Ransomware attacks reported on Windows machines internationally


  1. Posts : 39,955
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition, Win 11 Pro
       #50

    A 'kill switch' is slowing the spread of WannaCry ransomware


    Friday’s unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated.
    However, the ransomware also contains a kill switch that may have backfired on its developers, according to security researchers.

    Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this: If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.

    A security researcher who goes by the name MalwareTech found that he could activate the kill switch by registering the web domain and posting a page on it.
    A 'kill switch' is slowing the spread of WannaCry ransomware | PCWorld


  2. Posts : 5,452
    Windows 11 Home
       #51

    Comodo Firewall 10 vs WannaCry Ransomware - YouTube

    As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.

    As expected, this strain does not include a killswitch domain, like WannaCry did.

    We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied. Uiwix also has self-replicating capabilities, as WannaCry did.
    Security Alert: WannaCry Leaves Exploited Computers Vulnerable to Round Two - Heimdal Security Blog

    Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry - Heimdal Security Blog


  3. Posts : 42,977
    Win 10 Pro (22H2) (2nd PC is 22H2)
       #52

    But come Monday, things could escalate as a new variant has been detected apparently...


  4. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #53

    swarfega said:
    I'm disabling SMB1 on all our Windows computers.
    DavidY said:
    Just been doing the same on this laptop, having read this and also this TechNet article (which was linked from the Register post).
    It turns out that this stopped me accessing my old NAS drive (at least the way I've been using it) so I've been going round turning SMB1 back on again.

    I should perhaps have thought of that and tested it before switching it off in multiple places.

    Oh, and it turns out that when you switch Features like this back on again, it uses Windows Update, so on a laptop where Windows Update is broken, it's not so straightforward to switch on again. Luckily Shawn's tutorial to Reset Windows Update worked, although even then I had a struggle to kill off the service to run the tutorial.
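
Added example, not part of any post in this thread: a PowerShell check for what still depends on SMB1 before the feature is switched off, the test the post above says was skipped. It assumes an elevated session on Windows 10 and that the NAS or other shares have been opened beforehand so the connections are live; it goes slightly beyond the post by also auditing inbound SMB1 clients.

```powershell
# Added example: inventory SMB1 usage on this machine before disabling it.
# Assumption: elevated PowerShell session on Windows 10.

# 1. Is the SMB1 optional feature currently installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($feature.State)"

# 2. Outbound: which servers is this PC connected to, and with which dialect?
#    Browse to the NAS / shares in Explorer first so the connections exist.
$legacy = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    "These servers negotiated SMB1 and will be unreachable once it is disabled:"
    $legacy | Select-Object ServerName, ShareName, Dialect | Format-Table -AutoSize
} else {
    "No active outbound connection is using SMB1."
}

# 3. Inbound: does this machine's SMB server still accept SMB1 clients?
$server = Get-SmbServerConfiguration
"Server accepts SMB1: $($server.EnableSMB1Protocol)"

# Log every inbound SMB1 client (event ID 3000) instead of guessing.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. After a few days of normal use, list the clients that still spoke SMB1.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message -First 20
```

If step 2 lists a device, check whether it can be configured for SMB2 or later before removing SMB1 from the machines that use it.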


  5. TV2
    Posts : 2,221
    W10 Pro 22H2
       #54

    Looking here for info on how this exploit actually gets on a PC.
    Is it by email, or infected website?
    If email, does it deliver the payload on receipt of the email, on previewing, on opening the email, or by opening an attachment?


  6. Posts : 1,983
    Windows 10 x86 14383 Insider Pro and Core 10240
       #55

    TV2 said:
    Looking here for info on how this exploit actually gets on a PC.
    Is it by email, or infected website?
    If email, does it deliver the payload on receipt of the email, on previewing, on opening the email, or by opening an attachment?
    Malwarebytes technical analysis here:

    The worm that spreads WanaCrypt0r - Malwarebytes Labs | Malwarebytes Labs


  7. TV2
    Posts : 2,221
    W10 Pro 22H2
       #56

    Thanks for the link. But the article dives right into how the exploit works and skips right over the answer to my question, like so many other articles do.

    As close as they get is this:
    "but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware".

    So, I'm still curious. How does the exploit get "dropped on a system"?


  8. Posts : 4,201
    Windows 10 Pro x64 Latest RP
       #57

    eMail and then spread over SMB network connections - via a recently discovered vulnerability in SMB stack, that has already been corrected in Supported Windows up to 8.1 - Microsoft has also released fixes for the vulnerability for unsupported OS's such as XP, Vista and several server systems. Windows 10 has never had the vulnerability

    Basically the bottom line is if you are up to date with your updates for Windows or have applied the patch for XP or Windows Vista you are safe - for now - expect the next worm and its payload to be more advanced


  9. Posts : 1,983
    Windows 10 x86 14383 Insider Pro and Core 10240
       #58

    I think that the gaps in information given are to stop the casually curious from making themselves victims.

    Apparently email is the vector.

    You can download the thing from certain websites, and get yourself infected.

    But I am not going to give out that information either!


  10. TV2
    Posts : 2,221
    W10 Pro 22H2
       #59

    So, when people ask, do I tell them:
    Don't check your Email!
    Don't preview your Email! Right click and delete everything!
    Don't open ANY email!
    Or just the tired old mantra: "Don't open any attachments unless you know what they are".


 
