Customer Login

If you have an emergency, a question,
or just need advice, give us a call: (604) 980-2700

Netcetera


WannaCry Removal and How to Protect Your Data

WannaCry is an aptly named virus that infects unpatched computer systems worldwide. It is widespread, and WannaCry removal continues to be one of the most common requests for help against this damaging ransomware threat.


What is WannaCry?

WannaCry is an example of crypto ransomware, a type of malicious software used by cybercriminals to take your most valuable data hostage. Once the ransomware infects your system, the perpetrators demand that you pay a Bitcoin ransom before allowing you access to your data. But beware: 42% of those who pay the ransom do not have their files released.

The WannaCry ransomware was designed to take advantage of vulnerabilities in Microsoft Windows systems that were not patched with the latest update. A patch is code that is inserted (or patched) into the code of an existing software program, and it is up to the user to ensure the patch is installed.

Every few weeks, Microsoft issues updates meant to fix malfunctioning bits of code, add features or, perhaps most importantly, protect computers against security vulnerabilities exploited by ransomware like WannaCry.

How does WannaCry infect?

WannaCry infects your system by either encrypting valuable files so you are unable to read them, or by locking you out of your computer completely.

WannaCry most often gains access through a phishing email with an attachment that you are asked to download. Sometimes the phishing email will ask you to click on a link. Once you have downloaded the attachment or clicked the link, WannaCry (or any other form of ransomware) will infect and corrupt your computer.

WannaCry can also infiltrate when a user unknowingly visits an infected website where malware is downloaded and installed without the user’s knowledge. This is called drive-by downloading.

How does WannaCry spread?

WannaCry spreads throughout your computer’s system encrypting your files and scrambling their names. It is particularly happy when it discovers links to shared networks. The WannaCry worm goes after a particular vulnerability in Windows’ Server Message Block (SMB) protocol used by devices to communicate on a shared network. It is searching for any PC with its Samba TCP port 445 accessible.

If you aren’t on a shared network, WannaCry will be content to encrypt your personal files and send you a ransom note.

How to protect against WannaCry?

You can protect your data against WannaCry with a few important steps.

First, always be sure to install any security updates (patches) to Microsoft Windows as soon as they are available. If you are running older versions of Windows, check for past updates you may have missed and install them immediately. The patches remain available for Windows XP and Vista.

Install up-to-date antivirus protection such as Sophos Home Premium. A good antivirus program is key to ensuring your home computer systems are safe against rapidly evolving ransomware threats.

Always back up your files, and do so once a week – or more often if you have lots of new daily work on your desktop. An external drive or cloud storage is easily accessed and affordable. A small home business would benefit from Datto’s security, backup and file restoration services, as would anyone working remotely from home.

How to remove WannaCry?

You can remove WannaCry from an infected computer using the following steps:

1. Disconnect all devices on your network – your Wifi, smartphone, tablet, and all other household computers. Pull the plug out of your Wifi router, pull the ethernet cables out of your computer. Isolate it from the web as soon as possible.

2. Also disconnect external drives, cloud storage, flash drives, and network drives. You want to isolate the infection and stop it from spreading.

3. Ensure that the ransomware you are removing is, in fact, WannaCry. Identifying the ransomware will help you understand what type of ransomware you have, how it spreads, what types of files it encrypts, and help you understand what your options are for removal and disinfection. It also will enable you to report the attack to the authorities, which is strongly recommended. Some of the most common indicators are as follows:

     • Ransomware note
     • Encrypted files
     • Renamed files
     • Locked browser
     • Locked screen

4. The Sophos Virus Removal Tool is a free download, and will identify and remove malware from a single Windows endpoint computer. The tool comes with the latest identities included. In order to stay current with the latest detections, the tool should be downloaded again when a new scan is required.

5. If you have a complete backup of your system and files, wipe your computer hard drive completely then restore it from your last saved, clean (pre-virus) backup.

Further analysis of WannaCry:

Analysis of this crypto ransomware, also known as WannaCry, WCry, WanaCrypt, and WanaCrypt0r, shows that it encrypts victims’ files and changes the extensions to .wnry, .wcry, .wncry and .wncrypt. Perpetrators of the ransomware demand an escalating ransom payment for the encryption key required to recover your data.
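To support the identification step in the removal procedure, the following added example (not part of the original article or any vendor tool) walks a folder, counts files carrying the extensions listed above, and reports the earliest modification time among them. It assumes that a renamed file's modification time approximates when it was encrypted, which helps in choosing a backup made before that point; the function names and sample files are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions this article lists for WannaCry-encrypted files.
WANNACRY_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncrypt")


def scan_for_encrypted_files(root):
    """Summarise files under root whose extension matches the list above."""
    per_dir, per_ext, earliest = Counter(), Counter(), None
    # os.walk does not follow symlinks and skips unreadable folders by default.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # match .WNCRY and .wncry
            if ext not in WANNACRY_EXTENSIONS:
                continue
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            per_dir[dirpath] += 1
            per_ext[ext] += 1
            if earliest is None or mtime < earliest:
                earliest = mtime
    return {
        "total": sum(per_ext.values()),
        "by_extension": dict(per_ext),
        "by_directory": dict(per_dir),
        "earliest_mtime": earliest,  # epoch seconds, or None if nothing matched
    }


def build_sample_tree(root):
    """Constructed sample data: harmless empty files, two with listed extensions."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.WNCRY", "photo.jpg.wcry", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    # Pin one constructed timestamp so the earliest-change time is predictable.
    os.utime(os.path.join(docs, "photo.jpg.wcry"), (1494547200, 1494547200))
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_for_encrypted_files(tmp)
        print("Matching files:", result["total"], result["by_extension"])
        print("Earliest modification (epoch seconds):", result["earliest_mtime"])
```

Run it against the affected folder only after the machine has been isolated as described in steps 1 and 2; it reads file names and timestamps and changes nothing.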

Although WannaCry may be the largest single global ransomware attack, the story is a familiar one. So are the responses from many Windows users who are not adequately protected:

  • How did this happen?
  • Why me?
  • What could I have done to prevent this?
  • Whose fault is this?
  • What is this going to cost me?
  • Why did my backup not work?

The bottom line is that many small business owners are still treating IT security as if they were in the late 1990s. They purchase the lowest cost antivirus solution they can find, put a firewall in the back room and never touch it again. They install PCs and servers and either never patch them or patch them only occasionally and randomly. They put in a backup solution and never test that it is actually working. They do not pay attention to security measures for their shared users and they do not enforce policies like strong passwords, changed regularly. The list goes on…

Steps you can take to protect your critical files right now

  • If you have not done so already, install all critical and security related updates on your existing Windows systems.  Start with Microsoft Security Bulletin MS17-010 to secure your devices against the WannaCry malware.
  • For older unsupported Windows versions such as Windows XP and Server 2003, Microsoft has updates, which can be found at the Security Update Guide.
  • If you are running Macs, update those as well.
  • Ensure all your devices have antivirus installed and that it is up to date.  Then check with your provider to confirm that it will protect you against known WannaCry variants. If you don’t know who to call, call us at Netcetera, we will assist you.
  • Make sure you have a current commercial grade firewall running security licenses that include IPS (Intrusion Prevention) at a minimum. Ensure it is properly configured and running up to date firmware. We use SonicWALL and Sophos firewalls. Both will protect against the known WannaCry variants when running IPS and up to date firmware. However, the likelihood of new attacks, based on the leaked exploits, is high, so things can change rapidly no matter what you are running. The addition of a sandboxing service like SandStorm is easy to do and highly recommended.
  • If you are not sure about your AV, consider adding a product called InterceptX from Sophos. It is the most advanced anti-ransomware protection we have seen and it has been 100% effective so far. Even if you are not running a Sophos AV solution you can still add InterceptX. It will run in harmony with your current AV solution.
  • A good backup is your last line of defense; make sure you have one. Consider adding a Datto (or similar) Backup & Disaster Recovery solution to protect your data if, despite your best efforts, you are compromised.
  • Review the security blogs on the Netcetera website; several are relevant.
  • Use strong passwords with regular changes (every 3 months recommended). Never use the same password for another website.
  • If you do not have mail filtering, consider adding it as another layer of defense.
  • Consider signing up for the Sophos Home Premium beta, which adds proactive protection against exploits and ransomware and it’s free for the first year.

If you are a current Netcetera Managed client we have already taken care of this for you.  If you are not a managed Netcetera client and need assistance or just some advice, give us a call.  There is no cost to have a conversation and it just may save you from some unnecessary grief and potential losses. 
