Everything You Need To Know About WannaCry Ransomware - In Technology World



14 May 2017

Everything You Need To Know About WannaCry Ransomware

What is Ransomware?

Ransomware is malicious software that encrypts files on a system and blocks the user's access to them: a cryptoviral extortion attack. The files stay locked until a payment is made, and the system displays a message demanding a certain amount of money to unlock them. WannaCry currently demands $300, paid in bitcoin, and threatens to double the amount if it is not paid. Paying carries no guarantee that the attackers will actually release the key.

It is known to have hit 99 countries and, worst of all, the National Health Service in England and Scotland, where many hospitals were forced to cancel new appointments because patient records were locked.

Where did it come from?

The concept of encrypting a victim's files for ransom, which they named cryptoviral extortion, was introduced by Adam Young and Moti Yung at Columbia University and presented at the 1996 IEEE Security & Privacy conference. Wikipedia describes the attack as follows:
    1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
    2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
    3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker's private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack. - Wikipedia
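The three steps above, as an added example that is not part of the original article and is not WannaCry's own code. It models the protocol in Python with the standard library only: a deliberately small textbook RSA key pair (256-bit primes, no padding, far too weak for real use) stands in for the attacker's asymmetric key, and a keystream derived from HMAC-SHA256 in counter mode stands in for the symmetric cipher. What it shows is the property that makes the scheme work: once the malware discards the symmetric key, all that remains on the victim's machine is the public key and the wrapped key, and neither helps without the attacker's private key.

```python
"""Toy model of the Young-Yung cryptoviral extortion protocol (added example).

Assumptions: textbook RSA over freshly generated 256-bit primes (no OAEP, not
secure, demo only) plays the attacker's key pair; an HMAC-SHA256 counter-mode
keystream plays the symmetric cipher. Standard library only.
"""
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test: trial division by small primes, then `rounds` witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(cand):
            return cand


def attacker_generate_keypair(bits: int = 256):
    """Step 1 (attacker): make (public, private). Only the public half ships in the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; XOR makes encrypt == decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def malware_encrypt(public_key, plaintext: bytes):
    """Step 2 (on the victim): hybrid encryption. Returns (data ciphertext, ransom note).
    The symmetric key is dropped here; that is the whole point of the scheme."""
    n, e = public_key
    sym_key = secrets.token_bytes(32)                       # 256-bit key, always < n
    data_ct = keystream_xor(sym_key, plaintext)
    wrapped = pow(int.from_bytes(sym_key, "big"), e, n)     # asymmetric ciphertext
    note = {"asymmetric_ciphertext": wrapped, "instructions": "send this value with payment"}
    del sym_key   # zeroize in spirit: CPython bytes are immutable, real malware overwrites buffers
    return data_ct, note


def attacker_unwrap(private_key, asymmetric_ciphertext: int) -> bytes:
    """Step 3 (attacker, after payment): recover the symmetric key with the private key."""
    n, d = private_key
    return pow(asymmetric_ciphertext, d, n).to_bytes(32, "big")


def victim_decrypt(sym_key: bytes, data_ct: bytes) -> bytes:
    return keystream_xor(sym_key, data_ct)


def run_protocol(plaintext: bytes) -> dict:
    """Drive all three steps and report whether the victim's data round-trips."""
    pub, priv = attacker_generate_keypair()
    data_ct, note = malware_encrypt(pub, plaintext)
    sym_key = attacker_unwrap(priv, note["asymmetric_ciphertext"])
    return {"ciphertext_differs": data_ct != plaintext,
            "recovered": victim_decrypt(sym_key, data_ct)}


if __name__ == "__main__":
    print(run_protocol(b"patient records (constructed sample data)"))
```

Real ransomware differs in engineering, not in shape: a proper KEM and an AEAD cipher instead of these toys, per-file keys, and the wrapped key written into the ransom note. The unwrap step is the one the victim cannot perform alone, which is exactly why patching and backups matter more than any post-infection cleverness.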

How Does WannaCry Spread?

Researchers have also found a malicious email campaign spreading the malware at a rate of about five infected emails per hour.

WannaCry Ransomware Infected Areas Of Globe

WannaCry spreads using a Windows SMB exploit called EternalBlue, which was stolen from the NSA and leaked by the hacking group Shadow Brokers a month earlier. Microsoft had already released a patch for the underlying vulnerability in March (security bulletin MS17-010), so the organizations being hit are the ones still running unpatched systems.
"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
The Spanish computer emergency response organization (CCN-CERT) warned that the malware spreads easily to other Windows machines on the same network:
"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network."
According to a report by Kaspersky Lab, the ransomware had already hit 45,000 computers in 74 countries. Another report indicates that it infected 85% of the computers at Telefónica, the Spanish telecom firm. Besides that, 16 hospitals in the UK were disrupted when the malware infected their computers and doctors were unable to access patient files.
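Microsoft's remark about "large SMB traffic from the infected host" is the detection handle. Below is an added example, not from the article or from any vendor product, of the triage logic a SOC would run over connection logs: for each source host it counts distinct destinations on TCP 445 inside a sliding one-minute window, and separately lists any SMB connections to addresses outside the internal ranges, since a workstation has no business speaking SMB to the internet. The log format and the sample lines are constructed for the example, and the internal ranges are an assumption (RFC 1918) you would replace with your own.

```python
"""Flag hosts whose SMB (TCP 445) fan-out looks like worm scanning (added example).

Assumes a normalised connection log, one event per line, in the constructed format
    <ISO 8601 timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: your internal address space; RFC 1918 is used as the default.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.0.5 sweeps its /24 and reaches out to the internet on 445;
# 10.0.0.9 makes a few ordinary file-share connections plus one HTTPS connection.
SAMPLE_LOG = """\
2017-05-12T10:00:00Z 10.0.0.9 10.0.0.2 445 tcp
2017-05-12T10:00:01Z 10.0.0.5 10.0.0.1 445 tcp
2017-05-12T10:00:01Z 10.0.0.5 10.0.0.2 445 tcp
2017-05-12T10:00:01Z 10.0.0.5 10.0.0.3 445 tcp
2017-05-12T10:00:02Z 10.0.0.5 10.0.0.4 445 tcp
2017-05-12T10:00:02Z 10.0.0.5 10.0.0.6 445 tcp
2017-05-12T10:00:02Z 10.0.0.5 10.0.0.7 445 tcp
2017-05-12T10:00:03Z 10.0.0.5 10.0.0.8 445 tcp
2017-05-12T10:00:03Z 10.0.0.5 10.0.0.10 445 tcp
2017-05-12T10:00:03Z 10.0.0.5 10.0.0.11 445 tcp
2017-05-12T10:00:04Z 10.0.0.5 10.0.0.12 445 tcp
2017-05-12T10:00:04Z 10.0.0.5 203.0.113.7 445 tcp
2017-05-12T10:00:05Z 10.0.0.5 198.51.100.23 445 tcp
2017-05-12T10:00:05Z 10.0.0.5 192.0.2.44 445 tcp
2017-05-12T10:00:06Z 10.0.0.9 10.0.0.2 445 tcp
2017-05-12T10:00:07Z 10.0.0.9 10.0.0.3 445 tcp
2017-05-12T10:00:08Z 10.0.0.9 10.0.0.2 443 tcp
2017-05-12T10:30:00Z 10.0.0.9 10.0.0.4 445 tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), proto))
    return events


def smb_fanout_alerts(events, window=timedelta(seconds=60), min_targets=10, max_external=0):
    """Return {src: summary} for sources with >= min_targets distinct SMB destinations
    inside any `window`, or with more than max_external SMB peers outside INTERNAL_NETS."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in events:
        if proto == "tcp" and port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(conns):
            while conns[start][0] < ts - window:      # slide the window's left edge forward
                start += 1
            peak = max(peak, len({dst for _, dst in conns[start:end + 1]}))
        external = sorted({dst for _, dst in conns if not is_internal(dst)})
        if peak >= min_targets or len(external) > max_external:
            alerts[src] = {"peak_distinct_targets": peak, "external_targets": external}
    return alerts


def run_detection(text: str = SAMPLE_LOG) -> dict:
    return smb_fanout_alerts(parse_log(text))


if __name__ == "__main__":
    for host, info in run_detection().items():
        print(f"ALERT {host}: {info}")
```

The thresholds are assumptions: ten distinct SMB peers per minute is far above what a user's file-share activity produces but would need tuning for domain controllers, scanners and backup servers, which legitimately fan out on 445. The external-target rule needs no tuning; it should fire on the first hit and, better still, be enforced as an egress firewall rule so the connection never happens.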

An End To WannaCry

On Friday (12 May 2017), a security researcher known as MalwareTech managed to slow the spread of the ransomware. The malware works like this: before infecting a machine, it tries to connect to a specific web domain. If the connection fails, the infection proceeds; if it succeeds, the malware exits. That check is the kill switch. The domain was unregistered, so MalwareTech purchased it and pointed it at a sinkhole, after which the connection succeeded everywhere and the spread was halted, at least temporarily.

Even though this stopped the malware from spreading further, computers that were already infected stay infected: the kill switch stops propagation but decrypts nothing.

WannaCry Is Back With 2.0

WannaCry is now back under a new name, WannaCry 2.0. After the kill switch was triggered by registering the domain, new samples appeared with no kill switch at all. The kill switch had slowed the spread considerably, but WannaCry 2.0 is still infecting unpatched Windows versions.

Over 213,000 computers in 99 countries have been infected and the number is still rising every hour. So far the attackers have received payments from about 100 victims, totalling $26,090, or roughly 15 bitcoins.
The domain in question is the one that a 22-year-old British security researcher, MalwareTech, purchased. Assuming that his registering it shut the attackers down, however, is wrong.
The kill-switch feature was in the SMB worm, not in the ransomware module itself. "WannaCrypt ransomware was spread normally long before this and will be long after; what we stopped was the SMB worm variant," MalwareTech told The Hacker News.

Any Kill Switch To WannaCry 2.0? 

MalwareTech further said:
"Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable to the WannaCry SMB exploit, which triggers infection if the connection fails. But "it failed hardcore."
However, despite all this effort to stop it, Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said that they had found ransomware variants with no kill switch at all.
"I can confirm we've had versions without the kill switch domain connect since yesterday," he told The Hacker News.
Even after this became one of the trending topics on the internet, there are still lots of computers that are vulnerable to this attack and have not been patched.

"The next attacks are inevitable; you can simply patch the existing samples with a hex editor and it'll continue to spread," said Matthew Hickey, a security expert and co-founder of Hacker House.
"We will see a number of variants of this attack over the coming weeks and months, so it's important to patch hosts. The worm can be modified to spread other payloads, not just WCry, and we may see other malware campaigns piggybacking off this sample's success."

How To Prevent It?

Since it is spreading so fast, there is a real chance it will reach your system too. Here are the precautions you need to take to avoid getting infected.

Install the MS17-010 security update from March; Microsoft has also released it out of band for the otherwise unsupported Windows XP, Vista, 8 and Server 2003, as well as for Server 2008. Furthermore, disable SMBv1, the only SMB version the EternalBlue exploit can attack, to cut off the worm's propagation path: open Windows Features, uncheck "SMB 1.0/CIFS File Sharing Support" and reboot. Blocking inbound TCP port 445 at the perimeter and between network segments limits how far the worm can reach even on hosts you have not yet patched. With those done you can sleep without stress, though an offline backup of your files remains the only reliable answer to ransomware that arrives by email rather than over SMB.
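After disabling SMBv1 across a fleet, the check a practitioner wants is from the network side: does the host still answer an SMBv1 negotiate? Below is an added example, not from the article or from Microsoft, that builds an SMB1 Negotiate Protocol Request offering only the NT LM 0.12 dialect, sends it to port 445 and classifies the reply. A host with SMBv1 disabled closes the connection or rejects the dialect; a host that selects the dialect is still reachable by EternalBlue. The reply bytes used for the offline check are constructed in the same layout as a real negotiate response.

```python
"""Probe whether a host still accepts SMBv1 (added example, raw sockets, stdlib only).

Sends a Negotiate Protocol Request that offers only an SMB1 dialect. Servers with
SMBv1 disabled either close the connection or refuse the dialect; only a clean
SMB1 negotiate response with a chosen dialect counts as "smb1_enabled".
"""
import socket
import struct

SMB1_HEADER = "<4sBIBHH8sHHHHH"    # 32-byte SMB1 header: proto, cmd, status, flags, flags2,
                                   # pid_high, signature, reserved, tid, pid, uid, mid
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF


def _netbios(msg: bytes) -> bytes:
    """NetBIOS session service header: type 0x00 plus 3-byte big-endian length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_negotiate_request(dialects=(b"NT LM 0.12",)) -> bytes:
    """SMB1 header + Negotiate body: WordCount=0, ByteCount, then 0x02-prefixed dialect strings."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x18, 0x2801,
                         0, b"\x00" * 8, 0, 0, 0x1234, 0, 0x0001)
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(header + bytes([0]) + struct.pack("<H", len(body)) + body)


def classify_response(raw: bytes) -> dict:
    """Decide from the reply bytes whether the server accepted SMB1."""
    if not raw:
        return {"result": "no_smb1_reply", "detail": "connection closed without an SMB1 reply"}
    if raw[:1] == b"\x00" and len(raw) >= 4:          # strip NetBIOS session header
        raw = raw[4:]
    if len(raw) < 33:
        return {"result": "no_smb1_reply", "detail": "reply too short"}
    proto, cmd, status, *_ = struct.unpack_from(SMB1_HEADER, raw, 0)
    if proto == b"\xfeSMB":
        return {"result": "smb2_only", "detail": "server answered with SMB2/3"}
    if proto != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        return {"result": "no_smb1_reply", "detail": "not an SMB1 negotiate response"}
    if status != 0:
        return {"result": "smb1_rejected", "detail": f"NT status 0x{status:08x}"}
    word_count = raw[32]
    if word_count == 0 or len(raw) < 35:
        return {"result": "smb1_rejected", "detail": "negotiate response carries no dialect"}
    dialect_index = struct.unpack_from("<H", raw, 33)[0]
    if dialect_index == NO_DIALECT:
        return {"result": "smb1_rejected", "detail": "no offered dialect accepted"}
    return {"result": "smb1_enabled", "detail": f"server chose dialect index {dialect_index}"}


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect, send the request and classify the reply; network errors are reported, not raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            return classify_response(s.recv(4096))
    except ConnectionResetError as exc:               # Windows with SMBv1 off resets the session
        return {"result": "no_smb1_reply", "detail": f"connection reset: {exc}"}
    except OSError as exc:                            # refused, timed out, unreachable
        return {"result": "unreachable", "detail": repr(exc)}


def sample_negotiate_response(dialect_index: int, status: int = 0) -> bytes:
    """Constructed reply for offline checks, laid out like a real SMB1 negotiate response."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, status, 0x98, 0x2801,
                         0, b"\x00" * 8, 0, 0, 0x1234, 0, 0x0001)
    word_count = 1 if dialect_index == NO_DIALECT else 17
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    return _netbios(header + bytes([word_count]) + words + b"\x00\x00")   # ByteCount=0


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run `probe("10.0.0.5")` only against hosts you are authorized to test. An `smb1_enabled` result on anything reachable from a user VLAN is a finding even where MS17-010 is installed, because SMBv1 has no remaining reason to be on. The classifier deliberately treats an SMB2-only answer as safe and anything that is not a clean SMB1 negotiate response as not speaking SMB1.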

Hope you found this information helpful. Feel free to share it with your friends so they can protect their computers from ransomware too and save themselves $300. Ask them to pay you for helping them protect their systems, and pay us by subscribing to our newsletter. Stay tuned!
