On May 12, a computer worm called WannaCry began infecting over 300,000 Windows computers in 150 countries—and made headlines around the world. Here’s what you need to know.
Why the headlines? First, because WannaCry is one of the most widespread cases of ransomware—software that encrypts all of the files on your PC, and will not unlock them until you pay the bad guys. In WannaCry’s case, you’re supposed to pay $300 within three days; at that point, the price goes up. If you still haven’t paid in a week, all your files are gone forever. (Here’s what it looks like if you’re infected.)
(Why can’t the authorities just track who the money’s going to, and thereby catch the bad guys? Because you have to pay in Bitcoin, which is a digital currency whose transactions are essentially anonymous. Here’s my explainer on Bitcoin.)
The second notable feature: The WannaCry malware took advantage of a security hole in Windows that had already been discovered by the U.S. National Security Agency (NSA). But instead of letting Microsoft (MSFT) know what it had found, the NSA kept it a secret and, in fact, decided to write a “virus” of its own to exploit it.
Ransomware is nasty. There’s no way out, no fix. And even if you pay up, there’s no guarantee you’ll get your files back; some of these ransomware people take your money and run. (Why can’t these low-life hackers have more of a sense of decency?)
How security holes get patched
So why doesn’t Microsoft fix Windows’s security holes? It does—all the time. For example, if you have Windows 10, you’re safe from WannaCry. And even if you have Windows 7 or 8, and you accept Microsoft’s steady flow of software updates, you’re fine, too; Microsoft patched this hole back in March.
The only people vulnerable to WannaCry are people running old versions of Windows, and people who don’t keep their Windows updated with Microsoft’s free patches.
Here’s the real irony: Typically, a researcher discovers a security hole in Windows—and quietly tells Microsoft. Microsoft’s engineers write and release a patch—for a hole the hackers hadn’t known about before. But the bad guys know that millions of people won’t install that patch. So they write the virus after Microsoft has fixed the hole! They get the idea from the fix.
In any case, ransomware loves to target corporate networks: hospitals, banks, airlines, governments, utility companies, and so on. These are places that often don’t regularly update their copies of Windows. (Lots of them still run Windows XP, which is 16 years old. Microsoft no longer supports Windows XP, but to its credit, it has written and released a patch to prevent WannaCry for Windows XP, too.)
How not to get ransomware
If you’d rather not get a ransomware infection on your PC, here’s what to do.
- Back up your computer. I know you know. But only 8% of people backup daily, according to a 2016 poll of over 2,000 people. For $74, you can get a 2-terabye backup drive, and use your PC’s automatic backup software. Thereafter, if your files get locked by ransomware, you lose only a couple of hours as you restore from your backup. (For best results, keep the backup drive detached when you’re not using it, since some ransomware seeks out other connected drives.)
- Turn on automatic updating of Windows. Get those patches before the bad guys do.
- Don’t open file attachments you’re not expecting. Even if they seem to come from people you know. Don’t open zip files that come by email. Don’t ever click links that seem to be from your bank, or Google, or Amazon; they’re just trying to trick you into giving them your passwords. Here’s my explainer on those “phishing” scams.
Backup, turn on updating, don’t open email attachments you’re not expecting.
This has been a public service message.
More from David Pogue: