1 Million Dollars
I found this much-retweeted Tweet:
So far, criminals behind WannaCry ransomware have received nearly 100 payments from victims, totalling 15 Bitcoins, equal to USD $26,090.
First, note that I despise all terrorists and cyber criminals equally and feel they should be 'rubbed out' without compassion, based on the suffering and harm that they cause. However, one has to rather chuckle at the WannaCry criminals, who are extorting relatively small amounts of money per compromised machine (230 GBP?).
I think the attack was supposed to spread much further, but it has been blocked thanks predominantly to researcher MalwareTech, oh, and to the criminals' own design, which included a 'kill switch' in their malware: the existence of the internet domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, which, once registered, stops any further WannaCry ransoming.
NB: I predict further strains of this malware will not be so relatively benign. (Already another domain has appeared.)
- Option #1: Recover your system from a backup you made earlier. This plan has 2 huge flaws:
01 When was the last time you made a backup (and tested a recovery)?
02 Any data entered since the time of the backup you have restored will be lost.
- Option #2:
Pay the modest ransom demand
Remove the infection
Protect your systems as described below
Make a backup
Test the restore
Schedule a regular backup
Protecting Your Systems
01 Read this Article
Microsoft posted the above article in 2016 but nobody really took any notice. Many older systems are known to still use SMBv1. The commands in that article turn on logging of SMB1 access, so you can check which machines are still using it before you remove it.
02 Remove SMB1 (Server Message Block version 1) networking
For a Microsoft Windows Server 2012 / 2016 system this PowerShell command removes SMB1
For a Windows 10 system the corresponding PowerShell command
03 Install Fixes
Additionally, make sure this fix is installed on your 32-bit or 64-bit Windows 10 / Windows Server 2016 system.
This stems from MS17-010.
Note: if you are on the latest Windows 10 build (use the winver command to check), for example I am on build 1703, not the older 1607, the bugfix won't apply, presumably since it is already included in build 1703.
04 Older Systems
And if you are on something older than Windows 10 / Windows Server 2012 / 2016, there are actually fixes for those too. Very generous of Microsoft.
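As an added example, not the post's own commands (which are not reproduced above), here is one PowerShell sequence that covers steps 01 to 04 on a single machine: it reads the build the way winver would, turns on the SMB1 access auditing that the Microsoft article describes, lists any clients that have been seen talking SMB1, and then disables and removes the protocol. The audit event ID 3000 in the Microsoft-Windows-SMBServer/Audit log and the SMB1Protocol / FS-SMB1 feature names are from my own knowledge of Windows 10 and Server 2012 R2 / 2016, not from the post; run it in an elevated session and reboot when it finishes.

```powershell
# Added example (not from the original post): audit, disable and remove SMB1
# on Windows 10 or Windows Server 2012 R2 / 2016. Run as Administrator.
# Assumes the SmbShare and DISM modules that ship with these OS versions, and
# the ServerManager module on servers.

# Which build is this? (equivalent of the winver dialog mentioned in step 03)
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"{0}, release {1} (build {2})" -f $ver.ProductName, $ver.ReleaseId, $ver.CurrentBuild

# Step 01: is SMB1 currently enabled on the server side?
$cfg = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($cfg.EnableSMB1Protocol)"

# Turn on SMB1 access auditing (Windows 10 / Server 2016). Each SMB1 client
# connection is then logged as event 3000 in the SMBServer/Audit channel, so
# leave this on for a while on a busy file server before you remove SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message -First 20

# Step 02a: stop the SMB server from speaking SMB1 at all (takes effect immediately).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Step 02b: remove the SMB1 binaries. ProductType 1 = workstation, 2 or 3 = server.
$productType = (Get-CimInstance Win32_OperatingSystem).ProductType
if ($productType -eq 1) {
    # Windows 10: SMB1 is a Windows optional feature
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    # Windows Server 2012 R2 / 2016: SMB1 is a removable server feature
    Remove-WindowsFeature -Name FS-SMB1
}

# Verify after the reboot: both should report disabled / not installed.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
```

Removing the feature only stops this host from serving or speaking SMB1; it does not replace the MS17-010 patch from step 03, which must still be installed (or already present in the build, as the note above says). The audit step matters because an old printer, NAS or scanner that still needs SMB1 will simply stop working once the feature is gone, and the event log tells you about it before your users do.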
05 On Linux
Whilst Linux is not yet vulnerable to this malware, it would be good citizenship to ensure that your Linux (Samba) server uses at least SMB version 2 of the protocol.
Add the following 2 lines into smb.conf, in the [global] section:
# Lets try to be secure eh
min protocol = SMB2
[ ok ] Restarting ssh (via systemctl): ssh.service
06 And Finally
Your IT department can track down SMB1 across the estate using the code from this article:
microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/