
A Complete Look Back at the Historic WannaCry Ransomware Cyber Attack

WannaCry (also WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor) is a family of malware, known as ransomware, that targets Microsoft Windows operating systems through an SMB exploit leaked by the Shadow Brokers; it encrypts data and demands ransom payments in the cryptocurrency Bitcoin.

This ransomware spreads by means of spam messages and malicious content designed to lock the files on a PC until the victim pays the ransom demand, usually $300-$500 in Bitcoin.

The attack started on 12 May 2017 and infected more than 300,000 computers in over 150 countries, making it one of the biggest ransomware cyber attacks the world has ever faced.

Russia, Ukraine, India and Taiwan were the countries hit hardest by the WannaCry ransomware.

How WannaCry infects your machine:

WannaCry's infection medium was spam and phishing emails carrying an embedded link that lured victims into clicking it; the infection then checks whether the Microsoft Windows machine is unpatched (Microsoft had already released a patch for the SMB flaw).

Once installed, WannaCry uses the DoublePulsar backdoor, developed by the U.S. National Security Agency, to spread through local networks and to remote hosts, looking for unpatched Microsoft operating systems.

The ransomware perpetrators used publicly available exploit code for the already-patched SMB “EternalBlue” vulnerability, CVE-2017-0145.

According to Microsoft, the exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack.

Once it has successfully entered the victim's machine, it starts searching for files with the following extensions:

.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.

After finding all files of these formats, it renames each one by appending a new extension: if the file is “example.png”, it is renamed to “example.png.WNCRY”.

WannaCry also generates a file called @[email protected] in each and every folder that contains encrypted files. This file holds the ransom message, which is also shown in the replaced wallpaper image on the desktop.

After this, the executable runs and displays a ransom note indicating a $300 ransom in Bitcoin, along with a countdown timer.

When you click the Check Payment button, the ransomware connects back to its TOR C2 servers to check whether a payment has been made. If a payment was made, the ransomware will automatically decrypt your files.

If the payment has not been made, it replies with a message such as “You didn't pay or we did not confirm your account.”
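The renaming behaviour described above leaves a simple, reliable artifact on disk: every encrypted file keeps its original name and gains a .WNCRY suffix. The following PowerShell triage script is an added example written for this article, not code from the original page or from any analysis of the malware; it assumes only the .WNCRY suffix stated above, and the sample directory and file names it creates are constructed for the demonstration.

```powershell
# Added example: triage a directory tree for WannaCry-style renamed files.
# Assumes the ".WNCRY" suffix described in the article; the sample tree
# built below in a temp folder is constructed for demonstration only.
function Find-WncryArtifacts {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # "report.docx.WNCRY" -> original name "report.docx", original extension ".docx"
            $originalName = $_.Name -replace '\.WNCRY$', ''
            [pscustomobject]@{
                EncryptedFile     = $_.FullName
                OriginalExtension = [System.IO.Path]::GetExtension($originalName).ToLower()
                Folder            = $_.DirectoryName
                LastWrite         = $_.LastWriteTime   # useful for building an encryption timeline
            }
        }
}

# Constructed sample tree: two "encrypted" files and one untouched file
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ('wncry-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $sample 'Documents') -Force | Out-Null
'report.docx.WNCRY', 'budget.xlsx.WNCRY', 'notes.txt' | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $sample "Documents\$_") -Force | Out-Null
}

$hits = @(Find-WncryArtifacts -Path $sample)
$hits | Format-Table EncryptedFile, OriginalExtension -AutoSize

# Summary: which original file types were hit, and how many folders are affected
$hits | Group-Object OriginalExtension | Select-Object Name, Count
"Folders containing encrypted files: " + @($hits.Folder | Sort-Object -Unique).Count

Remove-Item -Path $sample -Recurse -Force
```

On the constructed tree the scan reports two hits (.docx and .xlsx) in one folder and ignores notes.txt. Point the function at a real share or user profile to scope an incident; the LastWrite column, sorted, gives a rough timeline of when encryption ran.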

Infected Companies and Countries

The WannaCry ransomware outbreak spread across many countries around the world; Russia, Ukraine, India and Taiwan were the countries hit hardest.

Victims included the Russian Interior Ministry, Chinese universities, Hungarian telcos, FedEx branches, hospitals across England and the Spanish telecommunications company Telefónica.

Telefónica IT staff desperately told employees to shut down computers and VPN connections in order to limit the ransomware's reach.

Hospitals and doctors' surgeries in England were forced to turn away patients and cancel appointments after the ransomware attack crippled some computer systems in the state-run health service.

Kaspersky Lab has uncovered new evidence linking the WannaCry ransomware code to North Korea.

Renault's partner company Nissan was also affected: a UK representative confirmed that systems at its Sunderland plant were hit on Friday night, but would not confirm reports that production had been halted.

  • Andhra Pradesh Police
  • Automobile Dacia
  • Chinese public security bureau
  • Ministry of Internal Affairs of the Russian Federation
  • NHS Scotland
  • Universitas Jember
  • PetroChina
  • Vivo
  • Government of Gujarat
  • LATAM Airlines Group
  • Cambrian College
  • MegaFon
  • Russian Railways
  • Hitachi
  • Government of West Bengal
  • Timrå kommun
  • Nissan Motor Manufacturing UK
  • Colombia’s Instituto Nacional de Salud
  • Faculty Hospital, Nitra
  • University of Milano-Bicocca
  • Sandvik
  • National Health Service (England)
  • Sberbank
  • Ministry of Foreign Affairs (Romania)
  • Dharmais Hospital
  • FedEx

RBI (India) asks all banks to update their ATMs

“The Reserve Bank of India has asked banks to update specific Windows patches on ATMs urgently and not to operate ATM machines unless updates are in place,” TOI quoted an official with a public sector bank as saying.

ATMs are highly valuable assets and are vulnerable to malware infection because of a lack of updates.

Many ATMs run old versions of Windows, which urgently need updating in this situation.

There are a total of 2.25 lakh (225,000) ATMs in the country, of which 60 per cent run on the outdated Windows XP, the report said. Microsoft, the maker of Windows, has said that it has released a special update for the software.

RBI therefore instructed all banks to immediately update the OS on every ATM across India that runs an unpatched operating system, and strictly advised them not to operate those machines before the update.

Comodo Firewall 10 protects your system from WannaCry ransomware:

In this case, Comodo was one step ahead in preventing such a sophisticated cyber attack. Comodo CEO Melih Abdulhayoğlu explains in his blog post:

Before WannaCry can infect your system, Comodo Firewall 10 has already created a virtual hard drive, a virtual registry and virtual COM interfaces (a fake hard drive), all set up before WannaCry enters the victim's machine.

Comodo Firewall 10's technology creates:
-a virtual hard drive
-a virtual registry
-virtual COM interfaces

So what happens next: WannaCry starts writing to the virtual hard drive and, obviously, has no idea that the files it is encrypting are not the real ones.

Only the virtual hard disk, which holds no important files, is affected; the victim's real files are all successfully protected by Comodo Firewall 10.

Initially, MalwareTech halts the ransomware attack and issues a warning

The security researcher known as MalwareTech (a pseudonym), who halted the global spread of the unprecedented ransomware attack by registering a garbled domain name hidden in the malware, has warned, together with Darien Huss of security firm Proofpoint, that the attack could be rebooted.

What the researcher did was spend around £10 to register a domain he found in the ransomware's code. The virulent, self-spreading Wana Decrypt0r was making a pre-infection check to a domain located at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.

By registering this domain, MalwareTech had accidentally triggered a worldwide kill-switch for the ransomware’s self-spreading feature.

This does not mean that the WannaCry infection is over, but this specific version of WannaCry has been stopped.
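Because every copy of this WannaCry variant looks up the kill-switch domain before it encrypts, a DNS query for that name from an internal host is a strong indicator that the malware has already executed there, whether or not encryption followed. The script below is an added example written for this article (not from the original page or from MalwareTech); it assumes a simple, constructed resolver log format of timestamp, client IP, record type and query name, one query per line, and the log lines themselves are made up for the demonstration.

```powershell
# Added example: find internal hosts that queried the WannaCry kill-switch domain.
# The log format (timestamp client-ip type qname) and the lines are constructed;
# adapt the regex to your own resolver's export format.
$killSwitch = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

$sampleLog = @'
2017-05-12T14:01:03Z 10.0.5.17 A update.example-corp.local
2017-05-12T14:01:09Z 10.0.5.42 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T14:01:11Z 10.0.5.42 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T14:02:30Z 10.0.7.3 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T14:03:00Z 10.0.5.17 A www.example.com
'@ -split "`r?`n"

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)
    # Named groups keep the parsing readable; qname comparison is case-insensitive
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+\S+\s+(?<qname>\S+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.qname -ieq $Domain) {
            [pscustomobject]@{ Client = $Matches.client; Seen = $Matches.ts }
        }
    }
}

# One row per suspect host: how many lookups, and when it first tried
Find-KillSwitchLookups -Lines $sampleLog -Domain $killSwitch |
    Group-Object Client |
    ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Seen | Select-Object -First 1).Seen
        }
    } | Format-Table -AutoSize
```

On the constructed log this flags 10.0.5.42 (two lookups) and 10.0.7.3 (one lookup) and ignores the unrelated queries. Each flagged host should be isolated and triaged as an infected machine. One caveat when acting on this: the kill-switch only works if the malware can actually reach the registered domain, so blocking that name at the resolver or firewall removes the protection rather than adding to it.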

WannaCry Ransomware Technical Analysis:

Here you can see the process tree of a Wcry infection.

WannaCry safety guidelines from Microsoft:

These are the guidelines for staying safe from WannaCry.

  • Be careful not to click on harmful links in your emails.
  • Be wary of visiting unsafe or unreliable sites.
  • Never click on a link you do not trust on a web page, on Facebook or in messaging applications such as WhatsApp and others.
  • If you receive a message from a friend containing a link, ask them to confirm it before opening the link (infected machines send random messages with links).
  • Keep your files backed up regularly and periodically.
  • Be aware of fraudulent e-mail messages that use names similar to popular services, such as PayePal instead of PayPal, or that use popular service names with punctuation or extra characters added.
  • Use anti-virus software and always keep it updated.
  • Make sure your Windows has the latest updates installed to close the gap.

If you have not updated Windows, please follow this manual method to turn off SMBv1.

Control Panel -> Programs -> Programs and Features.

(Credit: Microsoft)

Uncheck the box for SMB 1.0/CIFS File Sharing Support.

Once you have done this, restart your computer. Your computer is then protected, and WannaCry cannot exploit it once SMBv1 is turned off.
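The Control Panel steps above can be scripted for machines that are managed remotely or in bulk. The following is an added example written for this article, not code from Microsoft's guidance or from the original page; it assumes an elevated PowerShell prompt and uses the standard Windows cmdlets and the LanmanServer registry value that control SMBv1, with a fallback for Windows 7 and Server 2008 R2, where the optional-feature cmdlets do not exist.

```powershell
# Added example: check and disable SMBv1 from an elevated PowerShell prompt.
# This is the scripted equivalent of unchecking "SMB 1.0/CIFS File Sharing
# Support" in Programs and Features. Run as Administrator.

# 1. Show the current state of the SMB1 optional feature (Windows 8.1 / Server 2012 R2 and later)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
    Select-Object FeatureName, State

# 2. Remove the optional feature (same effect as the Control Panel checkbox)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue

# 3. Turn off the SMB1 server protocol. On Windows 7 / Server 2008 R2 the Smb cmdlets
#    are absent, so set the LanmanServer registry value instead.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
}

# 4. Verify (expect False), then reboot as the article instructs
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}
Restart-Computer -Confirm
```

Disabling SMBv1 closes the protocol the exploit abuses but is not a substitute for installing the MS17-010 patch, so both should be done. Note that devices which only speak SMBv1 (older NAS boxes, printers and scanners) will stop being reachable from a machine where it is turned off.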

WannaCry outbreak cost

According to some experts' analysis, as of yesterday (16-05-2017) the WannaCry ransomware had potentially infected victims and caused damage estimated at around $1 billion.

However, as of Sunday evening, close to $33,000 had been paid to the hackers in Bitcoin by victims trying to unlock their systems.
