ngCERT 2nd Advisory on WannaCry/WCry/WCrypt0 Ransomware Worm and Remote Desktop Protocol (RDP) & Server Message Block (SMB) Protocol Vulnerability

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2020-010
Version:
1.00
CVE:
CVE-2017-0144 (the SMBv1 flaw addressed by Microsoft Security Bulletin MS17-010)
Published:
May 15, 2017

Summary


A vulnerability in the Server Message Block version 1 (SMBv1) implementation of the Microsoft Windows operating system is currently being exploited by a ransomware worm called WannaCry to spread from computer to computer without any user action. Exposed Remote Desktop Protocol (RDP) services are a further remote-access path into Windows hosts that attackers use to reach systems. Once on a host, the worm encrypts the user's files on the infected computer's drives and demands a ransom.

Description & Consequence


RDP is a protocol on Windows operating systems that allows remote access to and control of a Windows computer. It is usually used by systems administrators to manage computers running Windows remotely. The SMB protocol is commonly used by servers to communicate with computers on a domain, and by computers to share files, printers and other resources on a network; the vulnerable implementation is SMBv1, which listens on TCP port 445.

These protocols are currently being used by the WannaCry ransomware to spread to and infect computers on a network: the worm scans for hosts with TCP port 445 reachable and exploits the unpatched SMBv1 service to copy itself onto them. When a computer is infected, the worm encrypts the host computer's files and requests a ransom of 0.1784 bitcoin (approximately $300 at the time of writing). It further threatens that if the ransom is not paid within 3 days the amount will be doubled, and that if it is still not paid after 7 days the files will be deleted and cannot be recovered. Figures A and B below show the messages displayed by an infected computer.

Figure A: Message popup on an infected computer (image courtesy: https://www.hackread.com/)

Figure B: Instructions in a text file on an infected computer (image courtesy: https://www.my-private-network.co.uk/)

Microsoft released the update that fixes this vulnerability (Security Bulletin MS17-010) in March 2017; computers that have not installed it remain vulnerable. On May 12, 2017 Microsoft also issued out-of-band updates for versions of Windows that are no longer supported, including Windows XP, Windows 8 and Windows Server 2003.

Solution


1. Stakeholders are advised to ensure that computers running Windows 7 and above are up-to-date by checking Windows Update in the Control Panel and confirming that the MS17-010 update (or a later cumulative update that includes it) is installed. Stakeholders with computers running other variants of the Windows operating system can follow the links below to download the corresponding update for their operating system:

               a. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral

               b. https://support.microsoft.com/kb/2696547

   Where the update cannot be applied immediately, disable SMBv1 on the affected computers and block inbound TCP port 445 (SMB) and TCP port 3389 (RDP) from the Internet at the network perimeter, as recommended in the Microsoft guidance above.

2. Stakeholders are also advised to upgrade any computer running an earlier version of the Microsoft Windows operating system to Windows 10, so as to benefit from its automatic update features. Computers can be upgraded using the link below:

               a. https://www.microsoft.com/en-us/windows/windows-10-upgrade

3. Stakeholders are encouraged to keep isolated (offline) or remote periodic backups of their critical data and files, so as to ensure minimal downtime in the event of an incident. Backups that remain connected to the infected computer or network share can be encrypted along with the original files.

4. If an infected computer is identified, first unplug it from the network (or disable its Wi-Fi) so that the worm cannot reach other hosts, then power off the system using the hardware power switch, and report the incident to ngCERT via phone: 07044642378, email: incident@cert.gov.ng, or using the incident report form on the ngCERT website: www.cert.gov.ng.
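The checks and hardening steps in items 1 to 4 above can be carried out from an elevated PowerShell prompt. The script below is an added example for this advisory, not a script from ngCERT or Microsoft. It assumes the list of MS17-010 knowledge base article numbers published with the Microsoft guidance linked above; because later cumulative updates supersede those articles, a host on which none of them appears in Get-HotFix is "unverified", not necessarily vulnerable, and should be checked through Windows Update history. The firewall rule names and the use of the built-in Internet address keyword are the example's own choices.

```powershell
# Added example for the ngCERT WannaCry advisory (not ngCERT's or Microsoft's own script).
# Run in an elevated PowerShell prompt on the Windows host being assessed.
# Assumption: the KB numbers below are the MS17-010 updates published by Microsoft
# in March/May 2017 for each OS. A host that has since installed a later cumulative
# update will not list the original KB even though the fix is present.

$Ms17010Kbs = @(
    'KB4012598',  # Windows XP, Windows 8, Windows Server 2003 (out-of-band, May 2017)
    'KB4012212',  # Windows 7 / Server 2008 R2, security-only update
    'KB4012215',  # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2, security-only update
    'KB4012216',  # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012214',  # Windows Server 2012, security-only update
    'KB4012217',  # Windows Server 2012, monthly rollup
    'KB4012606',  # Windows 10 version 1507
    'KB4013198',  # Windows 10 version 1511
    'KB4013429'   # Windows 10 version 1607 / Windows Server 2016
)

function Test-Ms17010Installed {
    # Returns $true when one of the MS17-010 KBs is listed; $false means "verify manually".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Output "MS17-010 update present: $($found -join ', ')"
        return $true
    }
    Write-Output 'No MS17-010 KB listed by Get-HotFix; confirm via Windows Update history before treating the host as patched.'
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets;
    # Windows 7 and older only have the LanmanServer registry value (absent = SMBv1 enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    # The worm spreads over SMBv1; turning it off removes the attack surface even
    # before the patch is applied. Legacy devices (old NAS units, printers) may still
    # need SMBv1, so test file sharing afterwards. Windows 7 needs a reboot for the change.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmbAndRdp {
    # Blocks TCP 445 (SMB) and TCP 3389 (RDP) arriving from Internet addresses, the two
    # ports named in this advisory. Rule names are this example's own; adjust
    # -RemoteAddress to your own address ranges if "Internet" is too coarse.
    New-NetFirewallRule -DisplayName 'ngCERT-Block-Inbound-SMB-445' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block
    New-NetFirewallRule -DisplayName 'ngCERT-Block-Inbound-RDP-3389' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress Internet -Action Block
}

# Assess first, then remediate.
$patched = Test-Ms17010Installed
$smb1Enabled = Get-Smb1State
Write-Output "MS17-010 verified: $patched; SMBv1 enabled: $smb1Enabled"
if ($smb1Enabled) { Disable-Smb1 }
Block-InboundSmbAndRdp
```

The firewall rules are a stop-gap for the perimeter: domain file servers still need TCP 445 open to internal clients, so the rules block only traffic from the Internet address range rather than all inbound SMB. Disabling SMBv1 is the durable fix alongside the patch, since the worm relies on SMBv1 specifically and SMBv2/SMBv3 remain available for normal file sharing.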

Reference


  1. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral
  2. https://www.us-cert.gov/ncas/alerts/TA17-132A
