WannaCry Ransomware Attack: Everything you need to know!

On Friday, 12 May 2017, a large cyber-attack was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. It was described as unprecedented in scale. The worst-hit countries are reported to be Russia, Ukraine, India and Taiwan, but parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx and Deutsche Bahn were also hit.

The bitcoin wallets tied to WannaCry ransomware have received around 50.34620429 BTC ($110,806.27).


What is the WannaCry Ransomware?

Ransomware is cryptoviral extortion: malware that encrypts the victim’s files and demands payment in exchange for the key needed to decrypt them.

WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, it claims the encrypted files will be deleted. However, nobody has found any code within the ransomware which would cause files to be deleted.

What can I do if I’m infected by WannaCry?

Unfortunately, there’s not a lot you can do. Your files will have been strongly encrypted, and you won’t be able to crack the code.

Symantec says that the ransomware deletes most of the user’s files after it encrypts copies of them, which means that some files might be recoverable using a common undelete tool. But the Symantec blog posting also notes that original files on the user’s Desktop or My Documents folders, as well as on any removable drives, would be fully overwritten instead of deleted, and hence unrecoverable.

“Kill switch”
On 19 May it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed attack on WannaCry’s kill-switch domain with the intention of knocking it offline. On 22 May @MalwareTechBlog protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.

“WanaKiwi Decryption Tool”
On 18 May, Matthieu Suiche developed a decryption tool for WannaCry-infected machines. Although the success rate for this tool is low, some people have decrypted their machines using WanaKiwi. Link for the tool: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

How can users save themselves from WannaCry?

WannaCry attacks are initiated using an SMBv1 remote code execution vulnerability in the Microsoft Windows OS. Microsoft patched the vulnerability on March 14, 2017; the EternalBlue exploit that targets it was made publicly available through the “Shadow Brokers dump” on April 14th, 2017. However, many companies and public organizations have not yet installed the patch on their systems. The Microsoft patches for legacy versions of Windows were released last week, after the attack.

  1. Make sure that all hosts have enabled endpoint anti-malware solutions.
  2. Install the official Windows patch (MS17-010) https://technet.microsoft.com/en-us/library/security/ms17-010.aspx, which closes the SMB Server vulnerability used in this ransomware attack.
  3. Scan all systems. After detecting the malware attack as MEM: Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.
  4. Backup all important data to an external hard drive or cloud storage service.
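The following PowerShell audit is an added example, not code from the original post: it checks a single Windows host for the two controls in steps 2 and 3 above, whether SMBv1 is still enabled and whether an MS17-010 update is installed, and can optionally disable SMBv1. It assumes Windows 8.1 / Server 2012 R2 or later run from an elevated prompt, and the `$Ms17010Kbs` list is a placeholder you must fill from the MS17-010 bulletin linked above for your exact Windows build.

```powershell
# Added example (not from the original post): audit one host for SMBv1 exposure
# and for the MS17-010 patch, the two controls recommended in the list above.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, elevated PowerShell.
# $Ms17010Kbs is a PLACEHOLDER: take the KB numbers for your build from the
# MS17-010 bulletin, because later cumulative updates supersede the originals
# and Get-HotFix only reports the KB IDs actually present on the machine.
param(
    [string[]]$Ms17010Kbs = @('KB-FROM-MS17-010-BULLETIN'),
    [switch]$Remediate
)

function Get-Smb1Status {
    # Server-side SMBv1 switch plus the optional feature that ships the protocol.
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnabled    = [bool]$cfg.EnableSMB1Protocol
        FeatureInstalled = [bool]($feature -and $feature.State -eq 'Enabled')
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Get-Smb1Status
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

Write-Host ("SMBv1 server enabled  : {0}" -f $smb1.ServerEnabled)
Write-Host ("SMBv1 feature present : {0}" -f $smb1.FeatureInstalled)
Write-Host ("MS17-010 KB installed : {0}" -f $patched)

if ($Remediate) {
    # Disabling SMBv1 removes the protocol the worm spreads over. The patch is
    # still required: it fixes the flaw itself, which matters wherever SMBv1
    # has to stay on for legacy devices.
    if ($smb1.ServerEnabled)    { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    if ($smb1.FeatureInstalled) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart }
}
if (-not $patched) {
    Write-Warning 'No MS17-010 KB from the supplied list is installed; patch before exposing TCP 445.'
}
```

Run it without `-Remediate` first to see the host's state; the feature removal takes effect after a reboot.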

Impact on India

India was indeed one of the countries affected by the WannaCry malware attacks. Closer home, police computers across 18 Indian units in Andhra Pradesh’s Chittoor, Krishna, Guntur, Visakhapatnam, and Srikakulam districts were affected. Gulshan Rai, Chief of Cybersecurity, said to India Today, “There are about 100 systems attacked in India and as of now there are no more threats. We understand systems in Andhra Pradesh are impacted, but so far our assessment is that there isn’t much impact.”

On 15 May 2017 the Indian Computer Emergency Response Team (CERT-In) published a list of dos and don’ts and a webcast on how to protect networks from the global ransomware attack. Link for the webcast: http://webcast.gov.in/cert-in/
On May 16 and 17, Maharashtra Cyber issued a helpline number for all people, organizations, and institutions to call in case they have been infected, or if they want information on how to prevent a ransomware infection.

Mr. Brijesh Singh, Special Inspector General (Cyber Crime), Maharashtra guided people on prevention and remediation through a video message. Link: https://www.youtube.com/watch?v=YFz4I1lJfGc

Who is behind the attack?

Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. The U.S. government, among others, has blamed North Korea for the attack.

Is WannaCry coming back?

It almost certainly will. Several new variants and copycats have already been spotted. One used a different web address as a kill switch, and was quickly shut down; another had no kill switch, but had a faulty payload that failed to encrypt any files. But other variants will not repeat those mistakes.
The most important thing you can do is install the system updates marked as important in Windows Update.
