Ransomware and WannaCrypt special

Everyone is talking about ransomware now that WannaCrypt has spread like crazy across the world.  These nasty viruses target your documents and precious files, including Microsoft Office files and Windows backups.

This is a little embarrassing for us because Office-Watch.com has just released a new book that’s suddenly become very topical.  Everyday BACKUPS – protecting your documents, photos and personal info has a section on ransomware, written before the latest news broke.

Ransomware has been around for a few years; it’s nothing new. The latest attack has just been very good at infecting vulnerable computers.

The attack will scan all your drives and network shares looking for documents, pictures, videos and other data files.  It encrypts all those target files so you can’t read them, let alone edit them. You then see a message telling you to pay a ransom for the password to unlock the files.

Cloud storage files can also be attacked if synced to your local computer (which is what Microsoft encourages customers to do with OneDrive). The virus encrypts the local copy of files which are then automatically synced with the cloud.

If you pay, you might (if you’re lucky) get a working password to unlock your files. In many cases you don’t.

The exact files targeted vary, but Office documents (old and new formats), PDF, RTF, ZIP and RAR files are definitely included. Ransomware uses the file extensions (.doc, .docx etc.) to identify the files to lock up.

Before we get into more detail, here’s the important thing you need to know about updating any machines with Windows.

Windows Patches

Back in March, Microsoft released updates for Windows to block the vulnerability used by the latest ransomware, including WannaCrypt. Redmond could have done this a lot sooner if agencies in the US government had acted ethically (see below).

For recent versions of Windows (Windows 10, 8.1, 8, 7 and Vista plus Server 2016, 2012 and 2008) just run Windows Update to get the update. Most likely the patch has been installed already, sometime over the last two months.

Just this once, Microsoft has gone further and released patches for earlier Windows versions that normally don’t get updates. Go to the Update Catalog to find patches for Windows XP and Windows Server 2003, plus the recent Windows versions listed above (if you have some special need to individually patch a machine that isn’t auto-updated).

Microsoft describes this vulnerability as an attack on the Microsoft Server Message Block 1.0 (SMBv1) server.  References: MS17-010 or CVE-2017-0143.
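As an added example (not from Office-Watch.com or Microsoft), here is a PowerShell check you can run on a Windows machine to see whether the SMBv1 server that MS17-010 / CVE-2017-0143 concerns is still switched on, and to turn it off. The KB numbers are a placeholder you fill in from the MS17-010 bulletin for your Windows version; the cmdlets used are the standard SmbShare and DISM ones.

```powershell
# Added example (not from Office-Watch.com): report whether this Windows machine
# still runs the SMBv1 server that MS17-010 / CVE-2017-0143 concerns and, with
# -Disable, switch SMBv1 off. Run from an elevated PowerShell prompt.
param([switch]$Disable)

# PLACEHOLDER: the KB numbers for your Windows version, taken from the MS17-010
# bulletin. The article does not list them and this script does not invent them.
$Ms17010KBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

# 1. SMBv1 server state. Windows 8 / Server 2012 and later expose it via the
#    SmbShare module; on Windows 7 / 2008 R2 fall back to the LanmanServer
#    registry value (a missing value means SMBv1 is enabled).
$cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($cfg) {
    $smb1Enabled = [bool]$cfg.EnableSMB1Protocol
} else {
    $reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $reg -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}
"SMBv1 server enabled : $smb1Enabled"

# 2. Is the optional SMB1Protocol feature installed? (Windows 8.1 / 10 only)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature : $($feature.State)" }

# 3. Is one of the MS17-010 updates installed?
$found = Get-HotFix | Where-Object { $Ms17010KBs -contains $_.HotFixID }
if ($found) { "MS17-010 update      : $($found.HotFixID -join ', ')" }
else        { "MS17-010 update      : not found - run Windows Update or use the Update Catalog" }

# 4. Optionally turn SMBv1 off. Removing the feature needs a reboot to complete.
if ($Disable -and $smb1Enabled) {
    if ($cfg) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    else      { Set-ItemProperty -Path $reg -Name SMB1 -Type DWord -Value 0 -Force }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    "SMBv1 server disabled; reboot to finish."
}
```

Turning SMBv1 off is a separate mitigation from installing the patch, so do both: the patch fixes the bug, disabling SMBv1 removes the exposed service.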

WannaCrypt variations

WannaCrypt isn’t a single virus. It’s a broad name for a wide range of variations on the same virus. The emails used to spread the virus, the exact files targeted and how to disable it all change, with new variations appearing regularly.

For example, you’ve probably seen the story of the clever guy who bought a specific domain name and so disabled the first WannaCrypt attack.  That worked because the virus had a built-in ‘kill switch’.  The virus checked for the presence of a certain web site; if it existed, the virus shut down.

That doesn’t mean the WannaCrypt problem is over (we wish). It just means that one specific variation of the ransomware would not attack.  Already encrypted computers still had a big problem, and there are many other WannaCrypt variations out there which use different domains or have no kill switch at all.

What you must do

All the usual suggestions for protecting yourself against virus attacks apply.

  • Make sure your anti-virus software is up to date. For most people that means Windows Defender in Windows.
    • Makers of other anti-virus software will take the opportunity to sell their wares, but there’s no need to spend more money. Windows Defender (supplied with Windows) is a perfectly good anti-virus program.
  • Microsoft has released patches to protect against WannaCrypt, see above.
  • Beware of email attachments and web links from unknown sources.
    • This is the standard advice but Office-Watch.com doesn’t think it goes far enough.
  • Beware unexpected files, attachments or web links from people you know.
    • Viruses can spoof real people/email addresses in their messages. The fact that you know someone isn’t a complete guarantee.
    • Does the email look like it comes from the person? Does the writing style match? Does it have their usual signature line?
  • Have good backups
    • Another piece of standard and good advice but it doesn’t go far enough, see below.

Backups

Some recent articles have suggested that having backups is a protection against ransomware. That’s not the whole story.

Some ransomware targets .bkp files, a backup format.  We’ve already mentioned that ZIP and RAR compressed files are included, and .ZIP is what Windows Backup uses these days.

Windows File History keeps the original file extensions. Any of those files are vulnerable.

Everyday Backups

Office-Watch.com has published a new book that’s unwittingly very topical.

Everyday Backups is our new and comprehensive guide to making backups easy and automatic.

There’s a special section on the problem of ransomware and the dilemma it poses for backup planning. It was written before the name WannaCrypt hit the headlines but has suddenly become very useful.

10 minute backup

The first chapter is ’10 minute backup’ with steps to help you create two different types of backup in Windows which will run right away and automatically in the future.

Backups must be offline

To be safe from ransomware, your backups need to be offline. That means not connected to your computer or network.

The big problem with backups and ransomware is access. The File History feature is a good example.

File History saves your files to a folder on another drive or a network share. Ransomware will find and attack any available drive or network share.

The very thing that makes File History so useful (regular, background file copying) makes it vulnerable to ransomware attacks.

<rant>Many people have asked Microsoft to extend the File History feature to support multiple backup drives. That would let users switch between different backup drives, leaving one offline and safe from attack.  There’s no technical reason it can’t be done. All it lacks is Microsoft’s willingness to do it.</rant>

The same goes for regular backups. They are vulnerable whenever the backup drive is connected to your computer.

Having offline and off-site backups has always been a good idea.  Ransomware is just one more reason to do it.
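As an added example (not from the Everyday Backups book), here is one way to make a scheduled backup in Windows that leaves its target disk offline between runs: copy the folder with robocopy, then take the whole disk offline so it has no drive letter for ransomware to enumerate. The source folder and the disk number are assumptions; find your disk number with Get-Disk.

```powershell
# Added example (not from the Everyday Backups book): copy a documents folder to a
# dedicated backup disk with robocopy, then take that disk offline so it no longer
# has a drive letter that ransomware can enumerate. Run elevated.
# $Source and $BackupDisk are assumptions; find your disk number with Get-Disk.
param(
    [string]$Source     = "$env:USERPROFILE\Documents",
    [int]   $BackupDisk = 1
)

$disk = Get-Disk -Number $BackupDisk -ErrorAction Stop

# The disk is normally left offline; bring it online only for this backup run.
if ($disk.IsOffline) {
    Set-Disk -Number $BackupDisk -IsOffline $false
    Start-Sleep -Seconds 5            # let Windows mount the volume
}

# Find the first partition on that disk that has a drive letter.
$part = Get-Partition -DiskNumber $BackupDisk |
        Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
        Select-Object -First 1
if (-not $part) {
    Set-Disk -Number $BackupDisk -IsOffline $true
    throw "no lettered volume found on disk $BackupDisk"
}

# Each run goes to a fresh dated folder. A plain mirror would faithfully copy
# already-encrypted files over the last good copy; dated folders keep the old ones.
$root = "$($part.DriveLetter):\Backup"
$dest = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# /E subfolders incl. empty, /Z restartable, /R:1 /W:1 short retries, /NP no progress lines
robocopy $Source $dest /E /Z /R:1 /W:1 /NP /LOG+:"$root\robocopy.log" | Out-Null
$rc = $LASTEXITCODE                   # robocopy: 0-7 = success variants, 8+ = failure

# Whatever happened, put the disk back offline before returning.
Set-Disk -Number $BackupDisk -IsOffline $true

if ($rc -ge 8) { throw "robocopy failed with exit code $rc" }
"Backup written to $dest; disk $BackupDisk is offline again."
```

An offline disk is still reachable by anything running with administrator rights on the same machine, so this only narrows the window compared with an always-connected File History target; physically unplugging the drive, or rotating two drives with one kept off-site, is what truly takes a backup offline.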

US government is to blame

It sounds like a crazy conspiracy theory but it’s sadly true and reliably confirmed.

We have the US CIA and National Security Agency (NSA) to blame for the WannaCrypt attacks. The CIA found the Windows security bug and developed a way to exploit it. The NSA had the same information.  Neither agency informed Microsoft (as any other ethical security researcher would have done).

Details of the Windows bug and how to exploit it leaked out of the NSA and were made public (via Wikileaks in this case). That gave ransomware makers a ready-made way to attack computers around the world.

This was suspected, and the confirmation came from Microsoft itself. Not just anyone at Microsoft but their President and Chief Legal Officer. He posted an article with the bland heading The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack. Way down in that long blog post is this crucial paragraph:

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”

That’s an extraordinary statement. In journalistic terms the whole blog post is a classic case of ‘burying the lede’.
