The list of Microsoft Windows based systems and countries affected by the WannaCry ransomware is growing. The ransomware encrypts files on an attacked system and in turn requests payment in Bitcoins before the files can be decrypted and the system returned back to normal.
The attack is not only limited to personal computers and laptops but also attacks any Windows based server systems.
So, what can you do to reverse the effects of the attack without paying the ransom?
If your computer hasn't been affected yet, is there a way to protect against a possible attack?
Prevention Is Better Than Cure
If your Windows based systems haven't been affected yet then that is great as you are in a far better position to prevent against an attack by WannaCry.
The solution to prevent against the ransomware is reletively simple and was actually available a full month before the WannaCry ransomware was released publicly for anyone to use and exploit.
All you have to do is to install the latest Microsoft Windows security patch which is mentioned in this March 2017 Microsoft Security Bullettin. You can download the patch here and follow the instructions to install it and protect your system against a potential WannaCry ransomware attack.
Reversing The Damage
The best advice so far seems to come from Kaspersky Labs who have said they are also working on the possibility of creating a decryption tool to help victims.
Firstly, as advised by Kaspersky, you need to ensure that your Windows system is running any form of endpoint security and if running Kaspersky tools, ensure that the the Kaspersky System Watcher component is available on your system.
![System Watcher blocking the WannaCry attacks](/content/images/2017/05/wannacry_14.png)
Kasperky System Watcher component blocking the WannaCry attack.
Kasperky System Watcher has the ability to "rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses".
Below are the steps to follow to try and recover the effects of the WannaCry ransomware:
1. Make sure that all hosts are running and have enabled endpoint security solutions.
2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.