Hijack hacks: What you need to know about 'ransomware'

By Jonathan Bloom, KGO
Tuesday, May 16, 2017

SUNNYVALE, Calif. (KGO) -- Security researchers say they encounter "ransomware" every day: malicious software that hijacks your computer and scrambles your files, demanding money to get them back. But the ransomware making headlines, called WannaCry, is a bit unusual. Here's what you need to know.

What is WannaCry?

The security world calls it a "ransomware worm." That means it spreads over networks from one computer to another, encrypting files and demanding money as it goes.

Who's vulnerable?

Companies -- especially ones using older computer equipment that runs Windows XP. Although Microsoft officially dropped support for Windows XP in 2014, it issued a security update two months ago that would have prevented WannaCry from spreading -- if companies had bothered to install it. Because WannaCry uses an outdated Windows file sharing mechanism to spread across offices and organizations, most home computers are safe.

What's this about the NSA?

Researchers studying WannaCry say it appears to have been built using code that was released by a hacker group called the Shadow Brokers back in March. At the time, the Shadow Brokers claimed the code, which contained exploits for security flaws in Microsoft Windows and other widely used software, was stolen from the National Security Agency. Although the origin of the code hasn't been officially confirmed, the release garnered enough attention to prompt Microsoft to issue a security patch for Windows XP, even though it had previously said it was no longer going to update the aging software.

What if my computer is infected?

If your computer is infected by WannaCry, experts agree the best solution is to wipe it clean and restore it from a recent backup. If you don't have a recent backup, your options are limited. You can attempt to pay the roughly $300 ransom using Bitcoin, but there's no guarantee you'll get your files back. Although security firms told us some of their clients have successfully paid the attackers to decrypt their computers, they say the response time is getting slower and slower, as the attackers themselves are likely getting overwhelmed with the staggering number of requests. If you don't want to line the pockets of criminals, experts suggest that you hold on to the scrambled files in case researchers manage to crack the encryption at some point in the future.

How did researchers stop WannaCry?

Sunnyvale-based security firm Proofpoint says one of its employees in France first noticed WannaCry's digital "signature" matched up with the purported NSA code leaked by the Shadow Brokers. That gave the security community a good idea of how the malware was spreading. Then, a 22-year-old security researcher in the U.K. who's known by the pseudonym MalwareTech discovered that WannaCry was reaching out to a specific web address every time it infected a new computer. The web address was a long string of meaningless letters -- a domain name that wasn't registered to anyone. So MalwareTech bought the domain name himself, hoping to use it to track WannaCry as it spread. When his website started getting hits from the malicious software, MalwareTech told ABC News he worried he'd triggered the program to do something awful. But Darien Huss, a Proofpoint researcher in Indiana, confirmed that what MalwareTech had actually triggered was a "kill switch" that instructed WannaCry to stop spreading.

So, is the threat over?

Not entirely. Computers that are already infected will remain encrypted by the ransomware. And it's possible the attackers behind WannaCry are already working on a new version without a kill switch. With the purported NSA code now out in the open, Proofpoint says it's also started to see copycats appear.

Why would somebody do this?

According to Proofpoint, the main motive for ransomware is profit. And the attackers behind WannaCry have already been paid tens of thousands of dollars by users hoping to get their encrypted files back. It's also possible, according to Proofpoint, that the attackers didn't mean to release the malware this soon, or this broadly, and were just as surprised at its rapid spread as everyone else. There are also other theories. The CEO of security firm Vectra Networks suggests this attack could've been a test, or even a distraction, prior to a larger cyber-attack whose motive is destruction, rather than profit. His advice to companies: install the latest operating system updates, secure your internal network, and -- most importantly -- back up everything.