On 12 May 2017, WannaCry hit networks around the globe. It is one of the fastest-spreading ransomware outbreaks on record: around 99,000 systems were reported infected within three days of its first appearance, and the count kept climbing afterwards. It was first widely reported in the UK's NHS, then at railway operators and then worldwide, encrypting thousands of PCs within hours.
What Is WannaCry ransomware?
WannaCry, also seen under the names WannaCrypt, WanaCrypt0r and WannaDecryptor, is ransomware. Ransomware is software designed to encrypt the data on a computer, every important file on the machine, and then demand money for the means to undo it. WannaCry uses the usual hybrid scheme: each file is encrypted with a symmetric cipher (AES), and the AES key is in turn encrypted with an RSA public key whose matching private key only the attackers hold. If the money is not paid, the files stay encrypted or the attackers may destroy them; if it is paid, the attackers can release the private key that decrypts them. Either way, the machine cannot be used for real work until that unique private key is obtained.
WannaCry works on the same principle; what makes it so destructive is that it spreads through a network like a worm, attacking every vulnerable machine it can reach. The vulnerability it uses is a remote code execution flaw in Windows' SMBv1 implementation (MS17-010, CVE-2017-0144), exploited with EternalBlue, an NSA tool published in the Shadow Brokers leak. Any Windows host exposing SMB that had not installed the March 2017 fix, or was too old to receive it (Windows XP, Server 2003), was at risk. The exploit gives the worm code execution on the target; once inside, it drops the ransomware payload, encrypts the data and scans for further SMB targets.
According to a report on theregister.co.uk, the malware was not delivered through e-mail attachments or spear phishing; the initial infections came through Internet-facing systems whose SMB service was exposed and vulnerable.
WannaCry demands $300 in bitcoin. If the money is not paid within three days the demand rises to $600, and the ransom note threatens to delete the files for good after seven days. The ransom notes point to three hard-coded bitcoin addresses. At the time of writing the attackers have not withdrawn the money: the public bitcoin ledger shows more than $55,000 sitting in those wallets. Samples of WannaCry are publicly available and can be analysed and modified, so more variants may well appear.
Shielding Against WannaCry!
The first WannaCry wave was slowed down accidentally by UK security researcher Marcus Hutchins, who, while analysing the sample, registered an unregistered domain he found in its code. The malware checks whether that domain is reachable before running its payload, so the registration turned the domain into a sinkhole receiving requests from infected PCs worldwide, and new infections that could reach it stopped before encrypting anything. He warned that further versions without this kill switch could follow.
Microsoft had released the SMB fix, MS17-010, in March 2017 for supported Windows versions; the day after the outbreak it also issued an emergency patch for Windows XP, Windows 8 and Server 2003, which were out of support. Patch here. The worm could not reach every system on a network: it only attacks hosts where the vulnerable SMB port (TCP 445) is open and SMBv1 is unpatched. Block that port at the perimeter and between segments that do not need SMB, disable SMBv1 where possible, and apply the patch. Outdated systems are the ones most likely to be hit, so keep your systems updated!
The worm only infects Windows, so Mac and Linux users are not targets of this attack, though a Windows file server they rely on is, and files on its shares can still be encrypted.
Recently a decryption tool for WannaCry, wannakey, was published by researcher Adrien Guinet. Found here. It is not a universal fix, but it did the job on the Windows XP systems it was tested on. The tool relies on a quirk of the Windows CryptoAPI on XP: the prime numbers used to build the RSA private key are not wiped from the ransomware process's memory after the key handle is freed. If the infected machine has not been rebooted and that memory has not been reused, wannakey can search RAM for the primes and rebuild the private key, which then decrypts the files. After a reboot the primes are gone from volatile memory and the tool cannot help. Within that limitation, it is still a very useful tool.
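To make both points concrete, the hybrid AES-plus-RSA scheme described earlier and the reason a memory-recovered pair of primes is enough to undo it, here is a toy model in Python. This is an added example written for this page; it is not code from the article, from WannaCry or from Guinet's wannakey. Its assumptions: a 512-bit RSA key instead of WannaCry's 2048-bit one (for speed), a SHA-256 counter-mode keystream standing in for AES-128-CBC (the Python standard library has no AES), textbook RSA without padding for key wrapping (CryptoAPI uses PKCS#1), and a "memory dump" simulated by simply keeping the two primes around. The sample files are constructed.

```python
import hashlib
import secrets

E = 65537  # public exponent, as in typical CryptoAPI RSA keys


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; good enough for a demo key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % E and is_probable_prime(cand):  # keeps gcd(E, cand-1) == 1
            return cand


def rsa_keygen(bits=512):
    """Victim-specific RSA pair. WannaCry generated a 2048-bit pair per host;
    512 bits is an assumption made here to keep the demo fast."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d, "p": p, "q": q}


def stream_xor(key, data):
    """Stand-in for AES-128-CBC: SHA-256 counter-mode keystream XORed with data.
    The structure (one symmetric key per file) is what matters here, not the primitive."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(pub, plaintext):
    """Fresh per-file symmetric key, wrapped with the victim's RSA public key.
    Textbook RSA (no padding) is used for brevity; it is not safe for real use."""
    file_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(file_key, "big"), pub["e"], pub["n"])
    return wrapped, stream_xor(file_key, plaintext)


def decrypt_file(priv, wrapped, ciphertext):
    file_key = pow(wrapped, priv["d"], priv["n"]).to_bytes(16, "big")
    return stream_xor(file_key, ciphertext)


def recover_private_key(pub, p, q):
    """What a wannakey-style tool does after finding the two primes in process
    memory: confirm they factor the public modulus, then rebuild d."""
    if p * q != pub["n"]:
        raise ValueError("primes do not match the public modulus")
    d = pow(pub["e"], -1, (p - 1) * (q - 1))
    return {"n": pub["n"], "d": d, "p": p, "q": q}


def demo():
    pub, priv = rsa_keygen()
    # Constructed sample "files", not real victim data.
    files = {"report.docx": b"quarterly numbers", "photo.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}
    encrypted = {name: encrypt_file(pub, data) for name, data in files.items()}
    # The attacker keeps priv; the victim only has the primes left over in RAM.
    leaked_p, leaked_q = priv["p"], priv["q"]
    recovered = recover_private_key(pub, leaked_p, leaked_q)
    restored = {name: decrypt_file(recovered, w, c) for name, (w, c) in encrypted.items()}
    return restored == files and recovered["d"] == priv["d"]


if __name__ == "__main__":
    print("recovered key and decrypted all files:", demo())
```

The point the code makes is the one the tool depends on: the public modulus n is useless on its own, but p and q, which the key generator had to hold in memory, let anyone rebuild d with one modular inverse. Once the process memory is reused or the machine reboots, that path is closed, which is why the tool only helps before a restart.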