Wannacry Ransomware

WHAT IS WANNACRY RANSOMWARE

WannaCry is a so-called encryption-based ransomware, also known as Wanna Decryptor or WCRY. It encrypts the user's files using the AES and RSA encryption ciphers, meaning that only the attackers, who hold the matching private key, can decrypt the files with a unique decryption key. WannaCry changes the computer's wallpaper to a message asking the victim to download the Wanna Decryptor tool from Dropbox, and then demands hundreds of dollars' worth of bitcoin for it to work. WannaCry creates encrypted copies of specific file types before deleting the originals, leaving the victim with encrypted copies that cannot be accessed without the decryption key. WannaCry additionally increases the ransom amount, and threatens loss of the data, at a predetermined time, creating a sense of urgency and greatly improving the chances that victims will pay.
(AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key, which is kept secret.)
(BITCOIN: Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system.)
Starting from around 2012, the use of ransomware scams has grown internationally. In June 2013, security software vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US $3 million before it was taken down by authorities, and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.

Screen displaying WannaCry ransomware.

Root Cause
WannaCry ransomware was spread via a flaw in Microsoft's SMB (Server Message Block) protocol. SMB is used to share files between computers, typically on closed networks, but it can be exploited if one computer is connected to a public network. Malwarebytes has a detailed technical analysis of how the WannaCry ransomware typically spreads.
Ransomware can be easily bought on the dark net, which makes these kinds of attacks common: according to security firm Malwarebytes, 40 per cent of companies worldwide had been targeted by it as of August 2016.
When ransomware is involved, Cristal said, “managing the human factor is key to overcoming a cyber crisis.”
“[Hackers] are serious, professional people with a criminal code of ethics”. This means negotiations are key to getting files back. “60 per cent of negotiation failures can be attributed to the gap between the negotiator and the decision maker,” continued Cristal.
“This software has only been tested and known to work under Windows XP. In order to work, your computer must not have been rebooted after being infected,” Guinet writes alongside the software.

Spread Of The Malware

Despite its immense spread, the rate of new attacks has slowed. Within the malware's code is a long URL that effectively acts as a 'kill switch'. Security researcher Marcus Hutchins, who posts on Twitter as @malwaretechblog, discovered the domain name when inspecting the malware's code and registered it.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTechBlog (@MalwareTechBlog) May 13, 2017

What happened because of this virus?

While registering the domain name came too late for those already infected with the malware, the activation of the kill switch helped to slow its spread. There is, however, the possibility that different variants of the malware (with different kill switches) exist or could be developed by attackers. During its execution, the malicious code would look up the domain name and only continue to work if it was not live; once the domain name was live and Wanna Decryptor detected it, it would stop spreading. The researcher behind the discovery said he was not certain at the time that buying the domain name would slow the spread.

Microsoft's Response

Following the global attack, Microsoft took the unusual step of issuing a fix for versions of Windows it had previously “retired”, i.e. those no longer supported by the company. This included Windows XP. Windows XP is still in use on PCs, including many used by the NHS, leaving those users exposed. Anyone using Windows XP should update their system to the latest version as soon as possible.
Despite Microsoft's XP patch for WannaCry, subsequent research has indicated that the outdated system may not have been badly affected. Security companies Kaspersky and BitSight both say Windows 7 was hit hardest by the ransomware: Kaspersky said it saw around 97 per cent of infections on Windows 7 and BitSight said it saw 67 per cent of infections on Windows 7. The number of XP machines hit was said to be “insignificant”.

Protection against Ransomware

The safest way to protect yourself is to avoid clicking links from unknown sources. Security experts have strongly recommended all Windows users fully update their system with the latest available patches.
“It is critical you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability,” added Malwarebytes. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks.
Additionally, any systems affected by this attack will have the DOUBLEPULSAR backdoor installed, and this will need to be removed. Certain anti-virus products, including Malwarebytes, protect against this backdoor, but a script is also available that can remotely detect and remove it.
It is also possible to disable the SMBv1 file-sharing protocol, which the worm component of the malware used to spread across networks.
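As an added example (not code from the original article or from Malwarebytes), the following PowerShell script checks a host for the MS17-010 update and for SMBv1, and disables SMBv1 where it is still on. It assumes an elevated session on Windows 7 / 2008 R2 or later; the KB numbers are the Windows 7 / 2008 R2 and out-of-band XP/2003 packages for that bulletin, and the function names are my own.

```powershell
# Added example, not code from the original post: audit one Windows host for the two
# exposure points above (the MS17-010 patch and SMBv1) and disable SMBv1 if it is on.
# Assumptions: elevated PowerShell on Windows 7 / 2008 R2 or later; the KB list covers
# only Windows 7 / 2008 R2 (KB4012212, KB4012215) and the out-of-band XP/2003/Vista/8
# package (KB4012598) and must be extended from the MS17-010 bulletin for other versions.
#Requires -RunAsAdministrator

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Patched {
    # Either the security-only update or the monthly rollup closes the SMBv1 hole.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Windows 8 / 2012 and later expose the setting through the SMB cmdlets; Windows 7 /
    # 2008 R2 only have the LanmanServer registry value (absent means SMBv1 is enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    # Server side: stop offering SMBv1; client side: stop the SMBv1 redirector (mrxsmb10).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # The client-side change only takes effect after a reboot.
}

if (-not (Test-Ms17010Patched)) {
    Write-Warning 'MS17-010 not found: install the update or remove this host from the network.'
}
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it (reboot required).'
    Disable-Smb1
}
```

A host that reports the patch missing should be treated as the article recommends: patched or taken off the network, since disabling SMBv1 alone does not remove an already-installed backdoor.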

Impact of Ransomware in India

The government said there was no serious impact in the country due to a global ransomware cyber attack, except for a few isolated incidents in Kerala and Andhra Pradesh.
IT Minister Ravi Shankar Prasad said the systems run by the National Informatics Centre were secured and running smoothly. “There is no major impact in India unlike other countries. We are keeping a close watch. As per the information received so far, there have been isolated incidents in limited areas in Kerala and Andhra Pradesh,” Prasad told reporters here. Ransomware is malicious software that blocks access to data unless a ransom is paid.
