Photo: blog.kaspersky.de/wannacry-ransomware
WannaCry: Are you secure?

A few days ago an epidemic of the Trojan encryption program WannaCry broke out. It seems that the epidemic is global. We call it an epidemic because of its scale. We counted over 45,000 attacks in just one day. In reality this number is much higher.

What Happened?
Many large organizations reported an infection at the same time. Among them were several British hospitals, which had to suspend their operations. According to data released by third parties, WannaCry has infected more than 100,000 computers. That is why it attracted so much attention.

The largest number of attacks took place in Russia, but Ukraine, India and Taiwan also suffered damage from WannaCry. All in all, we discovered WannaCry in 74 countries. This happened on the first day of the attack.

What is WannaCry?

In general, WannaCry consists of two parts. The first is an exploit whose purpose is to infect and spread. The second is an encryption program that is downloaded to the computer after it has been infected.

This is the main difference between WannaCry and most other encryption programs. To infect a computer with a conventional encryption program, a user must make a mistake, for example by clicking on a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an email message. A system can be infected by WannaCry without the user doing anything.

WannaCry: Exploit and spread
The creators of WannaCry used the Windows exploit “EternalBlue”, which takes advantage of a vulnerability that Microsoft patched in security update MS17-010 of March 14th this year. Using this exploit, the attackers could gain remote access to computers and install the encryption program.

If you have installed the update, the vulnerability no longer exists and attempts to hack the computer remotely through it will fail. However, the researchers at Kaspersky Lab’s GReAT (Global Research & Analysis Team) wish to clarify that patching the vulnerability will not prevent the encryption program itself from working. Therefore, the patch will not help you if you start the encryption program some other way (see the user mistakes described above).

After a computer has been successfully hacked, WannaCry will try to spread itself over the local network to other computers like a worm.

The encryption program scans other computers for the same vulnerability that can be exploited by EternalBlue, and when WannaCry finds a vulnerable machine, it scans and encrypts the files.

It turns out that WannaCry can infect a whole local network by infecting a single computer, and can encrypt all computers on that network. Therefore, larger companies suffered most from the WannaCry attack: the more computers in the network, the greater the damage.
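The worm-like scanning described above shows up in network flow data as one workstation suddenly contacting many internal peers. The following detection sketch is an added example, not code from the original article; the flow records are constructed, and the internal range, time window and threshold are assumptions. Port 445 is used because MS17-010 is a fix for the Windows SMB server; the article itself does not name the port.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed internal range
WINDOW = timedelta(seconds=60)                    # assumed sliding window
MAX_PEERS = 4                                     # assumed alert threshold

def find_scanners(flows, port=445):
    """Return {source: peak distinct internal peers} for sources whose
    fan-out on `port` exceeds MAX_PEERS inside any WINDOW."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) in window
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port or ipaddress.ip_address(dst) not in LOCAL_NET:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW:      # drop connections older than window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) > MAX_PEERS:
            flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

# Constructed sample: (timestamp, source, destination, destination port)
T0 = datetime(2017, 5, 12, 10, 0, 0)
SAMPLE_FLOWS = (
    # one host sweeping eight neighbours in about 20 seconds
    [(T0 + timedelta(seconds=3 * i), "10.0.4.17", f"10.0.4.{i + 1}", 445) for i in range(8)]
    # normal client talking repeatedly to one file server
    + [(T0 + timedelta(seconds=10 * i), "10.0.4.22", "10.0.1.10", 445) for i in range(8)]
    # eight peers, but spread over 35 minutes
    + [(T0 + timedelta(minutes=5 * i), "10.0.4.30", f"10.0.2.{i + 1}", 445) for i in range(8)]
    # fast fan-out on a different port, ignored by this rule
    + [(T0 + timedelta(seconds=i), "10.0.4.40", f"10.0.3.{i + 1}", 443) for i in range(8)]
)

if __name__ == "__main__":
    for host, peers in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host} contacted {peers} internal hosts on 445 within {WINDOW}")
```

Only the sweeping host is reported; the file-server client and the slow, spread-out connections stay below the threshold.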

WannaCry: Encryption program
As an encryption program, WannaCry (sometimes called WCrypt or WannaCry decoder, even though it is logically an encryption program and not a decoder) does the same as other encryption programs: it encrypts files on a computer and demands a ransom to decrypt them. It most closely resembles a variation of the notorious CryptXXX Trojan.

WannaCry encrypts files of various types (the whole list is here), which, of course, includes Office documents, images, videos, archives, and other formats that potentially contain critical user data. The extensions of the encrypted files are changed to .WCRY (the name of the encryption program) and the files become completely inaccessible.

After that, the Trojan changes the desktop background to an image that contains information about the infection and the actions the user is supposed to take to restore the files. WannaCry also leaves text files containing the same information on the computer, to ensure that the user actually receives the message.

As usual, it all comes down to sending a certain amount of bitcoins to the criminals. After that, they supposedly decrypt all files. Initially, the cyber criminals demanded $300, but then they decided to raise the stakes: the latest WannaCry versions demand a ransom of more than 600 US dollars.

The criminals also intimidate users by stating that the ransom will be increased within 3 days, and that it will be impossible to decrypt the files in 7 days. We do not recommend paying the ransom, as no one can guarantee that the criminals will decrypt your files after receiving it. In fact, researchers have shown that other cyber-blackmailers sometimes simply delete user data, which means that there is no physical way to decrypt the files, and the criminals continue to demand the ransom as if nothing had happened.

How domain registration prevents an infection and why the epidemic is probably not over yet

Interestingly, a researcher named MalwareTech managed to prevent infections by registering a domain with a long, nonsensical name.

It turned out that some versions of WannaCry contacted this domain, and if they did not receive a positive response, they installed the encryption program and started their dirty business. If there was a response (i.e., the domain was registered), the malware stopped all its activities.

After finding the reference to this domain in the code of the Trojan, the researcher registered the domain and interrupted the attack.

For the rest of the day, the domain was contacted thousands of times, which means that thousands of computers were saved from infection.

One theory holds that this function was built into WannaCry as a circuit breaker, in case something went wrong. Another theory, put forward by the researcher himself, is that it is a way to make analysis of the malware's behavior more difficult. Research test environments are often deliberately set up so that any domain returns a positive response, and in that case the Trojan does nothing in the test environment.

Unfortunately, for new versions of the Trojan, the attackers only need to change the domain name that acted as the protection switch in order to resume the infection. Therefore, it is very possible that the first day of the WannaCry epidemic will not be the last.
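Because the check described above only runs once the malware is already executing, every machine that looked up the domain is an infected machine, whether or not the switch stopped it. The following triage sketch over resolver logs is an added example, not code from the original article: the log format and lines are constructed, the domain is a placeholder because the article does not name it, and a successful DNS lookup is assumed to stand in for the "positive response".

```python
from collections import defaultdict

# Placeholder only: the article does not give the real domain name.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log: timestamp, client IP, queried name, response code
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 killswitch-placeholder.example NOERROR
2017-05-13T09:14:03Z 10.0.4.22 update.vendor.example NOERROR
2017-05-13T09:15:40Z 10.0.7.5 KILLSWITCH-PLACEHOLDER.EXAMPLE. NXDOMAIN
2017-05-13T09:16:11Z 10.0.4.17 killswitch-placeholder.example NOERROR
malformed line without enough fields
2017-05-13T09:17:29Z 10.0.9.30 killswitch-placeholder.example SERVFAIL
"""

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Split clients that queried the domain by whether every lookup succeeded."""
    wanted = domain.lower().rstrip(".")
    seen = defaultdict(set)                 # client -> response codes observed
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                        # not in the expected log format
        _ts, client, name, rcode = parts
        if name.lower().rstrip(".") == wanted:
            seen[client].add(rcode.upper())
    report = {"ran_and_stopped": [], "ran_unchecked": []}
    for client, rcodes in sorted(seen.items()):
        # A failed lookup means no positive response reached the malware, so
        # by the behaviour described above it went on to install the encryptor.
        if rcodes == {"NOERROR"}:
            report["ran_and_stopped"].append(client)
        else:
            report["ran_unchecked"].append(client)
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("isolate and restore first:", result["ran_unchecked"])
    print("infected, switch held    :", result["ran_and_stopped"])
```

Both lists need cleaning and patching; the second group also shows why a filter that blocks or fails lookups for such a domain removes the protection instead of adding any.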

How to protect yourself against WannaCry
Unfortunately, there is currently nothing you can do to decrypt the files encrypted by WannaCry (but our researchers are working on it). This means that the only way to fight the infection is not to get infected.

Here are a few tips on how to protect yourself from infection and how to minimize the damage.
1. If you have already installed the Kaspersky Lab Security solution on your system, we recommend that you do the following: manually run a scan of critical areas, and if the solution identifies malware as MEM: Win64.EquationDrug.gen (this is how the anti-virus solution detects WannaCry), reboot your system.

2. If you are our customer, leave SystemWatcher switched on; it is essential for fighting new variants of the malware that may still appear.

3. Install software updates. This case urgently calls for all Windows users to install the MS17-010 system security update, especially since Microsoft has released it even for systems that are no longer officially supported, such as Windows XP or Windows 2003. Seriously, install it now. Now it’s really important.

4. Make file backup copies regularly and store these copies on a storage device that is not permanently connected to the computer. If there is a recent backup copy, then the infection with the encryption program is not a disaster, but a loss of several hours spent restoring the system. If you do not want to create the backup yourself, you can take advantage of the backup feature of Kaspersky Total Security, which can automate the process.

Translated from Source