We’re around the 48 hour mark … 48 hours after ransomware suddenly became big news as the WannaCry variant began shutting down everything from radio stations to entire health systems across the world … so what do we know at this point … apart from the fact that the damage done has been considerable?

The drama is not over … WannaCry ransomware is back
A few hours ago newspapers and television stations were happily telling everyone that an English geek had found the kill switch that everyone was missing and the drama was over.
Now we know that the kill switch only stopped version one of WannaCry. There is a new version out there that has no kill switch, so the threat to your business and the associated drama is far from over.

Who was targeted?
The ransomware did not pick its victims by how they reached the Internet, but the way they reached it turned out to matter a great deal. Its kill-switch check (described below) was a plain web request that ignored the computer’s proxy settings. A computer with direct Internet access could reach the kill-switch domain once it had been registered, and the ransomware shut itself down; a computer that could only get out through a proxy got no answer to that request, so the ransomware carried on and encrypted the files.

Going out through a proxy server is standard practice in large and small enterprises; it is much less common for home users and home-based businesses. So the kill switch protected mostly homes and small offices and left large organisations exposed, which is why it was large-scale users who bore the brunt of this ransomware even though the ransomware itself attacked any unpatched Windows computer it could reach.

However that doesn’t mean that you can be complacent and think that you don’t need to worry … because you do and you definitely need to start taking precautions.

How does WannaCry work?
Once it was running on a computer, the ransomware first tried to reach one specific domain name with a plain web request … a domain that, at the time, had not been registered.

If it got any response at all it stopped. If it got nothing (because the domain did not resolve or, for computers behind a proxy, because a direct connection was impossible) it installed itself, began locking all the files on the infected computer and, at the same time, started probing the network for other Windows computers running an unpatched version of the SMBv1 file-sharing service. It broke into each one it found by exploiting that vulnerability, so nobody on those other computers had to click on anything.

Microsoft patched this vulnerability back in March of this year (bulletin MS17-010) but a very large number of Windows computers out there have not had the update installed and every one of them is vulnerable.

At the same time, every computer that was locked began displaying a message that told the user that their files were encrypted and would remain that way unless a ransom of $300 (paid in Bitcoin) was sent to an address that cannot easily be traced to a person.

Did anyone pay the ransom?
I have yet to see reports of anyone attempting to pay the ransom, so it’s impossible to say if paying the ransom would have led to the files being unlocked, but it’s worth considering the amount of the ransom that was being asked.

If this ransomware really was targeting large entities then why only ask for $300 per infected computer? So was this a one-time grab for cash where there would be no attempt to provide a key to unlock the files, or was it an attempt to establish some credibility so that more people would feel comfortable about paying the ransom in future?

How did WannaCry take control?
We may never know exactly how this version of ransomware found its way into so many computers, but the usual way that ransomware is spread is via bad links in email and trojan downloads from infected websites and, in this case, my bet is on email.

Sending out emails with dodgy links is a business in itself … and a very profitable one … and it’s a foolproof way of distributing something like this ransomware across the planet in the shortest possible time.

All it takes is one employee of a company, government department or public utility to click on a link in one of those dodgy emails and, if the conditions on the computer and the computer network are favourable for the ransomware, the end result is inevitable.

How was the spread of WannaCry stopped?
A self-trained IT specialist in the UK discovered that the domain name the ransomware was trying to contact was unregistered. Once he registered it, the ransomware’s request started getting an answer, and the ransomware was written to shut down when that happens, so newly infected computers with direct Internet access stopped before encrypting anything. Computers that had already been locked stayed locked, and computers that could only reach the Internet through a proxy never got the answer and were not protected at all.

The domain name was the kill switch, and now that it has been exposed the purveyors of this nasty piece of software appear to have re-written it so that it no longer checks the domain at all before encrypting the computer that it’s on.
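What the kill switch actually decides, and why a proxy defeats it, as an added example (this is not code from the article and not the malware’s own code): a small Python model of the check described in “How does WannaCry work?” and in this section. The domain name below is a hypothetical placeholder; the real sample used one hard-coded domain.

```python
"""Kill-switch decision logic as described in the article, modelled as an added example.

Behaviour modelled: one plain HTTP request to a hard-coded domain, made
without using the computer's proxy settings. Any answer means "stop";
no answer means "encrypt and spread". KILL_SWITCH_URL is a placeholder.
"""
import urllib.error
import urllib.request

# Hypothetical placeholder for the single hard-coded domain the sample queried.
KILL_SWITCH_URL = "http://kill-switch-domain.invalid/"


def direct_http_probe(url: str, timeout: float = 5.0) -> bool:
    """Return True if a direct HTTP request to url gets any answer at all.

    An empty ProxyHandler map disables every configured proxy, so the
    request goes straight out, mirroring the malware's direct connection
    attempt. On a network where the proxy is the only way out, this fails
    even after the domain has been registered.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True          # a 404 or 500 is still an answer: the domain is live
    except (urllib.error.URLError, OSError):
        return False         # no DNS record, no route, or connection refused


def dropper_decision(domain_answered: bool, has_kill_switch: bool = True) -> str:
    """What the dropper does next, given the probe result.

    has_kill_switch=False models the rewritten variant that skips the check.
    """
    if has_kill_switch and domain_answered:
        return "exit"
    return "encrypt and spread"


def scenarios() -> dict:
    """The four situations discussed in the article, run through the decision."""
    return {
        # Domain unregistered: DNS fails for everyone, so every infection proceeds.
        "before registration": dropper_decision(domain_answered=False),
        # Registered and the host has direct Internet access: the check succeeds.
        "registered, direct access": dropper_decision(domain_answered=True),
        # Registered, but the host can only go out via a proxy the sample ignores.
        "registered, proxy-only": dropper_decision(domain_answered=False),
        # Variant with the check removed: registration no longer matters.
        "variant without kill switch": dropper_decision(
            domain_answered=True, has_kill_switch=False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30s} -> {outcome}")
    # Live probe against the placeholder: a .invalid name never resolves,
    # which is the same "no answer" that let infections proceed.
    print("direct probe answered:", direct_http_probe(KILL_SWITCH_URL))
```

The practical consequence for a defender is in the third scenario: if your machines can only reach the Internet through a proxy, the registered domain gave you no protection, and patching was the only thing that did.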

What can you do to avoid ransomware?
It is so simple to reduce your chance of getting hit with ransomware. There are 4 very simple steps that anyone can take and you will find them by following this link.

What comes next?
Expect more attacks from the people who brought us WannaCry … and expect more from others as well.

Gone are the days when we were facing low-level attacks from kids working from their bedrooms. These days hacking and ransomware are BIG business … run like a business by organised crime … and they are not going to go away any time soon.