Organizations in dozens of countries have all been hit with the same ransomware program, a variant of "WannaCrypt," displaying the same ransom note and demanding $300 for the encryption key, with the demand escalating as time passes.
What has happened?
On May 12, 2017, a new variant of the Ransom.CryptXXX family of ransomware (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organizations, particularly in Europe.
England's healthcare system came under a withering cyberattack on Friday morning, with "at least 25" hospitals across the country falling prey to ransomware that locked doctors and employees out of critical systems and networks. It is now clear that this is not a (relatively) isolated attack but rather a single front in a massive digital assault.
A few hours ago, Spain's Computer Emergency Response Team, CCN-CERT, posted an alert on its site about a massive ransomware attack affecting several Spanish organizations. The alert recommends installing the updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.
Now that we have seen what has happened over the past few days, let us look at the complete details of this ransomware and the steps we should take to protect ourselves from this attack.
What is WannaCry?
WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note states that the payment amount will be doubled after three days. If payment is not made within seven days, the encrypted files will be deleted.
It also drops a file named !Please Read Me!.txt, which contains the ransom note.
The tool was designed to target users in multiple countries, with the ransom message translated into different languages.
Note that the "payment will be raised" after a specific countdown, alongside a second timer that raises the urgency to pay by threatening that the user will completely lose their files after the set timeout. Not all ransomware provides such a countdown timer.
To make sure the user does not miss the warning, the tool changes the user's wallpaper to instructions on how to find the decryptor tool dropped by the malware.
For command and control, the malware extracts and uses the Tor service executable with all necessary dependencies to access the Tor network, so the IP address is hard to trace. Also, the malware is not spread from a single PC; instead, the attackers used botnets to spread it, which makes it hard to trace back.
The file extensions that the malware targets fall into several clusters of formats, including:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers' source code and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
WannaCry encrypts files with these extensions, appending .WCRY to the end of the file name.
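As an added illustration (not code from the original post), the following Python snippet shows how a defender could triage a file listing against the extension clusters above: it strips the .WCRY suffix to recover each encrypted file's original extension, counts encrypted files per cluster, flags the ransom note, and counts still-intact targeted files. The sample paths are constructed for the example, not taken from a real infection.

```python
import ntpath
from collections import Counter
# Extension clusters exactly as listed in the post (lower-case, leading dot).
TARGET_CLUSTERS = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi", ".sxw", ".odt", ".hwp"},
    "archive_media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "database": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys_certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "vm": {".vmx", ".vmdk", ".vdi"},
}
ENCRYPTED_SUFFIX = ".wcry"            # WannaCry appends .WCRY to each encrypted file
RANSOM_NOTE = "!please read me!.txt"  # ransom note file dropped beside the files

def cluster_of(ext):
    """Return the cluster a (lower-case) extension belongs to, or None."""
    for name, exts in TARGET_CLUSTERS.items():
        if ext in exts:
            return name
    return None

def triage(paths):
    """Count encrypted files per original cluster, collect ransom notes, count intact targeted files."""
    encrypted, notes, at_risk = Counter(), [], Counter()
    for path in paths:
        name = ntpath.basename(path).lower()  # ntpath splits on both \ and /
        if name == RANSOM_NOTE:
            notes.append(path)
        elif name.endswith(ENCRYPTED_SUFFIX):
            # Strip .WCRY to recover the original extension and hence the cluster.
            orig_ext = ntpath.splitext(name[:-len(ENCRYPTED_SUFFIX)])[1]
            encrypted[cluster_of(orig_ext) or "other"] += 1
        else:
            cluster = cluster_of(ntpath.splitext(name)[1])
            if cluster:
                at_risk[cluster] += 1
    return encrypted, notes, at_risk

# Constructed sample listing (not from a real infection) to exercise the logic.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.WCRY",
    r"C:\Users\alice\Documents\!Please Read Me!.txt",
    r"C:\Users\alice\Pictures\holiday.psd.WCRY",
    r"C:\Users\alice\Documents\notes.txt.WCRY",   # .txt is not in the list -> "other"
    r"C:\Users\alice\Projects\app.java",
    r"D:\VMs\backup.vmdk",
]
```

Calling `triage(SAMPLE_PATHS)` on the constructed listing reports one encrypted office file, one encrypted graphics file, one "other", one ransom note, and one intact file each in the source and vm clusters.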
Countries infected with WannaCry
Currently, more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world have been recorded, most of them in Russia. It is important to note that our visibility may be limited and incomplete, and the range of targets and victims is likely much, much higher.
How does it work?
The infection vector appears to work through a known vulnerability, originally exploited by the "ETERNALBLUE" tool developed by the National Security Agency. That information was subsequently leaked by the hacking group known as The Shadow Brokers, which has been dumping its cache of purloined NSA hacking tools onto the internet since last year.
The virus appears to have originally spread via email as a compressed file attachment, so, like last week's Google Docs issue, make sure you confirm that your email attachments are legitimate before clicking on them. Once it is on one system, it can easily spread across private networks using a flaw in the Windows SMB Server. (To know more about the Windows SMB zero-day attack, click here.)
Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.
The Windows SMB Server flaw allows unauthorized remote access to PCs in the network, and the infected PCs are in turn used as a botnet. This is how the vulnerability is exploited and the ransomware spreads.
Also, make sure your computers are running software that is still receiving security updates, and that you have installed the latest updates available. Microsoft released a fix for the exploit as part of its March "Patch Tuesday" release, but unpatched Windows systems remain vulnerable.
As this article is already long, I will post the steps to protect yourself from this attack in my next article. So stay tuned!
If you have any extra information you would like to share, or if you want to discuss a topic, just post in the comment box provided below and I will surely help you out.
Update: Wrote an article on how to prevent yourself from being encrypted via WannaCry Ransomware. To read the article, click here...!