WannaCry – A Simple Perspective

So far, more than 100 countries (UK, US, Russia, China, etc.) have been severely impacted by a professionally crafted ransomware known as “WannaCry” / “WannaCrypt”. The attack came into the limelight when the British National Health Service was targeted: its IT systems were brought to their knees and the privacy of patient information was compromised. The worm has already done damage worth millions and is still likely to spread. The group @0xSpamTech has claimed responsibility. The worm encrypts files using AES and RSA encryption, so they can only be decrypted with a unique key.

As per Wikipedia, “Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it”.

But this worm/ransomware operates differently from that standard definition. It includes a component (payload) that searches the network for vulnerable systems and infects them as well. Because of this unconventional behaviour the worm is able to keep infecting millions of Windows-based machines all over the globe. The security world has not witnessed a worm of this kind in the last 2 years.

The WannaCry worm uses a publicly known exploit for MS17-010, which is triggered by sending a specially crafted packet to an SMBv1 server. Microsoft has fixed the vulnerability, but millions of organizations have still not completely patched their IT infrastructure.

Microsoft has already released a set of patches that need to be installed in every production environment to prevent the worm from spreading and infecting other machines. Follow the link to read more.

Windows versions affected by this worm:
1. Windows XP
2. Microsoft Windows Vista SP2
3. Windows 7
4. Windows 8.1
5. Windows RT 8.1
6. Windows Server 2008 SP2 and R2 SP1
7. Windows Server 2012 and R2

Two infection vectors have been observed, which the worm uses to reach vulnerable machines:
– Social engineering, where the end user is persuaded or tricked into clicking on a link.
– Unpatched machines running a vulnerable version of the SMB (v1) protocol.

After infecting the target PC, the worm presents the user with a message asking them to deposit $300 to $600 in bitcoin to decrypt and unlock their files.

If you are interested in tracking the payments made to the attackers’ accounts, follow the link; you can track payments to the Bitcoin addresses listed below:
– 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
– 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
– 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

How can you protect yourself?
1. Get the latest patches available from Microsoft and deploy them ()
2. Disable SMBv1 completely.
3. Add rules on the perimeter firewall to block any incoming connection to port 445.
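As an added example that is not part of the original post, the PowerShell script below (hypothetical name `Check-Ms17010Hardening.ps1`) audits a host against the three steps above and, with `-Remediate`, applies the host-level counterparts of steps 2 and 3. It assumes an elevated session, Windows 8 / Server 2012 or later for the SMB and firewall cmdlets (the SMBv1 check falls back to the registry on older hosts), and that `$Ms17010Kb` holds the MS17-010 KB number for the host’s OS; the assumed default KB4012212 is the Windows 7 SP1 / Server 2008 R2 SP1 security-only update.

```powershell
# Added example, not from the original post: audit a host against the three
# protections above and, with -Remediate, apply steps 2 and 3 locally.
# Assumes an elevated session. $Ms17010Kb must hold the MS17-010 KB for this OS;
# KB4012212 (Windows 7 SP1 / Server 2008 R2 SP1 security-only update) is assumed.
param(
    [string[]]$Ms17010Kb = @('KB4012212'),
    [switch]$Remediate
)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Step 1: is the MS17-010 fix present in the installed-updates list?
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
# Step 2: is the SMBv1 server enabled? Get-SmbServerConfiguration exists on
# Windows 8 / Server 2012 and later; older hosts expose the same switch as the
# LanmanServer 'SMB1' registry value (a missing value means enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $v) -or ($v -ne 0)
}
# Step 3: is there an enabled host-firewall rule blocking inbound TCP 445?
# (NetSecurity cmdlets also need Windows 8 / Server 2012 or later.)
$blocked = $false
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $blocked = [bool](Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' })
}
"MS17-010 patch installed : $patched"
"SMBv1 server enabled     : $smb1"
"Inbound TCP 445 blocked  : $blocked"
if ($Remediate) {
    if ($smb1) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        }
        "SMBv1 disabled (reboot required on registry-based hosts)."
    }
    if (-not $blocked -and (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        "Inbound TCP 445 block rule added."
    }
}
```

Run it once without `-Remediate` to see the three findings, then with `-Remediate` on hosts that fail steps 2 or 3; step 1 still has to be fixed by installing the update itself.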