WannaCry spread on May 12th 2017 and was eventually stopped thanks to Microsoft releasing patches for Windows and a security researcher’s discovery of a ‘kill switch’. The ransomware checked for a URL and, if it was found, deactivated itself, so the domain was registered and infections slowed.
Some interesting facts have come to light since the outbreak, and one is that an up-to-date Windows 10 system was immune from infection. Apparently it didn’t work properly on Windows XP, so nearly all the infected computers were running Windows 7.
Although Microsoft had released a patch to fix the security flaw, many companies and organisations had not applied it, allowing the ransomware to spread.
The security flaw was discovered some time ago by the US National Security Agency and used in a tool called EternalBlue for their own purposes. WannaCry used this tool or at least the same security flaw to get onto computer systems.
Test for EternalBlue exploit
WannaCry is pretty much over, but now we are faced with several variants of the original ransomware and they could be much worse. Is your computer at risk from WannaCry variants exploiting EternalBlue?
Security company ESET has created a tool to test for EternalBlue. Click the link, download the file and run it. Here’s what it looks like if your PC is protected:
If your PC is not protected, what can you do? Use Windows Update to get the latest security fixes. This is an old security flaw that has been fixed.
Clean up your computer
Before decrypting your files locked by ransomware, you need to remove the malware. Here I looked at 9 free cleanup tools to remove adware, spyware and viruses. They can be used no matter which security software you are currently using. Keep them on the disk for emergencies.
Several security companies have produced utilities that can decrypt certain common types of ransomware. Before you think of paying the ransom, which only encourages the creators, try these ransomware decryptors.
Many types of ransomware don’t encrypt every file on the computer’s disk. Instead they target specific file types, such as .doc files, encrypting them and changing the extension. With the right tools you can decrypt them and change the extension back to the original.
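Before choosing a decryptor it helps to know which files were hit and what extension was added to them. The following Python example is added here and is not part of the original article or any vendor's tool: it flags files that carry a known document extension (optionally followed by an appended one) but whose leading bytes no longer match that document type, and counts them per appended extension. The extension list, the `.locked` name and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Leading "magic" bytes of a few commonly targeted document types.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",  # OLE2
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",            # ZIP container
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}

def classify(path):
    """Return (appended_ext or None, header_ok); None if not a tracked type."""
    stem, last = os.path.splitext(os.path.basename(path).lower())
    inner = os.path.splitext(stem)[1]
    doc_ext = last if last in MAGIC else inner  # report.doc / report.doc.locked
    if doc_ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    appended = None if doc_ext == last else last
    # An empty file has no header to judge, so it is treated as not suspect.
    return appended, (not head or head.startswith(MAGIC[doc_ext]))

def triage(root):
    """Count files whose content no longer matches their document type."""
    suspects = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                result = classify(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if result and not result[1]:
                suspects[result[0] or "(extension unchanged)"] += 1
    return suspects

def demo():  # constructed sample files, written to a temporary folder
    samples = {
        "letter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # intact
        "old.pdf.bak": b"%PDF-1.4",                         # renamed but intact
        "budget.xlsx.locked": b"\x8f\x13\x5a\xc2\x77\x01",  # content scrambled
        "photo.jpg.locked": b"\x02\xee\x41\x9b\x30\x6d",    # content scrambled
        "notes.docx": b"\x51\x0c\xfa\x22\x19\x88",          # scrambled, same name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return dict(triage(root))
```

A header mismatch is a lead rather than proof, since a file may simply have been saved with the wrong extension. Files whose extension was replaced rather than appended are not covered by this check.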
AVG provides decryption tools for Apocalypse, BadBlock, Bart, Crypt888, Legion, SZFLocker and TeslaCrypt. There is information on each of the types of ransomware describing what they do.
Kaspersky provides six ransomware decryption tools and each of these decrypts multiple variants of ransomware. There are too many to list and this is one of the best collections of ransomware cleanup tools.
Avast has a collection of free ransomware decryption tools. It targets 16 different types of ransomware and there are downloadable tools for each one. There are sometimes 32-bit and 64-bit versions, so make sure you get the right one. Open System in Control Panel and look at System Type to see which version of Windows you have.
Trend Micro’s collection of ransomware decryptors covers a lot of malware and its variants. 26 ransomware families can be handled and there are instructions further down the page. Unlike other decryptors, there is just one tool to download and when it is run, you select the type of ransomware that has infected your computer.
Protect against ransomware
A related article, How to protect against ransomware in Windows and stay safe, is worth reading and it contains valuable information for keeping ransomware out of your computer.
McAfee has an anti-ransomware utility that could be worth trying. It is called a pilot, but most people would regard it as a beta.
Ransomware Interceptor is available in 32-bit and 64-bit versions and it appears as a taskbar icon. Click it to turn monitoring on or off. When it is on it alerts you to ransomware and terminates the process so it cannot encrypt your files.