WannaCry ~ All You Wanted to Know
On May 12, the same day my results were uploaded, the internet was hit with a major cyber attack. A ransomware named WannaCry hit Europe, encrypting files and folders and demanding around $300-400 in Bitcoin for decryption.
As the name goes, WannaCry is making people cry: it is not a hoax or one of those viruses circulated in WhatsApp groups; it is real, and tons of people have faced it 🙁
In the first few hours it was estimated that almost 57,000 computers in 150 countries had been affected by the end of Friday; 57,000 computers in 150 countries within a few hours of launch is kind of a big deal in internet history.
As of Monday, it has been confirmed that more than 200,000 systems have been affected across the globe. India is on the list too 🙁
So in this post I will share what WannaCry is, what it does, who created it, how to prevent it, and how to get rid of it if you have been affected.
- 1 What is WannaCry?
- 2 What does WannaCry do?
- 3 What is Ransomware?
- 4 Who has created this dreadful ransomware?
- 5 The Attack and the patch released
- 6 Why are the hackers asking money in the form of Bitcoins?
- 7 Is the attack over?
- 8 Tips to keep in mind to prevent the attack
- 9 What to do if you have already been affected?
What is WannaCry?
WannaCry is a dreadful Trojan virus created by a group of hackers known as The Shadow Brokers. It locks the user's files and demands a ransom for decrypting the data within seven days; if the user does not pay, all the files are deleted from the computer forever. It actually made me cry :p
What does WannaCry do?
If you install anything from an unknown sender or visit a suspicious link and the virus gets in, WannaCry encrypts all your data within minutes and shows the dialog box pictured below. It demands $300 in Bitcoin to decrypt the files; if the ransom isn't paid within three days it doubles to $600, and if no ransom is paid after seven days it automatically deletes all your data from the computer.
What is Ransomware?
So let me go into detail about what ransomware is.
Ransomware is malware that blocks the victim's access to his/her files; you can only regain the data if you pay a ransom. It's like kidnapping in real life: the kidnapper blocks your access to the victim, and you only get the victim back if you pay a ransom. Let's understand it this way and make life much easier :p
So a new ransomware named WannaCry or WannaCrypt has hit the market and attacked major companies in leading countries like Australia, India and China. Big organizations such as Renault and the NHS were struck first by the attack, which spread slowly and created havoc in the health care industry. This ransomware took down hospitals across leading countries like the United Kingdom, which lost access to patient data and had to move patients suffering from serious ailments elsewhere.
Ransomware has certain unique features that set it apart from other forms of malware.
- It uses unbreakable encryption, which means you can't decrypt the files on your own.
- It can encrypt all kinds of files: pictures, videos, documents, everything you have on your PC.
- It can spread to other PCs connected over a local network.
- It demands money in the form of bitcoins, a cryptographic currency that can't be tracked by cyber officials.
- It uses very complicated evasion techniques to go undetected by antivirus.
There are many more features that set it apart from other malware, but these points are enough to scare you :p and give you a good idea of what ransomware is.
Who has created this dreadful ransomware?
You can thank the NSA for finding the "EternalBlue" exploit and for its release into the public domain. EternalBlue is an exploit developed by the NSA that targets a Microsoft OS vulnerability. The hackers who created WannaCry or WannaCrypt are known as The Shadow Brokers; they stole the exploit from the NSA and used it to create the malware, which has now spread to more than 100 countries. Unlike other malware, it doesn't need humans to click on attachments to spread; it spreads automatically and affects all the computers connected to that network.
The Attack and the patch released
This Trojan virus has hit many important organizations. Companies like Renault, FedEx, Hitachi, the NHS and Vivo have been affected. Banks, hospitals and colleges were affected too, such as Andhra Pradesh Police, the Chinese public security bureau, Cambrian College, Deutsche Bahn, Dharmais Hospital, Faculty Hospital Nitra, the Government of Kerala, the Government of West Bengal, Harapan Kita Hospital, PetroChina, Portugal Telecom, Russian Railways, etc.
Those using old versions of Windows such as XP were under attack because the company released no security patches for them after April 2014. On Sunday Microsoft released a security patch for the "EternalBlue" exploit so that users can avoid being affected, and it recommends installing the patch to be on the safe side. Meanwhile, Linux users are having more fun, as the attack targets only Microsoft users. Microsoft blames the NSA for the Trojan virus.
Why are the hackers asking money in the form of Bitcoins?
It is simple: bitcoins are a cryptographic currency that is very hard to trace back. The hackers are using three bitcoin addresses, which they use to keep track of every user who has paid. Bitcoins are not illegal; they are just a form of digital currency, a favorite among hackers because it is entirely anonymous.
When you purchase something online by debit card, credit card, net banking or any other online payment method, all your details (name, address, phone number) can be tracked; with bitcoins it is not like that: it is entirely anonymous and protects one's identity.
You too can legally purchase and sell bitcoins on any BTC (Bitcoin) marketplace. Currently 1 BTC equals $1820 or Rs 1,16,654 (Indian currency).
Should you pay the ransom?
$300 is not a big amount for some people when the data is worth more to them than those $300. Only 181 payments, worth about $50,000 in bitcoins, have been received by the hackers, and there is no evidence that all your files will be decrypted after paying the ransom: you are dealing with criminals, and there is no guarantee of an honest transaction. CERT-In advises victims of the ransomware not to pay, as there is no assurance that the files will be decrypted. Instead, report any such case to CERT-In at firstname.lastname@example.org
Is the attack over?
No, the attack is not over yet, but it has been slowed. On Saturday a 22-year-old security researcher named Marcus Hutchins accidentally slowed the spread of WannaCry when he registered a domain name hidden in the virus' code in an attempt to track its spread, unintentionally stopping its progress in the process. So the virus has not stopped spreading, but it has been slowed.
Tips to keep in mind to prevent the attack
- Keep a backup of all your important documents, pictures, videos, anything, either in the cloud or on offline storage devices like a pen drive or hard disk.
- Personal computer users as well as organizations are advised to install the security patches released by Microsoft for all versions of Windows, as listed in Microsoft Security Bulletin MS17-010.
- Don't open email from unknown senders.
- Don't visit links or download anything from an unknown sender, as it can be the Trojan virus waiting to get into your computer.
- If you use a pirated version of Windows, as most of us do, you won't receive the periodic patches, which makes you more vulnerable; switch to a genuine version or download the latest security patches from Microsoft's releases.
- Disable Server Message Block 1 (SMB1) network file sharing. Read the complete guide on the official Microsoft website: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.
- Close firewall port 139 or 145 or both, because SMB uses these ports.
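The patch check, SMB1 disabling and port blocking from the tips above can be done in one script. The following is an added example written for this post, not code from Microsoft or from the original article. It assumes an elevated PowerShell prompt on Windows 8.1/10 or Server 2012 R2 and later (where the SmbShare, DISM and NetSecurity cmdlets used here exist), and it leaves the MS17-010 update's KB number as a placeholder because that number differs per Windows build. The firewall rule blocks TCP 139 (NetBIOS session) and 445 (direct-hosted SMB), the two ports SMB listens on.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft.
# Audits and hardens a Windows host against the SMBv1 vector described above.
# $Ms17010Kb is a placeholder: look up the MS17-010 update for your OS build.

$Ms17010Kb = 'KB<MS17-010-update-for-this-build>'   # placeholder, see the bulletin

function Test-Ms17010Patch {
    # $true if the named update appears in the installed-hotfix list.
    $null -ne (Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object HotFixID -eq $Ms17010Kb)
}

function Disable-Smb1 {
    # Turn off the SMB1 server-side protocol (takes effect immediately)...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and remove the optional feature entirely (a reboot finishes the removal).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-SmbInbound {
    # Block inbound SMB on TCP 139 and 445. Only do this on hosts that do not
    # need to serve files to the LAN; file servers rely on patching plus SMB1 removal.
    $name = 'Block inbound SMB (WannaCry mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

function Get-SmbExposureReport {
    # One object per run so before/after states can be logged and compared.
    [pscustomobject]@{
        Ms17010Installed  = Test-Ms17010Patch
        Smb1Enabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        InboundSmbBlocked = [bool](Get-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
                                       -ErrorAction SilentlyContinue)
    }
}

# Audit, mitigate, audit again.
'Before:'; Get-SmbExposureReport
Disable-Smb1
Block-SmbInbound
'After:';  Get-SmbExposureReport
```

Run it once, reboot so the SMB1 feature removal completes, and compare the two reports: the patch column is the one that matters most, since a patched host is protected even when SMB1 has to stay on for an old printer or NAS. Keep the firewall rule off file servers that must answer SMB requests from the LAN.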
What to do if you have already been affected?
If you have a backup ready, excellent: wipe the affected machines, reinstall them, and install the patch before you restore your backed-up files.
Do not pay the ransom, as there is no guarantee you will get all your data back even after paying.
Disconnect your computer from the network as soon as possible to stop it spreading to other computers on your network, as ransomware quickly spreads to machines plugged into a network.
Remove the hard drive and preferably don't use it again, because the ransomware will have left traces you probably won't recognise: it scrambles file names, which makes it hard to tell which file is infected. Because of those traces, the ransomware won't be disabled even after you completely format your PC.
You can email CERT-In at email@example.com for help after being affected.
Many people have experimented and come up with a decryptor key (DM me if needed). It has been tested on Windows 8 and works fine; it won't necessarily work for you too, but you can give it a shot.
Bleeping Computer has an in-depth guide on how to remove the WannaCry virus.
If none of them work, the only option left is to PRAY :p
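The response steps above (disconnect, do not trust the drive, get help) can be made repeatable, and the people who later rebuild or investigate the machine will want a record of what was running. Below is an added example, not from the original post: a first-response script that snapshots live TCP connections, isolates the host, then writes volatile evidence to an assumed evidence path and lists recently modified files grouped by extension, so the burst of scrambled files stands out without knowing the ransomware's extension in advance. It assumes an elevated PowerShell prompt on Windows 8/Server 2012 or later; $EvidenceRoot is a constructed placeholder for an attached USB drive.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. First-response steps for a
# host that already shows the ransom dialog: capture what is on the wire, cut
# the host off the LAN, then save volatile evidence to removable media.
# $EvidenceRoot is an assumed path; point it at your own USB drive.

$EvidenceRoot = 'E:\ir-evidence'   # assumed: an attached, writable USB drive

function Get-LiveConnections {
    # Every TCP connection with its owning process. Many outbound connections to
    # port 445 on LAN addresses is what a spreading SMB worm looks like. Captured
    # first, because isolating the host tears these connections down.
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

function Disconnect-Host {
    # Disable every adapter that is up (wired, wireless, virtual) so the worm cannot
    # reach other SMB hosts. Returns the names so they can be re-enabled later.
    $up = Get-NetAdapter | Where-Object Status -eq 'Up'
    $up | Disable-NetAdapter -Confirm:$false
    return $up.Name
}

function Get-RecentRenameBurst {
    param([string]$Root = $env:USERPROFILE, [int]$Minutes = 120)
    # Ransomware rewrites thousands of files in minutes and usually gives them one
    # new extension; grouping recent writes by extension exposes that burst.
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -gt $since |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Save-VolatileEvidence {
    param($Connections, [string]$Root = $EvidenceRoot)
    $dir = Join-Path $Root ('{0}-{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $Connections | Export-Csv (Join-Path $dir 'tcp-connections.csv') -NoTypeInformation
    # Processes with command lines: identifies the dropper if it is still running.
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
        Export-Csv (Join-Path $dir 'processes.csv') -NoTypeInformation
    # Persistence points: scheduled tasks and the per-machine / per-user Run keys.
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
        Export-Csv (Join-Path $dir 'scheduled-tasks.csv') -NoTypeInformation
    Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
        Out-File (Join-Path $dir 'run-keys.txt')
    Get-RecentRenameBurst | Out-File (Join-Path $dir 'recent-extensions.txt')
    return $dir
}

# Order matters: snapshot connections (milliseconds), isolate, then do the slow collection.
$conns    = Get-LiveConnections
$adapters = Disconnect-Host
$evidence = Save-VolatileEvidence -Connections $conns
"Host isolated (adapters: $($adapters -join ', ')); evidence saved in $evidence"
```

Copy the evidence folder off the USB drive straight away: if the malware is still running it encrypts files on attached drives as readily as on the system drive. The recent-extensions report is also the quickest way to tell whether a backup taken that afternoon is still clean before you restore it onto the rebuilt machine.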
I have covered almost everything about the WannaCry virus; if you have any doubts, feel free to ask in a comment or message me on Facebook. My Facebook profile link is Abishiekh Jain, or you can connect with me on Twitter too; the Twitter link is Abishiekh Jain is on Twitter
I have witnessed two dreadful days in 2017
May 12 – My result and the launch of WannaCry Virus
To those who want to know my result, I have passed my twelfth board with 80.17%
May 13 – Rumors of World War 3; it has not started yet, fingers crossed, but you never know.
I apologize to those I promised to have a conversation with on call; I couldn't, because these days I am tied up with my upcoming book, my upcoming social networking site, travelling for college admissions, and my upcoming event Speak Out. If you haven't bought the tickets already, buy them now (only three left): Buy Speak Out Tickets
So I promise to take calls ASAP. Thanks for the love <3