WannaCry (also WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a family of ransomware that targets Microsoft Windows systems through an SMB exploit leaked by the Shadow Brokers, encrypting data and demanding ransom payments in the cryptocurrency Bitcoin.
The ransomware spreads by means of spam messages and malicious download links designed to lock the documents on a PC until the victim pays the ransom demand, usually $300-$500 in Bitcoin.
The attack started on 12 May 2017 and infected more than 300,000 computers in over 150 countries, making it one of the biggest ransomware cyber attacks the world has ever faced.
WannaCry's infection medium was spam and phishing emails with an embedded link; once the victim clicked the link, the malware checked whether the Windows machine was unpatched (Microsoft had already released a patch for the SMB flaw).
According to Microsoft, the exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack.
Once it has successfully entered the victim's machine, it starts searching for files with the following extensions:
.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.
After finding files of these formats, it renames them: if a file is named "example.png", it is renamed "example.png.WNCRY".
WannaCry also generates a file called "@Please_Read_Me@.txt" in every folder where it has encrypted files. It contains the ransom message that is also shown in the replaced desktop wallpaper image.
After this, the executable runs and displays a ransom note that demands $300 in Bitcoin and shows a countdown timer.
When you click the Check Payment button, the ransomware connects back to its TOR C2 servers to check whether a payment has been made. If one was made, the ransomware will automatically decrypt your files.
If the payment has not been made, it replies with a message like "You didn't pay or we did not confirm your account."
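The artifacts described above (the ".WNCRY" suffix on renamed files and the "@Please_Read_Me@.txt" note in each encrypted folder) are what a responder looks for first. The following Python script is an added example written for this article, not code from the original post: it walks a directory tree, reports those indicators, recovers the original extensions from the renamed files, and counts still-unencrypted files whose extension is on the targeted list (only a subset of the list above is embedded; extend TARGET_EXTENSIONS as needed). The sample tree it builds is constructed for the demo.

```python
"""Triage a directory tree for WannaCry artifacts (added example, not from the article)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the targeted extension list quoted in the article; extend as needed.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                     ".txt", ".jpg", ".jpeg", ".png", ".zip", ".rar", ".sql",
                     ".bak", ".vmdk", ".ps1"}
ENCRYPTED_SUFFIX = ".WNCRY"            # appended to every encrypted file
RANSOM_NOTE = "@Please_Read_Me@.txt"   # dropped in every encrypted folder


def scan_tree(root):
    """Walk `root` and return a dict of WannaCry indicators found there."""
    encrypted, note_dirs = [], []
    original_exts, at_risk = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix.lower()
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):  # suffix is upper-case, so case-sensitive
                encrypted.append(os.path.join(dirpath, name))
                # "example.png.WNCRY" -> the original extension ".png"
                original_exts[Path(name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower()] += 1
            elif ext in TARGET_EXTENSIONS:
                at_risk[ext] += 1
    return {"infected": bool(encrypted or note_dirs),
            "encrypted_files": sorted(encrypted),
            "original_extensions": dict(original_exts),
            "ransom_note_dirs": sorted(note_dirs),
            "at_risk_by_extension": dict(at_risk)}


def demo():
    """Build a constructed, partly encrypted sample tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "report.docx.WNCRY").write_bytes(b"\x00" * 16)  # encrypted
        (docs / "photo.png.WNCRY").write_bytes(b"\x00" * 16)    # encrypted
        (docs / RANSOM_NOTE).write_text("constructed ransom note")
        (docs / "notes.txt").write_text("not yet encrypted, at risk")
        (Path(tmp) / "readme.md").write_text("extension not targeted")
        return scan_tree(tmp)   # scan while the temp tree still exists


if __name__ == "__main__":
    print(demo())
```

Run it against a suspect share root instead of the temp tree to get an inventory of what was hit and what is still exposed.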
The Russian Interior Ministry, Chinese universities, Hungarian telcos and FedEx branches were hit, and Telefonica IT staff were desperately telling employees to shut down computers and VPN connections in order to limit the ransomware's reach. The attack struck as hospitals and doctors' surgeries in England were compelled to turn away patients and cancel appointments after the ransomware crippled some computer systems in the state-run health service.
Kaspersky Lab has uncovered new evidence linking the WannaCry ransomware code to North Korea.
Renault's partner company Nissan was also affected: a UK representative confirmed that its Sunderland plant was affected on Friday night, but would not confirm reports that production was halted.
"The Reserve Bank of India has asked banks to update specific Windows patches on ATMs urgently and not to operate ATM machines unless the updates are in place," TOI quoted an official with a public sector bank as saying.
ATMs are highly valuable assets and are vulnerable to the malware because of a lack of updates.
Many ATMs run old versions of Windows, which urgently need updating in this situation. There are a total of 2.25 lakh ATMs in the country, of which 60 per cent run on the outdated Windows XP, the report said. Microsoft, the maker of Windows, has said that it has released a special update for the software.
In response, the RBI instructed all banks to immediately update the operating system on every ATM across India that is running an unpatched OS, and strictly not to operate them before the update.
In this case, Comodo was one step ahead in preventing such sophisticated cyber attacks. Comodo CEO Melih Abdulhayoğlu explains in his blog post:
Before WannaCry can infect your system, Comodo Firewall 10 has already created a virtual hard drive, a virtual registry and a virtual COM interface (a fake hard drive), set up before WannaCry ever enters the victim's machine.
So what happens next is that the WannaCry ransomware starts writing to the virtual hard drive, and it obviously has no idea where it is actually performing its encryption process on files.
So the virtual hard disk is infected, but it holds no important files, and in the end all of the victim's files are protected by Comodo Firewall 10.
Security researcher MalwareTech (his online handle), who halted the global spread of the unprecedented ransomware attack by registering a garbled domain name hidden in the malware, with help from Darien Huss of the security firm Proofpoint, has warned that the attack could be rebooted. What the researcher did was spend around £10 to register a domain he found in the ransomware's code: the virulent, self-spreading Wana Decrypt0r was making a pre-infection check to a domain at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.
By registering this domain, MalwareTech had accidentally triggered a worldwide kill switch for the ransomware's self-spreading feature.
He states that this does not mean the WannaCry infection is over; only this specific version of WannaCry has been stopped.
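The kill-switch check also gives defenders a detection hook: any host that looked up that domain ran the sample, and the DNS answer it received tells you whether the domain was still unregistered at the time (so encryption likely proceeded) or already registered (so this version halted). The Python below is an added example for this article, not code from the original post; the DNS query log format and the log lines are constructed for the demo, and the domain is the one quoted above.

```python
"""Find hosts that performed WannaCry's kill-switch lookup in DNS query logs.
Added example for this article; the log format below is constructed."""
from collections import defaultdict

# Kill-switch domain quoted in the article (this version of the sample only).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:01:04Z 10.0.0.15 A update.microsoft.com NOERROR
this line is malformed and must be skipped
2017-05-13T08:45:09Z 10.0.0.42 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-13T08:46:00Z 10.0.0.27 AAAA mail.example.net NOERROR
"""


def classify(rcode):
    """Map the DNS answer to what the sample did next, per the article's description."""
    if rcode == "NXDOMAIN":
        return "domain unregistered at query time: encryption likely proceeded"
    return "domain resolved: kill switch halted this sample, but the host ran it"


def find_killswitch_lookups(log_text):
    """Return {client_ip: [(timestamp, rcode, verdict), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the triage
        ts, client, _qtype, qname, rcode = fields
        # Normalise case and the trailing dot so resolver-specific formatting
        # does not hide a match.
        if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits[client].append((ts, rcode, classify(rcode)))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_killswitch_lookups(SAMPLE_LOG).items():
        for ts, rcode, verdict in events:
            print(f"{host} {ts} {rcode}: {verdict}")
```

Every host returned should be isolated and checked for the artifacts described earlier, whichever answer it received.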
Here you can see the process tree of a WannaCry infection.
These are the safety guidelines for WannaCry.
If you have not updated Windows, follow this manual method to turn off SMBv1:
Control Panel -> Programs -> Programs and Features.
Uncheck the box "SMB 1.0/CIFS File Sharing Support".
Once you have done this, restart your computer. Your computer is then protected, and WannaCry cannot run its SMB exploit against it once this has been done.
According to some experts' analysis, as of yesterday (16-05-2017) the WannaCry ransomware has potentially infected systems and caused damage estimated at around $1 billion to its victims.
However, as of Sunday evening, close to $33,000 had been paid to the hackers in Bitcoin by victims trying to unlock their systems.
Ransoms of $300 to $600 are being demanded by the hackers behind WannaCry.
WannaCry has finally taught the whole world how important it is to keep an eye on cyber security and to keep your technology environment updated.