WannaCry: Latest Ransomware What is it and How to be safe

June 22, 2017
admin
What is Ransomware?

From the name itself it is clear that ransomware has something to do with ransom. Demanding a ransom means holding a person or thing hostage and asking for money in exchange for its release, and it is a familiar criminal business model because it is a fast way to make money. Ransomware is the electronic version of the same thing: a piece of malware (“bad software”) that locks a system or its files, after which the owner is asked to pay for the key that unlocks them.

There are two common scenarios. In the first, the operating system itself is locked and you cannot log in; the files on disk are usually untouched and can still be read by booting another operating system from a bootable flash drive or by attaching the drive to another machine. The second is the worst case: every file on the system is encrypted with a strong encryption algorithm, and you are asked to pay for the decryption key. Without that key, or a backup made before the infection, the data is not recoverable.

[Image: Ransomware attack]
What is WannaCry?

WannaCry is the worst-case scenario described above. Wanna Decryptor, also known as WannaCry or wcry, is a ransomware program that encrypts the user's files and leaves behind only two readable items: instructions on what to do next and the Wanna Decryptor program itself. When the program is opened it tells the user that their files have been encrypted and starts a countdown: the demanded amount doubles after three days, and the note threatens that the files will be deleted after seven. It demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to.

Background of WannaCry

Earlier versions of WannaCry have been linked to the Lazarus group: tools used by Lazarus were found on machines carrying those earlier samples, which did not yet have the ability to spread over SMB. Google's Neel Mehta tweeted that there is shared code between known Lazarus tools and the WannaCry ransomware. WannaCry is a ransomware worm that targets computers running Microsoft Windows. It first uses the EternalBlue exploit to get into a computer, taking advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, and then installs DoublePulsar, a backdoor implant, which transfers and runs the WannaCry ransomware package.

How does it propagate?

The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from the Equation Group, which is widely believed to be part of the United States National Security Agency. EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, specifically SMBv1. This Windows vulnerability was not a zero-day flaw: Microsoft had released a “critical” advisory (MS17-010) together with a security patch two months before the outbreak, on 14 March 2017. The patch fixed the SMB implementation in several versions of Windows, including Windows Vista, Windows 7, Windows 8.1 and Windows 10, as well as server and embedded versions such as Windows Server 2008 onwards and Windows Embedded POSReady 2009, but not the older unsupported Windows XP, Windows Server 2003 and Windows 8 (unsupported because Windows 8.1 is classified as a mandatory service pack upgrade). The day after the WannaCry outbreak of 12 May 2017, Microsoft released updates for these too.


Can’t they be traced when I pay them?

The short answer is: not easily. They use Bitcoin for the payment. Bitcoin is a digital currency created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middlemen, meaning no banks; the only fees are the small ones paid to the miners who confirm transactions, and there is no need to give your real name. More merchants are beginning to accept it: you can buy web-hosting services, pizza or even manicures. Every Bitcoin transaction is recorded in a public log, but the names of buyers and sellers are never revealed, only their wallet addresses. That keeps users' transactions pseudonymous: investigators can follow the coins from one address to another on the public ledger, but tying an address to a real person usually only happens when the coins are cashed out through an exchange. This is why Bitcoin has become the currency of choice for buying drugs and other illicit activities online, and why the ransomware creators chose it.

What happens when I get infected?

When a machine is hit, two new files appear alongside the encrypted data: the Wanna Decryptor program and a .txt file containing the instructions. The screenshots are as follows:

[Screenshot: Ransomware (the Wanna Decryptor window)]

And the .txt file containing the instructions:

[Screenshot: WannaCry instructions .txt file]

How can I be safe?

Update Windows Immediately

If you're using one of the newer versions of Windows listed above (10/8.1/7, etc.) and you've kept your PC up to date with automatic updates, you should have received the fix (MS17-010) back in March. You can confirm this in Windows Update history.

Turn Windows update on if it’s disabled

It's not uncommon for people to disable Microsoft's automatic updates, especially because earlier iterations had a tendency to auto-install even if you were in the middle of work. Microsoft has largely fixed that issue with the current version of Windows 10 (the recent Creators Update). If you have disabled automatic updates, go back into Windows Update (Settings > Update & Security on Windows 10, Control Panel > Windows Update on 7 and 8.1), turn them back on and leave them on.

Install a dedicated Ransomware blocker

Install a dedicated anti-ransomware utility as a second layer of defence (it is not a substitute for patching). Two free options: Cybereason RansomFree and Malwarebytes Anti-Ransomware.

Block port 445 for extra safety

MalwareTech, the security researcher who on Friday 12 May briefly slowed the worldwide spread of WannaCry, posted to Twitter that blocking inbound TCP port 445 (the SMB port) at the firewall helps if you haven't patched your OS yet. Since EternalBlue only works against SMBv1, disabling SMBv1 is the better long-term measure once you have confirmed nothing on your network still needs it.
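The following is an added example, not code from the original article or from Microsoft or MalwareTech, that turns the four steps above into a single check for one Windows host. It assumes an elevated Windows PowerShell 5.1 session on Windows 7 or later. The function names are my own, and the list of MS17-010 KB numbers is an assumption you should verify against Microsoft's MS17-010 bulletin for your exact OS build before trusting a "not found" result.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Checks whether an MS17-010
# package is installed, whether SMBv1 (the protocol EternalBlue attacks) is
# still enabled, and whether inbound TCP 445 is already blocked by the host
# firewall; Add-Smb445BlockRule adds the stop-gap rule the article describes.
#
# Assumption: these are the MS17-010 packages Microsoft published in March and
# May 2017 for common builds. Verify against the bulletin for your OS version.
$Ms17010Kbs = @(
    'KB4012598'                            # Vista, Server 2008; May 2017 XP/2003/8 packages
    'KB4012212', 'KB4012215'               # Windows 7, Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217'               # Server 2012
    'KB4012213', 'KB4012216'               # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Package {
    # True when one of the known MS17-010 packages shows up in Get-HotFix.
    # On Windows 10 a later cumulative update supersedes the March package and
    # can hide it from this list, so the newest security update is reported too.
    $hotfixes = Get-HotFix
    [pscustomobject]@{
        Ms17010PackageFound  = [bool]($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
        NewestSecurityUpdate = ($hotfixes | Where-Object { $_.Description -match 'Security' } |
                                Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare
    # module; Windows 7 only has the registry value (absent means SMBv1 is on).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Test-Port445Blocked {
    # Looks for an enabled inbound block rule covering TCP 445 (NetSecurity
    # module, Windows 8 / Server 2012 and later); $null means "cannot tell".
    if (-not (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue)) { return $null }
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $f = $r | Get-NetFirewallPortFilter
        if ($f.Protocol -eq 'TCP' -and ($f.LocalPort -eq 'Any' -or $f.LocalPort -contains '445')) {
            return $true
        }
    }
    return $false
}

function Add-Smb445BlockRule {
    # Refuse inbound SMB until the patch is on. This also stops other machines
    # reaching shares on this host, so think twice before running it on a file server.
    $rule = @{
        DisplayName = 'Block inbound SMB TCP 445 (WannaCry mitigation)'
        Direction   = 'Inbound'; Protocol = 'TCP'; LocalPort = 445
        Action      = 'Block';   Profile  = 'Any'
    }
    New-NetFirewallRule @rule | Out-Null
}

# Report, then add the temporary block only if the host is unpatched and unprotected.
$patch = Test-Ms17010Package
$smb1  = Test-Smb1Enabled
$blk   = Test-Port445Blocked
"MS17-010 package found  : $($patch.Ms17010PackageFound) (newest security update: $($patch.NewestSecurityUpdate))"
"SMBv1 enabled           : $smb1"
"Inbound TCP 445 blocked : $(if ($null -eq $blk) { 'unknown (no NetSecurity module)' } else { $blk })"
if (-not $patch.Ms17010PackageFound -and $blk -eq $false) {
    Add-Smb445BlockRule
    "Added a temporary inbound block for TCP 445; install the patch and re-run this check."
}
```

Run it as Administrator. A "False" for the package together with a recent NewestSecurityUpdate on Windows 10 is not proof of exposure, because cumulative updates replace the original package; check that update's supersedence chain in the Update Catalog. Blocking 445 is a stop-gap only: the worm spreads host to host inside a network, so every unpatched machine behind the perimeter needs either the patch or this rule.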

Contributor: Alvi Mahadi, Nascenia
