A worldwide cyberattack by a new ransomware cryptoworm named “WannaCry” has been reported. The attack started on 12 May 2017 and has been described as unusual in scale, infecting more than 230,000 computers in over 150 countries.
WannaCry targets computers running the Microsoft Windows operating system and encrypts the files on infected systems. After encryption, the attackers demand a ransom payment of US $300 in the Bitcoin cryptocurrency; if that amount is not paid within 3 days, it is doubled. If payment has still not been made after seven days, they claim they will delete the encrypted files.
This ransomware spreads across Windows systems by exploiting a vulnerability in implementations of Server Message Block (SMB), using the exploit known as ETERNALBLUE. WannaCry encrypts the computer’s hard disk drive and then spreads laterally between computers on the same LAN. It also spreads through malicious attachments to emails.
After infection, WannaCry displays the following screen on the infected system:
Victims are being asked to pay the ransom, and many people have paid the $300–$600 ransom. But there were no known cases of someone paying and being given the means to decrypt their data. According to Check Point Software Technologies, “WannaCry doesn’t seem to have a way of associating payment to the person making it”. It seems from WannaCry’s code that decryption cannot occur without direct manual intervention by the hackers, and no communications sent to them have been answered. In light of these facts, experts strongly advise against paying the ransom.
How to protect your system from WannaCry ransomware attack:
Email is one of the main infection methods. Be wary of unexpected emails, especially if they contain links or attachments. Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros; delete the email immediately instead. If possible, disable the SMB protocol and macros.
New ransomware variants appear on a regular basis so always keep your security software up to date to protect yourself against any new ransomware. Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
In order to prevent WannaCry infection, users are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches. Backing up important data is the single most effective way of combating ransomware infection. Attackers gain leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up.
Download WannaCry decryption tool for free
Researchers have finally been able to create a decryptor for the WannaCry ransomware, which has affected more than 300,000 computers in 150 nations since its attack on computers running the Microsoft Windows operating system last Friday. For those unfamiliar, the WannaCry ransomware cryptoworm encrypts data and demands ransom payments from the infected computers in the Bitcoin cryptocurrency.
Adrien Guinet, a French security researcher from Quarkslab, has discovered a method for finding the ransomware’s decryption key by making use of a flaw in the way WannaCry functions, according to The Hacker News.
Basically, WannaCry encryption creates a pair of keys – “public” and “private”. While the ransomware uses prime numbers to generate a “public” key, the “private” key is for encryption and decryption of the system files. WannaCry erases the keys from the system, thus compelling the victim to pay $300 to the cybercriminals.
However, Guinet found out that WannaCry “does not erase the prime numbers from memory before freeing the associated memory.” As a result, it allows a chance to retrieve the prime numbers and hence, generate the private key for decryption.
Using this information, Guinet released a tool called “WannaKey” that recovers the private key used to encrypt files on an infected system, allowing the contents of the files to be decrypted without paying the ransom demanded by WannaCry’s creators. The WannaKey decryption tool is available for free and works on the Windows XP operating system.
However, Guinet added that the tool will only work on affected computers that have not been rebooted after the attack and whose associated memory has not been erased or allocated by some other process.
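The recovery idea described above, as an added Python illustration (not WannaKey's code): if one prime factor of the RSA modulus is still present in a memory snapshot, the private exponent can be rebuilt, and if that memory has been overwritten the scan finds nothing. The snapshot bytes, the small 125-bit key and the little-endian, half-modulus-length layout are assumptions constructed for this example; the public modulus N and exponent e are assumed to be known.

```python
# Added illustration: rebuild an RSA private exponent from a prime left in memory.

def find_prime_factor(memory: bytes, modulus: int, step: int = 1):
    """Slide a window over `memory` and return the first value that divides
    `modulus`, or None. Assumes each factor is stored little-endian and is
    half the byte length of the modulus (layout assumption for this example)."""
    width = ((modulus.bit_length() + 7) // 8) // 2
    for off in range(0, len(memory) - width + 1, step):
        cand = int.from_bytes(memory[off:off + width], "little")
        # A non-trivial divisor of N = p*q can only be p or q.
        if 1 < cand < modulus and modulus % cand == 0:
            return cand
    return None

def rebuild_private_exponent(p: int, modulus: int, e: int) -> int:
    """Given one prime factor, derive q and the private exponent d."""
    q = modulus // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)          # modular inverse (Python 3.8+)

# --- constructed sample data (toy key, far smaller than a real one) ---
P = 2**61 - 1                       # known prime
Q = 2**64 - 59                      # known prime
N, E = P * Q, 65537                 # "public key" the defender still has

# Snapshot where the freed buffer still holds P between unrelated bytes.
SNAPSHOT = bytes(range(37)) + P.to_bytes(8, "little") + b"\x00" * 23
# Same region after a reboot or reuse: the prime is gone.
WIPED = bytes(range(37)) + b"\x00" * 31

def demo():
    """Return (recovered plaintext, result of scanning the wiped snapshot)."""
    message = 0x1234567890ABCDEF
    ciphertext = pow(message, E, N)             # encrypted with the public key
    p = find_prime_factor(SNAPSHOT, N)
    d = rebuild_private_exponent(p, N, E)
    return pow(ciphertext, d, N), find_prime_factor(WIPED, N)

if __name__ == "__main__":
    plain, wiped_hit = demo()
    print(hex(plain), wiped_hit)
```

The second result shows why the tool only helps on machines that have not been rebooted: once the freed memory is reused, there is no prime left to find.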
Based on Guinet’s findings, another security researcher named Benjamin Delpy has created ‘WanaKiwi’, a tool that can unlock WannaCry-infected systems. While it is similar to WannaKey in the way it functions, it is compatible with Windows XP, Vista, 7, Server 2003, and Server 2008, and can be run from the command prompt.
Users who are infected by the virus can download the WannaKey tool or the WanaKiwi tool from GitHub and try it on their affected Windows systems.