15 - 05
A harder-to-stop version of the WannaCry ransomware may already be circulating on the net, so if you are running a Windows OS and have not yet applied Microsoft’s patch, or at least disabled Server Message Block version 1 (SMBv1), do so now.
WannaCry uses the Server Message Block protocol to seize control of machines, and disabling SMBv1 blocks this access route. Microsoft has issued instructions on how to disable SMBv1, SMBv2 and SMBv3, but cautions against permanently disabling v2 and v3.
The most robust defense against WannaCry is Microsoft’s MS17-010 Security Update, available for all Windows Server versions (2003, 2008, 2012 and 2016, plus the R2 releases) and for Windows XP, Vista, 7, 8, 8.1, RT 8.1 and 10, on both x86 and x64.
Pertinent too is basic computer safety: don’t open email attachments from unknown sources, and install a decent antivirus, especially one with a browser scanner tool to protect you from phishing attempts and malicious email attachments.
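As an added example (not Microsoft’s own instructions, which should be followed for your exact release), the following PowerShell audits and disables SMBv1 while leaving SMBv2 and SMBv3 alone. It assumes Windows 8 / Server 2012 or later, where the SmbShare and DISM cmdlets exist; the `Test-Ms17010Patch` helper is hypothetical and takes the KB number from the MS17-010 bulletin for your OS as a parameter.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable SMBv1 on Windows 8 / Server 2012 and later.
# Assumes Get-/Set-SmbServerConfiguration and Get-/Disable-WindowsOptionalFeature
# are available. SMBv2 and SMBv3 are deliberately left untouched.

function Get-Smb1Status {
    # Report the SMBv1 server switch and the state of the SMB1Protocol
    # optional feature (client and server components).
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerProtocolEnabled = $server
        FeatureState          = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server protocol (effective immediately) and remove
    # the SMB1Protocol feature (completes after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Registry setting Microsoft documents for the LanmanServer service:
    # a REG_DWORD named SMB1 set to 0 under the Parameters key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
}

function Test-Ms17010Patch {
    # Hypothetical helper: pass the KB id listed in MS17-010 for this OS,
    # e.g. Test-Ms17010Patch -KbId 'KB<from the MS17-010 bulletin>'.
    param([Parameter(Mandatory)][string]$KbId)
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

'SMBv1 before:'; Get-Smb1Status
Disable-Smb1
'SMBv1 after:';  Get-Smb1Status
```

Run it in an elevated PowerShell session and reboot afterwards so the feature removal completes; re-run `Get-Smb1Status` to confirm both fields report SMBv1 off.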
No kill-switch domain
The original attack, which started on Friday, was devastating on its own, as was painfully clear when it crippled the UK’s National Health Service, shutting down telephone services and disrupting surgical procedures, because the computers relied on to manage surgical machinery had either been rendered inaccessible or been shut down to prevent their being compromised.
In all, more than 200,000 computers across 150 countries were affected.
The original attack was, however, stopped by the simple act of registering a domain name that had been embedded in the ransomware’s code as a kill-switch: if an infected machine pinged the site and found it registered, WannaCry would shut itself down.
But after the kill-switch was exposed by the IT tech who registered the domain, a WannaCry variant with a different kill-switch domain appeared, and another domain name had to be registered to shut it down.
Now, even more worryingly, a version without any kill-switch domain has been detected; it can infect machines but is slightly corrupted, which suggests that copycats are busy modifying the original ransomware.