependency on Windows OSs—like phone systems, email servers, and Microsoft SQL based applications. As of this writing, Wanna has infected more than 230,000 computers and has been identified in 150 countries. Wanna is so widespread that it has been localized into 28 languages.
Hundreds of victims have paid various amounts of ransom to bitcoin wallets in exchange for a decryption key that might allow them to regain access to their files. Unfortunately, decrypting files does not mean the malware infection itself has been removed from the computer. Even if your files are decrypted, there is no foolproof way to remove the ransomware, other than wiping your hard drive and reinstalling Windows.
How does it work?
Warning! A ransomware disaster usually, but not always, starts with a user clicking something they shouldn’t be clicking; for example, a suspicious attachment in an email.
There is a debate about exactly how the Wanna malware first broke out, but what is undeniable is that once virus gains access to a system it spreads unwittingly across unprotected SMB ports. Frustratingly, there has also been a spike of email phishing attacks based on the panic caused by Wanna. In these cases, a user is directed to open an email attachment or visit a website where the ransomware is presented, masquerading as a legitimate attachment or download.
Upon execution, Wanna will kill several system processes that may be locking files and grants itself full permission to every user account on the system.
Wanna then scans all drives (local and network) for 170+ file types and encrypts all the files with a new extension. Next, Wanna hard-deletes all the original files (bypasses the Recycle Bin). Files that are stored in a share, or synchronized via Google Drive, OneDrive, Dropbox, etc., will also be encrypted. Sync tools will automatically propagate to the cloud storage and appear on any other devices linked to the sync service.
Wanna removes any Shadow Volume Copies, disables Windows startup recovery, clears Windows Server Backup history, and bypasses the Recycle Bin, thus preventing any recovery from the Windows systems itself. Wanna changes the end-user wallpaper and displays a pop-up dialog box with instructions to send $300 worth of bitcoin in exchange for a key that will theoretically decrypt the files. The ransom will increase at a regular cadence, and the end user has 7 days to pay the ransom.
How can Mozy help?
Although Mozy by Dell cannot prevent a ransomware outbreak, millions of customers rely on the Mozy backup service to help avoid ransomware disasters. When a ransomware infection occurs, restoration of an endpoint or server from a backup works best when you can easily select a moment in time from where to restore. Once you have identified the point of infection (user and file) and the time the malware was introduced to the machine, Mozy can restore all of the files for the given user from the point in time just before the malware was introduced.
It’s true that there are a few dollars to be made through ransomware exploiting desktop and laptop computers; however, the primary focus of hackers is to make their money at the application server level. More than 95% of all ransomware attacks occur at the edge (that is, desktop and laptop computers). That’s where Mozy can help victims become productive again.
In the case of the Wanna virus, once the ransomware infection has been removed, Mozy would be reinstalled and re-activated with the original account. From the Restore window, the user would use the calendar to select the last healthy version of the files, select all of the files, and then click Restore. Mozy will automatically restore all the files to their original location in their original state.
To learn how you can use Mozy as a second line of defense for your data and to prevent a ransomware disaster, visit Mozy by Dell.