Update 5/16/2017 Re: WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware

  1. Most critical to combating this strain of malware is to patch your Windows machine to the most current level. Refer to: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 or http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212 to find the appropriate patch level for your operating system. This is especially important if you are running a version of Windows which is no longer supported, like XP or Windows Server 2003.
  2. Regardless of the patching steps you take, it is possible to be infected by WannaCry—subsequent to patching—if you click on a malicious email link or attachment. Please review our instructions on how to handle phishing messages and messages with odd attachments: http://www.nyu.edu/servicelink/KB0014438.
  3. After an initial machine is infected, WannaCry spreads via a vulnerability in SMB, the protocol which manages Windows file sharing. This vulnerability was patched by Microsoft in March. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx for more information. So, if you have patched since March, you are not vulnerable to the MS17-010 SMB vulnerability; infection would then require you to execute a malicious email attachment or link, so the likelihood of infection is lower.
  4. We strongly recommend that machines with out-of-date operating systems be updated or retired. If you must use them, then they should be run in Standalone Mode, unconnected to the network. If you have questions about running an unsupported OS and how to transition your business process to a modern system, please contact the IT Service Desk at AskIT@nyu.edu.
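As an added example (not part of this advisory), the following PowerShell script reports whether the two update articles named above are present on a Windows host and whether the SMBv1 server protocol that WannaCry spreads over is still enabled. It assumes an elevated Windows PowerShell session; note that later monthly rollups supersede the March updates, so a missing KB ID alone does not prove the host is unpatched.

```powershell
# Added example, not code from the NYU advisory. Run in an elevated Windows PowerShell.
# KB4012598 and KB4012212 are the article numbers cited in the advisory. Later monthly
# rollups supersede them, so a missing ID is not proof the host lacks the MS17-010 fix.
$AdvisoryKBs = @('KB4012598', 'KB4012212')

function Get-Ms17010Status {
    # Get-WmiObject is used rather than Get-CimInstance so the check also works on
    # PowerShell 2.0 hosts (the older systems the advisory is most concerned with).
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    $hotfixes  = Get-HotFix
    $installed = $hotfixes | Select-Object -ExpandProperty HotFixID
    $found     = $AdvisoryKBs | Where-Object { $installed -contains $_ }

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on older
    # systems fall back to the LanmanServer registry value that controls SMBv1.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        # A missing SMB1 value means SMBv1 is enabled (the default on these versions).
        $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    $latest = $hotfixes | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1

    [PSCustomObject]@{
        OperatingSystem  = $os.Caption
        OSVersion        = $os.Version
        AdvisoryKBsFound = if ($found) { $found -join ', ' } else { 'none' }
        SMB1Enabled      = [bool]$smb1Enabled
        LastHotFixDate   = if ($latest) { $latest.InstalledOn } else { 'unknown' }
    }
}

$status = Get-Ms17010Status
$status | Format-List

if ($status.AdvisoryKBsFound -eq 'none') {
    Write-Warning 'Neither advisory KB was found by ID; check Windows Update history, since a later cumulative update may carry the MS17-010 fix.'
}
if ($status.SMB1Enabled) {
    Write-Warning 'SMBv1 server is enabled; this is the file-sharing protocol WannaCry spreads over.'
}
```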

WannaCry and Generic Ransomware Advice for Shared Network Drives / NYU Box / Google Drive / DropBox

Since the WannaCry malware encrypts your data, the encrypted data can propagate to your backup or cloud-based file sharing service, such as Box, DropBox, Drive, and others, if you sync to those services. The sequential steps to follow if you are the victim of encryption by ransomware are:

  1. Talk to your local IT group or NYU IT Office of Information Security (security@nyu.edu)
  2. Wipe your device
  3. Patch system to an up-to-date level
  4. Recover files from a backup or a sync performed prior to the encryption.
  5. Disconnect backups by dismounting backup devices or disconnecting from file sharing services

As an example, in March an NYU user encountered ransomware on a Windows machine that encrypted files on the computer, on USB drives, and on shared network drives. To recover from this event, they were able to restore files from Google Drive, NYU Box, and the respective system administrator’s departmental network drive backups.

For more information, see: