Since last month’s appearance of WannaCry, the network worm that wriggled its way around the world using the EternalBlue exploit and infected hundreds of thousands of computers with ransomware, we’ve been getting a lot of questions.

As a cybersecurity company, we at Panda Security have made ourselves available as a source of information for other security companies internationally, answering the main worries that WannaCry brought up. We’ve compiled some of the most important points here to share with you.

Did it come by email?

The majority of media outlets reported that the initial attack was sent via spam messages through email.

Here you can see one example from The Financial Times, where they even give details such as how it arrived in a zip file. Well, it’s not true. Since day one, every single attack we have seen has come through the EternalBlue exploit.

Is it as massive as the media reports?

It was indeed a massive attack on a global scale, there is no doubt about it. But at the same time, if we remember past threats, such as SQLSlammer or Blaster, WannaCry does not reach the same magnitude. Nowadays most home users have Windows Updates activated by default, which means they were already protected. However the damage caused by the payload in this attack is far greater than any of the other massive threats we have seen to date, as the ransomware will encrypt all valuable information in the computer and in network shares. In that sense, it is one of the most serious attacks in history.

The latest figures claim there are around 300,000 victims. In fact, the number is much higher. There are a number of computers within corporate networks that have been infected but which have no connection to the outside, so we are probably talking about millions of computers infected.

Why didn’t it stop when the kill-switch domain was registered?

One of the characteristics of WannaCry is that it tries to connect to a specific URL. If it exists, it doesn’t do anything, it won’t spread anymore and won’t execute the ransomware payload. Over the weekend of the attack a security researcher registered that domain. However, that didn’t stop the worm from spreading. There are several explanations for this: companies whose computers connect to the Internet via proxy, meaning WannaCry could not connect to the URL and continues to wreak havoc on local networks; or companies that have disconnected completely from the Internet in order to rein in the situation. And not only that — there are variants which have a different domain, so the kill-switch is only able act upon a portion of the infections.

How many variants of WannaCry are there?

It all depends on how you define a variant. Since the beginning we have seen several different variations, however all of them share the same functionality. The last time I checked we were at over 700, the changes go from small changes to the file to try to avoid signature detections, to changing the kill-switch domain, as mentioned above.

Can regular antiviruses clean the infection?

The short answer is yes. The long one is… it depends. Unless your security solution is able to protect your computer from the EternalBlue exploit, it will be getting hit with the malware again and again, and as soon as it misses a new variant or a new malware using the same attack vector, the computer will be compromised.

Recommendations

Even though not all corporations were infected, we can say that the attack has affected not only infected companies, but also companies that hadn’t applied the update to the computers in their network. These companies basically stopped everything until the patch was deployed. From this perspective, the solution would have to come by way of a fundamentally different approach to cybersecurity, such as that offered by Adaptive Defense from Panda Security. And of course, the following practices should always be kept in mind:

  • Use adequate protection tools such as next-generation anti-virus / anti-malware solutions against advanced attacks and firewalls.
  • Keep your computer updated! Remember that if the affected computers had been updated they could not have been attacked. This is crucial to increasing system security, improving performance, and eliminating execution errors. Also keep in mind that companies that need to use computers with obsolete operating systems (for example Windows XP) should have them adequately fortified and keep them as isolated as possible.
  • Do not open files, attachments, or links from untrusted emails, or reply to this type of email.
  • Caution when following links in emails, instant messaging, and social networks, even if they are from known contacts.
  • Perform periodic backups, especially of the most sensitive or important data.

For more information, you can watch a recording of the webinar given by Luis Corrons, technical director of PandaLabs, here: