
WannaCry – A ransomware

What is WannaCry?

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor) is a ransomware program targeting Microsoft Windows systems; the outbreak began on May 12, 2017. It is said that more than 2 lakh (200,000) systems were infected in more than 150 countries, with Russia most affected (>70%), followed by Ukraine (<10%) and India (<10%). It demands a ransom of $300, payable in Bitcoin, along with a warning that the sum will be doubled in 3 days. It encrypts important files on the computer, locking the user out of them, changes the desktop wallpaper to a textual warning, and shows a decryptor program with a detailed explanation in 28 major languages.

What is ransomware?

Ransomware is a malicious program that gets onto a computer when the user installs it unknowingly, for example by clicking a popup or downloading the wrong application. Once installed, it holds the machine (or its data) hostage until the demanded ransom has been paid. The WannaCry attack spread through phishing emails and, acting as a computer worm, through old systems that had not been properly updated.

What is a worm?

A worm is a program that replicates functional copies of itself and damages the system's data or software, causing the system to behave abnormally. It differs from a virus in how it replicates: a virus requires a host file to spread, whereas a worm is a standalone application that propagates itself.

What files are affected by this ransomware?

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

What does it say?

The English version of the ransom note says:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click.
And send the correct amount to the address specified in this window.
After your payment, click. Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking.

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!

The window:

It also drops batch and VBS script files and a readme file into several directories on the victim's machine.

How to prevent?

If you have not yet been hit by the ransomware, you can protect yourself by following a few steps:

1. Update Windows with the latest patches and security updates.

According to the Windows blog, “The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.”

Also read the guidance Microsoft published on its TechNet blog on how to protect your system.

2. Block popups in the browser and use an ad blocker.

3. Refrain from downloading applications you do not know, and from clicking links you are not familiar with.

4. In addition, according to this Stack Overflow answer, close ports 135 and 445, since the ransomware spreads through the SMB ports and ordinary users do not need them, and disable SMBv1 support.
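The checks and changes behind steps 1 and 4, as an added example that is not part of the original post or of any Microsoft guidance quoted above. It assumes an elevated PowerShell session; the SMB and firewall cmdlets it uses exist on Windows 8 / Server 2012 and later, so for the Windows 7 / Server 2008 systems the post says were affected it falls back to the documented registry value and to netsh. The firewall rule names are placeholders chosen here.

```powershell
# Added example: verify patch state, turn off SMBv1 and block the SMB/RPC ports
# named in the post (135, 445). Run as Administrator.
# Before blocking 445, confirm the host does not need to serve SMB (file
# servers and domain controllers do); the rules below are for workstations.

# --- Step 1 check: when were updates last installed? ---
# A host whose newest hotfix predates the outbreak (May 12, 2017) needs patching.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, InstalledOn -First 5

# --- Step 4, current Windows (8 / Server 2012 and later) ---
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Report the current state first, so the change is auditable.
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 server enabled before change: $before"

    # Disable the SMBv1 server and remove the optional feature entirely.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

    # Block inbound TCP 445 (SMB) and 135 (RPC endpoint mapper).
    # Rule names are placeholders; pick names that fit your own policy.
    New-NetFirewallRule -DisplayName "Example: block inbound TCP 445 (SMB)" `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
    New-NetFirewallRule -DisplayName "Example: block inbound TCP 135 (RPC)" `
        -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block

    Write-Output "SMBv1 server enabled after change:  $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
}
else {
    # --- Step 4, Windows 7 / Server 2008 R2 fallback (reboot required) ---
    # SMBv1 is controlled by the LanmanServer "SMB1" registry value on these systems.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
        -Name SMB1 -Type DWORD -Value 0 -Force

    # Firewall rules via netsh, which is available on these older systems.
    netsh advfirewall firewall add rule name="Example: block inbound TCP 445 (SMB)" dir=in action=block protocol=TCP localport=445
    netsh advfirewall firewall add rule name="Example: block inbound TCP 135 (RPC)" dir=in action=block protocol=TCP localport=135

    Write-Output "SMB1 registry value set to 0; reboot to apply."
}
```

The script prints the SMBv1 state before and after the change so the result can be recorded in a change ticket. The feature removal and the registry path both require a reboot to take full effect, and the port blocks should be applied at the network perimeter as well as on each host, since the worm spreads between machines on the same network.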

References:
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
http://stackoverflow.com/a/43952061/5447994
