Everything you need to know about WANNACRY RANSOMWARE!

This May 12th was a surprise party from a hacker downtown to the whole world! It was a nightmare attack which successfully cracked 230,000 computers across 150 countries in a day! Wow!! That's a jackpot!!

OK, now let's understand what WannaCry ransomware is.

WCry is a type of ransomware which attacks your computer using phishing campaigns or fake targeted emails. Once installed on the user's computer, the malware encrypts each and every file on the system and prompts the user to pay up to $300 per computer to decrypt them.

So far, criminals behind WannaCry ransomware have received nearly 100 payments from victims, totalling 15 Bitcoins, equal to USD $26,090. - thehackernews

So far the ransomware has attacked across 150 countries, according to the latest report from Kaspersky Lab. Another report says that in the UK 16 hospitals were locked out, and at a Spanish telecom 90% of the computers were affected.

RANSOMWARE: WCrypt / WeCry / Wana Decrypt0r / WannaCryptor / WCRY
IMPACT: 180,844 systems as of 15-05-2017
Spanish CERT called it a "massive ransomware attack"
IN INDIA: 2.25 lakh ATMs are vulnerable to attack; nearly hundreds of ATMs have already been shut down

HOW WAS THIS RANSOMWARE WORKING?

WCry 1.0 used the MS17-010 vulnerability to exploit the user's system. This is the military-grade exploit code used by the NSA to hack into users' computers to spy on them.

But the good news is that Microsoft released an emergency patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 editions. Here are the links:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack," Microsoft says.

So now, what about the computers that aren't patched and are still vulnerable?

Thanks to the researcher behind the Twitter handle MalwareTech, who works for security firm Kryptos Logic and accidentally triggered a “KILL SWITCH” that stops the ransomware from spreading.

HOW DID THEY DO IT?

Basically, when a system is infected with this ransomware it actually triggers two events: it exploits the system with the MS17-010 vulnerability, and it spreads across the Windows Server 2008 R2 network exploiting the SMB vulnerability used by the NSA.

Once the system is infected, the malware won't attack anything on the system right away; rather, it first tries to connect to this domain, which was unregistered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Now, if the connection to this URL is successful, the malware won't attack the system. If the URL request fails, the dropper drops its exploit, connects to the next system and does the same there, and all the files on the system are encrypted. The researcher registered this unregistered domain for 10 EUR and has now redirected the traffic to his domain to get the decryption keys.

"If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened," NSA whistleblower Edward Snowden says.

DEMO:

Credits: Matthew Hickey

SMB ATTACK:

7 Easy Steps to Protect Yourself

Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures to protect themselves.

  • Keep your system up-to-date: First of all, if you are using supported but older versions of the Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
  • Enable Firewall: Enable the firewall, and if it is already enabled, modify your firewall configuration to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
  • Disable SMB: Follow the steps described by Microsoft to disable Server Message Block (SMB).
  • Keep your antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
  • Beware of Phishing: Always be suspicious of uninvited documents sent in an email, and never click on links inside those documents without verifying the source.

THINK IT'S ALL DONE??

Haha!! You’ve pissed off the wrong hacker!!!! The hacker didn't like the whole idea of finding the “KILL SWITCH”, so now security researchers have found another variant of this: WeCry v2.0.

Even now the rate of systems affected by this malware is increasing with v1.0; the hacker has released version 2.0 without any KILL SWITCH, and the scariest part is that this variant is written by some other hacker.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House, told thehackernews.com.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
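The two behaviours described above (the kill-switch lookup before encryption, and the worm's SMB scanning from an infected host) are both visible to defenders in ordinary logs. The following is an added example, not code from the original post or from any of the researchers it credits: it runs over constructed DNS and firewall log lines (made up for this example, in an assumed format) and flags hosts that resolved the kill-switch domain or that opened SMB connections to an unusually large number of distinct destinations.

```python
import re
from collections import defaultdict

# Domain the first WannaCry variant checks before encrypting (defanged on the page);
# a query for it from an internal host is a strong sign that host ran the dropper.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORTS = {139, 445}
# Distinct SMB destinations within the log window before a source is called a
# scanner. Constructed threshold for this example; tune it to your network.
FANOUT_THRESHOLD = 20

# Constructed sample logs (not real captures), in an assumed format:
#   DNS line: "<ts> <client> QUERY <name>"
#   Firewall line: "<ts> ALLOW|BLOCK <src> <dst> <proto> <dport>"
DNS_LOG = """\
2017-05-12T10:01:02 10.0.0.7 QUERY www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:05 10.0.0.9 QUERY update.example.internal
"""
FW_LOG = "\n".join(
    f"2017-05-12T10:02:{i:02d} ALLOW 10.0.0.7 10.0.0.{100 + i} TCP 445" for i in range(25)
) + "\n2017-05-12T10:03:00 ALLOW 10.0.0.9 10.0.0.50 TCP 445\n"

DNS_RE = re.compile(r"^(\S+) (\S+) QUERY (\S+)$")
FW_RE = re.compile(r"^(\S+) (ALLOW|BLOCK) (\S+) (\S+) (TCP|UDP) (\d+)$")


def kill_switch_queriers(dns_log: str) -> set:
    """Return the set of clients that tried to resolve the kill-switch domain."""
    hits = set()
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(3).lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.add(m.group(2))
    return hits


def smb_scanners(fw_log: str, threshold: int = FANOUT_THRESHOLD) -> dict:
    """Return {src: distinct SMB destinations} for sources at or above the threshold."""
    fanout = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and int(m.group(6)) in SMB_PORTS:
            fanout[m.group(3)].add(m.group(4))
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("kill-switch lookups:", kill_switch_queriers(DNS_LOG))
    print("SMB scanners:", smb_scanners(FW_LOG))
```

In the sample data host 10.0.0.7 both resolves the kill-switch domain and fans out to 25 SMB destinations, while 10.0.0.9 makes a single ordinary SMB connection and is not flagged.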

Reference:

http://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all

Thanks a ton to these guys for trying to make the world a better place!

@Costin Raiu @Matthieu Suiche @MalwareTech