WannaCry/WannaCrypt RansomWare Detection and Prevention

On Friday, a major ransomware worm began to spread across consumers and businesses worldwide. The attacks are becoming more agile, varied and widespread, and increasingly take aim at businesses of all sizes in all sectors. Not only small and medium businesses (SMBs) are affected; personal computers are being hit too, and the number of infections is growing day by day.

Here are a few steps you can follow to stay clear of this ransomware, and what to do if your computer is already infected.



What you need to know about the WannaCrypt ransomware

The worm takes advantage of a flaw in the Microsoft Windows operating system, which most of our customers use. Microsoft released a patch for the flaw back in March, so customers with automatic updates enabled should already be protected. If automatic updates are disabled, please take a look at this article.

Additionally, if a customer is still running Windows XP, which Microsoft no longer supports, an emergency patch has been issued and should be installed as soon as possible.


How to know if my computer is infected


WannaCry, or WannaCrypt, works by encrypting files on the computer, locking users out, or stopping certain apps from running (such as your web browser).

A message appears onscreen with a ransom demand, a countdown timer and a bitcoin wallet address to pay into in order to regain access to your PC or files.



The file name extension .WNCRY is appended to your files. You may also see files such as:
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe


Precautions and safety measures

Here is a list of steps you should go through to ensure that you are not affected and your computer is safe.
  • Enable automatic updates on your system so that the latest security patches are installed.
  • Do not visit any unsafe, suspicious, or fake websites.
  • Do not open emails and email attachments from people you don't know, or that you weren't expecting.
  • Do not click on malicious or suspicious links in emails, Facebook, Twitter and other social media posts, or instant messenger chats such as Skype.
  • Fake emails and webpages often have bad spelling, or just look unusual. Look out for strange spellings of company names (like "PayePal" instead of "PayPal") or unusual spaces, symbols, or punctuation (like "iTunesCustomer Service" instead of "iTunes Customer Service"). If you're unsure, don't click it!
  • Download the English-language security updates for older systems: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64.
  • Run antivirus or anti-malware software: McAfee and Norton have already released critical updates to stop systems from getting infected.
  • Be careful with links in your emails; avoid clicking suspicious or unnecessary links.
  • Avoid downloading unknown email attachments.
  • Beware of visiting unsafe or unreliable sites.
  • Never click on a link you do not trust, whether on a web page, on Facebook, or in messaging or other applications.
  • Install the patch released by Microsoft for Windows.
  • Back up your files regularly.
  • Use antivirus software and always keep it updated.
  • Use Windows Update to keep Windows up to date.

What to do if my computer is already infected

Follow the steps below to disable the SMBv1 protocol, which the worm uses to spread between machines:

Windows Vista or later:
  • Run the following commands in an elevated command prompt (Run as administrator):
  • sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
  • sc.exe config mrxsmb10 start= disabled
  • The first command removes the SMBv1 client driver (mrxsmb10) from the Workstation service's dependencies; the second disables that driver. Do not also run "sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi" and "sc.exe config mrxsmb20 start= disabled": that pair disables SMBv2, not SMBv1, and re-adds the now-disabled SMBv1 driver as a dependency, which prevents the Workstation service from starting. Restart the computer for the change to take effect.

Windows 8.1 or later:

  • Open Control Panel, click Programs, and then click Turn Windows features on or off.
  • In the Windows Features window, clear the SMB 1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  • Restart the system.
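As an added example that is not part of the original post, the following PowerShell script audits a host for the indicators listed above (.WNCRY files and the @WanaDecryptor@ files) and reports whether the SMBv1 server and the SMBv1 client driver (mrxsmb10) that the sc.exe steps target are still enabled, with an optional switch that disables SMBv1 the same way the Windows Features step does. It assumes an elevated Windows PowerShell 5 or later on Windows 8.1 / Server 2012 R2 or newer (Get-SmbServerConfiguration needs the SmbShare module); the $ScanRoots and $Remediate parameters are my own.

```powershell
# Added example (not from the original post). Audits a Windows host for the two things
# the post describes: WannaCry file indicators and SMBv1 still being enabled.
# Assumes elevated Windows PowerShell 5+ on Windows 8.1 / Server 2012 R2 or newer.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE),   # my own parameter: folders to scan
    [switch]$Remediate                             # my own parameter: also disable SMBv1
)

# 1. File indicators named in the post: the .WNCRY extension and the @WanaDecryptor@ files.
$indicatorNames = @('@WanaDecryptor@.exe', '@WanaDecryptor@.bmp')
$hits = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.WNCRY' -or $indicatorNames -contains $_.Name }
}
if ($hits) {
    Write-Warning ('{0} WannaCry file indicator(s) found; isolate this host from the network.' -f @($hits).Count)
    $hits | Select-Object -First 20 FullName, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host ('No .WNCRY or @WanaDecryptor@ files found under: ' + ($ScanRoots -join ', '))
}

# 2. SMBv1 state. The server side is what the worm attacks over the network; the client
#    driver (mrxsmb10) and the LanmanWorkstation dependency list are what the post's
#    sc.exe commands change. A registry Start value of 4 means the driver is disabled.
$svc         = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$clientStart = (Get-ItemProperty "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue).Start
$depends     = (Get-ItemProperty "$svc\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$serverSmb1  = (Get-SmbServerConfiguration).EnableSMB1Protocol
[pscustomobject]@{
    SMB1ServerEnabled        = $serverSmb1
    SMB1ClientDriverDisabled = ($null -eq $clientStart -or $clientStart -eq 4)  # absent or Start=4
    WorkstationDependsOnSMB1 = ($depends -contains 'mrxsmb10')
} | Format-List

# 3. Optional remediation: the same result as the post's "Turn Windows features on or off"
#    step, done from the shell. The feature removal only takes effect after a restart.
if ($Remediate) {
    if ($serverSmb1) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMBv1 disabled; restart the system to complete the removal.'
}
```

Run it without -Remediate first to get a read-only report; a host reporting SMB1ServerEnabled = True or WorkstationDependsOnSMB1 = True has not yet had the steps above applied.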


Note: If the computer is already infected, there is not much that can be done to decrypt the files. However, you can boot the computer into Safe Mode and run a scan with an updated antivirus; alternatively, boot into Safe Mode with Networking, update the antivirus there, and then run the scan.

If that fixes it, great; if not, the only remaining option is to reinstall the operating system.
