WannaCry – ransomware virus

WannaCry is a ransomware virus that infected many computers around the world as a result of an attack launched on May 12, 2017. Many well-known companies and ordinary users have suffered from the actions of the Wanna Decryptor ransomware virus.

The ransomware virus is known under the following names: WannaCry (Wanna Cry – “I want to cry”), Wanna Decrypt0r, WCry, Wanna Crypt, Wana Decrypt0r). As a result of the actions of the virus, many files on the computer are encrypted, including system files. After the files are encrypted, the user will see a splash screen informing them that the files on the computer are encrypted and that they are required to pay money to decrypt the data.

The time period for transferring money to hackers is limited, in case of failure to meet the conditions of the ransomware, all encrypted data will be deleted from the computer.

Unlike the behavior of regular ransomware viruses, no user action is required to infect Windows. WCry enters a computer in various ways: locally, as a normal virus (as an attachment in an e-mail, along with another program, etc.), or by spreading on its own over the network.

In addition to antivirus laboratory analysts, individual enthusiasts have joined the fight against dangerous malware.

Thanks to the British researcher MalwareTech, it was possible to temporarily stop the spread of the epidemic. He managed to register the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain in time (the domain name was hardwired into the malware code), which stopped the spread of the Wana Decrypt0r virus.

A programmer from Thailand, Chanwit Keokashi, created the Wanna Cry virus blocker program, which can be downloaded from GitHab at this link.

Quarkslab specialist Adrien Guinet has found a way to decrypt files that only works on Windows XP.

New modified versions of the malware have appeared, created by other hackers who decided to take advantage of the current situation. A mimic of the Adylkuzz virus has appeared, which is much more difficult to detect. The Adylkuzz malware exploits the same vulnerability in Windows OS for mining (earning money using the resources of another computer).

How WannaCry is distributed

In the Windows operating system, there was a vulnerability in the SMB protocol, which was once discovered by the US National Security Agency (NSA). The NSA used the found gap for their own purposes. Microsoft was not aware of this security issue in the Windows operating system.

The Shadow Brokers hacker group was able to steal the EternalBlue and DoublePulsar exploits from the NSA, which were published in the public domain. Based on the stolen exploits, the attackers created a program that exploits this vulnerability in the operating system.

The virus scans computers on the Internet for an open port 445, which is used for file sharing. After infiltrating the computer, the Wanna Decryptor program encrypts the files, replacing the file extensions with “.wncry”. Encryption is carried out using a combination of AES-128 and RSA algorithms, at the moment, decrypting files is difficult.

Then a ransom message is displayed on the monitor screen in the language of the operating system (28 languages ​​are supported in total, including Russian).

For unlocking, the attackers demand a certain amount in bitcoins, in the equivalent of 300-600 dollars. If the funds are not paid within 3 days, the ransom amount is doubled, and after 7 days all encrypted data will be deleted from the computer. The malware executes commands from servers via the anonymous Tor network.

Upon learning of this issue, on March 14, 2017, Microsoft released the MS17-010 patch, which closes the security hole exploited by hackers.

How to protect yourself from Wanna Cry

Protection against the WannaCry virus exists, for this the user needs to perform some actions.

Close port 445 on the computer.

The Wanna Crypt virus uses the open port 445 to spread. Therefore, the first thing to do is to check if this port is closed or not. The easiest way to do this is with an online service, for example, here .

Enter the port number (445) in the verification field. Look at the result of the check (port closed or open).

If the port on the computer is open, run a command prompt as an administrator. In the command line interpreter window, enter the following command:

sc stop lanmanserver

Next, press the “Enter” key.

For Windows 10, enter the command:

sc config lanmanserver start=disabled

For other versions of Windows, enter the command:

sc config lanmanserver start= disabled

Then press “Enter” and then restart your computer.

Install a Windows update that protects against WannaCry.

If automatic installation of updates for the Windows operating system is enabled on the computer, this means that the security update was installed on the computer in a timely manner. If automatic updating is disabled on the computer, download and install the MS17-010 patch yourself, which will prevent the virus from entering the computer.

Go to the official Microsoft website. Download the patch MS17-010 of the Windows version installed on the computer with the appropriate bit depth. Due to the severity of the problem, it released patches for operating systems: Windows XP, Windows Vista, Windows Server 2003, Windows 8, support for which was discontinued at one time.

After you install the security update, restart your computer. Install all the latest security updates.

Check your computer with an antivirus.

Most antiviruses detect the Wanna Ransomware virus in a timely manner. Windows Defender also protects your computer from ransomware. Please note that if you accidentally run the ransomware yourself, the patch will not save your computer from infection. To remove a virus from a computer, an antivirus scan is required.

Routers, with default settings, will prevent the virus from using port 445 on the home computer. Infection is possible through the provider’s local network.

Ways to Avoid Wanna Decrypt0r Infection

Do not disable Windows operating system updates.

Most of the affected computers had pirated versions of Windows on which automatic updates were disabled due to fears that the registration of the operating system would be lost. The vast majority of Windows updates are security updates that fix discovered vulnerabilities in the operating system.

Create backups of your system and important files.

Regularly back up Windows and important data on your computer using a system tool or specialized programs. Store your backups on an external hard drive that is not permanently connected to your computer, or in the cloud.

In case of problems, you can restore the system and user files.

Use a reliable antivirus.

Paid antiviruses usually have more components to protect your computer. Many leading manufacturers have free versions of antiviruses ( Avast Free Antivirus , Kaspersky Free , etc.) that you can use to protect your PC from malware.

Do not open suspicious email messages.

Emails often hide danger (malicious links, infected files and archives, etc.), so take reasonable precautions when working with email.

Article Conclusions

The WannaCry ransomware virus infects computers using a Windows vulnerability. In order to avoid infection, patch MS17-010 must be installed in the operating system.

Leave a Reply

Your email address will not be published.