This threat brief describes the WannaCry ransomware and how to protect yourself against it. We expect new variants of the ransomware to emerge throughout the week; they will seek to exploit the vulnerability in Microsoft Server Message Block (SMB) that WannaCry has been using. It is critical that Windows users protect themselves against this threat immediately.
Threat details 
- Virus name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt or WCRY.
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Symptoms on infected systems: Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt End users see a screen with a ransom message demanding between $300 to $600. On restarting, affected machines show a blue screen error and do not start.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DoublePulsar backdoor. It corrupts shadow volumes to make recovery harder.
- Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host. This domain has been sinkholed, which has stopped the worm from spreading.
How to protect yourself
- If you use Windows, install the patch Microsoft released to block the specific vulnerability that the WannaCry ransomware exploits. You can find instructions on this page in the Microsoft Knowledge Base.
- If you are using an unsupported version of Windows, like Windows XP, Windows 2008 or Server 2003, you can get the patches for your unsupported OS from the Microsoft Update Catalog. We recommend that you update to a supported version of Windows as soon as possible.
- Update your antivirus software definitions. Most AV vendors have now added detection capability to block WannaCry.
- Back up regularly and make sure you have offline backups. That way, if you are infected with ransomware, your backups won’t be encrypted.
- Organisations should also be monitoring their logs closely for suspicious activity across firewalls and anti-virus software.