7 Facts about WannaCry ransomware


On Friday, 12 May 2017, a ransomware attack called WannaCry ran riot. Within a day this massive global cyber extortion attack crippled more than 230,000 computers in over 150 countries and left others scrambling to protect themselves. It hit Britain’s National Health Service, Spain’s Telefónica, FedEx and many other organizations worldwide, leaving PCs and data encrypted and held for ransom.

What is it, why did it happen, and how can organizations defend against WannaCry and other ransomware? Here are 7 facts organizations must be aware of.

1. What is WannaCry and how does it work?

WannaCry is a piece of ransomware first spotted by the security researchers of MalwareHunterTeam at 9.45am on 12 May. It is also known as WanaCrypt0r 2.0, Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.

This ransomware exploits a known vulnerability in the SMBv1 file-sharing component of the Microsoft Windows operating system, one that Microsoft had already patched in March 2017 (security bulletin MS17-010). It is believed to use tools developed by the United States National Security Agency (NSA) that were leaked by a group calling itself the “Shadow Brokers” in April.

The infection initially takes place through an exposed Server Message Block (SMB) port (TCP 445) on a computer. It then uses the same vulnerability to spread to random computers on the Internet and laterally to other computers on the same network, with no user interaction needed; this worm-like behaviour is what made WannaCry spread so much faster than typical ransomware. Once WannaCry takes hold of a computer, it encrypts the user’s files, shows a ransom screen and demands payment.

2. Who was behind the attack?

Attribution is tricky in the world of cyberwarfare. The Shadow Brokers, who said in April that they had stolen a “cyber weapon” from the NSA, are being partly blamed for the attack. The hacking tool, called “EternalBlue”, gives remote access to unpatched computers running Microsoft Windows that expose SMBv1. It had reportedly been developed by the NSA to gain access to computers used by terrorists and enemy states. It is reported that a separate crime group spotted this opportunity and built the tool into ransomware to attack computers around the world.

Some experts examining the code have found technical clues they said could link North Korea with the attack. Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.

3. How much money are they asking for and has anyone paid?


A key feature of successful ransomware is that the ransom is usually a modest sum, far less than the cost of paying a team of security experts to try to defeat the encryption. WannaCry asks for $300 to $600 worth of the cryptocurrency Bitcoin to unlock the contents of the computer, and the ransom note threatens a higher demand if the victim does not pay quickly.

Despite the widespread infection, only a small number of payments have been made. CNBC reports that payments have added up to just $50,000 worth of bitcoin, but the financial damage to victims around the world will be several orders of magnitude higher by the time all is said and done. Security experts continue to urge victims not to pay the ransom.

4. Will paying the ransom really unlock the files?

Sometimes paying the ransom works, and sometimes it does not. Security analysts say that over 200 of the WannaCry victims who promptly paid the ransom have got their data back. However, cybersecurity experts advise against paying, noting that historically only about two-thirds of compliant ransomware victims get their data back after meeting the attackers’ demands. WannaCry in particular gave its operators no reliable way to tell which victim a given Bitcoin payment came from, so any decryption depended on manual action by the attackers. Microsoft’s ransomware FAQ also states that “there is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.”

5. What has Microsoft done to tackle it?

Microsoft stated that it had already released a security update to patch the vulnerability exploited by the ransomware: the fix had been available since March 2017, two months before the outbreak, so the machines that fell victim were those on which the update had not been applied. On 12 May, a Microsoft spokesman said its engineers had provided additional detection and protection against the WannaCry ransomware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Update enabled and use the company’s free antivirus software are protected. Microsoft also took the unusual step of publishing the patch for Windows versions it no longer supports, including Windows XP and Windows Server 2003.

6. Will it continue to spread?

A British cybersecurity researcher discovered a “kill switch” that can temporarily prevent the spread of the WannaCry ransomware. The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental: the malware tries to connect to a hard-coded, unregistered domain name before it runs and exits if the domain responds, so registering that domain stops it from spreading. The kill switch does not help machines that are already encrypted, nor machines that can only reach the Internet through a proxy, because the malware’s check ignores proxy settings.

However, it did not take long for new variants of WannaCry to appear with the kill-switch code changed or removed.
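As an added example (not code from the original article), here is how an analyst could hunt for the two behaviours described above in their own logs: a host fanning out on TCP port 445 the way the worm does, and hosts that looked up the kill-switch domain. The log lines and their field layout are constructed for the demo, the internal address ranges are an assumption, and the kill-switch domain is the one the researcher published, not something named on this page:

```python
"""Hunting for WannaCry-style worm activity in firewall and DNS logs.

Added example (not part of the original article). The log lines are
constructed for this demo and the field layout is an assumption: a
space-separated "time src dst dst_port proto" connection record and a
"time client qname" DNS record. Adapt the two parsers to your own format.
"""
import ipaddress
from collections import defaultdict

# The organisation's own address ranges (assumed for the demo). Anything
# outside them counts as an Internet destination.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Kill-switch domain from the researcher's public write-up, not from the
# article above. Later variants used other domains or none, so extend this
# set from current threat intelligence rather than relying on one entry.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed firewall log: one host fanning out on TCP/445 to its subnet and
# to random Internet addresses (the worm's scan-and-exploit pattern), and one
# host doing ordinary SMB traffic to a single file server.
CONN_LOG = """\
12:01:03 10.0.0.15 10.0.0.1 445 tcp
12:01:03 10.0.0.15 10.0.0.2 445 tcp
12:01:04 10.0.0.15 10.0.0.3 445 tcp
12:01:04 10.0.0.15 10.0.0.4 445 tcp
12:01:05 10.0.0.15 10.0.0.5 445 tcp
12:01:05 10.0.0.15 203.0.113.9 445 tcp
12:01:06 10.0.0.15 198.51.100.77 445 tcp
12:01:06 10.0.0.15 192.0.2.44 445 tcp
12:01:07 10.0.0.22 10.0.0.1 445 tcp
12:01:08 10.0.0.22 10.0.0.1 445 tcp
12:01:09 10.0.0.22 10.0.0.30 443 tcp
"""

# Constructed DNS log: two hosts resolving the kill-switch domain.
DNS_LOG = """\
12:00:59 10.0.0.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
12:01:00 10.0.0.22 windowsupdate.microsoft.com
12:01:02 10.0.0.40 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(conn_log, min_targets=5):
    """Return {src: (distinct_445_targets, targets_outside_our_networks)}
    for every source that opened TCP/445 to at least min_targets distinct
    hosts. Workstations normally talk SMB to a handful of servers; one
    talking to many peers, and to Internet addresses, is scanning."""
    targets = defaultdict(set)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _time, src, dst, port, proto = line.split()
        if proto == "tcp" and port == "445":
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            external = sum(1 for d in dsts if not is_internal(d))
            hits[src] = (len(dsts), external)
    return hits


def killswitch_queriers(dns_log, domains=KILL_SWITCH_DOMAINS):
    """Hosts that looked up a kill-switch domain. The malware performs this
    lookup before deciding whether to run, so a query means the sample
    executed on that host even if the kill switch then stopped it; the host
    was reached by the exploit and should be investigated."""
    hits = set()
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _time, client, qname = line.split()
        if qname.rstrip(".").lower() in domains:
            hits.add(client)
    return hits


if __name__ == "__main__":
    for src, (n, ext) in smb_fanout(CONN_LOG).items():
        print(f"{src}: SMB to {n} distinct hosts, {ext} outside our networks")
    for host in sorted(killswitch_queriers(DNS_LOG)):
        print(f"{host}: queried a kill-switch domain, sample executed here")
```

The fan-out rule is the more durable of the two: it catches any SMB worm, not just this one, while the domain list has to be refreshed as variants change.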

7. How can organizations protect themselves?

Once ransomware has encrypted your files there is not a lot you can do. The first line of defense against WannaCry is installing the latest Windows security updates: patching the flaw that allows this worm to propagate is vital. Where a machine cannot be patched, disable the SMBv1 protocol and block inbound TCP port 445 at the network perimeter and between network segments, so that an infected host cannot reach it.

Although WannaCry does not appear to have relied on phishing emails to spread, most ransomware families do, so another crucial tip is to avoid opening suspicious attachments or clicking mystery links in emails.

As ransomware encrypts data, the best defense against ransomware attacks is to maintain good backups of valuable data. If ransomware strikes, the system can be wiped and a clean backup copy of the data restored. Backups must be kept safe from contamination: ransomware encrypts any network share or attached drive it can write to, so at least one copy should be stored where the infected machine has no write access (offline, or a remote or cloud destination reached only through the backup software’s own credentials), and backups should be kept in multiple remote and cloud destinations. Test the restore regularly; a backup that has never been restored is an untested assumption.

Looking ahead, there will only be more rampant ransomware threatening organizations and individuals worldwide. It is now imperative for everyone to start backing up their computers in order to survive the next waves of ransomware attacks. Just drop us a message if you would like to know more about offering backup solutions to your customers.

Sources: The Guardian, The San Diego Union Tribune, The Telegraph

Back up Your Customer’s WordPress Site in 2 Steps


Having a current backup of your customer’s WordPress website hosted by you is critical for protecting their websites against disastrous data loss or corruption caused by the top 5 security issues in WordPress. There are two parts to backing up an entire WordPress site: the database (MySQL) and the files. With the Ahsay backup solution, you are just 2 simple steps away from completely safeguarding your customers’ WordPress sites.

WordPress MySQL database backup

On the AhsayOBM client backup application, create a MySQL database backup set (free add-on module) to back up your customer’s WordPress database. After proper configuration, the database will be backed up to your selected destinations, such as your AhsayCBS backup server, local storage or public cloud storage, according to the defined backup schedule.

WordPress site files backup

On the AhsayOBM client backup application, create a file backup set (free add-on module) to back up the WordPress site files: the WordPress core installation, plugins, themes, images, JavaScript and PHP scripts, and any other files under the folder where WordPress is installed. After proper configuration, the WordPress site files will be backed up to your selected destinations, such as your AhsayCBS backup server, local storage or public cloud storage, according to the defined backup schedule.

Even if hackers, a server crash or user error completely wipe out your customer’s WordPress sites, you can still quickly restore their most recent WordPress database and files from the secure backup destination.

How it works

Suppose you have your own AhsayCBS backup server up and running, and the AhsayOBM client backup software installed on the web server that runs WordPress and the MySQL database. All you need to do is create the 2 backup sets mentioned previously.

For example, I have a WordPress site, My Ahsay Blog, with the site files installed in D:\wordpress. I have created a database called “blog” in MySQL for storing the WordPress data.

Let’s see how to back up this site.

Create a backup set for backing up the WordPress MySQL database

Log in to your AhsayOBM client software and click on the Backup Sets button.

Create a MySQL Backup Set. Enter the MySQL login information and the path to your mysqldump executable. Use a dedicated MySQL account with read-only privileges for this rather than the root account.

Select the WordPress database node.

Set up the backup schedule for automated backups. Here, I created 2 daily backups. If the site’s content is updated frequently every day, you can create more frequent scheduled backups.

Set up the backup destination. For demo purposes, I set the AhsayCBS backup server as the only destination.

Keep the default encryption settings.

Copy the encryption key and store it securely, and not only on the web server being backed up: restoring the backed-up data on another machine requires entering this key, and without it the backup cannot be read.

That’s it. The backup set for the WordPress MySQL database is created. Click on the “Backup Now” button to run a backup to AhsayCBS manually.

Done. The selected MySQL database has been backed up to AhsayCBS successfully.

Next, we need to create a File backup set for the WordPress site files that are stored in D:\wordpress.

I will also back up my PHP (php.ini) and Apache configuration files, so that if PHP or Apache has a problem I can restore those configurations after reinstalling.

As these files change less frequently, one backup per day is enough. Don’t worry that it will back up all the files every day: after the initial full backup, AhsayOBM only backs up files that have been modified since.

Set AhsayCBS as the backup destination for this backup set.

Keep the default encryption settings.

Done. The backup set is created. Run a backup manually by clicking the “Backup Now” button.

All site files and the PHP and Apache configurations have been backed up to the AhsayCBS backup server.
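The same two backup sets, written as a stand-alone Python script for readers who want to see what the GUI steps amount to. This is an added example, not Ahsay’s code and not from the original post; it assumes mysqldump is on PATH, takes the database credentials from the caller, and the paths and file contents in its demo are placeholders for D:\wordpress and the php.ini and httpd.conf files from the walkthrough:

```python
"""Backup of a WordPress site as a plain script: dump the database with
mysqldump, archive the site tree plus the PHP/Apache config files, record a
checksum, and verify the archive. Added example, not Ahsay's code. Assumes
mysqldump is on PATH and credentials come from the caller, never hard-coded.
"""
import hashlib
import io
import os
import subprocess
import tarfile
import tempfile
import time


def dump_mysql(database, user, password, host="localhost"):
    """Return the SQL dump as bytes. --single-transaction snapshots InnoDB
    tables without locking the live site; MYSQL_PWD keeps the password out
    of the process list. Use a read-only MySQL account for this."""
    env = dict(os.environ, MYSQL_PWD=password)
    cmd = ["mysqldump", "--single-transaction", "--routines", "--triggers",
           "-h", host, "-u", user, database]
    return subprocess.run(cmd, check=True, capture_output=True, env=env).stdout


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(dest_dir, site_dir, dump_bytes, extra_files=(), label="wordpress"):
    """Write one timestamped .tar.gz with the dump, the site tree and any
    config files, plus a sidecar .sha256 so the archive can be checked on
    another machine without the backup tool. Returns (path, sha256_hex)."""
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"{label}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo(name=f"{label}.sql")
        info.size, info.mtime = len(dump_bytes), int(time.time())
        tar.addfile(info, io.BytesIO(dump_bytes))
        tar.add(site_dir, arcname="site")
        for path in extra_files:
            tar.add(path, arcname="config/" + os.path.basename(path))
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_backup(archive, expected_members=("wordpress.sql", "site/wp-config.php")):
    """A backup nobody has read back is only a hope: check the recorded
    digest and that the members needed on restore day exist. Returns (ok, why)."""
    with open(archive + ".sha256") as f:
        recorded = f.read().split()[0]
    if recorded != sha256_of(archive):
        return False, "checksum mismatch"
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    missing = [m for m in expected_members if m not in names]
    return (False, "missing " + ", ".join(missing)) if missing else (True, "ok")


def demo():
    """Offline rehearsal on a constructed site tree with a fake dump, so the
    archive/verify path can be exercised without MySQL."""
    work = tempfile.mkdtemp()
    site = os.path.join(work, "wordpress")
    os.makedirs(site)
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'blog');\n")
    ini = os.path.join(work, "php.ini")
    with open(ini, "w") as f:
        f.write("memory_limit = 128M\n")
    archive, _ = build_backup(os.path.join(work, "backups"), site,
                              b"-- constructed dump\n", extra_files=[ini])
    return archive, verify_backup(archive)


if __name__ == "__main__":
    print(demo())
```

For the live site, call dump_mysql("blog", user, password) and pass its output to build_backup() together with D:\wordpress and the configuration files. The script does not encrypt, so either encrypt the archive before it leaves the server or rely on the destination’s encryption, and copy it to a destination that the web server’s account cannot delete.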

Restore the WordPress MySQL database after a user has accidentally deleted content

Let’s see how the restore works. Assume the WordPress editor has accidentally deleted all the site’s posts; we can restore them by restoring the backed-up MySQL database with just a few clicks.

Let’s delete all the posts permanently first to simulate the data loss scenario. Go to the WordPress admin section > Posts, and trash all the content permanently.

Load the WordPress site and all the content should be gone.

Now, open AhsayOBM and click the “Restore” button.

Select the WordPress MySQL database backup set to restore.

Select the backup destination from which to restore. Since we have just one destination, click on that.

Select the database node, i.e. blog, to restore.

Since we want to restore all the backed-up content to the site, we can simply choose to restore to the “Original location”. Note that this overwrites the live database with the backed-up copy, so anything written since the backup was taken (new posts, comments, orders) is lost; to recover only a few items, restore the database elsewhere and copy the rows across.

Choose a temporary directory for AhsayOBM to store temporary files during the restore process. Then, click the “Restore” button to start the restoration.

After a successful restoration, go back to the WordPress admin page > Posts. All the content should reappear.

Reload the site and all the content should be restored successfully.

Sounds good? Just drop us a message if you want to offer WordPress backup solution to your customers.

Top 5 Reasons to Back Up Your Customer’s WordPress Site


Imagine this situation. As a web hosting service provider, one day one of your web servers is hacked, causing hundreds or even thousands of your customers’ WordPress sites to become inaccessible and show error screens. Angry phone calls and emails soon follow. Can you afford to tell your customers that their sites have no backups (or only long-outdated backups), that all the lost posts, images and comments are gone for good, and that the only resolution is to rebuild the sites? A business isn’t a business without a website these days. Once your customers’ years of hard work, blood, sweat and tears turn to dust, you can count yourself lucky if any of them still stay with you.

Even when hacking is not involved, many different things can cause a site to crash or become vulnerable. That’s why a web hosting service provider should always back up customers’ WordPress sites. If you’re not convinced yet, here are the top 5 reasons that should get you to act.

1. Brute Force Login Attempts

A brute force attack on WordPress is when someone attempts to gain access to your customer’s site by trying an enormous number of username and password combinations. As WordPress allows unlimited login attempts by default, attackers can hammer the WordPress login page (wp-login.php, and also the XML-RPC interface at xmlrpc.php, whose system.multicall method lets a single request carry many password guesses) with this trial-and-error method until a working combination is found. Even when unsuccessful, brute force attacks can still wreak havoc on the web hosting server, because the enormous number of login attempts may overload the system. Limiting login attempts, enforcing strong passwords and enabling two-factor authentication reduce the risk, but none of them brings a site back once an attacker is in.
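An added example (not from the original post) of what a brute-force attempt looks like in the web server’s access log and how to pick it out. The log lines are constructed inside the script, and the thresholds and the 60-second window are assumptions to tune for a real site:

```python
"""Spotting WordPress login brute-forcing in a web server access log.

Added example (not part of the original article). The log lines are
constructed inside the script in Apache/nginx "combined" format: a benign
visitor, a burst of password guesses against wp-login.php, and a probe of
xmlrpc.php. xmlrpc.php gets a much lower threshold because its
system.multicall method lets one request carry hundreds of credential
guesses. The thresholds and the window are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# POST requests tolerated per client per window before we call it an attack
LOGIN_LIMITS = {"/wp-login.php": 20, "/xmlrpc.php": 5}


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def brute_force_sources(log, window_seconds=60):
    """Return {ip: (path, count)} for clients whose POSTs to a login endpoint
    exceed that endpoint's limit within a sliding window of window_seconds.
    The count is the size of the window when the limit was last exceeded."""
    recent = defaultdict(deque)      # (ip, path) -> timestamps inside the window
    flagged = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path not in LOGIN_LIMITS:
            continue
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > LOGIN_LIMITS[path]:
            flagged[ip] = (path, len(q))
    return flagged


def constructed_log():
    """Sample log built for this demo, not captured from a real server.
    A 200 on POST /wp-login.php is a failed login (WordPress re-renders the
    form); a 302 is the redirect after a successful one."""
    base = datetime(2017, 5, 14, 3, 15, 0, tzinfo=timezone.utc)

    def line(ip, secs, method, path, status):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("198.51.100.7", 0, "GET", "/", 200),
             line("198.51.100.7", 2, "POST", "/wp-login.php", 302)]
    lines += [line("203.0.113.5", 5 + i, "POST", "/wp-login.php", 200) for i in range(25)]
    lines += [line("192.0.2.9", 40 + 2 * i, "POST", "/xmlrpc.php", 200) for i in range(6)]
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, (path, count) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to {path} within 60s, block or rate-limit")
```

A 302 arriving after a long run of 200s from the same client is the pattern to alert on with the highest priority: it means a guess succeeded.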

2. Using Outdated WordPress or Plugins and Themes from Suspect Sources

Your customers may expose their sites to risks and attacks unwittingly. By default anyone can find out what version of WordPress your customer’s site is running, from the generator meta tag that WordPress adds to the HTML header of every page. Some themes even show the version number on every page of the site. This is a security risk because, if your customer is running an older version of WordPress, attackers can target specific security vulnerabilities that have since been patched by more recent updates.

Another common attack vector is poorly written, insecure plugins and themes from untrustworthy sources. According to a report by wpscan.org, of the 4,000 known WordPress security vulnerabilities more than half are in WordPress plugins. Files of torrented “free” versions of premium plugins and themes may have been modified to contain malware.

3. File Inclusion Exploits

PHP, the language in which WordPress, its plugins and its themes are written, is another avenue that attackers can exploit. File inclusion exploits happen when vulnerable code builds the path of a file to include from user-controlled input, allowing attackers to load remote files or read local files they should not see, and thereby gain access to your customer’s website. The consequences are serious once an attacker can read the “wp-config.php” file, one of the most important files in your customer’s WordPress installation: it contains the database credentials and the secret keys used to sign login cookies.
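An added example, not from the original post, that models the vulnerable PHP include pattern in Python alongside a hardened version; the site tree, template names and the fake credential are constructed for the demo:

```python
"""Local file inclusion: the vulnerable pattern next to the hardened one.

Added example (not part of the original article). It is a Python model of
the PHP idiom include($template_dir . '/' . $_GET['page'] . '.php'), run
against a throwaway site tree the script builds itself, so it works offline.
The file names and the fake credential are constructed for the demo.
"""
import os
import tempfile


def make_site():
    """Stand-in for a WordPress install: two theme templates and a
    wp-config.php holding (fake) database credentials."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "wp-content", "themes", "demo", "templates")
    os.makedirs(tpl)
    for name in ("home", "about"):
        with open(os.path.join(tpl, name + ".php"), "w") as f:
            f.write(f"<h1>{name}</h1>\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'not-a-real-password');\n")
    return root, tpl


def include_vulnerable(tpl_dir, page):
    """The user fully controls the path, so page='../../../../wp-config'
    climbs out of the template directory and the appended '.php' lands
    exactly on wp-config.php."""
    with open(os.path.join(tpl_dir, page + ".php")) as f:
        return f.read()


ALLOWED_PAGES = {"home", "about"}


def include_hardened(tpl_dir, page):
    """Two independent checks: an allow-list of template names, and a
    canonical-path test that the resolved file is still inside the
    template directory (the second check keeps the code safe if someone
    later widens the allow-list to free-form names)."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {page!r}")
    base = os.path.realpath(tpl_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the template directory")
    with open(target) as f:
        return f.read()


def blocked(tpl_dir, page):
    """True if the hardened version refuses the request."""
    try:
        include_hardened(tpl_dir, page)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root, tpl = make_site()
    print(include_vulnerable(tpl, "../../../../wp-config"))   # leaks the credentials
    print(blocked(tpl, "../../../../wp-config"))              # True
```

Remote file inclusion (passing a URL instead of a path) is additionally stopped by leaving allow_url_include=Off in php.ini, which is the default, but that setting does nothing against the local traversal shown here.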

4. SQL Injections

Your customer’s WordPress website uses a MySQL database to operate. The database contains all the posts, comments, links and user accounts on the website. Using SQL injection, attackers can gain access to the WordPress database and to all of your customer’s website data. According to Wordfence, SQL injection was the second most common vulnerability type found in WordPress in 2016. With an injection, the attacker may be able to create a new admin-level user account or reset an existing administrator’s password, then log in and get full access to your customer’s WordPress website. SQL injection can also be used to insert new data into the database, including links to malicious or spam websites.
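An added example, not from the original post, showing both injection outcomes mentioned above against a constructed wp_users table in SQLite: dumping every user’s password hash through a string-built SELECT, and taking over the admin account through a string-built UPDATE, each next to the parameterised query that defeats it. The table contents and hashes are made up for the demo:

```python
"""SQL injection against a WordPress-style users table: the string-built
query next to the parameterised one.

Added example (not part of the original article). It uses an in-memory
SQLite database with a constructed wp_users table and fake password hashes;
the query shapes are the point, not the engine. In WordPress plugin code
the safe form is $wpdb->prepare() with %s/%d placeholders.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
               "user_pass TEXT, user_email TEXT)")
    db.executemany(
        "INSERT INTO wp_users (user_login, user_pass, user_email) VALUES (?, ?, ?)",
        [("admin", "$P$BfakehashA1", "admin@example.com"),
         ("editor", "$P$BfakehashB2", "editor@example.com")])
    return db


def find_user_vulnerable(db, login):
    """Mirrors $wpdb->get_results("... WHERE user_login = '$login'"):
    the input becomes part of the SQL text."""
    sql = f"SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = '{login}'"
    return db.execute(sql).fetchall()


def find_user_safe(db, login):
    """Mirrors $wpdb->prepare("... WHERE user_login = %s", $login):
    the input is bound as a value and can never change the query."""
    return db.execute("SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = ?",
                      (login,)).fetchall()


def update_email_vulnerable(db, user_id, email):
    """A profile-update query built by concatenation. An injected email can
    add more SET clauses and replace the WHERE, i.e. reset someone else's
    password (the 'take over an admin account' outcome)."""
    db.execute(f"UPDATE wp_users SET user_email = '{email}' WHERE ID = {int(user_id)}")
    db.commit()


def update_email_safe(db, user_id, email):
    db.execute("UPDATE wp_users SET user_email = ? WHERE ID = ?", (email, int(user_id)))
    db.commit()


# Payloads an attacker would send in the login or email field.
DUMP_ALL = "' OR '1'='1"
TAKEOVER = "x', user_pass = 'attacker-hash' WHERE user_login = 'admin' -- "


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, DUMP_ALL))   # every user and password hash
    print(find_user_safe(db, DUMP_ALL))         # []
    update_email_vulnerable(db, 2, TAKEOVER)    # the editor "updates" the admin's password
    print(find_user_safe(db, "admin"))          # hash is now 'attacker-hash'
```

Escaping quotes by hand is not an alternative to binding parameters; the whole class of bugs disappears only when user input never reaches the SQL text.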

5. Malware

Malware (malicious software) is commonly used by cybercriminals to gain unauthorized access to a website and gather sensitive data. The popularity of WordPress as a blogging platform and CMS makes it a target for malware. A hacked WordPress site usually means malware has been injected into the website’s files. Looking at the website’s recently changed files, or comparing them against a known-good copy, can reveal whether malware is present; core files can also be compared against the clean versions published by WordPress. There are thousands of malware types on the web, but WordPress is not vulnerable to all of them. Some of the most common WordPress malware infections are backdoors, drive-by downloads, pharma hacks and malicious redirects.
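An added example, not from the original post, of the recently-changed-files check done with a hash baseline rather than modification times: it builds a throwaway WordPress-like tree, takes a baseline, simulates a compromise and reports exactly the files the attacker touched. The file names and backdoor snippets are constructed for the demo:

```python
"""File integrity baseline for a WordPress tree: record a hash of every
file once, then report added, changed and removed files later. This is the
"look at the recently changed files" check done with hashes instead of
modification times, which an attacker can set to anything.

Added example (not part of the original article). The demo builds a
throwaway site tree inside the script, so it runs offline; the file names
and the backdoor snippets are constructed for the demo.
"""
import hashlib
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, skip_dirs=("wp-content/cache",), noisy_dirs=("wp-content/uploads",)):
    """Map relative path -> sha256. Directories in skip_dirs are ignored
    entirely; in noisy_dirs (uploads change legitimately all the time) only
    .php files are recorded, because nothing executable should ever appear
    there. Keep the result somewhere the web server user cannot write."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        dirnames[:] = [d for d in dirnames
                       if f"{rel_dir}/{d}".lstrip("/") not in skip_dirs]
        in_noisy = any(rel_dir == n or rel_dir.startswith(n + "/") for n in noisy_dirs)
        for name in filenames:
            if in_noisy and not name.lower().endswith(".php"):
                continue
            digests[f"{rel_dir}/{name}".lstrip("/")] = file_sha256(os.path.join(dirpath, name))
    return digests


def diff(old, new):
    """Compare two baselines; any entry in 'changed' or 'added' under
    wp-includes, wp-admin or a theme deserves a look at its contents."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def write(root, rel, body):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)


def demo():
    """Constructed scenario: baseline a clean install, then simulate a
    compromise that backdoors the theme's functions.php and drops a PHP
    shell into uploads, alongside legitimate image and cache changes."""
    root = tempfile.mkdtemp()
    write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    write(root, "wp-content/themes/demo/functions.php", "<?php // theme functions\n")
    write(root, "wp-content/uploads/2017/05/photo.jpg", "jpeg bytes")
    write(root, "wp-content/cache/page.html", "cached page")
    before = baseline(root)
    write(root, "wp-content/themes/demo/functions.php",
          "<?php // theme functions\neval(base64_decode($_POST['c']));\n")
    write(root, "wp-content/uploads/2017/05/cache.php", "<?php system($_GET['cmd']);\n")
    write(root, "wp-content/uploads/2017/05/photo.jpg", "new jpeg bytes")   # not reported
    write(root, "wp-content/cache/page.html", "new cached page")             # not reported
    return diff(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run baseline() right after a clean install or update and store the result off the server; comparing wp-includes and wp-admin against the matching release downloaded from wordpress.org catches modified core files even without a baseline.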


Without a backup, your customers’ WordPress websites could be lost forever because of the above security issues. You need a reliable backup solution in place to protect their WordPress websites from unexpected disasters. Click here to find out how Ahsay can help.