On May 12, 2017, a new variant of the Ransom.CryptXXX ransomware family (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organisations, particularly in Europe. It has now been detected in over 100 countries, including Malaysia.
WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note states that the payment amount will be doubled after three days and that, if payment is not made within seven days, the encrypted files will be deleted. WannaCry is able to spread itself within corporate networks, without any user interaction, by exploiting a known vulnerability in Microsoft Windows.
Symantec Malaysia Systems Engineering director David Rajoo has the following advice for users:
Always keep your security software up to date to protect yourself against such threats.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
Email is one of the main infection methods. Be wary of unexpected emails, especially if they contain links and/or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organisations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.
What to do if you receive the WannaCry ransomware message?
Once the encryption process starts, there is little the user can do, as it happens very quickly. It is unlikely that the user will notice that the ransomware is encrypting files until it is too late.
If the user realises within seconds of running the malware, they can attempt to power off the machine, then boot it from an external boot disk and run a cleaner tool such as Norton Power Eraser. This may prevent the ransomware from encrypting all of the files.
Any computer that has been infected should not be trusted. Tools such as Norton Power Eraser or Norton Internet Security may be able to remove the infection, but the files will still be encrypted. It is always best to restore the computer from a backup, or to reset it to factory settings using a recovery disk, and then immediately update it and apply all patches.
These are important steps, as we have seen ransomware that not only holds the user's files to ransom but also installs banking Trojans to empty the user's bank account, typically capturing the banking details when the user logs in to their bank to pay the ransom. If the back-ups were not encrypted by the ransomware, it is unlikely that the files in them were infected.
Symantec recommends that affected users do not pay the ransom. Paying criminals is never recommended, as it funds them and rewards them for their crimes. There is also no guarantee that your files will be released back to you.
Ransomware stats from the Symantec Internet Security Threat Report, Volume 22
The average ransom per victim grew to US$1,077 in 2016, up from US$294 in 2015 (266% increase).
Ransomware attacks grew to 463,841 in 2016, up from 340,665 attacks in 2015 (36% increase).
More than 70% of malware attacks on the healthcare industry were ransomware in 2016, including hospitals, pharmacies and insurance agencies.
One in 131 emails contained a malicious link or attachment in 2016 – the highest rate in five years.
There was a two-fold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average device was attacked once every two minutes.
Ransomware in Malaysia in 2016
Regional rank: 6 (up from 12 in 2015)
Global rank: 17 (up from 47 in 2015)
Percentage of global detections: 0.9% of ransomware infections on unique machines (up from 0.03% in 2015)