WannaCry Ransomware

By : admin In: Articles, Blog May 24, 2017

In the past few days, a massive ransomware attack has been identified across the globe. Called "WannaCry" (also known as WannaCry ransomware, WCry, WanaCrypt and WanaCrypt0r), it is encrypting files with the .wnry, .wcry, .wncry, and .wncryt extensions. It spreads through a Microsoft Windows exploit called "EternalBlue," for which Microsoft released a patch in March. It mainly targets computers running the Microsoft Windows operating system: it encrypts all of a machine's files and demands a ransom payment in the Bitcoin cryptocurrency. The exploit allows remote command execution via Samba Server Message Block (SMBv1), which lets the ransomware spread to other Windows machines on the same network. Most interestingly, the three Bitcoin addresses associated with WannaCry ransomware had received a total of 103 confirmed payments as of May 14th. These addresses have received a total of around 15 bitcoins, or approximately 28K USD. See here:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

WannaCry ransomware has infected over 300,000 PCs in over 150 countries. Organizations such as FedEx in the US, National Health Service hospitals in the UK, the Russian Interior Ministry and Telefonica in Spain were among those victimized by the invasive WannaCry ransomware attack: they and others who fell prey to the worm were ordered to pay $300 in bitcoin to regain access to their encrypted files.

Countries infected with the ransomware

Shortly after the attack began, a web security researcher who blogs as "MalwareTech" (Twitter handle @malwaretech), together with Darien Huss, found a 'kill switch' that paused the ransomware: registering a domain name he found in the ransomware's code. Basically, the ransomware tries to open an unregistered domain, and only if that attempt fails does it go on to infect the system. So @malwaretech registered the domain, which stopped the ransomware.

For this effort, he has now been offered a $10,000 reward from HackerOne, a platform that lets security professionals responsibly report potential security issues in software, often in return for a cash reward, a so-called bug bounty. In recognition of MalwareTech's efforts, the company publicly offered him the $10,000 bounty, writing, "Thank you for your active research into this malware and for making the internet safer!"

The recommended precaution is to modify your firewall configuration to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138. SMB can be disabled by following the steps at this link:
https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
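
The two precautions above can be applied and checked from an elevated PowerShell session. The script below is an added example, not taken from the original article or from Microsoft's guidance; it assumes Windows 8 / Windows Server 2012 or later (where the SMB and NetSecurity cmdlets exist), and the firewall rule names are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 and block the SMB/NetBIOS ports listed in the article.
# The rule names ('Block-SMB-*') are constructed for this example.
# Inbound blocks on these ports stop file and printer sharing on the host,
# so do not apply step 3 to machines that must serve shares.

[CmdletBinding(SupportsShouldProcess)]
param(
    # Port lists as given in the article text.
    [int[]]$TcpPorts = @(137, 139, 445),
    [int[]]$UdpPorts = @(137, 138)
)

# 1. Report whether the SMB server still accepts SMBv1.
$smb = Get-SmbServerConfiguration
Write-Output "SMBv1 server enabled: $($smb.EnableSMB1Protocol)"

# 2. Disable SMBv1 on the server side if it is still on.
if ($smb.EnableSMB1Protocol) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 3. Add inbound block rules for the listed ports, skipping rules that exist.
$rules = @(
    @{ Name = 'Block-SMB-TCP-In'; Protocol = 'TCP'; Ports = $TcpPorts },
    @{ Name = 'Block-SMB-UDP-In'; Protocol = 'UDP'; Ports = $UdpPorts }
)
foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Output "Rule '$($r.Name)' already present"
        continue
    }
    if ($PSCmdlet.ShouldProcess($r.Name, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Ports | Out-Null
    }
}

# 4. Show the resulting state so it can be attached to the change record.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Get-NetFirewallRule -DisplayName 'Block-SMB-*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action
```

Running the script with `-WhatIf` reports what would change without modifying the host. Older Windows versions lack these cmdlets and need the registry-based steps described at the Microsoft link above.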